There has been a steady rise in COVID-19 scams and attacks since the novel coronavirus pandemic went global in February. Traditional cybercriminals, as well as new groups, have been exploiting the situation and will likely continue until COVID-19 is no longer a front-page news item. The attack techniques look familiar: phishing, phone calls, malicious apps, malicious domains, and crafty SEO techniques, along with social engineering techniques designed to entice people to click on links or attachments to install malware or steal login credentials.

Considering the rapid increase of remote workers, businesses are more vulnerable to these types of scams and attacks. Don't get scammed or compromised on your work systems, which could and lead to a data breach or lost data at your organization.

Malicious COVID-19 “informational” Websites

Since the beginning of the pandemic, criminals have turned to creating fraudulent websites to trick people to download malware. As cybersecurity investigative reporter Brian Krebs wrote last month, several active attacks are using interactive dashboards that resemble legitimate COVID-19 information sites, including those being sold in several online forums.

According to Krebs, "Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a malware deployment scheme." 

“It loads [a] fully working online map of Corona Virus infected areas and other data,” the seller explains. The “map is resizable, interactive, and has real time data from World Health Organization and other sources. Users will think that PreLoader is actually a map, so they will open it and will spread it to their friends and it goes viral!”,” Krebs reported.

In a joint advisory from the U.K.'s National Cyber Security Centre (NCSC) and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the agencies announced that there has been an increasing number of scammers attempting to exploit the COVID-19 pandemic. “In the U.K., the NCSC has detected more U.K. government branded scams relating to COVID-19 than any other subject. 

COVID-19 phishing scams are on the rise

In recent weeks COVID-19 related phishing emails have been circulating everywhere. Some try to trick people into providing purchase order information; others are related to government aid related to the financial impact of the pandemic.

Not all of these emails are easy to identify. Some of these phishing attacks will prove costly this year, especially with all of the confusion and change in routines due to so many workers going remote.

Of course, every time there is some major public event, criminals set out to take advantage, and COVID-19 is no exception. And we are seeing attacks that are targeting parents, attacks using official government agencies to attempt to scare people into action, and other social engineering techniques. These include claims that children have been exposed to novel coronavirus and that they may need to be quarantined, and seek personal information that can be used for identity theft.

COVID-19 Charity Scams

Whenever there’s a humanitarian crisis of any kind, scammers come out with text messaging, voice, and phishing scams.  The FTC has warned about potential novel coronavirus charity scams as the scamsters set out to take advantage of those with a desire and ability to help financially.

To help consumers avoid getting scammed, independent charity evaluator Charity Navigator provides some tips to help avoid such crooks. They include checking the status of the charity’s registration, something that can be done by looking up their 501(c3) status (if based in the U.S.). They also suggest investigating the charity's history and background, as well as searching Google for potential clues. Charity Navigator's advice is available here. The FTC provides guidance here. They are worth sharing with staff and contractors.

Healthcare and Government Assistance Scams

Scammers are angling themselves to get a piece of peoples' novel coronavirus relief checks, something the FTC is also warning users about. The FTC provides a series of steps they can take to avoid such scams, including not giving anyone any "sign-up" information for the relief check, or setting up the relief check with anyone but the IRS, and to ignore claims that are too good to be true, such as anyone claiming to have early access to the cash. They don’t. The FTC’s full guidance is available here.

Covid Testing and Treatment Scams

There have been many reports of scams that claim to offer testing for the Corona Virus.  Currrently there are not any reliable home test kits available.  Scammers also claim to have a "cure" or treatment for Covid-19 that they will gladly sell to you.  The CDC, says that there are no magic cures or treatments available yet for Covid-19.  Another version of these scams involves selling personal protective equipment or PPE, such as gloves, masks, face shields, or gowns.  There have been reports of people selling these items through legitimate sites like Amazon, Ebay, Etsy, etc, but not ever delivering the product.  So be careful and check out the seller.

Business Email Compromise Scams

Coronavirus will also be used as a central part of Business Email Compromise (BEC) scams.  Recently, the FBI, the CDC, and the FTC also issued warnings about phone scams and phishing attacks from fraudsters who pretended to be charity workers or workers from some government agency. They sent emails with links to websites with malicious downloads and attachments so that they can take control of the user endpoints.

As Sulviu Stahie wrote in FBI Issues Warning about BEC Scams Using Cloud-based Email Services, such attacks have netted $2.1 billion in the past five years.  Over the last few years, we have taught in our training classes that  using "free email" services put you and your business at risk.  You need to be using a proper business class email service that can scan for these various types of attacks.

Unlike standard phishing attacks, BEC attacks target business users specifically, typically business users that conduct fund transfers. In these schemes, attackers claim to be with a vendor or other organization affiliated with the organization and try to socially engineer financial information or login credentials from their targets.

The FBI recently shared several incidents of BEC attacks, including a financial institution that received an email from the CEO of a company that had previously scheduled a $1 million transfer. They requested the transfer be made sooner than originally planned: "due to the Coronavirus outbreak and quarantine processes and precautions." The email used by the attackers was almost identical to the CEO's actual email address. Only one letter changed.

In an earlier alert, the FBI advised that the best way staff can avoid being tricked by a BEC attack is by getting personal and “verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” Special Agent Martin Licciardo said. "Don't rely on email alone."

While COVID-19 remains in the news and a large number of new remote workers continue working remotely, scammers are going to continue to try to exploit fear, confusion, and a desire for information.  Organizations need to deploy all of the mitigating security controls they reasonably can. But they also keep employees aware so that they maybe reconsider before they act on the next phishing, phone, or text messaging attack, tempting malicious app download, or social engineering techniques attackers use to trick them. 

As always, contact Ultimate IT Guys if you need help with your computers, network or security.