Cyberwarfare / Nation-State Attacks
Businesses Asked to Report COVID-19-Themed Crime to Police
As cybercriminals and nation-states take advantage of the COVID-19 pandemic to further their own aims, authorities are calling on victims to report online attacks as quickly as possible to help them better disrupt such activity.
See Also: Targeted vs. Automated Account Takeover Attacks
“We know that cybercriminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the coronavirus outbreak,” says Paul Chichester, director of operations at the U.K.’s National Cyber Security Center. NCSC, the public-facing arm of British intelligence service GCHQ, coordinates national incident response. This week, it published a home-working guide for organizations to help them best prepare for protecting their staff and operations (see: 9 Cybersecurity Takeaways as COVID-19 Outbreak Grows).
“Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails,” he says. “In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”
Reporting recommendations vary by country. In the U.K., the national fraud and cybercrime reporting center is Action Fraud, which is run by the City of London Police, the nation’s lead force for investigation of fraud. In the U.S., the contact point is the FBI’s Internet Complaint Center, or IC3 (see: FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
Security experts and law enforcement officials regularly warn that only a small fraction of victims ever alert authorities after they’ve been hacked or have experienced fraud or some other type of online-enabled crime. Because law enforcement budgets – and priorities – get set based on crime levels, under-reporting crime can mean sufficient resources don’t get brought to bear to try to disrupt criminals’ efforts.
UK: $1 Million in Scams and Fraud
Action Fraud warns that it’s running a reduced service at the moment, meaning any victims waiting to report crime may face longer wait times.
On Friday, Action Fraud reported that since Feb. 1, it’s received 105 reports of crime with a coronavirus or COVID-19 theme, with reported losses reaching nearly £970,000 ($1.14 million). “The majority of reports are related to online shopping scams where people have ordered protective face masks, hand sanitizer and other products, which have never arrived,” it says.
Criminals Continue to Capitalize on COVID-19
Since last month, security experts have charted a rise in online attacks – phishing, malware and nation-state campaigns – that attempt to play on COVID-19 fears. As the pandemic continues and individuals are increasingly required to minimize social contact or even shelter in place to help blunt the impact of the virus, many workforces have become remote virtually overnight. And many corporate IT and security departments are still rushing to get the right tools and defense in place.
Attackers have been using COVID-19-themed malware, social engineering and phishing messages that include links leading to malicious sites or have attached Microsoft Office documents with malicious macros designed to download and execute malware on a victim’s system. Some of these messages appear to come from the World Health Organization or U.S. Center for Disease Control, exploiting individuals’ obvious need to know more about the pandemic.
Dark Web Chatter
In the past month, threat-intelligence firm Digital Shadows has seen a massive increase in cybercrime forum chatter about COVID-19. It says that since Feb. 19, dark web search activity for COVID-19 increased more than seven-fold, just as it has on the clear web, with individuals searching for information via Google.
Despite cybercrime forum users talking about COVID-19, however, not all of them appear to be trying to profit from it. In particular, Digital Shadows says that forum posters asking for ways to exploit the pandemic are often met with a barrage criticism from their fellow cybercrime aficionados.
Unfortunately, this hasn’t blunted attempts to turn COVID-19 to some criminals’ advantage. Meanwhile, two ransomware gangs – Maze and DoppelPaymer – have promised to provide free decryptors to any hospital they hit, Bleeping Computer reports.
But such promises, even if true, belie the fact that it takes time to unlock systems. Any interruption of healthcare facilities or their suppliers creates unnecessary delays and will could lead to more people dying.
While cybercrime is a fact of life, incident responders have been calling on criminals to avoid contributing to the disruption caused by COVID-19, a disease that in many countries is proving to have an exponentially increasing fatality rate.
“We ask for your empathy. If you attack a healthcare organization, you are taking lives – not money,” says ransomware incident response firm Coveware in a blog post addressed to cybercriminals. “If you encrypt a healthcare provider unintentionally, please provide them with the decryption key at no cost as soon as possible. If this sounds strange to read, it is even weirder for us to write. Times have changed, and it is time for plain talk.”
Coveware and security firm Emsisoft have also promised free help for any healthcare organization hit by crypto-locking ransomware (see: Fighting Coronavirus-Themed Ransomware and Malware).
Talk is Cheap for Criminals
Whatever criminals’ promises, unfortunately, talk is cheap. As Robert McArdle, who heads Trend Micro’s cybercrime research unit, notes all cybercrime gangs such as Maze are promising “https://www.bankinfosecurity.com/”exclusive discounts” for everyone hit by their ransomware and pledging to not target medical organizations – while at the same time their website features a long list of healthcare victims.
This is what a Ransomware gang “helping out” during #COVID1 looks like. “Exclusive Discounts” for everyone facing their product + a promise to not targeted medical orgs (hint: their site lists medical victims). These people need to re-read the definition of Wheaton’s Law. pic.twitter.com/KzngU4pD6l
— Robert McArdle (@bobmcardle) March 19, 2020
Indeed, Tobias Büttner, head of claims for Germany’s Munich Reinsurance Co., on Thursday said as Maze was promising to back off, it infected one of his clients – Hammersmith Medicines – which runs early stage clinical trials.
Data Breach Notification Remains in Effect
In the meantime, organizations must still fulfill their regulatory and compliance requirements, including data breach rules in effect across the U.S. and many other countries, as well as the EU’s General Data Protection Regulation rules. That’s why it’s essential that organizations ensure they correctly lock down remote employees’ home workplaces, says attorney Ian Birdsey, a partner at Pinsent Masons who specializes in cyber risk.
“If a business mailbox that is compromised is synchronized and contains personal data, the organization might be required to notify the applicable data protection authority – such as the Information Commissioner’s Office in the U.K. – in line with the data breach notification provisions set out in the General Data Protection Regulation,” he says. “Regulated businesses, such as those in financial services and energy, may also be obliged to notify their sectoral regulator in such cases.”