COVID-19: From the Mindset of the Attacker

April 24, 2020

COVID-19: From the Mindset of the Attacker

The goal of this paper is to inform and educate. During these trying times, these types of attacks and methods of attack are more directed to COVID-19 world, but the theory is still applicable to the non-COVID-19 world.

The driving force of most of the attacks we have seen and will continue to see in the COVID-19 and post-pandemic world will be for economic gain through fraud. Other drivers may creep up, but the vulnerable state of society makes fraud an easy end.

The rapid onset of the COVID-19 pandemic has forced the mass adoption of a remote workforce for business continuity. Businesses have had to make rapid decisions to increase VPN licensing, provide corporate devices for home use to those who would not ordinarily have them and adopt new applications without really assessing risk. Over the past few weeks we have read posts like tips for working at home or risk associated with work-from-home (WFH), but how has it affected the attacker?

This is an interesting question. From what has been published on BleepingComputer and other sites it seems that there may be a degree of moral code under certain Ransomware groups. Several of the groups that BleepingComputer reached out to pledged not to hit hospitals or pharmaceuticals until the COVID-19 situation improved. https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/ However, as noted in the same article and in https://www.technadu.com/ransomware-infections-are-still-a-thing-amid-coronavirus-crisis/97028/ some malware groups are still actively targeting hospital systems to exploit the situation.

The example above is an attack on an industry, but as an attacker, how could I take advantage of the situation as it relates to the average work-from-home user?

The current conditions of stay-at-home orders are changing our work and personal life behavior. These changes in behavior create an opportunity for adversaries.

In this post the attacker is not targeting a specific company or industry but taking more of an opportunistic approach to cast a wide net. Let’s consider two avenues of attack. We’ll talk about social engineering tactics¹ (including phishing) and drive-by malware downloads and how these attacks can be used with changes due to the global pandemic.

All of these attacks, both real and hypothetical, can truly impact everyone’s life. What is the impact to your security posture and risk to your business? This is the critical question to ask yourself.

Social Engineering

Social engineering attacks, in times of disruption, have been happening since the dawn of time. There are many tools at the disposal of the social engineer. Manipulating the social paradigm shifts in work-from-home situations allows attackers to social engineer people who have let their guard down and accept more risk than normal. With more WFH scenarios, all facets of social engineering need to be defended against.

Fraud and disinformation campaigns are happening at an increased pace to take advantage of the global pandemic. The tools which social engineers use are varied to include physical social engineering, vishing, smashing, and our favorite friend, phishing.

Physical Social Engineering – Getting Aggressive

Social engineers can be physical (in-person). Though in the COVID-19 pandemic world, one would think this is a difficult attack vector. The only exception for this is what local, state, and federal governments deem as essential service workers. Novel attacks through physical social engineering may increase depending on the essential service and depending on the target.

Recently, law enforcement imposters² have been stopping people in multiple states for violations of quarantine/shelter-in-place orders. This is one example of physical social engineering to get to an end.

Vishing – The Voice of the Social Engineer

There is an increase of this type of social engineering in the COVID-19 world. With the ready availability of burner apps and the ease to spoof caller IDs (CIDS), these types of social engineering attacks are easy to execute and are unfortunately highly successful, depending on the demographic of the victim. The main objectives are fraud and identity theft.

Smishing – These Messages Stink!

Smishing, or SMS phishing, is on the rise, especially with the 2020 “Coronavirus Aid, Relief, and Economic Security Act” or CARES Act recently being passed. Smishing links are the way to entice vulnerable victims. Attackers are sending SMS messages for members of society to preemptively receive stimulus³ as shown in Figure 1 below.⁴

Fig 1 Smushing Messages

Figure 1 - Smishing Messages

Additionally, fake COVID-19 smishing is occurring where the intended victim has been in contact with someone who is infected.⁵ This is especially dangerous as the U.S. government and private partnerships are ramping up contact tracing as an important part of restoration to a normal society.

Phishing – Luring Those Who Are Vulnerable

Here is an example of an attack using phishing and/or potential waterhole attack that could be.

There a lot of non-technical folks communicating over Zoom. During Zoom meetings and virtual happy hours users are changing their backgrounds to lighten the mood. This is an opportunity for an attacker. An attacker can easily create a website that promises and maybe even includes downloadable Zoom backgrounds while delivering malware at the same time.

Another example of COVID-19 changing our behavior is in the amount of home delivery orders being placed. These delivery orders have become a necessity as of late and companies like Amazon have mentioned that the increased demand can impact the timeliness of the delivery. This creates a big opportunity for an attacker. There is a higher degree of probability that users who receive phishing emails regarding Amazon or FedEx packages being delayed Amazon actually have open orders. This would increase the likeliness a user will click the link.

These are just two phishing examples of how attackers take advantage in the change in behavior that has come with COVID-19. Many other phishing scenarios are becoming more prevalent and more damaging, and with the pandemic situation rapidly changing there will be more hypothetical information to phish against, and I’m sure new techniques, tactics and procedures for more advanced phishing campaigns.

As an additional note, Optiv is producing additional Zoom, and other video teleconference (VTC) related information to be published soon.

There are steps that can be taken to ensure remote workers are being vigilant during this time.

References

“Security Tip (ST04-014).” Avoiding Social Engineering and Phishing Attacks | CISA.
Hughes, Trevor. “Fake Cops Are Stopping Drivers for Violating Coronavirus Stay-at-Home Orders.” USA Today, Gannett Satellite Information Network, 9 Apr. 2020, www.usatoday.com/story/news/nation/2020/04/08/coronavirus-stay-home-orders-see-fake-cops-go-after-motorists/5099762002/.
Leonhardt, Megan. “Coronavirus $1,000 Relief Check Plan Not Even Final Yet and Experts Say Fraudsters Are Already Looking to Cash In.” CNBC, CNBC, 19 Mar. 2020, www.cnbc.com/2020/03/19/what-to-know-about-scams-looking-to-cash-in-on-….
“Coronavirus Fake Websites and Phishing Emails: IdentityForce^®.” We Aren't Just Protecting You from Identity Theft. We Protect Who You Are., www.identityforce.com/identity-theft/coronavirus-scams.
Dreier, Natalie, and Cox Media Group National Content Desk. “Coronavirus: Text Scam Claims Exposure to COVID-19.” WFTV, 17 Apr. 2020, www.wftv.com/news/trending/coronavirus-text-scam-claims-exposure-covid-….

By:

Dan Kiraly

Senior Research Scientist | Optiv

Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.