Various threat actors – from script kiddies to state-sponsored hackers – are taking full advantage of Covid-19 through a myriad of notable scams, including ransomware and phishing campaigns. Unsurprisingly, the combination of people spending more time online and their uncertainty surrounding this pandemic has played right into the hands of cybercriminals. As long as Covid-19 precautions remain in place and pervade almost every aspect of our lives, we must continue to increase our cybersecurity safeguards and remain on high alert for suspicious activity.
My firm, 4iQ, recently published its Covid-19 Threat Report, which explores the uptick in cyber-threats during the coronavirus and their impact on consumers and businesses worldwide. Throughout our research, we observed trends in terms of the most common threats, the most active threat actors behind these attacks, and how this is all reflected in the deep and dark web.
Most common threats
Sextortion email scams, where cybercriminals try to extort money from victims by threatening to reveal salacious information, are on the rise. In one specific example we found, the email contained the victim’s alleged username and password, which may have been acquired from an earlier data breach, and demanded payment via a Bitcoin transfer in exchange for not revealing “dirty little secrets.” The attack scheme exploited the Covid-19 crisis: the scammer claimed to have the capability to “infect [the victim’s] whole family with Coronavirus.” The quoted password is the only real exposure in such a message; the practical check is whether that password is still in use anywhere, and if so to change it, since the threats themselves are empty.
Fake news – false information or propaganda published under the guise of legitimate news – has also proliferated in the wake of the pandemic. We found messages touting fraudulent products that “cure, treat, or prevent Covid-19.” Similarly, conspiracy theories are prevalent: we found social media campaigns claiming Covid-19 is a hoax and spreading rumours about the origin of the pandemic. One fake news campaign claimed that the Covid-19 virus was stolen out of a Canadian lab.
Despite several prominent hacker groups pledging to stop attacking healthcare organisations during the pandemic, not all threat actors have ceased attacks on the healthcare sector, and ransomware campaigns in particular have continued. Ransomware is a type of malware that prevents or limits users from accessing their systems, either by locking the screen or by encrypting the users’ files, until a ransom is paid. During this lockdown period, we detected a slew of attacks, including: REvil/Sodinokibi, which actively exploits gateway and VPN vulnerabilities to gain a foothold in target organisations; Clop ransomware, which targets only Microsoft Windows and is deployed across the whole network rather than against individual workstations; and Locky ransomware, which used a coronavirus lure to deliver a downloader to a target’s computer.
Another widespread method of attack observed in our research was phishing campaigns. Cybercriminals spoofed credible organisations, such as the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC), to lure recipients into clicking malicious links or attachments. Phishing emails are often easy to spot (e.g. poor grammar, a threatening call to action, a suspicious sender), but in these uncertain times it is easy to act out of hysteria and go to sites you wouldn’t otherwise visit. At 4iQ, we found a significant increase in coronavirus-themed domains. These malicious sites commonly use terms related to protective gear, test kits, and vaccines, often combined with the name of the organisation being spoofed.
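The two patterns described above, the sextortion mail built from a breached password plus a Bitcoin demand and the coronavirus-themed lookalike domain, lend themselves to simple triage rules. The following is an added example, not 4iQ’s tooling or anything from the report; the indicator lists, the threshold, the spoofed-brand table, the naive two-label notion of a registrable domain and the sample mails and domains are all assumptions constructed for illustration.

```python
"""Heuristic triage for Covid-19-themed sextortion mail and lookalike domains.

Added example (not 4iQ's code). Indicator lists, threshold, brand table and
all sample inputs are constructed for illustration.
"""
import re

# Syntactic shape of legacy (base58) and bech32 Bitcoin addresses. No checksum
# is verified: this spots a ransom demand, it does not validate an address.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

SEXTORTION_INDICATORS = {
    "btc_address": BTC_ADDRESS,
    "claims_password": re.compile(r"\byour (?:password|passwd)\b|\bpassword is\b", re.I),
    "webcam_threat": re.compile(r"\b(?:webcam|camera|video|recorded|dirty)\b", re.I),
    "contacts_threat": re.compile(r"\b(?:contacts|family|colleagues|friends)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}\s*(?:hours|hrs|days)\b", re.I),
    "covid_lure": re.compile(r"\b(?:covid|coronavirus|corona)\b", re.I),
}


def score_sextortion(body, threshold=3):
    """Return (indicator names found, flagged). Threshold is an assumed tuning value."""
    hits = [name for name, rx in SEXTORTION_INDICATORS.items() if rx.search(body)]
    return hits, len(hits) >= threshold


# Terms seen in coronavirus-themed registrations (assumed list).
COVID_TERMS = ("covid", "corona", "vaccine", "testkit", "test-kit", "mask", "n95",
               "ppe", "sanitizer", "sanitiser", "quarantine", "pandemic")
# Organisations spoofed in the campaigns described above: real domain -> brand tokens.
TRUSTED = {"who.int": ("who",), "cdc.gov": ("cdc",)}


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character lookalikes such as wh0.int."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    # Naive: last two labels. A deployment should use the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def classify_domain(url_or_host):
    """Return (verdict, reasons): trusted / high / medium / benign."""
    host = re.sub(r"^[a-z]+://", "", url_or_host.strip().lower())
    host = host.split("/")[0].split(":")[0]
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted", []
    reasons = []
    labels = re.split(r"[.-]", host)          # "cdc-covid19-testkits.com" -> cdc, covid19, ...
    for real, tokens in TRUSTED.items():
        if any(t in labels for t in tokens):
            reasons.append("brand token from %s in hostname" % real)
        if levenshtein(reg, real) <= 1:
            reasons.append("lookalike of %s" % real)
    if any(term in host for term in COVID_TERMS):
        reasons.append("covid theme")
    if not reasons:
        return "benign", reasons
    if any(r.startswith(("brand token", "lookalike")) for r in reasons):
        return "high", reasons
    return "medium", reasons


# Constructed samples. The address below is made up and has no valid checksum.
SAMPLE_MAIL = """\
I know your password is hunter2.
I have recorded you through your webcam and I have the contacts of your family.
I can also infect your whole family with coronavirus.
Send 1500 USD in bitcoin to 1KxV2pZ8fQh7mNtRwcY4bDgJ6eLs9uTaB3 within 24 hours.
"""
BENIGN_MAIL = "Reminder: IT will never ask for your password. Please reset it within 7 days."

if __name__ == "__main__":
    for mail in (SAMPLE_MAIL, BENIGN_MAIL):
        print(score_sextortion(mail))
    for d in ("https://cdc-covid19-testkits.com/order", "wh0.int",
              "n95masksupply.net", "https://www.who.int/emergencies", "example.com"):
        print(d, classify_domain(d))
```

The mail scorer deliberately needs several independent signals before it flags anything: a single mention of "your password" or a deadline is routine IT mail, while a Bitcoin address next to a quoted password and a threat is not. On the domain side, a brand token or a one-edit lookalike of a spoofed organisation outranks a bare pandemic keyword, which on its own is at most worth a closer look.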
Most active threat actors
In addition to understanding the nature of an attack, it is important to understand who is behind it and their motives. We broke the most common threat actors down into three categories: script kiddies, professional hackers, and state-sponsored hackers. Script kiddies are unskilled individuals who make use of existing malware. The creators of the MBRLocker malware, which has reportedly resurfaced during this crisis, are believed to be script kiddies.
Professional, sophisticated threat actors are relying on phishing as an initial attack vector. For instance, some of these cybercriminals used details from the WHO, such as logos and images, to create phishing emails that appeared genuine, then directed victims to a fake landing page designed to harvest the username and password for the individual’s email account. Ransomware gangs are a significant threat to businesses as well. Maze and DoppelPaymer, two of the more prominent ransomware groups, have stated they will avoid targeting healthcare organisations, but other professional hackers are still active and looking to wreak havoc.
Lastly, state-sponsored hackers in China, Vietnam, North Korea, and other countries are using this crisis to create phishing emails targeting public officials and government employees with the goal of disseminating malware. With the 2020 U.S. presidential election right around the corner, we may see more activity from these nation-state threat actors.
The deep and dark web
On deep and dark web forums we saw a significant increase in the number of threads, items offered for sale, and hacking information related to Covid-19. Coronavirus masks, tests, and even “vaccines” are commonly sold items, with the prices varying per market.
As more people started staying at home, there was a surge in downloads of social media and collaboration applications, and underground forum activity around those applications surged with it. In March 2020, TikTok was the most downloaded non-game app worldwide, followed by WhatsApp and Zoom. With millions of individuals working from home and relying on teleconferencing software, we analysed various forum activities and uncovered a number of exposed Zoom application credentials, including email addresses, passwords, and usernames. Credentials that surface this way are only useful to an attacker where the same password is reused elsewhere, which is why unique passwords and multi-factor authentication remain the basic defence.
The bottom line is that cybercriminals will persistently capitalise on the pandemonium from Covid-19. Global entities have a lot on their plates, juggling employee safety with business continuity efforts and, in most cases, decreased revenue. Even so, we cannot neglect cybersecurity.
Encouragingly, a May 2020 report from LearnBonds found that nearly 70 per cent of major organisations are planning to increase their spending on cybersecurity due to Covid-19. Most importantly, at this time, individuals must remain vigilant for suspicious Covid-19-related activity. If you are on the receiving end of a suspicious email, promptly notify your company’s security team and report it to the Anti-Phishing Working Group or Federal Trade Commission. There are many resources that organisations and individuals can take advantage of to combat these threats. Cybercriminals are not pausing, so neither can we.
Claire Umeda, Vice President, 4iQ