
Steering a cyber-course through Covid-19’s troubled waters


As Covid-19 drives a higher volume of transactions online, the dance between cyber-criminals and security professionals has stepped up a beat. Enterprises are re-assessing the robustness of their systems, while bad actors are on the look-out for vulnerabilities to exploit.

Under lockdown measures, organisations have been forced to reassess their physical environments. Now they must re-evaluate their digital ones.

At Shape Security, we process billions of transactions every week on behalf of some of the world’s biggest banks, retailers, government agencies, and airlines.

Since early March, when the shelter-in-place and lockdown guidelines started coming into force, we have noticed major spikes and collapses in online activity across a range of verticals. Traffic to online grocery delivery providers in our network was up 400 per cent, and investment account logins rose by 53 per cent. Conversely, online travel bookings were down 75 per cent, new payroll account registrations were cut in half, and international money transfers fell by 35 per cent.

These are unsurprising trends, as some sectors experience unprecedented demand while others remain in lockdown. Less clear is whether the volume of attacks and malicious activity has increased in the wake of Covid-19, and indeed if there is any direct link between the two. The data isn’t yet definitive and, in our experience, there are too many variables in each case to be sure (i.e. the application in question, the countermeasures in place, the monetisation scheme being pursued).

Nevertheless, it is important for any organisation that relies on applications both to understand how attackers are operating in the current circumstances and to reconsider whether its security measures are sufficient. Whether or not attack volumes are on the rise, we are seeing a definite evolution in the behaviour of cyber-criminals. It is vital that organisations are aware of these trends.

Cybersecurity evolution

As one example of new cybercriminal behaviour, attackers have been targeting portals that allow people to access Government finance and assistance schemes under the US Coronavirus Aid, Relief, and Economic Security (CARES) Act. Every applicant needs to enter a Taxpayer Identification Number (TIN) to proceed. As a result, attackers have been tapping into the workflow to run automated programs that allow them to endlessly fish for, and then validate, real TINs, for sale or malicious use elsewhere.

Another prevalent act of fraud we are seeing is targeted at the quick service restaurant (QSR) industry. Here, fraudsters pose as discount providers on social media to place real orders with QSRs using stolen credit cards. The transaction proceeds as normal through their system and that of the delivery provider. Only when the chargeback occurs weeks later does the fraud become apparent, by which time it is too late to trace or recoup. The cost of this scam has run into hundreds of thousands of dollars per month for some companies in the industry.

What these examples demonstrate is the relentless adaptability of cyber-attackers. When there are major shifts in consumer behaviour, such as the recent spike in online food orders, they quickly change their playbooks to take advantage.

Protecting critical operations is, therefore, more important than ever. Across the world, cybercriminals are gearing up to prey on fear, uncertainty, and an increased reliance on digital tools. Indeed, the World Economic Forum has stated that cybersecurity “matters more than ever during the coronavirus pandemic.”

So, how can companies be equally agile in their response?

Shoring up defences

The first step is to acknowledge the extent of the problem. One Fortune 100 customer came to us with the assumption that about 20-30 per cent of their traffic was malicious. Our analysis showed that the real figure was 98 per cent. This is a common problem; a security operations centre (SOC) will often focus on the noisiest IPs and miss the long tail of those contributing small volumes of malicious traffic.
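The long-tail effect described above can be measured directly on login logs. The following is an added example, not code from Shape Security or the original article; the log format, addresses, counts and the per-IP threshold of 100 are constructed assumptions.

```python
from collections import Counter

def build_sample_log():
    """Constructed 'ip outcome' lines for a login endpoint (not real traffic)."""
    lines = []
    for i in range(3):            # 3 noisy sources, 500 failed logins each
        lines += [f"198.51.100.{i + 1} FAIL"] * 500
    for i in range(2000):         # 2,000 quiet sources, 3 failed logins each
        lines += [f"10.{i // 250}.{i % 250}.7 FAIL"] * 3
    for i in range(300):          # 300 customers: 4 successes, 1 mistyped password
        ip = f"172.16.{i // 250}.{i % 250}"
        lines += [f"{ip} OK"] * 4 + [f"{ip} FAIL"]
    return lines

def tally(lines):
    """Return per-IP counters of failed and successful logins."""
    fails, oks = Counter(), Counter()
    for line in lines:
        ip, outcome = line.split()
        (fails if outcome == "FAIL" else oks)[ip] += 1
    return fails, oks

def volume_view(lines, per_ip_threshold):
    """What a 'noisiest IPs' rule sees: sources at or above the threshold."""
    fails, _ = tally(lines)
    flagged = {ip for ip, n in fails.items() if n >= per_ip_threshold}
    covered = sum(fails[ip] for ip in flagged)
    return len(flagged), covered / sum(fails.values())

def never_succeeds_view(lines):
    """Volume-independent signal: sources that fail and never log in."""
    fails, oks = tally(lines)
    flagged = {ip for ip in fails if oks[ip] == 0}
    covered = sum(fails[ip] for ip in flagged)
    return len(flagged), covered / sum(fails.values())

if __name__ == "__main__":
    log = build_sample_log()
    n, share = volume_view(log, per_ip_threshold=100)
    print(f"volume rule: {n} sources, {share:.1%} of failed logins")
    n, share = never_succeeds_view(log)
    print(f"never-succeeds rule: {n} sources, {share:.1%} of failed logins")
```

On this constructed data the volume rule flags 3 sources covering under a fifth of failed logins, while the never-succeeds signal, a deliberately crude stand-in for richer behavioural signals, also covers the quiet sources.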

The second point is to leverage technology that can collect signals from your network, users, and environment to identify automated and potentially malicious traffic. For instance, if you are looking at how users navigate an online workflow, signals will easily distinguish the keystrokes and mouse movements of a human user from the overly precise behaviour of a bot. They can also tell the difference between a legitimate user and a manual fraudster. The latter, having become familiar with the workflow, will typically navigate it more quickly – a very subtle, but vital differentiation to make.

Organisations need to remember that attackers are a moving target. They will usually retool after countermeasures are taken, and shift between web, mobile, and API interfaces to seek out new vulnerabilities. As such, security teams need to watch closely how attackers respond to countermeasures to determine their next move. Some don’t even recognise that they are being blocked. Others quickly adapt.

The flexibility of attackers also highlights the dangers of relying too much on artificial intelligence (AI) and machine learning (ML). While these are essential elements of any security toolkit, it is also important to recognise their limitations. The raw signals detected by AI and ML systems will be full of both false positives and false negatives. You need trained people poring over that data as a crucial second line of defence, watching for anomalies and observing how attackers retool.

Finally, don’t forget the user experience. A customer-facing business shouldn’t depend too much on tools like CAPTCHA that can inconvenience real customers more than prospective attackers. When push comes to shove, businesses are still serving real-life people. If cybersecurity tools are worsening the customer’s experience of a service, it’s probably time to re-consider your strategy.

This is a time of constant adaptation for everyone, cybercriminals included. Security is, therefore, a clear priority that demands rigorous attention. At every possible juncture, attackers are evolving fast in this new environment. Organisations across the world need to do the same to protect both themselves and their customers.

Dan Woods, Vice President of the Shape Security Intelligence Centre, F5

Dan Woods is Vice President of the Shape Security Intelligence Center at F5. Previously, he served as Assistant Chief Special Agent of Special Investigations at the Arizona Attorney General's Office. Dan also worked with US law enforcement and intelligence units, including the FBI and CIA, for 20 years.