COVID-19 phishing attacks spike, aided by lagging network defences

The Australian government’s passage of new coronavirus-era financial regulations and massive social-welfare programs are giving cyber criminals a whole new playbook to draw from — and creating new risks for CSOs — as they ramp up their targeting of anxious citizens in home isolation.

With the COVID-19 pandemic likely to persist for many months yet, CSOs should assume that their companies will face increased levels of themed phishing attacks — particularly as successive Australian government policies drive further surges in exploitation of COVID-19 fears. By leveraging existing and emerging security tools to bolster corporate defences, CSOs can build up a corporate immunity to last through these challenging times.

Latest scams prey on COVID-19 relief legislation

So many phone and phishing scammers have been actively exploiting recent changes to superannuation policies — which allow citizens to take out $10,000 from their superannuation retirement savings early without penalty — that the Australian Competition & Consumer Commission (ACCC) was forced to issue a formal warning about the rapidly escalating practice.

Some 87 scam reports had been formally lodged with the government’s ScamWatch service since mid March, the ACCC said, but actual volumes would likely be orders of magnitude higher as COVID-19 related scamscontinue to spread.

“For most people, outside of their home, superannuation is their greatest asset and you can’t be too careful about protecting it,” ACCC deputy chair Delia Rickard said. “The Australian Taxation Office is coordinating the early release of super through myGov and there is no need to involve a third party or pay a fee to get access under this scheme.”

Superannuation is regularly targeted by scammers and cyber criminals, with more than $6 million lost to such scams last year alone.

Another major policy change is likely to see a similar resurgence in policy-related scams after legislation for the unprecedented JobKeeper program — which will pay employers the funds to keep their staff in jobs for the next six months — passed Australia’s Parliament earlier this month in an extraordinary session that saw MPs recalled to Canberra from around the country.

Amidst a flood of new information about entitlements and obligations, CSOs should already be working proactively to warn employees — most of whom are likely now working from home and may be outside of the normal protections of email spam filters — about the likelihood of increased scams, phishing emails, and extortion attempts.

COVID-19 threats “continue to represent a significant portion of the threat landscape,” Proofpoint Australia and New Zealand country head Crispin Kerr said in a statement. “We’ve already seen threat actors use the promise of COVID-19 payments to target consumers.”

Proofpoint, like other security firms, has been observing targeted phishing campaigns such as a series of phishing emails purporting to be from a major Australian newspaper — but actually sent by a Romanian address and containing a PDF file with Microsoft OneDrive branding that requests OneDrive credentials.

Another campaign purports to come from a World Health Organisation (WHO) and International Monetary Fund (IMF) ‘relief compensation’ organisation but also contains an Excel attachment that collects user emails and passwords.

Cyber criminals “know people are looking for COVID-19 information out of concern for their safety and financial wellbeing,” Kerr said, “and that consumers are more likely to click on potentially malicious links, download nefarious attachments, or provide their personal information if related to the pandemic.”

CSOs need to implement DMARC on their network gateways

CSOs in Australia and elsewhere should “be more aggressive in blocking potentially malicious emails and websites from their network gateway,” Australian Cyber Security Centre (ACSC) acting head Karl Hanmore said in recently issuing an extensive warning about the need to be more vigilant against COVID-19 related exploitation.

Recent weeks have seen thousands of COVID-19 related websites being registered — one study by Atlas VPN placed the number at more than 35,500 — with the ACSC flagging concerns about efforts by malicious European, Asian and African cyber actors “seeking to exploit Australians during this difficult time.”

A proactive response has seen the ACSC reaching out to domain registrars here and overseas, as well as telecommunications providers, to block or disrupt their activities — but the cyber criminals were rapidly responding, moving to new malicious websites or adopting new personae such as emulating the Australian government’s core myGov digital-government site.

Heavy spoofing of the World Health Organisation (WHO), which Sophos among others has been observing for many weeks already, has led the organisation to post a warning for users to be careful — and security researchers at firms like Valimail to note that the WHO has still not implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) technology that can block a high level of domain spoofing.

DMARC — which has been explicitly recommended for all organisations in a how-to guide published by the Australian Signals Directorate — has been slowly adopted in Australia as elsewhere.

Despite being around for many years, a of ASX100 companies found that just 39 had yet implemented DMARC — a steep increase over previous years but still far short of ubiquity.

Surges in exploitation of IP addresses and domain names has driven the launch of proactive new security tools from the likes of Heficed, which this month supplemented its managed services with a fast-tracked abuse-prevention capability that can shut down cyber crime-related IP addresses as soon as they are reported.

Even more evil acts on the dark web

The explosion of new attacks is about much more than just Australianised scams and phishing emails, however: Darknet data analysis firm DarkOwl, for one, has observed online dark web markets claiming offering to sell virus-infected blood, facemasks, and other products. More recently, the firm observed offers of an Israel-developed ‘coronavirus vaccine’ of which ten 20mL vials were supposedly available.

Cyber criminals have become so enthusiastic about planting malware on fake coronavirus sites — and luring unsuspecting victims with promises of vaccines — that some domain-name registrars have banned registration of new domains containing the words ‘coronavirus’ and ‘vaccine’.