Months ago, the Firewall warned that cybercriminals were taking advantage of the anxiety and insecurity from COVID-19 to spread phishing schemes, malware, and other scams. Interpol recently released a report warning of these dangers and other cybercriminal activity that exploits the current COVID-19 environment. As the Firewall advised in April, Interpol’s report notes that cybercriminals are taking advantage of the increased security vulnerabilities arising from the sudden shift to remote work.

Interpol groups the recent COVID-related cybercriminal activity into five categories.

  1. Online scams and phishing. Interpol warns that cybercriminals are deploying COVID-19 phishing emails to trick victims into providing their personal data, such as user credentials and passwords, or downloading malicious content. Specifically, Interpol warns of Business Email Compromise (BEC), whereby a threat actor can spoof supplier and client email addresses to send scam emails. Threat actors also impersonate government entities or global health authorities such as the World Health Organization. Typically, these phishing schemes will involve:
    • False government orders and financial support initiatives
    • Fake payment requests and money reimbursements
    • Offers of a phony COVID vaccine or medical supplies
    • Malicious COVID-19 tracking apps for mobile phones
    • Investments and stock offers
    • COVID-related charity and donation requests
  2. Disruptive Malware (Ransomware and DDoS). Interpol reports that disruptive malware campaigns have shifted from individuals and small businesses to government agencies and the healthcare sector, where they can obtain greater ransoms. Threat groups that had been relatively dormant have revived themselves to launch ransomware—especially ransomware in the CERBER, NetWalker, and Ryuk families—or DDoS attacks. (Similarly, the FBI recently warned of NetWalker ransomware attacks on U.S. and foreign government organizations, education entities, private companies, and health agencies.) In particular, these cybercriminals have attacked critical infrastructure of government organizations, hospitals, and medical centers that the pandemic has already stressed.

Additionally, Interpol reports that ransomware attacks have grown more sophisticated. The attackers conduct a thorough reconnaissance of the networks of targeted organizations sufficient to enable them to estimate accurately the maximum ransom they can extract. (This sophisticated reconnaissance is a hallmark of Advanced Persistent Threats, which the Firewall has discussed previously; many of the cybercriminals Interpol discusses may be APTs.) Cybercriminals deploy the ransomware along strategic locations in an organization’s network to maximize disruption, and they often exfiltrate sensitive information—tactics that effectively pressure the targets to pay the ransom.

  3. Malicious/Copycat Domains. Not surprisingly, domain name registrations including “COVID” or “Corona” have exploded during the pandemic. Equally unsurprising are reports that 36 percent of these new domains were deemed either “high-risk” or outright malicious. From February to March 2020, an Interpol partner detected a 569 percent growth in malicious registrations and a 788 percent growth in high-risk registrations. By June, Interpol had identified 200,000 malicious domains in more than 80 member countries. The malicious domains either host data harvesting malware or try to obtain personally identifiable information through emails, text messages, or cold calls. Many of these websites mimic official public services such as government portals, telecommunication companies, banks, and similar institutions. Other websites purport to sell healthcare equipment, such as surgical masks or test kits, and either provide counterfeit equipment or none at all after accepting payment. (In June, the Firewall discussed invoice scamming and other cyber imposter tactics.)
  4. Data-Harvesting Malware. Cybercriminals have also increased their use of data harvesting malware. Hackers are using fake interactive coronavirus maps, thematic applications, and fraudulent websites to trick people into downloading malware. Specifically, hackers use the Emotet or Trickbot malware through phishing emails purporting to contain COVID-19 prevention measures or free COVID-19 tests, and this malware can open the door to later ransomware attacks.
  5. Misinformation. Echoing the World Health Organization’s warning in February, Interpol advised that the pandemic has brought with it an “infodemic” of misinformation. This misinformation is spread through social media sites and text messaging.

Interpol predicts that this cybercriminal activity will increase as COVID-19 persists. In particular, Interpol notes that the vulnerability created by teleworking will attract additional criminal activity. Interestingly, Interpol also notes that, because shut-down orders have generally decreased the crime rate, criminals are searching for new revenue streams, and cybercrime seems to offer “easy entry.”

Interpol’s report highlights the need for companies and other organizations to increase their vigilance. Specifically, organizations should (1) train (or re-train) their employees to recognize and avoid phishing attempts; (2) review their data security protocols to ensure that they account for the current work-from-home environment; and (3) ensure that their vendors are doing the same.

For more information regarding this article, please contact Sean Griffin.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.