COVID-19, a gift for cybercriminals
The COVID-19 pandemic has largely inspired people to come together to help fight against a once-in-a-generation threat. The same is also true of the technology sector, with some of its biggest companies collaborating to help organisations in both the public and private sectors in their efforts to contain and ultimately eradicate the virus.
But in times of trouble, there will always be a minority looking to use the situation for their own nefarious means, and coronavirus is no different. Ever quick to jump on new opportunities, cybercriminals have turned their attention to large-scale phishing scams related to COVID-19.
Between January and March, researchers at cybersecurity firm Mimecast saw an increase of 27.85% in detections, with a total of 118.7 million in March alone. There is no evidence that the trend is subsiding, with phishing threats highly adapted and tailored to the COVID-19 pandemic and increasingly following what is topical in the news agenda.
Among the most common attacks are scams purporting to be from the World Health Organization, phishing emails offering government advice on safety measures and airline refund scams for those who have booked holidays but are now unable to travel.
“The development of the COVID-19 epidemic into a global pandemic has presented a unique once-in-a-lifetime opportunity for fraud and predation which cyber threat actors, both criminal and otherwise, have been quick to exploit to the fullest,” says Dr. Kiri Addison, Head of Data Scientist for Threat Intelligence & Overwatch at Mimecast.
“From furlough phishing campaigns, financial and tax refund scams to guidance on how to return to work safely, these are just some of the attacks that have been and still do have the potential to catch people out. It’s important that employers educate their staff on the threats that are out there and that they are in constant communication with their workforce.”
But educating teams of employees represents a huge challenge for enterprise at present, with the number of people working remotely at an unprecedented level. Recent research from the Chartered Institute of Personnel and Development (CIPD) reported the average proportion of the workforce conducting their roles from home continuously was more than half, at 54%.
“Generally, when people are not in the office, they tend to be more relaxed; the comfort of home settings can lead to people letting their guard down – which is exactly what cyber actors are looking to exploit,” Addison comments.
“That’s why it’s important that enterprises focus on cybersecurity awareness training. Our research shows that enterprises that don’t utilise awareness training are five times more likely to click on malicious links than those companies that do. The most effective training tends to be short, fun and engaging in order to help change security culture.”
There are many who now feel like the genie is out of the bottle when it comes to home working. Home working has so often been viewed with suspicion, but there is now a large-scale use case showing that most employees perform just as efficiently, if not more so, from home, leading many companies to reconsider rigid working arrangements and expensive commercial rent agreements.
Many of the major tech giants have indicated that their staff, where possible, can continue to work from home indefinitely if they wish. Additional figures from the CIPD show that employers expect the proportion of people working from home on a regular basis to increase to 37% once the pandemic is over, rising from 18%, while the percentage of employees that exclusively work from home is set to jump from 9% to 22%.
“The lockdown has radically transformed our relationship to work: there is no separation between the home and the office; personal and professional laptops and phones are substitutable. Although workers shouldn’t be sharing sensitive data over WhatsApp or personal email accounts, the fact that their personal and business devices are interchangeable makes preventing this much harder,” Addison states.
“IT teams need to consider which communication services they want to sanction for secure work at home. They should strongly consider deploying a cloud-based web gateway as this plays the important role of integrating crucial security functions such as URL filtering, malware protection and data leak prevention.
“Cloud-based gateways are also especially useful as they are quick to deploy, easy to operate, infinitely scalable and perfectly designed to fit around distributed workforces. They keep employees secure.”
A direct result of the WFH trend has been an enormous spike in the use of video conferencing tools, as teams have scrambled to keep the lines of communication open. Once again, it is a pattern that is expected to endure; a report from Global Markets predicts that the video conferencing market will increase significantly in value over the next three years, from $14 billion this year to $50 billion in 2026, representing 50% year-on-year growth.
But such rapid adoption has tested the security and infrastructure capabilities of these platforms. Zoom saw its number of daily users jump from 10 million in December to 200 million in March. But the platform was hit by a number of security and privacy issues, leading to its CEO, Eric Yuan, issuing a public apology, admitting that the pandemic had resulted in “challenges we did not anticipate when the platform was conceived.”
“Mimecast has observed a number of phishing attacks purporting to be from popular video conferencing tools,” says Addison. “Techniques used by a hacker may include receiving a meeting invite from a spoofed co-worker and once the link is clicked the malware is launched.
“On top of being extremely vigilant and cautious about such links, users typically hover over the URL link without clicking it and see the actual links to see where they lead or what they are launching. Video conferencing tools weren’t designed with security measures at the forefront of their mind, so the scope for malicious actors to infiltrate such platforms is heightened. Always make sure any meeting is password enabled.”
Many security technologists have found themselves in increasingly challenging positions in recent months, with IT spending set to be cut at many companies – worldwide IT spending is expected to reach $3.5 trillion this year, a 7.3% drop from 2019, according to Gartner. Over the same period, the spread of cyber threats is almost certain to grow, meaning many will have to make some difficult decisions.
Considering where CISOs should be thinking about prioritising their spending over the coming year, Addison states: “Brand spoofing is on the rise, so this is one area that needs more attention and resources dedicated to it. According to our State of Email Security Report, 48% of CISOs hold the budget for securing their organisation’s corporate brand from web or email spoofing, exploitation and impersonation and so it’s critical that CISOs look to put effective measures in place to prevent such attacks happening, especially when reputation is everything in this day and age.
“Our research shows that the typical enterprise has an average of 75 solutions active at any one time. So, there is an issue around there about the return on investment and getting value for money for the solutions bought. It’s important that CISOs look to declutter their security environment and make sure they are getting the most out of solutions that they have invested in and that might require doing a full audit.
“CISOs will always have an important role to play but it’s true that the pandemic has highlighted their importance more than ever. CISOs need to consider themselves guardians of their company’s brand image, especially at a time when brand spoofing is so prominent.”
In recent months, we have seen hackers successfully target public sector institutions and private businesses alike, with the goal of receiving ransom payments to hand back or decrypt data. And while official advice is never to cave to demands, some organisations feel it is the lesser of two evils compared with losing vast datasets, or having them made public and risking huge levies by regulators.
In June, the University of California San Francisco School of Medicine paid a portion of the $1.14 million ransom that the attackers demanded in order to regain access to the encrypted servers. Addison believes that these successes will ultimately fuel copycat attacks.
“Cybercriminals generally try to do the minimum they need to; we still quite often see criminals trying to exploit old vulnerabilities that should have been patched up a long time ago. Organisations should proceed in auditing and reviewing their existing security infrastructure.
“We expect to see an increase and evolution of ransomware attacks, so now rather than encrypting or destroying your data, cybercriminals will be looking to make copies of your data and may threaten to release it and so we’ll see more of that as this is a current attack vector which is working well for them at the moment.
“Also, the continuation and evolution of malware as a service, making malware more widely available. They have skilled developers that are available to make rapid updates for the techniques that they are using.”
Concluding, Addison says that enterprises must take a multi-dimensional approach, blending best practice in training, technology and governance.
“With the volume of threats that are coming in, unless you have huge teams of analysts, it won’t be possible for a human to analyse everything and detect everything – it will be massively important to invest in machine learning and AI to keep up with the latest threats.
“And as important as it is for businesses to think of alternative ways of tackling the problem, it’s also pivotal that enterprises look to layer up their solutions, making sure that they have coverage across all areas so that includes protection inside the perimeter and also securing outside of the perimeter. Organisations might consider pen-testing to see which solutions work best for them.
“As always, investing in education and upskilling your current workforce will prove to be crucial for effective defence and a deterrent of cyber attacks.”