MS Risk Blog

COVID-19: Cybercriminals are Profiting from the Pandemic


On March 11, the World Health Organisation (WHO) declared the outbreak of COVID-19, a respiratory disease caused by the novel coronavirus, a global pandemic. On March 13, WHO Director-General Tedros Adhanom stated that Europe had become the “epicentre” of the outbreak and that, apart from China, Europe had more reported cases and deaths than the rest of the world combined. In response, most countries declared a state of emergency and enacted emergency laws in order to limit the spread. Among other things, measures introduced included closing borders; banning large public gatherings; and giving police powers to fine and arrest those violating these measures.

This biological threat naturally distracts from the prospect of virtual threats. As Europe’s focus is drawn towards containing the spread of COVID-19 infections, cybercriminals take advantage of the distraction to spread online infections and scams to profit from the public’s fear. Europol has received reports of intensifying cyber-attacks in almost all 27 member states. Spokesman Jan Op Gen Oorth said they had seen an increase in malware and ransomware attacks seeking to profit from the global crisis. According to Romanian cybersecurity leader Bitdefender, there was an increase of more than 475 percent in the number of malicious reports related to COVID-19 by March 16, as compared to February. In addition, we have seen an increase in the creation of COVID-related domains. Fitspatrick, director of HPCsec, said that as many as 650 domain names associated with the coronavirus were identified in the short period of March 19-23. The majority were considered very likely to be used in phishing messages.

During the crisis, cybercriminals are taking advantage of people’s desire to keep up to date with new developments. Many criminals are therefore impersonating entities such as the WHO, NATO, or UNICEF. Their “phishing” e-mails specifically mention COVID-19 related information to encourage people to click on links or files that download malware. For instance, an e-mail might claim to have a list of pharmacies that distribute protective drugs; anyone opening the attachment then has their computer infected. Some malware, like spyware, can steal information such as usernames and passwords, and even turn on your microphone and camera. Other malware, like ransomware, can be used to blackmail you by locking down your computer. It encrypts files, which renders the data they contain inaccessible until a ransom is paid for the decryption key. If you don’t pay you lose all your data.

Over the coming weeks and months, attackers are expected to continue to exploit the pandemic to launch ransomware attacks. Targets range from individuals, to small and medium businesses, to larger organisations. Almost one-third of attacks related to COVID-19 target public authorities and healthcare institutions. Health organisations are especially vulnerable. Because they are under significant time constraints and find themselves pressed to capacity due to COVID-19, they are more likely to pay the ransoms demanded. This is exactly what the hackers are counting on. In addition, many hospitals lack the necessary cyber security to ward off such attacks.

The consequences of these attacks can be particularly devastating for the health sector. For instance, these attacks can lock down computers that hold electronic medical records. This leaves doctors and nurses without access to critical information about their patients’ medical histories and dosages of drugs required. One example is the recent cyber-attack launched at the Brno University Hospital, which has one of the largest COVID-19 testing facilities in the Czech Republic. The attack caused an immediate computer shutdown which forced the hospital to cancel surgeries and relocate patients. A week later, the hospital still had no means of storing data which slowed processes and potentially endangered lives. In this way, the attacks do not only have economic consequences but can actually put lives at risk.

The private sector is also at risk. By analysing previous attacks during global epidemics and contemporary phishing campaigns based on COVID-19, security firm RiskIQ predicts that attackers will target large corporations relying on markets and supply chains that originate in coronavirus-affected regions. “Personnel at these organisations have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links,” the company says. In this way, cybercriminals rely on people to make a mistake. They take advantage of human traits such as curiosity and concern about the ongoing emergency situation.

Some of the best protective measures are therefore those that prevent phishing e-mails and malware from getting to you in the first place. Firms like Autostore use antivirus software, which looks for abnormal activity and removes malicious software, and a web filter, which can filter out suspicious e-mails. In the event that a phishing e-mail still somehow finds its way into their inbox, employees know what to look for, as the firm regularly conducts awareness training. For instance, Autostore has conducted simulated phishing attacks to help employees distinguish these e-mails from authentic ones.

In terms of what to look for, the National Cyber Security Centre recently gave the following examples of phishing e-mail subject lines: “2020 Coronavirus Updates”, “2019-nCov: Coronavirus outbreak in your city (Emergency)”, “2019-nCov: New confirmed cases in your City”. Another red flag is poor spelling and grammar. These e-mails will also often imply a sense of urgency to scare a person into downloading a file or clicking the link. For instance, it might say that the attachment has urgent information about the coronavirus. It is also a common tactic to swap in a very similar looking character so that you don’t spot the mistake. The link might for example start with https; instead of https:. In addition, if you hover over the link without clicking on it, you’ll be able to see that the real address it leads to is different than what it first appears to be.
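The checks described above can also be automated in a mail filter or a triage script. The following Python sketch is an added example, not code from the NCSC or any firm named in this post: it flags the quoted subject lines, links whose scheme is malformed (such as `https;`), and links whose visible text shows one address while the underlying link points to another. The function and flag names are assumptions, and the sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subject lines quoted in the article, lower-cased for comparison.
KNOWN_SUBJECTS = {
    "2020 coronavirus updates",
    "2019-ncov: coronavirus outbreak in your city (emergency)",
    "2019-ncov: new confirmed cases in your city",
}
GOOD_SCHEME = re.compile(r"^https?://", re.I)  # "https;//" fails this

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_email(subject, html_body):
    """Return (flag, detail) pairs for the red flags described above."""
    flags = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        flags.append(("known-subject", subject))
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        for value in (href, text):
            # Starts like a web address but the scheme separator is wrong.
            if value.lower().startswith("http") and not GOOD_SCHEME.match(value):
                flags.append(("bad-scheme", value))
        # The reader sees a URL, but hovering would reveal a different host.
        if GOOD_SCHEME.match(text) and urlsplit(text).hostname != urlsplit(href).hostname:
            flags.append(("link-mismatch", f"{text} -> {href}"))
    return flags

# Constructed sample message (example.net is a reserved documentation domain).
SAMPLE_SUBJECT = "2020 Coronavirus Updates"
SAMPLE_BODY = ('<p>Urgent: <a href="http://updates.example.net/who">https://www.who.int/</a>'
               ' or <a href="https;//who.example.net/list">pharmacy list</a></p>')
```

Calling `review_email(SAMPLE_SUBJECT, SAMPLE_BODY)` returns one entry per red flag; an empty list means none of these three checks fired, not that the message is safe.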

Managing the real-life virus is difficult enough without having to worry about cyber “viruses”. Indeed, that is what hackers are counting on. “In the past, cybercriminals have found success using disasters and global epidemics in ransomware and other malware attacks and developed a pattern we expect will continue with the coronavirus,” says Aaron Inness, Protective Intelligence Analyst at RiskIQ. The cost to attackers is low and the gain potentially high. Consequently, the risk of cyber-attacks is now higher than usual. It is therefore important that both individuals and organisations remain vigilant and practice good cyber hygiene throughout the pandemic.