A year after COVID-19 was officially declared a pandemic, the way people live & work has radically changed & so have “the methods & tactics used by criminals on the internet looking to exploit the massive increase in online traffic,” according to a report from Kaspersky, issued on Mon.
COVID-19-related phishing emails, brute-force attacks on remote workers, & a focus on exploiting or abusing collaboration platforms are the hallmarks of cyber-criminal enterprise as the coronavirus marks its 1st anniversary of going global.
Phishing Scams – COVID-19
Email scamming (& phishing particularly) is still one of the most effective types of attacks in the coronavirus era, explained Kaspersky, since fear & anxiety are 2 of the most-exploited emotions for this kind of social-engineering attack.
Campaigns such as those pretending to offer N95 masks or hand sanitiser (which prompted people to put in their payment details) became common over the course of the year. Impersonating COVID-19 authorities was also popular, with cyber-criminals offering “important” updates. Really, all they were offering was malware.
“In 2020, criminals launched a variety of scams that exploited the pandemic topic from just about every angle, from advertisements for masks when they were in short supply to special refunds from the govt.,” outlined the report.
“Scammers often imitated leading authority figures on the pandemic, like the CDC & the World Health Organisation, to give their emails additional authority & increase the chances that users would click a malicious link.”
Cyber-criminals also used lures involving delayed shipments, i.e., taking advantage of the fact that ordering by mail sky-rocketed during lockdowns.
In 2020, delivery services entered the top 10 most-spoofed organisations for these types of attacks, observed Kaspersky.
New Delivery Information
“They would send emails claiming that, due to COVID, an important delivery had been delayed & that the target must verify the new delivery information (easy to believe in a pandemic) in order to receive it,” said the report.
“However, upon clicking the attachment, the users would download trojans ranging from spyware to backdoors.”
As millions of employees were sent home to work remotely in 2020, cyber-security measures were an after-thought for many organisations. Cyber-criminals, aware of this, targeted employees logging in to corporate resources from personal devices & on unsecured home networks, according to this analysis.
Specifically, brute-force attacks (where attackers try random usernames & passwords against accounts) on Remote Desktop Protocol (RDP) connections ramped up globally, surging 197% from 93.1m worldwide in Feb. to 277.4m in March. RDP is Microsoft’s proprietary protocol that enables users to access Windows workstations or servers.
“RDP is one of the most popular remote-access protocols used by companies, making it a favourite target for attackers,” states the report. “In Spring of 2020, the number of brute-force attacks against the RDP protocol sky-rocketed across almost the entire planet.”
A year later, the number of attacks has still not returned to pre-pandemic levels, Kaspersky noted: In Feb., there were 377.5m brute-force attacks.
Cyber-attackers have also targeted users of cloud services, especially collaboration services like Flock, GotoMeeting, HighFive, Join.me, Lifesize, MS Teams, Slack, Webex & Zoom. Kaspersky found that by May 2020, the average daily number of attacks on these services seen in its telemetry had jumped 25% just since Feb. 2020.
These, too, have not really ceased.
“The no. of web attacks, after displaying a decline in the summer of 2020, reached a new peak in Dec. as much of the world was facing a 2nd wave of the pandemic,” according to Kaspersky.
“A large portion of users’ time spent online was dedicated to meeting & collaborating virtually. That is why meeting & messenger apps, like Zoom & Teams, became a popular lure for distributing cyber-threats.”
The majority of these attacks use malicious files spread under the disguise of these apps’ names. Kaspersky found that in Jan. there were 1.15m such files detected, the highest no. since lockdown began.
“These files are often bundled as part of seemingly legitimate application installers, which can be encountered in several ways: Through phishing emails claiming to have notifications or special offers from their platforms or through phishing web pages,” outlines the report.
With the pandemic moving into a new phase involving vaccinations, there’s also a new range of topics for phishers & scammers to use, e.g. health passports for travel or vaccine distribution, Kaspersky warned.
“Chances are they will exploit them,” predicts the report. “It is important that users view any email or website referencing the pandemic with a sceptical eye. What is more, recent events have shown how willing criminals are to take advantage of a crisis, and, while this pandemic will subside, it certainly will not be the last crisis.”
The report also noted that remote working will likely remain in place even post-pandemic.
Usage of RDP
“RDP is not going anywhere & neither are attacks against the protocol,” the report concluded. “That means businesses need to re-evaluate their usage of RDP & learn how to secure remote access. If there has ever been a time for companies to re-evaluate and bolster their security strategy, that time is now.”
Microsoft’s investigation comes alongside news that ransomware gangs are starting to aim at the Exchange Server vulnerabilities, adding a new sense of urgency to the need for organisations to apply patches & disinfect backdoors from networks.