By April 13, 2020

How Remote Workers Can Beat Crafty Cyber Criminals During The Coronavirus Crisis


It’s no longer news that internet fraudsters and cyber criminals alike are resorting to a range of tactics to milk the COVID-19 pandemic for all it’s worth. As such, businesses that operate mainly online are at risk of attack. Indeed, there’s no better time than now for firms to become super conscious and diligent about their cybersecurity.

Even the World Health Organization (WHO) has made it quite clear that these times are a great opportunity for internet desperadoes. According to the organization, hackers and scammers are taking advantage of the pandemic by sending fraudulent email and WhatsApp messages to trick people into clicking malicious links or opening attachments. Some even pose as the WHO.

Cyber Crusade

Just 2 days after the WHO launched the Solidarity Response Fund, cyber thieves were asking for Bitcoin-based donations under the pretence that they run the charity. They went as far as implying that donations are fully tax-deductible in the United States or Europe.

In spite of different ethical frameworks, cyber criminals are sparing no avenue to capitalize on human fears and the pandemic. The emotional stress of the crisis has left many people less vigilant. Not all cyber criminals are equipped to capitalize on the ongoing epidemic, but that does not stop them from trying.

WeeTracker asked Singapore-based cybersecurity firm Group-IB about the state of things. The company said it detects COVID-19-related phishing emails every day. Most of these emails are disguised as alerts or notifications allegedly sent by international healthcare organizations—like the WHO—local authorities and even pharmacies.

Group-IB says the emails can contain links or attachments. By clicking on them in the hope of learning something new about the virus, users may inadvertently open up their devices to quick spyware and ransomware installations.

“The potential success of such cyber attack attempts is much greater as employers in various professional fields worldwide are transferring their staff to remote work and artificially expanding the corporate security perimeters,” the firm said. 

Attacks

In South Africa, there was a sharp spike in network attacks between the 15th and 21st of March, 2020. The number of affected devices increased from an average of 30,000 to a peak of approximately 310,000 over that stretch of a few days. Interestingly, the attacks happened at a time when remote work was one of the country's best responses to a national lockdown.

Nevertheless, Moscow-based cybersecurity firm Kaspersky told WeeTracker that South Africa is not the only country under the cyber assault microscope. Its findings are that Africa is seeing an increase in attempts to break into organizational systems to gain control, sabotage and access their sensitive data. 

Notably, remote work gives cyber criminals a prime opportunity to target devices, especially those lacking sufficient IT security measures. Such a spike, although temporary, leads Kaspersky to believe that cybercriminals have been keenly focused on Africa given the current rapid increase in remote working protocols.

“The attack types used varied, yet a third of them were attempting to penetrate the network with the brute-forcing of passwords (repetitive attempts at various password combinations). This technique is very common and often works well with weak or repetitively used passwords or poorly configured systems,” Kaspersky said.
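The pattern described in the quote, many failed logins from one source in a short time, can be spotted in authentication logs. The following is an added example, not code from Kaspersky or the article; the log format, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp source-ip username result" (hypothetical format).
SAMPLE_LOG = """\
2020-03-18T09:00:01 203.0.113.7 admin FAIL
2020-03-18T09:00:03 203.0.113.7 admin FAIL
2020-03-18T09:00:05 203.0.113.7 admin FAIL
2020-03-18T09:00:08 203.0.113.7 admin FAIL
2020-03-18T09:00:11 203.0.113.7 admin FAIL
2020-03-18T09:00:15 203.0.113.7 admin OK
2020-03-18T09:05:00 198.51.100.20 thandi FAIL
2020-03-18T09:05:40 198.51.100.20 thandi OK
2020-03-18T11:30:00 198.51.100.20 thandi FAIL
"""

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: {"failures": n, "success_after": bool}} for sources
    with at least `threshold` failed logins inside any `window`."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines rather than crash
        ts_raw, source, _user, result = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        fails = recent[source]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold:
                entry = flagged.setdefault(
                    source, {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(fails))
        elif result == "OK":
            # A success right after a flagged burst suggests a guessed password.
            if source in flagged and fails:
                flagged[source]["success_after"] = True
            fails.clear()
    return flagged
```

A single mistyped password followed by a successful login, as in the second source above, is not flagged; a flagged burst that ends in a success is the case to investigate first.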

Sophistication

Cybersecurity attacks are only as sophisticated as the entities they are trying to break into. For example, there is the infamous Ginp banking Trojan. In March, it acquired the ability to insert fake text messages into the inbox of a regular SMS app, and it now takes advantage of the pandemic.

Once downloaded on a victim’s phone, Ginp can receive a command from the attacker to open a Web page titled ‘Coronavirus Finder’. The said finder claims there are people nearby infected with the virus. In order to learn where these individuals are, the victim is asked to pay a small sum of money. 

If the victim agrees, he or she is transferred to a payment page. Once the payment details have been entered, the victim is neither charged this sum nor does he or she receive any information about those ‘infected’. Instead, their credit card information has just been handed over to cybercriminals.

Cybercriminals have, for months, attempted to take advantage of the coronavirus crisis by launching phishing attacks and creating coronavirus-themed malware. However, this is the first time we have seen a banking Trojan attempting to capitalise on the pandemic. It is alarming since Ginp is such an effective Trojan. 

False Hope

Cybercriminals are seeking to exploit people’s concerns for their health and the safety of their loved ones in an attempt to pressure them into falling into a trap. During the past few weeks, cyber researchers have detected malicious files that were masked under the guise of pdf, mp4 and docx files about the Coronavirus. 

The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat, and even virus detection procedures, which is not actually the case. In fact, these files contained threats to users’ devices.
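A mail gateway or help desk can catch this kind of disguise by comparing an attachment's name with its leading bytes. The following is an added example, not code from the article or the vendors quoted; the list of risky extensions is an assumption, and the file names and bytes are constructed.

```python
import os

# Leading bytes ("magic numbers") for the formats named above, plus the
# Windows executable header a disguised file may actually carry.
PDF, ZIP, MZ = b"%PDF-", b"PK\x03\x04", b"MZ"
RISKY_EXTS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".bat"}  # assumed list

def sniff(head):
    """Guess the real type from the first bytes of the file."""
    if head.startswith(MZ):
        return "windows-executable"
    if head.startswith(PDF):
        return "pdf"
    if head.startswith(ZIP):
        return "zip-container"      # docx is a ZIP archive
    if head[4:8] == b"ftyp":
        return "mp4"                # ISO media: 'ftyp' box at offset 4
    return "unknown"

EXPECTED = {".pdf": "pdf", ".docx": "zip-container", ".mp4": "mp4"}

def check_attachment(name, head):
    """Return a list of findings for one attachment (empty list = no finding)."""
    findings = []
    stem, ext = os.path.splitext(name.strip().lower())
    inner_ext = os.path.splitext(stem)[1]
    # "advice.pdf.exe": a document-looking name that ends in an executable type.
    if ext in RISKY_EXTS and inner_ext in EXPECTED:
        findings.append("double extension hides " + ext)
    elif ext in RISKY_EXTS:
        findings.append("executable or script type " + ext)
    real = sniff(head)
    if ext in EXPECTED and real != EXPECTED[ext]:
        findings.append("named %s but content is %s" % (ext, real))
    return findings

# Constructed samples: (file name, first bytes). Not taken from real campaigns.
SAMPLES = [
    ("coronavirus_safety.pdf", b"%PDF-1.5\n"),
    ("virus_detection_procedure.docx", b"MZ\x90\x00\x03\x00"),
    ("protect_yourself.mp4.exe", b"MZ\x90\x00"),
    ("update.mp4", b"\x00\x00\x00\x18ftypmp42"),
]

def scan(samples=SAMPLES):
    return {name: check_attachment(name, head) for name, head in samples}
```

An empty result only means the name and the header agree; a genuine docx or pdf can still carry malicious content, so this check complements the security software rather than replacing it.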

Cybercriminals recognise the important role of the World Health Organisation (WHO) in providing trustworthy information about the Coronavirus. To this end, an Excel file distributed via email under the guise of a list of Coronavirus victims allegedly sent from the WHO was in fact a Trojan-Downloader. 

This secretly downloads and installs another malicious file, a Trojan-Spy designed to gather various data, including passwords, from the infected device and send it to the attacker. Another email also allegedly from the WHO leads to a phishing website that gathers victims’ personal data.

Kaspersky is also detecting emails offering products such as masks leading to phishing websites or fake offerings of vaccines. Some spam emails contain fake information about wondrous vaccines developed for the Coronavirus.

Protecting Remote Work

Working away from the four walls of an office or organization is very new to some people. As such, they are likely to be visited by internet cracksmen. WeeTracker asked both cybersecurity firms—Group-IB and Kaspersky—how remote workers can always be on their guard and avoid falling prey to the designs of hacking criminals.

Speaking about specific examples, Group-IB believes that financial institutions, telecom operators, and IT companies are at particular risk, since cyber criminals might go ahead with attacks on their employees working remotely to steal money or personal data.

“The universal shift to remote work indeed poses certain threats, which companies, however, can remedy bearing in mind the potential risks that this change might pose to their security perimeters and investing their resources in awareness-raising work with their staff who took on some new responsibilities in terms of securing corporate cybersecurity,” Group-IB submits. 

Some of the mandatory measures include protecting remote access to the organization’s network with two-factor authentication, transferring all connected hosts to a separate isolated zone from which they will access required services, and installing the latest security updates on the devices used for remote work.

Cybersafety

Other recommendations from the privately held cyber intelligence firm include some requirements for the operating system of devices used by employees for remote work, the conduct of RDP sessions and preconditions for the use of mobile devices in distance working. 

For ordinary staff members, whose role in securing corporate cybersecurity is growing in light of the ongoing pandemic, using company computers instead of personal devices for work is advised. Also, ensure that two-factor authentication is enabled for all messengers and services used for work.

Moreover, one should always pay attention to the equipment used for establishing an online connection. Users should change the default password on their home router to prevent attackers from accessing their network by simply brute-forcing the password.

It also goes without saying that employees should secure the right settings of remote access tools and VPN connection with the help of corporate IT specialists.

In a bid to help companies adapt to the new developments on the cyberthreat landscape, Group-IB has set up the StayCyberSafe portal and developed comprehensive recommendations for both information security experts organizing remote work and ordinary employees working from home. 

Bigger Picture

Home-based employees do not pose any risks to the company network if the organisational approach to cybersecurity is comprehensive. However, there are two major potential risks that need to be kept in mind.

“Employees’ usage of unprotected devices when connecting to the corporate network, and connection via unsecure Wi-Fi and 4G/5G networks,” Bethwel Opil, Enterprise Sales Manager at Kaspersky in Africa told WeeTracker. 

The best practice would be to use a corporate device, instead of a personal one. The biggest mistake any company can make is to consider an employee device insignificant and ignore the fact that it might be the entry point of a cyberattack. 

Last year, Kaspersky research found that a third of cyber incidents started from employees’ devices. In 34 percent of cases, it was either a download of a malicious file from an e-mail or a malicious website.

So, the more potentially contaminated or unprotected machines are connected to the corporate network, the larger the potential risk of infection. Kaspersky research shows that most threats are not targeted, but instead come from mass-campaigns that rely on human errors or holes in outdated software.

More Precautions

If businesses are to mitigate the risks of an attack during these uncertain times, they should follow these basic precautions:

  • Provide a VPN for all staff to connect securely to the corporate network.
  • All corporate devices (including smartphones and laptops) must be protected with appropriate security software. 
  • Furthermore, the software must provide the functionality for data to be wiped from devices that are reported lost or stolen, segregate personal and work data, and restrict which apps can be installed.
  • Be sure to implement the latest updates to operating systems and apps.
  • Restrict the access rights of people connecting to the corporate network based on the need-to-know and least privilege principles.
  • Remind employees about basic cybersecurity rules. For example, do not follow links in emails from strangers or unknown sources, use strong passwords, and so on. 
  • Staff must be made aware of the dangers of responding to unsolicited messages. Also, it is essential to agree on rules of work: whether all questions are asked in protected chats and conference calls are made via secured channels.

Image Courtesy: Brookings Education