All information given here is taken from “Advisory: COVID-19 exploited by malicious cyber actors” – a joint advisory from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). A link to the full document is provided at the end of the article.
An increasing number of cyber criminals are exploiting the current COVID-19 pandemic for their own objectives. In the UK, the National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject.
Summary of attacks
Cyber criminals are using the COVID-19 pandemic for commercial gain, deploying a variety of ransomware and other malware. They will often masquerade as trusted entities (such as local councils or the Government) and their activity includes using coronavirus-themed phishing messages or malicious applications.
Mitigating the risk
Following the NCSC advice set out below should help mitigate the risk to individuals and families from malicious cyber activity related to both COVID-19 and other themes:
- NCSC guidance for the public to help them spot, understand and deal with suspicious messages and emails: https://www.ncsc.gov.uk/guidance/suspicious-email-actions
- NCSC guidance for individuals and families: https://www.ncsc.gov.uk/section/information-for/individuals-families
- Advice for professionals and organisations can be found in the full Advisory document at the end of this article
Phishing guidance for individuals
The NCSC’s suspicious email guidance (https://www.ncsc.gov.uk/guidance/suspicious-email-actions) explains what to do if you’ve already clicked on a potentially malicious email, attachment or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take (such as changing your passwords). It also offers NCSC’s top tips for spotting a phishing email:
• Authority – Is the sender claiming to be from someone official (like your bank, doctor, a solicitor, government department)? Criminals often pretend to be important people or organisations to trick you into doing what they want.
• Urgency – Are you told you have a limited time to respond (like in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
• Emotion – Does the message make you panic, or feel fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
• Scarcity – Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
How these attacks work
Cyber criminals take advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to click on a link, download an app, or open a file/email attachment that may lead to a phishing website or the downloading of malware (including ransomware). Examples include:
- A malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install ‘CovidLock’ ransomware on their device.
- Email subject lines contain COVID-19 related phrases such as ‘Coronavirus Update’ or ‘2019-nCov: Coronavirus outbreak in your city (Emergency)’ – these emails then contain malicious files or links which users are encouraged to download or follow.
- An SMS (text) message purporting to be from ‘COVID’ and ‘UKGOV,’ (see figure 1) includes a link directly to a phishing site (see figure 2). Historically, SMS phishing has often used financial incentives, including government payments and rebates (such as a tax rebate) as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments’ employment and financial support packages.
Figure 1: UK Government themed SMS phishing message
Figure 2: UK Government themed phishing page
As this example demonstrates, malicious messages can and often do arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government compensation schemes responding to COVID-19 as themes in phishing campaigns.
To create the impression of authenticity, these people may spoof (fake) sender information in an email or message to make it appear to come from a trustworthy source, such as the World Health Organization (WHO), Government, or an individual with ‘Dr.’ in their title.
In several examples, these criminals send phishing emails that contain links to a fake email login page. Other examples purport to be from an organisation’s human resources (HR) department and advise the employee to open the attachment.
Malicious file attachments containing malware payloads may be named with coronavirus or COVID-19 related themes, such as “President discusses budget savings due to coronavirus with Cabinet.rtf.”
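The cues described above (a spoofed trusted sender, a COVID-themed urgent subject line, a themed attachment name) can be checked mechanically when triaging reported mail. The following is an added example, not code from the advisory: the allow-list of sender domains, the keyword lists and the function names are assumptions, and the sample messages are constructed.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allow-list: names a lure may claim -> domains the real sender uses.
TRUSTED = {
    "world health organization": ("who.int",),
    "gov.uk": ("gov.uk",),
    "ukgov": ("gov.uk",),
    "nhs": ("nhs.uk", "nhs.net"),
}
THEME = re.compile(r"covid|coronavirus|2019-ncov", re.I)
URGENCY = re.compile(r"\b(emergency|urgent|immediately|24 hours)\b", re.I)

def triage(msg):
    """Return the list of phishing cues found in one parsed message."""
    cues = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    for name, allowed in TRUSTED.items():
        claimed = re.search(rf"\b{re.escape(name)}\b", display, re.I)
        genuine = any(domain == d or domain.endswith("." + d) for d in allowed)
        if claimed and not genuine:
            cues.append("authority")  # display name and sending domain disagree
            break
    subject = str(msg.get("Subject", ""))
    if THEME.search(subject):
        cues.append("theme")
    if URGENCY.search(subject):
        cues.append("urgency")
    if any(THEME.search(p.get_filename() or "") for p in msg.iter_attachments()):
        cues.append("attachment")
    return cues

def build(sender, subject, attachment=None):
    """Construct a sample message (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("constructed sample body")
    if attachment:
        msg.add_attachment(b"x", maintype="application", subtype="rtf",
                           filename=attachment)
    return msg

LURE = build("World Health Organization <alerts@who-updates.example>",
             "2019-nCov: Coronavirus outbreak in your city (Emergency)",
             "President discusses budget savings due to coronavirus with Cabinet.rtf")
GENUINE = build('"GOV.UK" <updates@example.gov.uk>', "Coronavirus Update")

if __name__ == "__main__":
    print(triage(LURE), triage(GENUINE))
```

A themed subject alone is only a weak signal, since genuine senders also write about COVID-19; the display-name and domain mismatch is the stronger cue.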
Malicious cyber actors (another name for cyber criminals, due to the “act” they put on to impersonate official senders and websites) are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19 related information as an opportunity to deliver malware and ransomware and to steal user credentials. Individuals and organisations should remain vigilant. For genuine information about the virus, please use trusted resources such as:
- the UK government website – https://www.gov.uk/coronavirus
- Public Health England – https://www.gov.uk/government/organisations/public-health-england
- NHS websites – https://www.nhs.uk/conditions/coronavirus-covid-19/
Download “Advisory: COVID-19 exploited by malicious cyber actors” PDF below:
Post taken from Platform Housing, with their permission.