Threat Intelligence Briefing: Increasingly Sophisticated Coronavirus Cyberattacks Exploit Lapses in User Awareness
 

We highlighted these trends in Mimecast’s Global Cyber Threat Intelligence weekly briefing on April 7, 2020, the third in a continuing series of interactive web sessions designed to help customers and the general public protect themselves from cyber threats as the broader coronavirus pandemic wreaks havoc worldwide.

Spam Deluge Continues

Overall, we’re continuing to see a deluge of coronavirus-related spam, which is a key indicator of the high level of malicious activity. Coronavirus-themed spam accounted for up to 15% of all blocked spam during the past week, in line with our expectations and similar to the level we’ve seen throughout the pandemic. “Both legitimate and malicious actors are leveraging the pandemic and feeding upon the anxiety that we are seeing globally—not only for businesses but also for other users, as we retreat to our homes to weather the storm,” said Thom Bailey, Sr. Director, Product/Strategy at Mimecast.

Users Click on More Unsafe Links

One concerning trend is that users are increasingly clicking on the unsafe links delivered by malicious campaigns. We have detected and blocked a rising number of unsafe clicks by users responding to malicious campaigns, including COVID-19 related attacks.

This suggests a combination of more sophisticated attacks together with a decline in user awareness and diligence. Many people are under heightened levels of stress due to coronavirus-related fears, such as concern about being infected or financial anxiety. That stress tends to distract users, making them more likely to click on bad links.

As the pandemic has spread, malicious actors have developed increasingly sophisticated and targeted attacks that are more likely to deceive users into clicking on bad links, said Michael Madon, Mimecast SVP & GM, Security Awareness and Threat Intelligence. That reflects a common pattern during campaigns, in which attackers generally start with a “shotgun” approach, then refine their weaponry and targeting approach over time to maximize the success of their attacks. “The criminals are getting smarter and the attacks are getting increasingly more sophisticated and targeted. They have had time to build up social profiles on who they want to attack, and they begin to attack specific places within an organization,” Madon said.

Attacks Target the Soaring Use of Videoconferencing Platforms

Coronavirus has transformed the way businesses communicate, since millions more people are now working at home. Accordingly, there’s been a dramatic rise in the use of videoconferencing platforms such as Zoom, Skype, and Microsoft Teams. 

Where users go, malicious actors soon follow. We’ve seen an increase in threats seeking to exploit the popularity of the most widely used and trusted video conferencing platforms by creating phishing campaigns and fake websites. In addition, the fact that information for many videoconferences is publicly available has facilitated the growth of so-called “Zoom-bombing,” in which unauthorized users attempt to disrupt or take over online meetings. These platforms are now responding with updated security features and best practices, but users should still exercise caution.

Phishing emails often use social engineering techniques to apply pressure on users to click on email links, such as subject lines that suggest their CEO is inviting them to a meeting. Clicking on links may take users to a fake sign-in page designed to steal their credentials. Malicious actors may use those credentials to disrupt meetings or simply to participate silently, capturing confidential information. In addition, because people often reuse the same credentials for multiple sites, attackers may be able to use the credentials to get access to email or other resources.   

Given the rise in attacks, it’s even more important to take steps to protect business and personal meetings from unauthorized access:

• Make meetings private to prevent unauthorized access, including using passwords as often as possible.
• Don’t share meeting links on social media, where they may be seen by people you don’t want in your meeting.
• Manage your screen sharing options during each meeting, so that only the host can share information. That prevents unauthorized participants taking over the meeting.
• Secure devices and your home network. Use strong passwords for your network and attached devices to close off access paths for attackers.
• Stay aware. Check that links in meeting invitations are valid before you click on them. If you receive a meeting invite, confirm that it’s genuine by checking that the meeting is in your online calendar.

Protecting videoconferences requires that all users maintain security, Madon said. “This is a community effort. If you get a meeting invitation that doesn’t have a password, don’t be afraid to ask the organizer to resend it with a password—even if it feels a little awkward. Say that we should secure the conference for the company’s benefit. Nine times out of ten they’ll agree.”

Targeting Charities to Exploit People’s Generosity

Throughout the pandemic, we’ve seen attackers continuously adjust their tactics to home in on users’ latest fears and shifts in online behavior. Now, we’re seeing a growing number of fake websites and phishing emails mimicking charities addressing coronavirus, with the goal of stealing donations that users intended to benefit those impacted by the pandemic. “We’re seeing a particularly nasty set of malicious activities focused on charities around the globe who are looking for donors, either to help frontline responders or provide assistance to families who may be out of work,” said Bailey.

Notably, we uncovered malicious activity that may have been triggered by a widely read New York Times article, which listed charities to which readers could contribute. When Mimecast researched malicious activity focused on those charities, it found that most of them had suffered massive attacks. “The article did a great service by providing a list of charities, but it seems that the hacking community may have read the same article and used it as a target list,” Bailey said.

Malicious actors registered new domains with names very similar to those registered by prominent legitimate organizations such as Save the Children, GlobalGiving, the CDC Foundation and Charity Navigator, said Elad Schulman, Mimecast VP for Brand Protection. They created fake websites that were almost identical to the websites of real charities, with the goal of collecting and diverting financial donations intended for the people who really need help. They also created phishing email campaigns to bring users to those sites. “We are seeing more and more of these attacks,” Schulman said.” We were able to cross-correlate information and determine that many of them probably came from the same malicious actor—we see the same foundation and infrastructure being used for multiple attacks.”

Though such coordination within the malicious cyber community has been seen in the past, there’s a key difference this time, according to Bailey. “There appears to have been a playbook published within the malicious community that allows them to stand up nearly identical types of attacks for the charity community as a whole,” he said.

Maintaining user awareness is essential to avoid falling into the traps set by the attackers, Schulman added. That includes closely examining email links and website addresses, and reporting suspicious items to the organization’s security team. “Pay close attention to who is sending the message and how you got to each website—make sure you are giving money to the people that really need it instead of to those who are taking advantage.”

The Bottom Line

Malicious actors are developing more sophisticated attacks and shifting tactics to take advantage of users’ latest fears as the COVID-19 pandemic continues to wreak havoc worldwide. Mimecast is continuing to provide updated security information to help organizations and their employees stay cyber safe during the pandemic, including free videos and information that security professionals can share with employees to increase security awareness.

We’ll continue to hold our weekly threat intelligence briefings to help you maintain the security of your organization and your employees. You can help us shape those briefings to make sure they’re most valuable to you. Please take a moment to let us know what topics you’d like us to cover during the briefings.