While consumers are aware of increased risks and scams via the internet, they still plan to do more shopping online – and earlier – this holiday season, McAfee reveals.
Thirty-six percent of Americans note they are hitting the digital links to give gifts and cheer this year, despite 60% feeling that cyber scams become more prevalent during the holiday season.
While more than 124 million consumers shopped in-store during the 2019 Black Friday to Cyber Monday holiday weekend, the survey indicates consumers have shifted direction due to global events this year, opening their risk to online threats as they live, work, play, and buy all through their devices.
The survey shows shopping activity in general has increased, with 49% stating they are buying online more since the onset of COVID-19. Eighteen percent of consumers are even shopping online daily, while 34% shop online 3-5 days a week.
Online cybercrime continues to increase
The research team recently found evidence that online cybercrime continues to increase, observing 419 threats per minute in Q2 2020, an increase of almost 12% over the previous quarter.
With activity set to rise from both consumers and criminals, there is an added concern of whether consumers are taking security threats as seriously as they should – with key differences seen across generational groups:
- 79% of those 65+ in age believe there is a greater cyber risk due to COVID-19 while 70% of those 18-24 state the same
- 27% of respondents ages 18-24 report checking if emailed or text messaged discounts and deals sent to them are authentic
“Many are wondering what this year’s holiday season will look like as consumer shopping behaviors continue to evolve and adapt to the challenges faced throughout 2020,” said Judith Bitterli, VP of Consumer Marketing, McAfee.
“With results showing the growing prevalence of online shopping, consumers need to be aware of how cybercriminals are looking to take advantage and take the necessary steps to protect themselves – and their loved ones – this holiday season.”
This juxtaposition of increased online activity from both consumers and cybercriminals serves as the perfect catalyst for misdeeds, especially as 36% of consumers note that while they are aware of risks, they plan to increase their holiday online shopping. This less-than-cautious approach is further seen when respondents are offered deals or discounts, with 43% checking to see if Black Friday or Cyber Monday emails and text messages sent are authentic and trustworthy.
Consumers purchasing more online gift cards this year
Additionally, as the National Retail Federation (NRF) reports 54% of consumers wish to receive gift cards this holiday season, the survey proved that 35% of respondents plan to fulfill this request by purchasing more online gift cards this year.
With this alignment set to occur, there are potentially negative implications as 25% of respondents automatically assume gift card links are safe and don’t always take the necessary steps to ensure legitimacy.
In order to stay safe this holiday season, it is advised to:
- Employ multi-factor authentication to double check the authenticity of digital users and add an additional layer of security to protect personal data and information.
- Browse with caution and added security using a tool to block malware and phishing sites via malicious links.
- Protect your identity and important personal and financial details using an identity theft protection tool, which also includes recovery tools should your identity be compromised.
Research paper: Rick Wash, “How Experts Detect Phishing Scam Emails”:
Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are “off” about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email — usually, the presence of a link requesting an action — triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.
In today’s world, most external cyberattacks start with phishing. For attackers, it’s almost a no-brainer: phishing is cheap and humans are fallible, even after going through anti-phishing training.
Patrick Harr, CEO at SlashNext, says that while security awareness training is an important aspect of a multi-layered defense strategy, simulating attacks during computer-based training sessions is not an effective way to learn, because people don’t necessarily retain the information.
“Working from home, where there are more distractions, makes it even less likely that people really pay attention to these trainings. That’s why it’s not uncommon to see the same people who tune out training falling for scams again and again,” he noted.
That’s why defenders must preempt attacks, he says, and reinforce a lesson during a live attack. When something gets through and someone clicks on a malicious URL, defenders must be able to simultaneously block the attack and show the victim what the phisher was attempting to do.
Latest phishing trends
Harr, who has over 20 years of experience as a senior executive and GM at industry-leading security and storage companies and as a serial entrepreneur and CEO at multiple successful start-ups, is now leading SlashNext, a cybersecurity startup that uses AI to predict and protect enterprise users from phishing threats.
He says that most CISOs assume phishing is a corporate email problem and their current line of defense is adequate, but they are wrong.
“We are detecting 21,000 new phishing attacks a day, many of which have moved beyond corporate email and simple credential stealing. These attacks can easily evade email phishing defenses that rely on static, reputation-based detection. That’s why we typically see 80-90% of attacks evading conventional lines of defense to compromise the network,” he told Help Net Security.
“Magnify this by 150,000 new zero-hour phishing threats a week, almost double the number of threats versus a year ago, and we can safely say, ‘Houston we have a problem!’”
They are seeing:
- More text-based phishing, with no actual links, across SMS, gaming, search services, ad networks, and collaboration platforms like Zoom, Teams, Box, Dropbox, and Slack, as well as attacks on mobile devices
- A proliferation of phishing payloads beyond credential stealing scams which have been around for ages
- An increase in scareware, where phishers attempt to scare people into taking an action, such as sharing an email
- Rogue software attacks embedded in browser extensions and social engineering schemes like the massive Twitter bitcoin scam that happened in July
“Finally, we’re seeing cybercriminals trying out innovative ways to evade detection. For example, bad actors may register a domain that lays dormant for months before going live,” he added, and noted that they’ve witnessed a 3,000% increase in the number of phishing attacks since everyone began working and learning from home, and they expect this growth trend will continue.
Advice for CISOs
His main advice to CISOs is not to be complacent and to be diligent: near term, mid-term, and long term.
“You’ve got to take a comprehensive, multi-layer phishing defense approach outside the firewall, where your biggest user population is working remotely, and inside the firewall for your internal users. You need to protect mobile devices and PC/Mac endpoints, with end-to-end encryption (E2EE) deployed,” he opined.
“You also have to be mindful of corporate users’ personal side as their personal and business lives have converged, and many people use the same devices and same credentials across personal and business accounts.”
Thirdly, this type of attack needs to be prevented from happening. “Use AI-enabled defenses to fight AI-enabled attacks. Fight machines with machines and adopt a preemptive security posture.”
Finally: some attacks inevitably breach all defenses, so organizations must be prepared to quickly detect and respond to an attack, and perform the necessary cleanup.
Email attacks have moved past standard phishing and become more targeted over the years. In this article, I will focus on email impersonation attacks, outline why they are dangerous, and provide some tips to help individuals and organizations reduce their risk exposure to impersonation attacks.
What are email impersonation attacks?
Email impersonation attacks are malicious emails where scammers pretend to be a trusted entity to steal money and sensitive information from victims. The trusted entity being impersonated could be anyone – your boss, your colleague, a vendor, or a consumer brand you get automated emails from.
Email impersonation attacks are tough to catch and worryingly effective because we tend to take quick action on emails from known entities. Scammers use impersonation in concert with other techniques to defraud organizations and steal account credentials, sometimes without victims realizing their fate for days after the fraud.
Fortunately, we can all follow some security hygiene best practices to reduce the risk of email impersonation attacks.
Tip #1 – Look out for social engineering cues
Email impersonation attacks are often crafted with language that induces a sense of urgency or fear in victims, coercing them into taking the action the email wants them to take. Not every email that makes us feel these emotions will be an impersonation attack, of course, but it’s an important factor to keep an eye out for, nonetheless.
Here are some common phrases and situations you should look out for in impersonation emails:
- Short deadlines given at short notice for processes involving the transfer of money or sensitive information.
- Unusual purchase requests (e.g., iTunes gift cards).
- Employees requesting sudden changes to direct deposit information.
- Vendor sharing new.
This email impersonation attack exploits the COVID-19 pandemic to make an urgent request for gift card purchases.
Tip #2 – Always do a context check on emails
Targeted email attacks bank on victims being too busy and “doing before thinking” instead of stopping and engaging with the email rationally. While it may take a few extra seconds, always ask yourself if the email you’re reading – and what the email is asking for – make sense.
- Why would your CEO really ask you to purchase iTunes gift cards at two hours’ notice? Have they done it before?
- Why would Netflix emails come to your business email address?
- Why would the IRS ask for your SSN and other sensitive personal information over email?
To sum up this tip, I’d say: be a little paranoid while reading emails, even if they’re from trusted entities.
Tip #3 – Check for email address and sender name deviations
To stop email impersonation, many organizations have deployed keyword-based protection that catches emails where the email addresses or sender names match those of key executives (or other related keywords). To get past these security controls, impersonation attacks use email addresses and sender names with slight deviations from those of the entity the attacks are impersonating. Some common deviations to look out for are:
- Changes to the spelling, especially ones that are missed at first glance (e.g., “ei” instead of “ie” in a name).
- Changes based on visual similarities to trick victims (e.g., replacing “rn” with “m” because they look alike).
- Business emails sent from personal accounts like Gmail or Yahoo without advance notice. It’s advisable to validate the identity of the sender through secondary channels (text, Slack, or phone call) if they’re emailing you with requests from their personal account for the first time.
- Descriptive changes to the name, even if the changes fit in context. For example, attackers impersonating a Chief Technology Officer named Ryan Fraser may send emails with the sender name as “Ryan Fraser, Chief Technology Officer”.
- Changes to the components of the sender name (e.g., adding or removing a middle initial, abbreviating Mary Jane to MJ).
Tip #4 – Learn the “greatest hits” of impersonation phrases
Email impersonation has been around for long enough that there are well-known phrases and tactics we need to be aware of. The emails don’t always have to be directly related to money or data – the first email is sometimes a simple request, just to see who bites and buys into the email’s faux legitimacy. Be aware of the following phrases/context:
- “Are you free now?”, “Are you at your desk?” and related questions are frequent opening lines in impersonation emails. Because they seem like harmless emails with simple requests, they get past email security controls and lay the bait.
- “I need an urgent favor”, “Can you do something for me within the next 15 minutes?”, and other phrases implying the email is of a time-sensitive nature. If you get this email from your “CEO”, your instinct might be to respond quickly and be duped by the impersonation in the process.
- “Can you share your personal cell phone number?”, “I need your personal email”, and other out-of-context requests for personal information. The objective of these requests is to harvest information and build out a profile of the victim; once adversaries have enough information, they have another entity to impersonate.
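Tips #3 and #4 describe cues to check by eye; the following added example (not from the original article) runs the same checks as a first-pass screen over a From: header and message body: title appended to the display name, personal-account domain, look-alike characters, near-miss spellings, changed name components, and the bait phrases. The sender directory, the example.com domain, the personal-domain list and the sample messages are all constructed.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory of known senders (display name -> address on file).
KNOWN_SENDERS = {
    "Ryan Fraser": "ryan.fraser@example.com",
    "Mary Jane Smith": "mary.smith@example.com",
}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com", "outlook.com"}

# Tip #4 opening lines and urgency/profiling requests, lower-cased.
BAIT_PHRASES = (
    "are you free now", "are you at your desk", "i need an urgent favor",
    "within the next 15 minutes", "personal cell phone number",
    "i need your personal email",
)


def fold_confusables(text):
    """Lower-case and collapse look-alike sequences ('rn' -> 'm', 'vv' -> 'w',
    '1' -> 'l', '0' -> 'o') so visually identical strings compare equal."""
    text = text.lower()
    for look_alike, canonical in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        text = text.replace(look_alike, canonical)
    return text


def similar(a, b, threshold=0.8):
    """True for near-misses such as 'ei' vs 'ie' (close but not identical)."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold


def name_core(display_name):
    """(first initial, surname) after folding, so a middle initial or an
    abbreviation like 'MJ' for 'Mary Jane' still resolves to the same person."""
    tokens = [t for t in re.split(r"[\s.]+", display_name) if t]
    if not tokens:
        return ("", "")
    return (fold_confusables(tokens[0])[:1], fold_confusables(tokens[-1]))


def resolve_claimed_identity(display_name):
    """Return the directory entry this display name appears to claim, or None."""
    initial, surname = name_core(display_name)
    for known in KNOWN_SENDERS:
        k_initial, k_surname = name_core(known)
        if initial == k_initial and (surname == k_surname or similar(surname, k_surname)):
            return known
    return None


def classify_deviation(seen, expected, fallback=None):
    """Label how 'seen' differs from 'expected'; None when identical, or when the
    difference is too large to be a deliberate look-alike and no fallback is given."""
    if seen == expected:
        return None
    if fold_confusables(seen) == fold_confusables(expected):
        return "visually similar characters"
    if similar(seen, expected):
        return "near-miss spelling"
    return fallback


def screen_header(from_header):
    """Apply the Tip #3 checks to a From: header and return the findings."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    findings = []
    # 'Ryan Fraser, Chief Technology Officer' -> a title appended to the name.
    base_name = display_name.split(",")[0].strip()
    if base_name != display_name.strip():
        findings.append("descriptive title appended to sender name")
    claimed = resolve_claimed_identity(base_name)
    if claimed is None or address == KNOWN_SENDERS[claimed]:
        return findings  # not claiming anyone on file, or the address on file
    expected_user, expected_domain = KNOWN_SENDERS[claimed].split("@")
    user, _, domain = address.partition("@")
    if domain in PERSONAL_DOMAINS:
        findings.append(f"business mail from personal account ({domain})")
    elif domain != expected_domain:
        label = classify_deviation(domain, expected_domain) or "different domain"
        findings.append(f"domain deviation: {label} ({domain} vs {expected_domain})")
    label = classify_deviation(user, expected_user)
    if label:
        findings.append(f"address deviation: {label} ({user} vs {expected_user})")
    label = classify_deviation(base_name.lower(), claimed.lower(), "name components changed")
    if label:
        findings.append(f"sender name deviation: {label} ({base_name} vs {claimed})")
    return findings


def screen_body(body):
    """Flag Tip #4 phrases; whitespace is normalized before matching."""
    text = " ".join(body.lower().split())
    return [f'bait phrase: "{p}"' for p in BAIT_PHRASES if p in text]


def screen_message(from_header, body):
    return screen_header(from_header) + screen_body(body)


if __name__ == "__main__":
    # Constructed sample: title appended, personal account, two bait phrases.
    print(screen_message('"Ryan Fraser, Chief Technology Officer" <ryan.fraser@gmail.com>',
                         "Are you at your desk? I need an urgent favor."))
```

A hit from this screen is a reason to confirm the request over a second channel (Tip #5), not a verdict on its own; the directory lookup only fires when the sender claims to be someone on file.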
Tip #5 – Use secondary channels of authentication
Enterprise adoption of two-factor authentication (2FA) has grown considerably over the years, helping safeguard employee accounts and reduce the impact of account compromise.
Individuals should try to replicate this best practice for any email that makes unusual requests related to money or data. For example:
- Has a vendor emailed you with a sudden change in their bank account details, right when an invoice is due? Call or text the vendor and confirm that they sent the email.
- Did your manager email you asking for gift card purchases? Send them a Slack message (or whatever productivity app you use) to confirm the request.
- Did your HR representative email you a COVID resource document that needs email account credentials to be viewed? Check the veracity of the email with the HR rep.
Even if you’re reaching out to very busy people for this additional authentication, they will understand and appreciate your caution.
These tips are meant as starting points for individuals and organizations to better understand email impersonation and start addressing its risk factors. But effective protection against email impersonation can’t be down to eye tests alone. Enterprise security teams should conduct a thorough audit of their email security stack and explore augmentations to native email security that offer specific protection against impersonation.
With email more important to our digital lives than ever, it’s vital that we are able to believe people are who their email says they are. Email impersonation attacks exploit this sometimes-misplaced belief. Stopping email impersonation attacks will require a combination of security hygiene, email security solutions that provide specific impersonation protection, and some healthy paranoia while reading emails – even if they seem to be from people you trust.
The global COVID-19 pandemic that hit every corner of the world forced us to reimagine our societies and reinvent the way we work and live. The Europol IOCTA 2020 cybercrime report takes a look at this evolving threat landscape.
Although this crisis showed us how criminals actively take advantage of society at its most vulnerable, this opportunistic behavior should not overshadow the overall threat landscape. In many cases, COVID-19 has enhanced existing problems.
Europol IOCTA 2020
Social engineering and phishing remain an effective threat to enable other types of cybercrime. Criminals use innovative methods to increase the volume and sophistication of their attacks, and inexperienced cybercriminals can carry out phishing campaigns more easily through crime as-a-service.
Criminals quickly exploited the pandemic to attack vulnerable people; phishing, online scams and the spread of fake news became an ideal strategy for cybercriminals seeking to sell items they claim will prevent or cure COVID-19.
Encryption continues to be a clear feature of an increasing number of services and tools. One of the principal challenges for law enforcement is how to access and gather relevant data for criminal investigations.
The value of being able to access data of criminal communication on an encrypted network is perhaps the most effective illustration of how encrypted data can provide law enforcement with crucial leads beyond the area of cybercrime.
Malware reigns supreme
Ransomware attacks have become more sophisticated, targeting specific organizations in the public and private sector through victim reconnaissance. While the pandemic has triggered an increase in cybercrime, ransomware attacks were targeting the healthcare industry long before the crisis.
Moreover, criminals have included another layer to their ransomware attacks by threatening to auction off the compromised data, increasing the pressure on the victims to pay the ransom.
Advanced forms of malware are a top threat in the EU: criminals have transformed some traditional banking Trojans into modular malware to cover more PC digital fingerprints, which are later sold for different needs.
Child sexual abuse material continues to increase
The main threats related to online child abuse exploitation have remained stable in recent years; however, detection of online child sexual abuse material saw a sharp spike at the peak of the COVID-19 crisis.
Offenders keep using a number of ways to hide this horrifying crime, such as P2P networks, social networking platforms and using encrypted communications applications.
Dark web communities and forums are meeting places where participation is structured with affiliation rules to promote individuals based on their contribution to the community, which they do by recording and posting their abuse of children, encouraging others to do the same.
Livestreaming of child abuse continues to increase, becoming even more popular than usual during the COVID-19 crisis when travel restrictions prevented offenders from physically abusing children. In some cases, video chat applications in payment systems are used, which becomes one of the key challenges for law enforcement as this material is not recorded.
Payment fraud: SIM swapping a new trend
SIM swapping, which allows perpetrators to take over accounts, is one of the new trends. As a type of account takeover, SIM swapping provides criminals access to sensitive user accounts.
Criminals fraudulently swap or port victims’ SIMs to one in the criminals’ possession in order to intercept the one-time password step of the authentication process.
Criminal abuse of the dark web
In 2019 and early 2020 there was a high level of volatility on the dark web. The lifecycle of dark web market places has shortened and there is no clear dominant market that has risen over the past year.
Tor remains the preferred infrastructure, however criminals have started to use other privacy-focused, decentralized marketplace platforms to sell their illegal goods. Although this is not a new phenomenon, these sorts of platforms have started to increase over the last year.
OpenBazaar is noteworthy, as certain threats have emerged on the platform over the past year such as COVID-19-related items during the pandemic.
VP for Promoting our European Way of Life, Margaritis Schinas, who is leading the European Commission’s work on the European Security Union, said: “Cybercrime is a hard reality. While the digital transformation of our societies evolves, so does cybercrime which is becoming more present and sophisticated.
“We will spare no efforts to further enhance our cybersecurity and step up law enforcement capabilities to fight against these evolving threats.”
EU Commissioner for Home Affairs, Ylva Johansson, said: “The Coronavirus Pandemic has slowed many aspects of our normal lives. But it has unfortunately accelerated online criminal activity. Organised Crime exploits the vulnerable, be it the newly unemployed, exposed businesses, or, worst of all, children.
Fraudsters are decreasing their schemes against businesses, but increasing COVID-19 focused scams against consumers online, according to TransUnion.
Fraudsters targeting businesses less
The percent of suspected fraudulent digital transactions against businesses worldwide decreased 9% from the beginning of the pandemic (“phase 1,” March 11-May 18) to when businesses began reopening (“phase 2,” May 19-July 25). In contrast, consumers targeted by digital COVID-19 schemes increased 10% from the early days of the pandemic (week of April 13) to more recently (week of July 27).
“With the rush for businesses to go digital as many were forced to go completely online almost overnight, fraudsters tried to take advantage,” said Shai Cohen, senior vice president of Global Fraud Solutions at TransUnion.
“They were most likely unsuccessful in their attempts and took their scams elsewhere as those businesses ramped up their digital fraud prevention solutions while providing a friction-right consumer experience. Conversely with consumers, fraudsters are increasingly using COVID-19 to prey on those persons who are facing mounting financial pressures.”
In contrast to the recent suspected fraud decrease against businesses, when comparing phase 1 (March 11-May 18) to right before the pandemic (Jan. 1-March 10), there was a 6% rise in suspected digital fraud against businesses.
Fraudsters shifting industries
When comparing digital transactions pre-pandemic to during the pandemic (March 11-July 25), suspected fraud against businesses remained relatively flat, increasing 1%.
“It appears fraudsters assume travel & leisure companies are scrutinizing transactions less in order to capture more revenue as the pandemic continues to severely negatively impact their business,” said Melissa Gaddis, senior director of customer success, Global Fraud Solutions at TransUnion.
“Another interesting note is that telecommunications, e-commerce and financial services companies – all industries that have fared relatively well during the pandemic – were targeted with the most digital fraud early in the pandemic but are now among the least targeted. This shows us that fraudsters initially targeted the hottest industries with the most money to be had early in the pandemic in order to hide behind the rush of transactions but have now made an obvious shift.”
Globally across industries, the countries with the highest percentage of suspected fraudulent transactions were: 1) Kazakhstan, 2) Greece and 3) Cyprus. In the U.S. overall, the cities with the highest percent of suspected fraudulent transactions were: 1) Livonia, Mich. 2) Akron, Ohio and 3) Jackson, Miss.
Consumers targeted by COVID-19 schemes
To better understand the impacts of COVID-19 on consumers, 8,265 adults in Canada, Colombia, Hong Kong, South Africa, the U.K. and the U.S. were surveyed the week of July 27.
32% of respondents said they had been targeted by digital fraud related to COVID-19, with Gen Z (age 18-25) being the most targeted at 36%. Among consumers reporting being targeted with digital COVID-19 schemes globally, the top pandemic-themed scam is phishing with 27% saying they were hit with it.
Despite the survey showing Baby Boomers were the generation least targeted with digital COVID-19 scams, among consumers reporting being targeted they were the age group saying they faced the highest percentage of COVID-19 themed phishing scams.
“Phishing shows fraudsters aren’t after a quick hit, but rather looking for the long haul,” said Gaddis. “Once a fraudster steals consumer credentials, the wave of disruption they can cause with a stolen or synthetic identity is endless from compromising multiple online accounts to significantly impacting credit scores.”
RiskIQ released a research report revealing a large-scale digital scam advertisement campaign spread through fraudulent news sites and affiliate ad networks that cater to highly partisan audiences.
Scammers are taking advantage of COVID-19 to spread fake news
The report details how misleading, false, and inflammatory news stories about the COVID-19 pandemic are developed on a massive scale by “content farms,” which monetize through ads served by ad networks targeting highly partisan readership. Some of these ads are purpose-built to lure readers into misleading ‘subscription traps’ for products billed as remedies or cures for the virus.
How does a subscription trap work?
A subscription trap works by offering a free or deeply discounted trial of a product while hiding clauses in the terms of service that sign victims up for costly payments remitted on a repeated basis, usually monthly. These subscriptions are often difficult, if not impossible, to escape.
The report clearly defines an ecosystem between partisan content farms that monetize through ad revenue, ad networks that take a cut of the profit, and advertisers that use the generated traffic to ensnare victims in subscription traps. These fraudulent subscriptions are for products such as dietary supplements or beauty products, and more recently, supposed remedies to COVID-19 in the form of CBD oil.
“Scam ads leading to subscription traps seem to be endemic to content farm sites, but there’s a particular network of companies and individuals using the COVID-19 pandemic for financial gain,” said Jordan Herman, threat researcher, RiskIQ.
“We wanted to do a deep dive into this ecosystem to expose how these shady practices are taking advantage of people on a massive scale and making the schemers a lot of money in the process.”
Leveraging fear, anxiety, and uncertainty around COVID-19
These content farms generate traffic by creating politically charged articles leveraging the fear, anxiety, and uncertainty around COVID-19 and gearing them toward a specific audience. These articles, often misleading or patently false, target readers the creators have assessed will likely read, share, and engage with them.
The content farm operators publish these articles on their websites, which use social media accounts and spam email campaigns to further their reach and generate more traffic they can monetize.
Cybercriminals are increasingly registering accounts with legitimate services, such as Gmail and AOL, to use them in impersonation and BEC attacks, according to Barracuda Networks.
BEC attacks impact thousands of organizations
In their most recent threat spotlight report, Barracuda researchers observed that 6,170 malicious accounts using Gmail, AOL and other email services have been responsible for over 100,000 BEC attacks, which have impacted nearly 6,600 organizations. What’s more, since April 1, these ‘malicious accounts’ have been behind 45% of all BEC attacks detected.
Essentially, cybercriminals are using malicious accounts to impersonate an employee or trusted partner, and send highly personalized messages for the purpose of tricking other employees into leaking sensitive information, or sending over money.
Cybercriminals prefer Gmail
The preferred choice of email service for malicious accounts is Gmail, which accounts for 59% of all email domains used by cybercriminals. Yahoo! is the second most popular, accounting for just 6% of all observed malicious account attacks.
Researchers also observed that 29% of malicious accounts are used for less than 24-hour periods – most likely to avoid detection and suspensions from email providers. However, it’s not unusual for cybercriminals to return and re-use an email address for an attack after a long break.
Having analyzed attacks on 6,600 organizations, Barracuda researchers found that in many cases, cybercriminals used the same email addresses to attack different organizations. The number of organizations attacked by each malicious account ranged from one to a single mass-scale attack that impacted 256 organizations — 4% of all the organizations included in the research.
Similarly, the number of email attacks sent by a malicious account ranged from one to over 600 emails, with the average being only 19.
“Because email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purpose of a BEC attack. Securing oneself against this threat requires organizations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests,” said Michael Flouton, VP Email Protection, Barracuda Networks.
“However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag and block any potentially malicious content.”
An INTERPOL assessment of the impact of COVID-19 on cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.
With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.
In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners.
“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19,” said Jürgen Stock, INTERPOL Secretary General.
“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date. The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health,” concluded the INTERPOL Chief.
Online scams and phishing
Threat actors have revised their usual online scams and phishing schemes. By deploying COVID-19 themed phishing emails, often impersonating government and health authorities, cybercriminals entice victims into providing their personal data and downloading malicious content. Around two-thirds of member countries which responded to the global cybercrime survey reported a significant use of COVID-19 themes for phishing and online fraud since the outbreak.
Cybercriminals are increasingly using disruptive malware against critical infrastructure and healthcare institutions, due to the potential for high impact and financial benefit. In the first two weeks of April 2020, there was a spike in ransomware attacks by multiple threat groups which had been relatively dormant for the past few months. Law enforcement investigations show the majority of attackers estimated quite accurately the maximum amount of ransom they could demand from targeted organizations.
Data harvesting malware
The deployment of data harvesting malware such as Remote Access Trojan, info stealers, spyware and banking Trojans by cybercriminals is on the rise. Using COVID-19 related information as a lure, threat actors infiltrate systems to compromise networks, steal data, divert money and build botnets.
Taking advantage of the increased demand for medical supplies and information on COVID-19, there has been a significant increase of cybercriminals registering domain names containing keywords, such as “coronavirus” or “COVID”.
These fraudulent websites underpin a wide variety of malicious activities including C2 servers, malware deployment and phishing. From February to March 2020, a 569 per cent growth in malicious registrations, including malware and phishing and a 788 per cent growth in high-risk registrations were detected and reported to INTERPOL by a private sector partner.
An increasing amount of misinformation and fake news is spreading rapidly among the public. Unverified information, inadequately understood threats, and conspiracy theories have contributed to anxiety in communities and in some cases facilitated the execution of cyberattacks. Nearly 30 per cent of countries which responded to the global cybercrime survey confirmed the circulation of false information related to COVID-19. Within a one-month period, one country reported 290 postings with the majority containing concealed malware.
There are also reports of misinformation being linked to the illegal trade of fraudulent medical commodities. Other cases of misinformation involved scams via mobile text-messages containing ‘too good to be true’ offers such as free food, special benefits, or large discounts in supermarkets.
A further increase in cybercrime is highly likely in the near future. Vulnerabilities related to working from home and the potential for increased financial benefit will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated modi operandi.
Threat actors are likely to continue proliferating coronavirus-themed online scams and phishing campaigns to leverage public concern about the pandemic. Business Email Compromise schemes will also likely surge due to the economic downturn and shift in the business landscape, generating new opportunities for criminal activities.
When a COVID-19 vaccination is available, it is highly probable that there will be another spike in phishing related to these medical products as well as network intrusion and cyberattacks to steal data.
Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.
“From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it’s clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities,” said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion.
“Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.”
To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. were surveyed between June 30 and July 6, 2020.
It asked the consumers if they had been targeted by digital COVID-19 fraud and if so, which digital fraud scheme(s) related to COVID-19 were they targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19 with the below being the top types of COVID-19 fraud they faced:
Top global online COVID-19 scams targeting consumers
Online COVID-19 scams targeting consumers by country
“Although the schemes may vary by country, a new approach to identity verification that supplements traditional authentication methods is needed to defend against their impact,” said Cohen. “The key is creating a friction-right experience where consumers are confident they are dealing with a legitimate organization or business.”
Attackers are trying to trick web administrators into sharing their admin account login credentials by urging them to activate DNSSEC for their domain.
Scam emails lead to fake login pages
The scam was spotted by Sophos researchers, when the admin(s) of their own security marketing blog received an email impersonating WordPress and urging them to click on a link to perform the activation (see screenshot above).
The link took them to a “surprisingly believable” phishing page with logos and icons that matched their service provider (WordPress VIP), and instructed them to enter their WordPress account username and password to start the update.
“The scam then shows you some fake but believable progress messages to make you think that a genuine ‘site upgrade’ has kicked off, including pretending to perform some sort of digital ‘file signing’ at the end,” Sophos’s security proselytiser Paul Ducklin explained.
Finally, either intentionally or by mistake, the victim is redirected to a 404 error page.
Customized phishing pages
The malicious link in the email contained encoded banner and URL information that allowed researchers (and attackers) to customize the scam phishing page with different logos, to impersonate numerous different hosting providers.
“We didn’t even need to guess at the banner names that we could use, because the crooks had left the image directory browsable on their phishing site. In total, the crooks had 98 different ripped-off brand images ready to go, all the way from Akamai to Zen Cart,” Ducklin noted.
The attackers check HTTP headers for information about the target’s hosting provider and customize the scam email and the phishing site accordingly:
Users who fall for the scam, enter their login credentials into the phishing site, and don’t have 2-factor authentication turned on are effectively handing control of their site to the scammers.
Ducklin advises admins never to log in anywhere through links sent via email, to turn on 2FA whenever they can, and to use a password manager.
“Password managers not only pick strong and random passwords automatically, but also associate each password with a specific URL. That makes it much harder to put the right password into the wrong site, because the password manager simply won’t know which account to use when faced with an unknown phishing site,” he noted.
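The URL binding Ducklin describes, as an added example that is not Sophos’s code or any real password manager’s: a minimal vault keys each saved credential on the registrable domain of the site it was saved for, so a look-alike phishing host (including a homograph host) never gets a match. The vault entries, URLs and the tiny stand-in for the public suffix list are constructed assumptions.

```python
"""Why a password manager will not autofill on a look-alike phishing page."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the public suffix list. A real manager
# consults the full list so that e.g. "example.co.uk" is handled correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of a URL, or None if unusable."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or parts.scheme not in ("http", "https"):
        return None
    # IDNA-encode so a homograph host (e.g. with Cyrillic letters) can never
    # compare equal to the plain ASCII domain that was saved.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    tail = ".".join(labels[-2:])
    if tail in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return tail


@dataclass(frozen=True)
class Credential:
    site: str       # registrable domain the credential was saved for
    username: str
    password: str


class Vault:
    """Maps registrable domains to credentials; autofill is keyed on that domain only."""

    def __init__(self) -> None:
        self._entries: dict[str, list[Credential]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        site = registrable_domain(url)
        if site is None:
            raise ValueError(f"cannot save a credential for {url!r}")
        self._entries.setdefault(site, []).append(Credential(site, username, password))

    def candidates(self, url: str) -> list[Credential]:
        """Credentials the manager would offer on this page; empty on an unknown site."""
        site = registrable_domain(url)
        # No scheme downgrade either: a login saved over HTTPS is not offered on plain HTTP.
        if site is None or not url.lower().startswith("https://"):
            return []
        return list(self._entries.get(site, []))


# Constructed walk-through: the genuine login is saved, then three URLs are visited.
vault = Vault()
vault.save("https://wordpress.com/wp-login.php", "admin", "correct horse battery staple")
for visited in ("https://wordpress.com/wp-admin/",
                "https://wordpress.com.site-upgrade.example/login",
                "http://wordpress.com/wp-login.php"):
    print(visited, "->", [c.username for c in vault.candidates(visited)])
```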
31% of Americans are concerned about their data security while working from home during the global health crisis, according to a Unisys Security survey.
Consumer security concerns
The survey found that overall concerns around internet security (including computer viruses and hacking) have plunged in the last year, falling 13 points from 2019 and ranking the lowest among the four primary areas of security surveyed for the first time since 2010.
According to the FBI, online crimes reported to the IC3 have increased by 400% as a result of the pandemic, with as many as 4,000 incidents per day.
The survey also found that most Americans (70%) are not concerned about the risk of being scammed during or about the health crisis. This lack of concern was even more stark compared to the rest of the world, as Americans were 24% less likely to report concern about a data breach during the pandemic as compared to the global average.
Americans were much more likely to be concerned about their country’s economic stability, with 60% registering serious concern (extremely or very concerned), and the stability of the country’s health infrastructure, with 55% extremely or very concerned.
Personal safety concerns rise to the top
The survey also asked U.S. respondents about their concerns related to personal security, national security and financial security.
Not surprisingly, concerns around personal safety and natural disasters and epidemics increased by 17% and 6% from 2019, respectively; however, that was met with a stark drop in concerns over national security, which saw a 19% decrease from 2019.
“It’s not surprising to see people’s level of concern for their personal safety jump in light of the global health crisis. However, the fact that it is not only matched by, but exceeded by, a drop in concerns around hacking, scamming or online fraud reflects a false sense of consumer security,” said Unisys CISO Mat Newfield.
“Hackers target healthcare and essential services organizations looking to steal intellectual property and intelligence, such as details on national health policies and COVID-19 research.
“And hackers are relying on tricks like ‘password spraying,’ which involves an attacker repeatedly using common passwords on many accounts to gain access, putting our most critical infrastructures at risk potentially from the click of a single working-from-home employee.
“This underscores the need for businesses to ensure they are placing a clear and concerted emphasis on proper training for their employees working from home and adopting a zero trust security architecture that leverages best practices like encryption and microsegmentation.”
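Detecting the password spraying pattern Newfield describes, as an added example that is not Unisys’s code: because a spray tries a few passwords against many accounts, per-account lockout counters never trip, so the logic below counts, per source address, distinct accounts with failed sign-ins inside a sliding window and treats a later success from a flagged source as a likely compromise. The log lines and their format are constructed.

```python
"""Password spraying detection over authentication log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAILURE>"
# 192.0.2.5 is a user mistyping twice, 198.51.100.9 hammers one account, 203.0.113.7 sprays.
SAMPLE_LOG = """\
2020-04-02T08:00:01 192.0.2.5 alice FAILURE
2020-04-02T08:00:09 192.0.2.5 alice FAILURE
2020-04-02T08:00:15 192.0.2.5 alice SUCCESS
2020-04-02T08:01:00 198.51.100.9 bob FAILURE
2020-04-02T08:01:02 198.51.100.9 bob FAILURE
2020-04-02T08:01:04 198.51.100.9 bob FAILURE
2020-04-02T08:01:06 198.51.100.9 bob FAILURE
2020-04-02T08:01:08 198.51.100.9 bob FAILURE
2020-04-02T08:05:00 203.0.113.7 user01 FAILURE
2020-04-02T08:05:30 203.0.113.7 user02 FAILURE
2020-04-02T08:06:00 203.0.113.7 user03 FAILURE
2020-04-02T08:06:30 203.0.113.7 user04 FAILURE
2020-04-02T08:07:00 203.0.113.7 user05 FAILURE
2020-04-02T08:07:30 203.0.113.7 user06 FAILURE
2020-04-02T08:08:00 203.0.113.7 user07 FAILURE
2020-04-02T08:08:30 203.0.113.7 user08 FAILURE
2020-04-02T08:09:00 203.0.113.7 user09 FAILURE
2020-04-02T08:09:30 203.0.113.7 user10 FAILURE
2020-04-02T08:20:00 203.0.113.7 user05 SUCCESS
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, bool]]:
    """Parse the assumed format into time-ordered (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), outcome == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=3):
    """Return {ip: {"accounts": set, "first_seen": datetime, "compromised": set}} for sprayers.

    A source is flagged once, within `window`, it has failed against at least
    `min_accounts` distinct accounts while never exceeding `max_per_account`
    failures on any single one (the low-and-slow profile that evades lockout).
    Plain brute force against one account does not match and belongs to a
    different rule. Thresholds are assumptions to tune per environment.
    """
    recent: dict[str, deque] = defaultdict(deque)   # ip -> (ts, user) failures inside the window
    flagged: dict[str, dict] = {}
    for ts, ip, user, success in events:
        if success:
            if ip in flagged:                       # success after a spray: likely compromised
                flagged[ip]["compromised"].add(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:          # drop failures that fell out of the window
            q.popleft()
        per_account: dict[str, int] = defaultdict(int)
        for _, u in q:
            per_account[u] += 1
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            entry = flagged.setdefault(ip, {"accounts": set(), "first_seen": ts, "compromised": set()})
            entry["accounts"].update(per_account)
    return flagged


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, "sprayed", len(info["accounts"]), "accounts; likely compromised:", sorted(info["compromised"]))
```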
Demographic differences take shape
More than 15,000 consumers in 15 countries were surveyed, including more than 1,000 in the U.S., in March and April 2020. On a scale of zero to 300, with 300 representing the highest level of concern, the U.S. index is now at 159, a serious level of concern and the second-highest among the nine developed countries surveyed.
Notably, the survey found that security concerns in all countries are higher among women, younger people and those with lower incomes. In the U.S., the survey found concern was 12 points higher among women than men and 13 points higher among 18-to-24-year-olds than respondents aged 55 to 65.
The level of concern for U.S. respondents with lower incomes was 14 points higher than higher-income respondents.
“The survey shines a spotlight on the significant ways that COVID-19 has impacted everyone, especially women, young adults and those with lower incomes,” said Unisys CMO Ann Sung Ruckstuhl.
“According to the U.S. Census Bureau, nearly half of adults 18 and over have either lost employment income or another adult in their household has lost employment income since the beginning of the pandemic.
“For many women, particularly those with children at home, the pandemic has only magnified the challenges they have long been facing as they juggle career and family.”
The increased use of mobile banking apps due to the COVID-19 pandemic is sure to be followed by an increased prevalence of mobile banking threats: fake banking apps and banking Trojans disguised as those apps, the FBI has warned.
The pandemic and the resulting social distancing brought about many changes. Among them is a preference for using payment cards and electronic funds transfers instead of cash and an increased use of mobile devices to conduct banking activities.
“Studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. Additionally, studies indicate 36 percent of Americans plan to use mobile tools to conduct banking activities, and 20 percent plan to visit branch locations less often,” the FBI pointed out.
Cyber criminals go where the money goes, so the agency expects them to increase their efforts to surreptitiously deliver information-stealing apps and banking Trojans to mobile users.
Banking Trojans are usually disguised as other popular apps – mobile games, utility apps, contact-tracing apps, etc. – while fake banking apps are apps that are made to look like the real deal. Both will harvest login credentials and, increasingly, second authentication factors (one-time passcodes) delivered via SMS or authenticator apps.
The FBI advises users to be careful when installing new apps. Third-party app stores should be avoided, but even official ones like Google Play can harbor malicious apps that have made it through the vetting process by employing different tricks to hide their malicious nature.
If you want to be sure that you’ll download the right mobile banking app, your best bet is to visit your bank’s website and download the app from there, or follow the link they provide to the official app store where it’s hosted.
When downloading any new app, users should check the reviews and the provided developer info. They should also critically evaluate the permissions the app requests and ditch it if it asks for permissions it shouldn’t have (e.g., a wallpaper app that wants to access the user’s contacts or SMS messages).
The FBI also advises users to choose unique, strong passwords for banking apps, a password manager or password management service to “remember” them, and to enable two-factor or multi-factor authentication on devices and accounts where possible.
“Use strong two-factor authentication if possible via biometrics, hardware tokens, or authentication apps,” the agency urged, and warned not to give two-factor passcodes to anyone over the phone or via text.
“If you encounter an app that appears suspicious, exercise caution and contact that financial institution. Major financial institutions may ask for a banking PIN number, but will never ask for your username and password over the phone,” the FBI added.
“Check your bank’s policies regarding online and app account security. If the phone call seems suspicious, hang up and call the bank back at the customer service number posted on their website.”
There was a 37 percent increase worldwide in enterprise mobile phishing encounter rate between the fourth quarter of 2019 and the first quarter of 2020, according to Lookout.
The cost of enterprise mobile phishing
The report also shows that unmitigated mobile phishing threats could cost organizations with 10,000 mobile devices as much as $35 million per incident, and up to $150 million for organizations with 50,000 mobile devices.
“Cybercriminals are exploiting the ability to socially engineer victims on their mobile device in order to steal their credentials or sensitive private data.”
Today, the number of people working away from the office is at a record high. In order to stay productive, employees have turned to their smartphones and tablets.
Mobile devices make it harder to spot tell-tale signs of a phishing link
Phishing has been the most commonly used method for cybercriminals to infiltrate an organization, and businesses have deployed user training and email phishing security to combat them. But with mobile devices, phishing risks no longer simply hide in email, but in SMS, messaging apps, and social media platforms.
In addition, with a smaller form factor and simplified user experience, mobile devices also make it harder to spot the tell-tale signs of a phishing link – enabling a higher success rate for the cybercriminals attacking mobile compared to desktop devices.
“Phishing has evolved into a massive problem that expands far beyond the traditional email bait and hook,” said Phil Hochmuth, program vice president of enterprise mobility at IDC.
“On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before. In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.”
Phishers are impersonating companies’ IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials.
Yet another Office 365 phishing campaign
“The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website,” Abnormal Security explained.
The phishers are betting on the high possibility that the recipients are working from home and need to use VPN for work-related tasks. They hope the targets will be concerned about the possibility of losing access to company resources and that that concern will override their good sense and anti-phishing training.
The original email headers show that the email has not been sent from the recipients’ organization, but the sender email has been spoofed to say it has.
The phishing Office 365 login page is hosted on a Microsoft .NET platform, with a valid Microsoft certificate, which might be enough to fool some targets.
“Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website,” the researchers noted.
“Should the recipient fall victim to this attack, the user’s credentials would be compromised. Information available with the user’s Microsoft credentials via single-sign on are at risk as well.”
Ransomware gangs targeting businesses are currently getting more public attention, but scammers trying to trick employees into performing fraudulent wire transfers are once again ramping up their efforts, US-headquartered law firm BakerHostetler has warned.
BEC scams and fraudulent wire transfers
The same tactics have been employed by BEC scammers for years, but businesses of all sizes continue to fall for them.
The scam is usually discovered when the accounting department of a company starts seeing an increase in accounts receivable for one or more customers, then follows up on the outstanding invoices.
The customer reports that they have already paid the invoices and provides proof of the wire transfer, but the document shows that the money transfer was made to the wrong bank account. The customer says they’ve followed the accounting department’s instructions, after receiving an email with “new” wire instructions from them.
“The email, of course, is not from the accounting department but from a fraudster,” the lawyers explained.
“Sometimes the bad actor compromised an accounting department employee’s email account to find customers, steal invoices and gain an understanding of the cadence and manner of billing emails. Sometimes the bad actor compromised the customer’s email account for the same purpose and then used an email that looked enough like the vendor’s accounting department email address to trick the customer. But whatever the method of access and communication, the two entities share the same outcome: Money has been paid to bad actors, and it is highly unlikely that it will be recouped, even with law enforcement intervention.”
The worst thing about these schemes is that they are easily thwarted by setting up certain policies and low-cost technical measures.
For example: companies should consider enabling multi-factor authentication for web-based email access so that scammers can’t exploit phished credentials to take over business email accounts.
Blocking access to company email accounts from IP addresses that resolve to countries where the company does not have employees is also a good idea, and so is setting up alerts that are triggered when the email account is accessed from two locations within a time span that would not allow for travel between the two locations, the lawyers advise.
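The two mailbox-access alerts the lawyers recommend, worked through as an added example that is not the law firm’s or any vendor’s code: given webmail sign-in events that already carry a country and coordinates (assumed to come from an IP geolocation lookup), it flags sign-ins from countries where the company has no staff and pairs of sign-ins by the same account whose distance-over-time exceeds a plausible travel speed. The events, the allowed-country set and the speed threshold are constructed assumptions.

```python
"""Geo-restriction and impossible-travel alerts on mailbox sign-ins."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Iterable

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed; an assumption for this example
MIN_TRAVEL_DISTANCE_KM = 50.0     # below this, treat as same metro area / ISP churn, not travel


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime      # UTC
    country: str        # ISO 3166-1 alpha-2, from geolocation (assumed)
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str           # "disallowed_country" or "impossible_travel"
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect(events: Iterable[SignIn], allowed_countries: set[str]) -> list[Alert]:
    """Return one alert per disallowed-country sign-in and per implausible consecutive pair."""
    alerts: list[Alert] = []
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        if e.country not in allowed_countries:
            alerts.append(Alert(e.user, "disallowed_country", f"{e.country} at {e.when.isoformat()}"))
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda s: s.when)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_TRAVEL_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Zero elapsed time with real distance is impossible; so is exceeding the speed cap.
            if hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                alerts.append(Alert(user, "impossible_travel",
                                    f"{dist:.0f} km in {hours:.2f} h ({prev.country} to {cur.country})"))
    return alerts


# Constructed events: alice's mailbox is opened from Chicago and 40 minutes later from Lagos;
# bob commutes between New York and Boston over four hours.
SAMPLE_EVENTS = [
    SignIn("alice", datetime(2020, 3, 3, 9, 0), "US", 41.8781, -87.6298),
    SignIn("bob", datetime(2020, 3, 3, 8, 0), "US", 40.7128, -74.0060),
    SignIn("bob", datetime(2020, 3, 3, 12, 0), "US", 42.3601, -71.0589),
    SignIn("alice", datetime(2020, 3, 3, 9, 40), "NG", 6.5244, 3.3792),
]
COMPANY_COUNTRIES = {"US", "CA"}   # assumption: where the company has employees

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, COMPANY_COUNTRIES):
        print(a.user, a.kind, a.detail)
```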
On the other hand, scammers may choose not to compromise legitimate business email accounts but set up rogue ones that are made to look like they are owned by the business.
Employees who deal with payments should be taught about the danger presented by these emails, instructed on how to spot red flags, and regularly reminded to always verify all requests to change bank account information by calling a known telephone number for that customer, vendor or business partner (definitely not a phone number included in the email!).
Finally, a business might be wise to these tricks, but it costs them nothing to raise awareness and educate customers and business partners by sending an email delineating all this information and good advice.
You’ve been scammed, now what?
Recouping the fraudulently transferred funds once an employee falls for the scam might turn out to be a challenging endeavor.
The sooner the company discovers the incident, the better its chances of getting the money back. The bank must be notified immediately and the incident reported to law enforcement.
If you’re in the US and the fraudulent wire transfer has been made to a domestic bank account, the FBI’s Internet Crime Complaint Center (IC3)’s Recovery Asset Team might be able to get it back for you. “During its inaugural year, the team assisted in the recovery of over $300 million lost through on-line scams, boasting a 79% return rate of reported losses,” the FBI boasted earlier this year.
It’s also important to find out whose email account was compromised by the scammers.
Not only is this important to decide who will “eat” the loss if the money can’t be recovered, but also because companies whose email account(s) have been compromised might have more to lose than just money: the scammers might have accessed personal and business information residing in the account and might use it to perpetrate additional fraud.
Also, the lawyers noted, “the business whose email was compromised may have additional legal obligations based on state or federal data breach notification laws or contractual clauses with other business partners.”
Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise in the number of at-home workers, one method that has become increasingly common over the past few months is vishing attacks, i.e., phishing campaigns executed via phone calls.
Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend:
- People are actually at home to receive calls, giving threat actors more hours to connect with live targets
- Everyone is on high alert for information about the pandemic, stimulus checks, unemployment compensation, ways to donate to charitable organizations, and other COVID-related topics, providing attackers with an endless supply of vishing social engineering options
- Cybercriminals conduct research and use personal information – the last four digits of a social security number, for example – to build credibility and fool their victims into thinking they are speaking with legitimate sources.
Let me expand on this last point. Modern vishing attacks use research-based social engineering to attack targets with convincing scams. How do these attackers know so much about their targets? Typically, cybercriminals obtain personally identifiable information in one of three ways:
1. Social media
Many social media profiles are not protected from public view and they serve as a treasure trove of personal information that can be used for building attacks. For example, listing your place of employment with an employee badge not only lets an attacker know where you work, but what the company badge looks like for replication purposes.
“About You” sections of social media accounts often reveal personal information that can be used for password reset fields – your favorite color, your dog’s name, or the city you were born in. And detailed posts outlining work projects, professional affiliations and technologies you’re using all help build a valid pretext scenario.
2. Password dumps
There has been no shortage of public data breaches that have resulted in extensive password dumps containing usernames, email addresses and passwords of compromised accounts. Individuals often reuse passwords across different accounts, which makes it easy for attackers to hack their way in through “credential stuffing.” For example, a LinkedIn password and user email address exposed in a breach could be used to access bank or e-commerce accounts.
3. Search engines
An individual’s name, address and a photo of their signature can often be found online via local government public records sites. In addition, paid services exist for individuals who want to obtain additional information, such as a target’s date of birth or marital status.
Many people don’t realize how much personal information can be found via a simple online search. As a result, when an attacker uses things like the last four digits of their social security number, the town in which they live, or the names of their children, victims assume the person they are speaking to is a credible source, and they don’t think twice about divulging information that they would otherwise keep private.
Vishing is a business problem, too
On the surface, it might seem like vishing attacks are a consumer problem only. But, in reality, businesses can be impacted too – especially now, as a significant portion of employees across the country are working from home.
These employees not only have corporate information stored on their personal devices, but they also generally have remote access to internal corporate resources. Vishing attacks are designed to build relationships with employees, eventually convincing them to give away confidential information, or to click on malicious links that are sent to them by the visher, who has earned confidence as a “trusted source.” As with other social engineering attacks, the ultimate goal is to gain access to corporate networks and data, or to get other information that can be used to commit fraud.
Tips for mitigating COVID-19 vishing attacks
Mitigating the risk of vishing attacks requires a multi-faceted approach, but it should start with end user awareness and education.
As soon as possible, businesses should roll out employee training sessions (even if they’re virtual) that explain what vishing is, how cybercriminals obtain personal information, and how they’re exploiting the COVID-19 pandemic to trick victims.
They should provide basic security tips, such as keeping social media accounts private and using different passwords for different accounts, as well as best practices for responding to a real-world attack. Incorporating attack simulations into training programs can also be a great way to teach employees how to respond to a vishing campaign using defined internal processes.
Technical controls are another key component of a layered security strategy to protect employees and your business from vishing threats. Web filters, antivirus software, and endpoint detection and response solutions are examples of the types of standard security controls that should be implemented. In addition, password policies must be defined and communicated to employees. And, last but not least, multi-factor authentication can be effective in thwarting attacks, as it forces cybercriminals to crack more than one user credential to gain access to corporate systems.
Defending against vishing during the pandemic and beyond
Even though COVID-19-prompted shelter-in-place orders are lifting across the country, many organizations are maintaining work-at-home policies for the safety of their employees and because they realize the operational and financial benefits that come along with telecommuting programs. This means that protecting the remote workforce should continue to be a top priority for businesses of all sizes and defending against vishing attacks should be a core component of security strategy.
Vishers will continue to come calling long after the COVID-19 pandemic comes to an end, so it’s important to make sure remote workers – and all employees – know how to identify suspicious callers, just like they should know how to identify suspicious emails. Supplementing employee education with the proper security controls is a good starting point to keep your staff and your business safe regardless of who’s on the other end of the line.
“Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager,” Abnormal Security noted.
The fake LogMeIn security update request
The phishing email has been made to look like it’s coming from LogMeIn. Not only does the company logo feature prominently in the email body, but the sender’s identity has been spoofed and the phishing link looks, at first glance, like it might be legitimate:
“The link attack vector was hidden using an anchor text impersonation to make it appear to actually be directing to the LogMeIn domain,” Abnormal Security explained.
“Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic. Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”
Advice for users
This LogMeIn-themed phishing campaign is a small one, but users should know that the company has seen an “incredible uptick” in collaboration software impersonations in the past month.
Be careful when perusing unsolicited email, even if it looks like it’s coming from a legitimate source. If you have to enter login credentials into a web page, make sure you landed on that page by entering the correct URL yourself or by opening a bookmark – and not by following a link in an email.
In this particular case, you can be sure that if LogMeIn asks you to update something, the request/reminder will be shown once you access your account, so you’re not losing anything by ignoring the email and the link in it.
The telecommunications, retail and financial services industries have been increasingly impacted by COVID-19 online fraud, according to TransUnion.
From a consumer perspective, Millennials have been most targeted by fraudsters using COVID-19 scams.
Overall, the percent of suspected fraudulent digital transactions rose 5% from March 11 to April 28 when compared to Jan. 1 to March 10, 2020. More than 100 million risky transactions from March 11 to April 28 have been identified.
“Given the billions of people globally that have been forced to stay at home, industries have been disrupted in a way not seen on this massive of a scale for generations,” said Shai Cohen, Senior VP of Global Fraud & Identity Solutions at TransUnion.
“Now that many transactions have shifted online, fraudsters have tried to take advantage and companies must adapt. Businesses that come out on top will be those leveraging fraud prevention tools that provide great detection rates and friction-right experiences for consumers.”
Examining fraud types and their impact on industries
“Our data shows that as social distancing changes shopping patterns, fraudsters have taken notice and targeted the more digital forward industries while following the money,” said Melissa Gaddis, senior director of customer success for TransUnion Global Fraud & Identity Solutions.
“For instance, although we found online gaming increased 64% as people stay home, it isn’t immediately lucrative to target those companies since financial information isn’t generally shared there.
“However, telecommunications, e-commerce and financial services all have large digital adoption, financial information and payments at the center of their online experience, and fared relatively well compared to other industries during the pandemic.”
Globally across industries, TransUnion found the countries with the highest percent of suspected fraudulent transactions were: 1) Yemen, 2) Syria and 3) Kazakhstan. In the U.S. overall, TransUnion found the cities with the highest percent of suspected fraudulent transactions were: 1) Springfield, Mass., 2) Akron, Ohio, and 3) Louisville, Ky.
Consumers targeted by COVID-19 schemes
To better understand the impacts of COVID-19 on consumers, 9,215 adults in the U.S., Canada, Colombia, Hong Kong, India, South Africa and the U.K. were surveyed during the week of April 13.
Nearly three out of 10 respondents (29%) said they had been targeted by digital fraud related to COVID-19, with Millennials (those persons between the ages 26-40) being the most targeted at 34%.
Furthermore, consumers who said their household income is being negatively impacted by the COVID-19 pandemic are more likely to experience digital fraud, with 32% reporting being targeted by online COVID-19 scams compared to 22% of people not financially impacted.
“A common assumption is that fraudsters target older generations who are perceived to be less digitally capable,” said Gaddis.
“Our data showed the opposite with younger generations, Millennials and Gen Z (those born in or after 1995), being the most targeted. Adding insult to injury, our survey found Millennials are being financially challenged the most during the pandemic.”
There has been an exponential growth in phishing and website scams in Q1 2020, according to a Bolster analysis of over 1 billion websites. 854,441 confirmed phishing and counterfeit pages and 4M suspicious pages were detected.
COVID-19 cybercriminal activity
Of the total number of confirmed phishing and counterfeit pages, 30% were related to COVID-19 – that is over a quarter of a million confirmed malicious websites.
Daily phishing creation soars
Over 3,142 phishing and counterfeit pages went live every day in Jan. with that number increasing to 8,342 in March — due to the COVID-19 pandemic. Over 25,000 pages were created on 3/19 — a record for the quarter.
SaaS, telecoms, and finance suffer the most from phishing
SaaS and telecoms were the industries most impacted by phishing scams, followed by finance, retail, and streaming.
COVID medical scams play on a cure
In the month of March alone, 102,676 websites related to medical scams were found, with 1,092 websites either selling Hydroxychloroquine or spreading misinformation about using it to cure COVID-19.
Stimulus checks and loans brought out the hackers
There were over 145,000 suspicious domain registrations with ‘stimulus check’ in them. The number of scam websites that claim to offer small business loans jumped 130 percent from February to March. Hackers spun up 60,707 banking websites to attempt to siphon off stimulus funds.
Hackers target remote workers and those quarantined
Collaboration and communication phishing sites saw a 50% increase from Jan to March, as a large majority of the workforce began working from home.
Streaming phishing sites saw an 85% increase from Jan to March, with over 209 websites being created per day — attempting to capitalize on those looking for entertainment during lockdowns.
Bolster discovered multiple phishing websites peddling fake COVID-19 cryptocurrencies and crypto wallets that aim to siphon data for future phishing, targeted malware, or credential stealing.
One COVID-19 cryptocurrency bills itself as “The World’s Fastest Spreading Crypto Currency” and attempts to get visitors to download suspicious files off GitHub. Another site prompts visitors to register to find out more information about a COVID coin that “gains value as more people die and get infected”.
“We anticipate phishing site creation will continue to increase, especially as we proceed further into a COVID-minded world. The phishing lures and tactics of cybercriminals will consistently evolve to keep up with the rapidly changing threat landscape, but the underlying credential theft will not,” said Abhishek Dubey, CEO, Bolster.
“Cybersecurity conscious organizations will need to work together and leverage AI, automation and security training to effectively combat phishing and online fraud during this surge and beyond.”
We believe we are less likely than others to fall for phishing scams, thereby underestimating our own exposure to risk, a cybersecurity study has found. The research also reports that this occurs, in part, because we overlook data, or “base rate information,” that could help us recognize risk when assessing our own behavior, yet we use that same data to predict the behavior of others.
Together, the results suggest that those who are not informed of the risk that, for instance, work-from-home situations pose to online security may be more likely to jeopardize the safety of themselves and those they work for.
COVID-19 wreaking havoc on cyber health
COVID-19 has had a devastating impact on the physical and mental health of people around the globe. Now, with so many more working online during the pandemic, the virus threatens to wreak havoc on the world’s “cyber health,” the researchers note.
“This study shows people ‘self-enhance’ when assessing risk, believing they are less likely than others to engage in actions that pose a threat to their cyber security – a perception that, in fact, may make us more susceptible to online attacks because it creates a false sense of security,” says Emily Balcetis, an associate professor in New York University’s Department of Psychology, who authored the study.
“This effect is partially explained by differences in how we use base rate information, or actual data on how many people are actually victimized by such scams,” adds co-author Quanyan Zhu, a professor at NYU’s Tandon School of Engineering.
“We avoid it when assessing our own behavior, but use it in making judgments about actions others might take. Because we’re less informed in assessing our actions, our vulnerability to phishing may be greater.”
Through March, more than two million U.S. federal employees had been directed to work from home – in addition to the millions working in the private sector and for state and local governments. This overhaul of working conditions has created significantly more vulnerabilities to criminal activity – a development recognized by the Department of Homeland Security.
Its Cybersecurity and Infrastructure Security Agency issued an alert in March that foreshadowed the specific cyber vulnerabilities that arise when working from home rather than in the office.
How people perceive their own vulnerabilities in relation to others
In their study, the researchers sought to capture how people perceive their own vulnerabilities in relation to others’.
To do so, they conducted a series of experiments on computer screens in which subjects were shown emails that were phishing scams and were told these requests, which asked people to click links, update passwords, and download files, were illegitimate.
To tempt the study’s subjects, college undergraduates, they were told complying with the requests would give them a chance to win an iPad in a raffle, allow them to have their access restored to an online account, or other outcomes they wanted or needed.
Half of the subjects were asked how likely they were to take the requested action, while the other half were asked how likely another person, specifically “someone like them,” would be to do so.
On the screen that posed these questions, the researchers also provided the subjects with “base rate information”: The actual percentage of people at other large American universities who actually did the requested behavior (One, for instance, read: “37.3% of undergraduate students at a large American university clicked on a link to sign an illegal movie downloading pledge because they thought they must in order to register for classes”).
The researchers then deployed an innovative methodology to determine if the subjects used this “base rate information” in reporting the likelihood that they and “someone like them” would comply with the requested phishing action.
Using eye-tracking technology, they could determine when the subjects actually read the provided information when reporting their own likelihood of falling for phishing attempts and when reporting the likelihood of others doing the same.
Subjects less likely to rely on “base rate information”
Overall, they found that the subjects thought they were less likely than others to fall for phishing scams – evidence of “self-enhancement.” But the researchers also discovered that the subjects were less likely to rely on “base rate information” when answering the question about their own behavior, yet more likely to use it when answering the question about how others would act.
“In a sense, they don’t think that base rate information is relevant to their own personal likelihood judgments, but they do think it’s useful for determining other people’s risk,” observes Balcetis.
“The patterns of social judgment we observed may be the result of individuals’ biased and motivated beliefs that they are uniquely able to regulate their risk and hold it at low or nonexistent levels,” Blair Cox, the lead researcher on the paper and scientist in NYU’s Department of Psychology, adds. “As a result, they may in fact be less likely to take steps to ensure their online safety.”