The manager of the cybersecurity service at the FCCN unit of the Foundation for Science and Technology (RCTS CERT), Carlos Friaças, explains the dangers of various phishing campaigns during the pandemic.
We are living in exceptional times, but, contrary to what some people may think, there are no signs that malicious activity on the Internet has diminished during this troubled period. On the contrary, we have observed an exploitation of these circumstances to launch new campaigns, exploiting the fears of others and the great degree of uncertainty of the general population about the immediate future.
In recent weeks, there have been increasing reports of phishing campaigns associated with the COVID-19 issue. The delivery industry is already typically heavily affected by this type of threat, and in this time of isolation, more people rely on deliveries to minimize their trips away from home. The higher volume of orders and deliveries provides a more plausible context for attackers if they resort to impersonating a service or brand that targets are expecting to hear about. It is therefore necessary, as end consumers, that our care is redoubled. All so that we do not expose our personal data or allow our devices to be compromised.
Taxpayer fraud
The tax return filing season is also something that, every year, gives rise to campaigns that try to defraud taxpayers. In other countries, there have already been cases of campaigns designed to exploit possible state support (resulting from the pandemic) to infect victims' systems. Here, too, we need to be suspicious, making sure that the information we receive and the actions we are asked to take come from the competent authorities.
Universities and Hospitals
In recent days, it was also reported the observation of a campaign targeting US universities and their students, aiming to control the victims' devices. The attack made use of malicious code already used in campaigns that took place a few years ago. This seems to show that there are some recycling concerns in this industry for malicious purposes. The central goals of these attacks appear to be, in some cases, to exfiltrate personal data and, in other cases, to pay ransoms to make the captured information accessible again.
Entertainment and teleworking
The entertainment industry was also targeted with phishing campaigns, making use of the pandemic context and causing reputational damage to leading brands in the streaming content platform segment. A children's entertainment content platform was one of those targeted.
The explosion of the teleworking context is something that is also offering a new angle to the emergence of frauds whose first vector is phishing. There have been several reported cases of abuse of the image of recruitment companies to reach more victims and even cases of attempts to usurp the identity of people from Human Resources departments to ensnare workers from some companies. These cases are closer to what is usually considered as "spear phishing", which is a phenomenon mainly directed to previously identified people, and where there is a specific goal already defined.
What to do?
This period will certainly not see significant progress against phishing. The infrastructures that support this type of fraud and crime continue to operate transnationally, which makes it very difficult for the authorities of various countries to combat them.
From the point of view of FCCN, the volume of messages relating to phishing campaigns has not changed significantly. We continue to receive multiple messages every day to institutional email addresses, service support boxes or even individual employee addresses. In line with the news mentioned above, we have some cases that use the COVID-19 theme, although this is not a significant percentage compared to the total number of campaigns we have seen in the last two months.
Finally, it is necessary to warn that we should all take the necessary time to assess the reliability of each message received. It is not enough to analyze only its provenance, as the interlocutors we know may also have already been compromised. The sophistication of campaigns is variable, but one rarely finds a campaign close to perfection, and there is always some detail in the narrative that will help identify a probable fraud.
When in doubt, don't let social distancing contribute to compromising your devices or your personal data. When in doubt, ask other people you trust for their opinion about the dubious message you received. Ultimately, you can always turn to your cybersecurity team or hub.
If you belong to the RCTS communication, and want support, send email to info@cert.rcts.pt
*The author chooses not to adopt the new spelling agreement
