Beware of Sick Behavior Masquerading as Coronavirus

Cybercriminals Are Seeing the Pandemic as a Huge Business Opportunity


Food delivery services and Netflix are not the only ones profiting from the coronavirus outbreak.  It has also been a bonanza for cybercriminals, seeking to cash in on the anxiety and confusion resulting from COVID-19. Photon, the research arm of my company, has undertaken a deep dive into the shadowy, cyber world of those whose work involves abusing others online through trickery, extortion, fraud, and theft. Here is some of what we found as well as ways that you can mitigate the threat: 

Crappy apps

As early as January, phishing emails containing phony COVID-19 public health warnings were circulating in Japan. They used the coronavirus scare as their email campaign hook. Recipients were warned about the virus’ rapid spread and instructed to download an attached notice that allegedly contained preventive measures. In fact, when downloaded, it installed Emotet, a form of malware used to deploy ransomware and other types of malicious software that steal user credentials, browser history, and sensitive documents. That data can then be used to send spam to other email accounts.

Other forms of cyberattack, including a denial of service attack against the U.S. Department of Health and Human Services on March 15, and a fraudulent website distributing a new variant of ransomware named “CoronaVirus” identified a few days later, also occurred. And misleading mobile apps began to proliferate. Altogether, we uncovered 376 Android mobile apps related to COVID-19. Many of them, it turned out, were benign. But others contained spyware to collect sensitive user data and insisted on receiving dangerous permissions.

We discovered multiple apps that demanded access to perform account authentication, to capture and collect photos, to receive packets not directly addressed to the device, to create network sockets, remove accounts, delete passwords, request authentication tokens, and write to the phone’s embedded SIM card. Seeking the ability to access a user’s contact list is a particularly dangerous form of permission because, among other things, it enables someone who secures that information to impersonate you and anyone else on that list in malicious ways.

We also found a number of app download links that claimed to be specific to COVID-19 but which actually served up entirely different applications, some of which were rigged with malicious files requiring an extensive number of dangerous permissions.  The files they would download included riskware, adware, potentially unwanted programs, contact collection tools, and SMS management capabilities.  One, which masqueraded as a legitimate coronavirus application associated with Johns Hopkins Medical Center, was actually a tool used to vacuum up photos, media files, device location, and the user’s camera, while installing spyware device management capabilities. 

Importantly, almost all of this malware was downloaded from sources other than the Google Play or Apple App stores – both of which rigorously vet software before allowing it on their sites.  Downloading from these trusted app stores offers significant protection against malware. 


Third-party perils

In their haste to prepare themselves for a predominantly remote workforce in response to the coronavirus, many organizations have sought the help of third-party vendors.  That’s understandable; outside vendors can help a company maintain some semblance of business continuity during challenging times. But it also brings new risk of unwelcome intrusion.  

Third parties sometimes offer a path of least resistance to determined intruders. They provide the added benefit of allowing the cybercriminal to remain undetected and even the possibility of attacking multiple target organizations at once. Last August, for example, malicious actors were able to use a third-party vendor to spread ransomware to 22 cities in Texas.  In addition, virtual workspaces require increased use of third-party online channels, expanding the potential attack surface way beyond the company’s traditional network.

That’s not just theoretical; a 2018 study by the Ponemon Institute found that nearly 60 percent of the companies surveyed had suffered a data breach at the hands of third-party vendors, while only about a third had even kept a comprehensive inventory of the third-party suppliers their company had worked with. 

Mitigating risks

There are three major categories of risk presented by third-party apps and vendors: operational risk resulting from errors or failures in the system; transaction risk related to problems with the service or delivery; and compliance risk, which puts the organization in the crosshairs of liability for security breaches or other regulatory failings. While these risks are not unique to the use of third parties, involving them considerably amplifies the risk opportunities.

At the same time, though, there are common sense strategies available to minimize and mitigate those risks.  

1. Create a pandemic response team capable of assessing third-party risk

2. Build a comprehensive inventory of third-party vendors

3. Analyze third-party vendors for risk

4. Track security incidents that could affect your vendors

5. Include data exposure incidents in third-party monitoring

6. Only download apps from trusted sites

7. Remain skeptical of apps requesting permissions

8. Confirm that the app is created by a legitimate developer
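To make step 7 concrete, here is an added example (not Photon's tooling or any code from the article) that triages an app's AndroidManifest.xml against a watchlist of permissions matching the capabilities described above: contacts, accounts, camera, media, location, multicast packets, SMS and device-admin control. The permission names are real Android ones; the watchlist grouping, the verdict thresholds and the sample manifest (package name included) are this example's own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings; the reasons mirror the capabilities the
# article saw abusive COVID-19 apps demand. Grouping is this example's own.
WATCHLIST = {
    "android.permission.READ_CONTACTS": "contact list (impersonation of you and your contacts)",
    "android.permission.GET_ACCOUNTS": "account enumeration / authentication",
    "android.permission.CAMERA": "capture photos",
    "android.permission.READ_EXTERNAL_STORAGE": "collect photos and media files",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.CHANGE_WIFI_MULTICAST_STATE": "receive packets not addressed to the device",
    "android.permission.SEND_SMS": "SMS management",
    "android.permission.BIND_DEVICE_ADMIN": "device-management (spyware-style) control",
}

def requested_permissions(manifest_xml: str) -> set:
    """Permissions from <uses-permission android:name> plus android:permission
    guards on components (how device-admin receivers declare BIND_DEVICE_ADMIN)."""
    found = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag == "uses-permission" and el.get(ANDROID_NS + "name"):
            found.add(el.get(ANDROID_NS + "name"))
        if el.get(ANDROID_NS + "permission"):
            found.add(el.get(ANDROID_NS + "permission"))
    return found

def triage_manifest(manifest_xml: str) -> dict:
    """Map requested permissions onto the watchlist and give a coarse verdict."""
    flagged = {p: WATCHLIST[p] for p in sorted(requested_permissions(manifest_xml))
               if p in WATCHLIST}
    if "android.permission.BIND_DEVICE_ADMIN" in flagged or len(flagged) >= 4:
        verdict = "high"    # device-admin control, or a broad data grab no info app needs
    elif flagged:
        verdict = "medium"
    else:
        verdict = "low"
    return {"flagged": flagged, "verdict": verdict}

# Constructed manifest for a hypothetical "virus info" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.covidinfo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application><receiver android:name=".AdminReceiver"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` flags five watchlisted permissions and returns a "high" verdict; a manifest requesting only INTERNET returns "low".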


Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
