Updated: COVID-19 incites crimes of opportunity

4/21/20 Update:

Since publishing this blog, we’ve seen some interesting developments in this space. First, this is not going unnoticed in the community. I’ve seen several news reports and even local television public service announcements addressing the need to stay diligent and be on the lookout for attacks of all kinds, similar to what was described in my initial post. It should go without saying that this isn’t going unnoticed in the criminal community either – phishing email statistics are proving that out as well.

We’re also seeing the “new infrastructure” under attack as this has become a lucrative target. Not only for attackers, but on the dark web, weaponized exploits can go for as much as a half a million dollars. Cybercrime’s own self-stimulus.

And finally, there’s big brother – Google and Apple (and likely others) are flexing their data muscles and building tracking systems. Great use of technology to support a good cause? Sure. Scary 1984 moment? Maybe. Time will tell.

Cybercriminals don't care that you're worried about a global pandemic. They are opportunistic, and we should expect them to take advantage of COVID-19 in a variety of creative ways. With our economy essentially shut down and one in five Americans ordered to stay home, millions of people are less mobile and will ultimately spend more time than ever on the internet. The good news is that people may be less vulnerable to the cyber threats that abound due to this reduced mobile, but there are plenty of ways to target people, and the latest crisis provides ample fodder to start with.

Cybercriminals have already figured out that most of us are glued to the breaking news and real-time social media coverage about the pandemic, thus are more susceptible to opening updates from what appear to be trusted sources. Panicked people are looking for maps that show the spread of the disease and other statistics. For example, a recent Android app turned out to be ransomware that changed the user's password, blocked access, and charged a fee to restore the password to unlock the device.

Another example includes spyware designed using actual data from the John Hopkins University's Coronavirus tracking map, which turned out to be a malicious application that claimed not to require special privileges, but once installed, requested access to everything from files and location to the device's camera and microphone. This, of course, had nothing to do with the university directly but was just a malicious attack using their name—the Johns Hopkins Coronavirus Resource Center on the university's website continues to be safe to navigate.

Phishing scams may be something people are becoming increasingly aware of, but even trained eyes can fall victim to an email with an apparent COVID-19 update from a company they know. I recently received an email with a malicious attachment, claiming to be a statement about COVID-19 from a major healthcare provider that I know well. Clearly, the information was tempting, but a more in-depth look led me to discover it was from a nefarious source.

Another attack that criminals may use is to try to capitalize on the financial difficulties we are currently experiencing. With a plummeting stock market and vulnerable financial institutions, people are more susceptible to opening malicious attachments if they come from a bank or credit card company where they have an account.

We've seen phishing attacks from numerous financial institutions have success in the past. These emails often say there has been a change to your account, trying to lure you into following a link to a website or into opening an attachment. As it stands now, I would personally be likely to open an email attachment that comes to me from my bank with news about an account change or move. Think twice and double-check the source to be safe!

Many Americans have gone from five days a week in the office to working full-time from home. They likely don't have much interaction with their IT departments unless they get locked out of a device or have a software problem. Cybercriminals know this and will use this vector to claim to be from the IT department of your company, requiring you to download an upgraded VPN client or critical update to your software (or other similarly dubious but purportedly mandatory task). Be wary of all emails and check the sender's address, even if they appear to come from someone inside your organization.

We are also less guarded about helping others. Scams that play on our generous side are common in challenging times, and we've seen bogus charitable donation requests in previous natural disasters. It's always wise to be very suspicious of invitations for donations in general, but if it is not coming from a source that you have previously done business with and recognize, it's especially wise to avoid any unrequested solicitations.

Ultimately, the scams that we are seeing during the COVID-19 pandemic are not new. Criminals are not getting smarter,1 but they are more inventive when the times allow. They leverage the immediacy and the emotions of unique situations and find ever more imaginative ways to separate you from your money or data. In addition to practicing good personal hygiene, you can protect yourself from these scams by being more cautious than usual about your cyber hygiene. The United States Secret Service has released some excellent advice on how to protect yourself from cybercriminals exploiting COVID-19 fears. Please let me know if you come across new examples, and if these tips are working for you.

Just a day or so ago, I received this proof that criminals aren’t getting smarter.