COVID-19 Cyber Attacks: Don't Become a Victim!
Posted on March 20, 2020 by T&M Protection Resources, LLC
Receiving emails related to Coronavirus? Monitoring websites or downloading apps with COVID-19 outbreak statistics? T&M offers information about COVID-19 cyber-attacks and tips on how to avoid falling victim.
As COVID-19 spreads around the world and across our nation, it has caused significant disruption to businesses and a high degree of panic. Companies have activated business continuity plans and have relegated most of their employees to work from home to contain the spread of the virus. In a new era where millions of people are actively monitoring current events online, secure networks and user awareness are now more critical than ever as cyber-attacks emerge in the form of phishing scams and ransomware. Both of these scams can be prevented through online education and mindfulness.
Phishing scams are a common social engineering tactic employed by hackers to steal data, login credentials and personal information. The attacker generally disguises their identity as a credible source in order to entice the user to click on a file or visit a malicious site. If the user clicks the file or visits the site, malicious files that steal information or deploy ransomware could be downloaded to their device. Ransomware is a malicious agent that, once downloaded, will encrypt all the user’s data. The hacker will often demand a ransom be paid for decryption, but even if the ransom is paid, there is no guarantee that the hacker will decrypt the files, and the user’s data could be lost forever. How are attackers taking advantage of the COVID-19 outbreak to deploy these scams?
Phishing Scam: Fake WHO and CDC Emails Containing Malware & Credential Harvesters
Cyber criminals are impersonating the U.S. Centers for Disease Control and Prevention (CDC), creating domains similar to the CDC’s website to steal email credentials and even request Bitcoin donations to allegedly fund a vaccine. Emails have also been sent that misinform people of disruptions in the supply chain and entice users to open malicious attachments.
According to researchers from Kaspersky Lab, malicious emails are also appearing to come from the World Health Organization (WHO) providing information related to safety measures to avoid infection. Recipients who click on the embedded links are asked to enter their email login credentials, which are then stolen. Cybersecurity researchers are continuing to monitor the various types of email threats but note that attackers are leveraging both malicious links and malicious attachments.
Check Point Software Technologies reports that since January 2020, “there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3 percent were found to be malicious and an additional 5 percent are suspicious. Coronavirus-related domains are 50 percent more likely to be malicious than other domains registered at the same period.”
Cybersecurity researchers have also identified malicious RTF (Rich Text Format) files being attached to emails that claim to contain information about the Coronavirus pandemic. When the attachments are opened, a remote access trojan (RAT) is executed. The RAT automatically proceeds to take screenshots of the victim’s computer system, create a list of the victim’s files and directories, and download the victim’s files among other malicious activities.
COVID-19 Ransomware: CovidLock is Encrypting Phones and “CoronaVirus” is Infecting Computers
Cybersecurity researchers have identified a malicious app developed for Android phones that purports to deliver up-to-date figures on the global pandemic. In reality, downloading and using the app will lock the user’s phone. A demand for money is then issued to unlock the device or to prevent the phone’s data from being deleted. This attack is currently being called CovidLock and a ransom of $100 in Bitcoin within 48 hours is demanded of victims. If payment is not made, the operators behind the scam are claiming they will also track the location of the phone and delete photos and social media accounts. Even if payment is made, there is no guarantee that the operators will refrain from carrying out their threats.
It has been reported that the encryption of this attack has been reverse engineered and that a decryption key will be made public for anyone affected. However, this will not prevent a similar attack that uses a different encryption method from being deployed.
Another piece of ransomware identified by security researchers is CoronaVirus, which is infecting computers by disguising itself as WiseCleaner, an application that purports to improve your computer’s performance. Once installed, the files on the computer will become encrypted unless a ransom is paid using Bitcoin. Again, there is no guarantee that the files will become decrypted once the ransom is paid.
What can we all do to be cybersafe against phishing scams and ransomware attacks? T&M offers these best practices:
- When looking for current information about COVID-19, it is important to only visit websites from known, credible sources such as the CDC or the WHO.
- Avoid downloadable applications related to the Coronavirus and make sure to inspect every email received that contains attachments or links to ensure that the email is coming from a legitimate or known source.
- Carefully inspect the URL of websites and other links you may receive in an email or that redirect to a login screen. Ensure that the URLs are legitimate. A suspicious and potentially malicious URL may contain misspelled words.
- Perform routine backups of important computer files onto an external device or to cloud storage. If your device becomes infected with ransomware, the backups can help restore the files so that you do not have to worry about paying the ransom or losing the files.
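The URL inspection advice in the list above can be automated as a first-pass triage of links found in email. This is an added example, not T&M's code: the allowlist of cdc.gov and who.int, the naive last-two-labels domain split, and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the allowlist holds the two sources the article names as credible.
TRUSTED = ("cdc.gov", "who.int")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(url):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # lower-cased, port removed
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"  # no scheme or no host: nothing to verify
    # Exact domain or a true subdomain of an allowlisted domain.
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Text before '@' is userinfo, not the site: cdc.gov@host goes to host.
    userinfo = (parts.username or "").lower()
    # Hyphens are often used to mimic dots (cdc-gov.example).
    dotted = "." + host.replace("-", ".") + "."
    # Naive registrable domain: last two labels (no Public Suffix List here).
    base = ".".join(host.split(".")[-2:])
    for t in TRUSTED:
        if t in userinfo or "." + t + "." in dotted or edit_distance(base, t) == 1:
            return "lookalike"
    return "unknown"

# Constructed sample URLs, for illustration only.
SAMPLES = [
    "https://www.cdc.gov:443/coronavirus",
    "https://www.cdc.gov.covid-stats.example/login",
    "https://cdc-gov.example/donate",
    "https://cdc.gov@login.example/",
    "http://wh0.int/emergencies",
    "https://news.example/covid",
]

def triage(urls=SAMPLES):
    return {u: classify(u) for u in urls}
```

A "lookalike" result is a prompt for manual review, not a verdict: a one-character distance check will also match some legitimate short domains.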
With the spread of COVID-19 throughout the globe, employees are forced to conduct business online, schools are conducting virtual classrooms, banking is conducted virtually, and people are striving to stay up to date with the latest news about the virus. It is essential to be mindful of online activity as hackers are using this as a chance to take advantage of current physical, emotional, and virtual vulnerabilities.
Contact T&M’s Cyber Incident Response Team in the event you have fallen victim to a cyber-attack during this global pandemic.
646.445.7811 | CIRT@tmprotection.com