OTTAWA—COVID-19 scammers are changing tactics as the pandemic stretches on, offering their Canadian targets “help” with previous pandemic data breaches.
Scott Jones, the head of the Canadian Centre for Cyber Security, said criminals are using “far more effective” lures to convince Canadians to hand over personal and sensitive information, like banking credentials.
Jones told the Star that while early in the pandemic scammers were targeting Canadians with offers of supplies like masks and hand sanitizer, they’re now capitalizing on some high-profile data breaches and suggesting to their marks their information has already been compromised.
Jones points to the common telephone scheme of an automated voice identifying itself as the “legal department of social development Canada.”
“They know that people have gotten enough of that scam. Now they’re talking about ‘we want to talk to you about the data breach.’ So now they’re using a cyber security incident to lure you to give more (personal) information,” Jones said in an interview Monday.
“We’re seeing the threat actors really pivoting quickly based on what’s happening in the news media.”
On Aug. 15, the Canadian government announced that 5,500 Canada Revenue Agency accounts were compromised in what is known as a “credential stuffing” attack — where hackers took user names and passwords from previous data breaches to gain access to CRA accounts.
The best defence against that kind of attack, Jones said, is to ensure using strong passwords or passphrases — and not reusing passwords across multiple accounts, like your email and banking services.
“This is one of those rare times in a cyber security incident where you can do something that will immediately protect you,” Jones said.
“Go on, take this action, change your password to something unique, and it will immediately make it harder (to compromise the account).”
On Tuesday, the Communications Security Establishment (CSE), Canada’s electronic spying and cyber defence agency, confirmed it has “contributed to the removal” of approximately 3,000 websites and fraudulent email addresses impersonating federal government departments involved in the COVID-19 response, like the CRA and the Public Health Agency of Canada.
The Canadian Center for Cyber Security is a new division of the CSE. The centre sends out information on vulnerabilities and cyber attacks to the public and private sector.
The cyber threats facing Canadians — individuals, businesses, and public institutions — have changed, like everything else, during the pandemic. The Cyber Centre has put a special emphasis on basic “digital hygiene” and individual actions people can take without the benefit of an IT department to make sure systems are more secure.
Jones acknowledges that it’s been an uphill battle to bring industry and the public onside. For much of the past 70 years, CSE has operated as a highly secretive agency within the Canadian security community. Outside of that community, few Canadians know what CSE does.
But Jones said that when the CSE took the extraordinary step of publicly naming Russia for backing cyber attacks against Canadian COVID-19 research, the health research industry’s ears perked up.
“The change that I can talk about (after the statement) is the industry is really collaborating with us on proactively addressing any threats and any vulnerabilities,” Jones said.
“If that attribution statement did only one thing, and I think it did a few, but the most important for me was it helped us show that this was serious activity targeting the entire industry rather than a few victims.”
Neil Desai, a senior fellow at the Centre for International Governance Innovation and an executive with digital investigations firm Magnet Forensics, said CSE has made some promising first steps in pushing out unclassified threat warnings and information about vulnerabilities.
But Desai, a former civil servant at Global Affairs Canada and the Prime Minister’s Office, said he’d like to see the agency be even more proactive — and strategic — in partnering with industry to counter cyber security threats.
“We have to start having a better interchange in that declassified space on a regular basis on what can be shared,” Desai said in an interview.
“But it’s a two-way street. I think they have to get closer to industry, but I think industry also has to put its hand up to say ‘I’m willing to do this and I’m willing to show up quarterly to talk about these issues.’”
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.