Technologists everywhere have been dealing with a tidal wave of frantic emails ever since the COVID-19 pandemic began, especially if they’re in a support or infrastructure role. That accelerated pace leads to distraction—which makes it easier for even the most sophisticated employee to potentially fall victim to phishing.
In April, the Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory suggesting that “cyber criminals and other malicious groups online are exploiting the COVID-19 outbreak for their own personal gain.” These COVID-19 phishing scams have become increasingly insidious, taking advantage of users’ natural curiosity and fear about the disease. For example, one recently described by Wired involves a pandemic-related email sent by “John Hopkins Center” with an Excel attachment that downloads a macro to the victim’s computer when opened; that macro, in turn, downloads malware to the system.
It’s worth noting, however, that CISA hasn’t seen the overall level of cyber-attacks increase; rather, bad actors are tailoring their existing attack patterns to take advantage of the pandemic. Specifically:
- As with the Johns Hopkins Center phishing attempt, many of these attacks are sent by what appears to be a trustworthy, COVID-related sender, such as a local hospital or an organization like the World Health Organization (WHO).
- The subject line will cite the COVID-19 pandemic and lockdown (‘2020 Coronavirus Updates,’ ‘2019-nCov: New confirmed cases in your City,’ etc.), and the accompanying text will suggest clicking on a link or downloading an attachment in order to find out more information or register for a related service (such as contact tracing).
Searching for Work-From-Home Vulnerabilities
Cybercriminals are scanning more often for vulnerabilities in remote-working tools and software, in order to better exploit the millions of workers who are now conducting business from home. “This includes exploitation of the increased use of video conferencing software,” CISA explained, “such as Microsoft Teams, where phishing emails with attachment names such as ‘zoom-us-zoom_##########.exe’ and ‘microsoft-teams_V#mu#D_##########.exe’ aim to trick users into downloading malicious files.”
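A mail-gateway style check for the attachment names CISA quotes above, as an added example that is not from CISA or the original article. It assumes each `#` in the quoted templates stands for a single digit; the sample messages and `example.test` addresses are constructed, and the fallback rule for any other `.exe` attachment goes beyond the two quoted names.

```python
import re
from email.message import EmailMessage

# Filename templates quoted in the CISA advisory.
# Assumption: each '#' stands for exactly one digit.
CISA_TEMPLATES = [
    "zoom-us-zoom_##########.exe",
    "microsoft-teams_V#mu#D_##########.exe",
]

def template_to_regex(template):
    """Escape the literal characters and turn every '#' into a one-digit match."""
    parts = (r"\d" if ch == "#" else re.escape(ch) for ch in template)
    return re.compile("".join(parts), re.IGNORECASE)

PATTERNS = [template_to_regex(t) for t in CISA_TEMPLATES]

def flag_attachments(msg):
    """Return (filename, reason) pairs for attachments worth quarantining."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if any(p.fullmatch(name) for p in PATTERNS):
            hits.append((name, "matches CISA-reported filename template"))
        elif name.lower().endswith(".exe"):
            # Catches near-miss variants of the templates and other executables.
            hits.append((name, "executable attachment"))
    return hits

def build_sample(filename):
    """Constructed test message; sender, subject and payload are made up."""
    msg = EmailMessage()
    msg["From"] = "meetings@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your meeting invitation"
    msg.set_content("Please install the attached update before joining.")
    msg.add_attachment(b"placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    for fn in ["zoom-us-zoom_1234567890.exe",
               "microsoft-teams_V3mu7D_0123456789.exe",
               "agenda.pdf"]:
        print(fn, "->", flag_attachments(build_sample(fn)))
```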
Current Attack Campaigns
For cybersecurity experts, sysadmins, and others tasked with keeping businesses secure, CISA has also come up with a handy list of resources that detail the current round of COVID-related phishing and cybersecurity attacks (most updated on a fairly regular basis). They are:
- Recorded Future’s report: Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide.
- DomainTools’ Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats.
- GitHub list of IOCs used in COVID-19-related cyberattack campaigns (by GitHub user Parth D. Maniar).
- GitHub list of Malware, spam, and phishing IOCs that involve the use of COVID-19 or coronavirus (by SophosLabs).
- Reddit master thread of intelligence relevant to COVID-19 malicious cyber-threat actor campaigns.
- MISP project’s dedicated #COVID2019 MISP instance to share COVID-related cyber threat information.
For cybersecurity professionals tasked with keeping organizations safe, the first step to dealing with phishing is good communication: You must instruct employees early and often in the dangers of opening emails from unknown senders, and clicking on suspicious links. Many browsers and email platforms now offer anti-phishing toolbars and alerts; for example, some tell recipients when an email has been sent from outside the organization, which helps prevent attackers from disguising themselves as the target's colleagues.
In addition to warning employees to "think before they click," cybersecurity experts and sysadmins must keep systems up-to-date. While this won't block all possible attacks, many modern platforms and tools include countermeasures designed to prevent phishing and other attacks.
“We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats,” Bryan Ware, CISA’s Assistant Director for Cybersecurity, wrote in a statement.