Fending off threats begins by understanding what they look like and then planning ahead while the situation rapidly evolves. What criminal tactics, techniques and procedures should you be watching for right now?
1. Misinformation as a weapon of mass confusion
Misinformation means exactly that: information that is either false or inaccurate, and deliberately disseminated with the aim of deceiving audiences. COVID-19 misinformation is spread primarily over social media platforms and is amplified by people resharing it through private messaging applications.
At first glance, misinformation may not seem to have a tangible financial impact on an organization’s or individual’s bottom line, but rest assured that the rhetoric misinformation employs is damaging. Fear and confusion can, among other issues, drive equipment and supply shortages, and incite hatred. While governments are working to slow the spread of false messaging by calling out examples of fraudulent social media posts, individuals and businesses can support those efforts by pitching in to do their part.
How can you curb the flow of misinformation to help dial down the risks?
- Stick to credible guidance from official health organizations (e.g., Public Health Agency of Canada, National Health Service, Centers for Disease Control and Prevention (CDC), World Health Organization (WHO)) to counter the negative ripple effect of misinformation.
- Fact-check any social media claims that feel potentially dubious.
- Watch for unsolicited correspondence that contains alarmist messaging or appears to be impersonating official health and safety institutions.
2. Phishing through social engineering
It is widely believed that cybercriminals across geographies and sectors are using COVID-19 as a phishing lure. But there is also evidence of state-sponsored actors following suit. Such activities are expected to rise in line with the number of new COVID-19 cases as the pandemic continues to lead headlines and social media dialogue.
Newly registered domains related to COVID-19 are rising in direct proportion with the outbreak’s spread, as threat actors create new infrastructure to support malicious campaigns. The number of references to COVID-19 has seen a significant uptick over the last three months, and country-specific phishing lures are using the trusted names of widely known organizations to trick their way into a potential victim’s world.
What can you do to deflect phishing scams and help keep them at bay?
- Be wary of any email or other communication claiming to originate from the Public Health Agency of Canada, National Health Service, CDC or WHO – even if the address looks legitimate.
- Watch out for language that creates a sense of urgency and asks you to click attachments or links said to contain additional information.
- Do not click or open links in emails directly. Instead, type the main URL into your browser or search the brand/company in your preferred search engine.
- Disable macros in Microsoft Office for any users who don’t absolutely require them.
As an organization’s security team:
- Ensure anti-virus and other security software on all systems are up to date.
- Search your environment for existing signs of the indicators of compromise (IOCs).
- Block all URL- and IP-based IOCs at the firewall, intrusion detection and prevention systems, web gateways, routers or other perimeter-based devices.
- Ensure applications and operating systems are kept up to date and the most recently available security updates are installed.
- Increase awareness and education activities around the heightened risk environment.
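The two signals described in this section, newly registered COVID-19-themed domains and sender names that imitate official health organizations, can be checked together when triaging mail-gateway or DNS logs. The following is an added example, not part of the original article: the keyword lists, the 30-day threshold and the sample records (all on the reserved `.example` TLD) are assumptions, and the registration dates stand in for what a WHOIS lookup would return.

```python
from datetime import date

# Official domains of the organizations the article names.
OFFICIAL = {"who.int", "cdc.gov", "nhs.uk", "canada.ca"}
# Assumed lure keywords and brand tokens; tune for your environment.
THEME = ("covid", "corona", "pandemic")
BRANDS = ("who", "cdc", "nhs", "publichealth")
NEW_DOMAIN_DAYS = 30  # assumed cut-off for "newly registered"

# Constructed sample: (sender domain, registration date as WHOIS would report it)
SAMPLE = [
    ("who.int", date(1998, 6, 5)),
    ("mail.cdc.gov", date(1997, 1, 1)),
    ("cdc-gov.example", date(2020, 3, 10)),
    ("covid19-relief.example", date(2020, 3, 18)),
    ("corona-map.example", date(2019, 1, 2)),
    ("supplier.example", date(2020, 3, 15)),
]

def is_official(domain):
    """True if domain is an official domain or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == o or d.endswith("." + o) for o in OFFICIAL)

def score(domain, registered, today):
    """Return the list of reasons a sender domain deserves review."""
    if is_official(domain):
        return []
    reasons = []
    # Split on separators so "who" matches a whole token, not "wholesale".
    tokens = domain.lower().replace("-", ".").split(".")
    if any(t in BRANDS for t in tokens):
        reasons.append("impersonates health org")
    if any(k in domain.lower() for k in THEME):
        reasons.append("covid-themed")
    # Recent registration only matters when another signal already fired.
    if reasons and (today - registered).days <= NEW_DOMAIN_DAYS:
        reasons.append("newly registered")
    return reasons

def triage(records, today):
    """Map each flagged domain to its reasons; clean domains are omitted."""
    scored = ((d, score(d, reg, today)) for d, reg in records)
    return {d: why for d, why in scored if why}

if __name__ == "__main__":
    for dom, why in triage(SAMPLE, date(2020, 3, 25)).items():
        print(dom, "->", ", ".join(why))
```

Matching official domains by exact suffix rather than by substring is what catches a name such as `cdc.gov.evil.example`, which contains the trusted string but is not a subdomain of it.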
3. Offering access through the sale of fraudulent goods
Phishing offerings are a big topic in cybercriminal forums right now. In February, analysts at Digital Shadows identified a thread on the well-known Russian-language cybercriminal forum Cross Site Scripting (XSS) advertising a new way to deliver malware. The method works via an email attachment disguised as a supposed distribution map of the virus’s outbreak that’s said to contain real-time data from the WHO. The map itself impersonates a legitimate one created by the Johns Hopkins Center for Systems Science and Engineering that’s already appeared across social media platforms. The deal? A “private build” of the product listed at $200, or a version complete with a “Java Codesign certificate” for $700.