Cyber-Attackers Exploiting Coronavirus Fears to Infect Computers

As the coronavirus pandemic intensifies its grip around the world, it may be difficult for people who constantly seek new information about it online to recognize that cyber-attackers have no compunctions about exploiting popular fear and uncertainty for their own benefit.  Two recent reports indicate that malicious actors are actively exploiting people’s concerns about coronavirus to infect computers with malicious code.

On March 5, software firm Check Point reported that more than 4,000 coronavirus-related domains had been registered globally since January 2020.  According to Check Point's data, weekly coronavirus-related domain registrations rose rapidly from approximately 100 in the week of January 13 to nearly 1,000 in the week of January 27, and remained near 1,000 in the week of February 10.  Check Point found that of those 4,000 registered domains, 3 percent were malicious and an additional 5 percent were suspicious.  Check Point also concluded that coronavirus-related domains are 50 percent more likely to be malicious “than other domains registered at the same period, and also higher than recent seasonal themes such as Valentine’s day.”

In addition, Check Point reported that “a widespread targeted coronavirus themed phishing campaign was recently spotted targeting Italian organizations.”  That campaign reached 10 percent of all organizations in Italy “with the aim of exploiting concerns over the growing cluster of infections in the country.”

On March 11, The Next Web reported that a security researcher at Reason Labs found that hackers are exploiting the popularity of the dashboards that organizations have created to track the spread of coronavirus “to inject malware into computers” and steal information such as user names, passwords, and credit card numbers stored in users’ browsers.  The researcher found that hackers are designing websites that “pose as genuine maps for tracking coronavirus, but have a different URL or different details from the original source.”

Note:  As more and more employees are working from home during the pandemic, they are likely to be using their computers for extended periods for both work and personal purposes.  For that reason, information-security officers in all types of organizations should bring these reports to the attention of all corporate employees, and provide the following directions:

  • Do not use your work computers to search for information about coronavirus developments. Even a single point of entry for a cyber-attacker can potentially result in compromise of an entire network.
  • When you use your personal computer to seek out coronavirus information, do not click on every site that purports to offer virus-tracking or -reporting information, as “lookalike” domains are highly likely to be malicious. Instead, use only dashboards that you have verified come from the actual organizations presenting them, and reach them by typing the organization’s address or following a link from its own site rather than from a link in an email, post, or text.
  • Ignore any websites, emails, posts, or texts that promise information about coronavirus “cures” or vaccines – there are none, according to the Centers for Disease Control and Prevention.
  • If you see purportedly coronavirus-related emails, websites, or domains that appear suspicious, do not click on any links in them; instead, report them to the email address your organization has designated for reporting spam and fraudulent emails.

Dubai Manager Sentenced to Five Years’ Imprisonment for Taking Bribes

On March 9, according to Gulf News, the Dubai Court of First Instance sentenced a Dubai manager at an unnamed government entity to five years’ imprisonment, a fine of Dh1.85 million (US$503,587), and repayment of that amount “for taking more than Dh1 million [US$272,209] in bribes to facilitate unauthorised payments and procedures.”

The Court of First Instance reportedly stated that the unnamed defendant “sought a Dh1 million bribe from a contracting company in return for facilitating a payment of Dh50 million [US$13.6 million] on a project the company had won with a government entity,” and “accepted Dh856,000 [US$233,000] in bribes from three other companies in return for helping them be listed as service providers with the government entity, between November 9, 2017 and July 5, 2018.”  Records showed that Emirati police received information about the manager’s bribe-taking, and authorities arrested him “after setting a trap for him.”

In addition to the manager, four other unnamed defendants, all Indian nationals, were convicted and sentenced in the case.  One of those defendants, who “was convicted of mediating between the Emirati defendant and the bribing companies,” was sentenced to five years’ imprisonment, a Dh100,000 (US$27,220) fine, and deportation.  The three other defendants, “who worked at the companies which paid the bribes,” were convicted of offering bribes and were each sentenced to three years’ imprisonment and deportation.  In addition, each of those three defendants was fined and ordered to repay to the government entity an amount equal to the fine: one was fined Dh250,000 (US$68,052), a second Dh100,000 (US$27,220), and the third Dh500,000 (US$136,105).

Note: These prosecutions are the latest in a series of criminal sentences since November 2019 that Dubai courts have imposed on managerial-level staff (both Emirati and foreign nationals) for bribery and other corruption-related conduct.  While reports of aggregate prosecution statistics are always instructive, reports about specific criminal prosecutions, particularly for financial crimes such as bribery and corruption, are even more useful in demonstrating the capacity and willingness of prosecutors to pursue complex criminal cases and of courts to impose appropriate sentences for such cases.

United Kingdom to Announce Economic Crime Levy to Raise Funds for Anti-Money Laundering Measures

On March 7, Reuters reported that United Kingdom Chancellor of the Exchequer Rishi Sunak is expected to announce next week that the United Kingdom Government will impose an Economic Crime Levy “on banks and other firms regulated for anti-money laundering to raise up to 100 million pounds ($130 million)” for anti-money laundering (AML) measures.

The new Levy – expected to be included in the Chancellor’s first budget on March 11 – would be used “to generate cash for new technology for law enforcement and to hire more financial investigators.”  The United Kingdom Treasury is expected to hold a public consultation this spring about which financial institutions would be asked to contribute to the new Levy.  The Levy reportedly would come into force in 2022-23.

Note: The Government’s Economic Crime Plan for 2019-2022 estimated that the scale of money laundering affecting the United Kingdom annually “is likely to be tens of billions of pounds.”  Measures such as the Joint Money Laundering Intelligence Taskforce (JMLIT), which has provided an important vehicle for public-private sector information-sharing, and use of Unexplained Wealth Orders and Account Freezing Orders have improved the Government’s capacity to combat money laundering effectively.

After years of severe funding cutbacks under the Conservatives’ “austerity” budgets, however, law enforcement has needed an infusion of fiscal resources for proper staffing and technological support to deal with, among other issues, the adaptability and sophistication of money laundering organizations.  While the planned levy for that purpose would be welcome, the timeframe for effecting it is far too extended.   As money launderers will not wait another two to three years to refine their methods and techniques, neither should the Government wait to provide critical resources to combat the threat they pose.

APWG Issues 4th Quarter 2019 Phishing Activity Trends Report

On February 24, the APWG (formerly the Anti-Phishing Working Group) released its report for the 4th quarter of 2019 on phishing activity trends.  Key points in the report include:

  • Number of Phishing Sites: The number of unique phishing sites fluctuated substantially during 4Q2019, from 76,804 in October to 39,580 in November to 45,771 in December. (3)
  • Number of Brands Targeted: The number of brands targeted by phishing attacks remained highly consistent, averaging 333 per month. (3)
  • Phishing Targets: Software-as-a-service (SaaS) and webmail sites remained the most frequent targets of phishing, accounting for 30.8 percent of targeted sectors. “Phishers continue to harvest credentials to those kinds of sites, using them to perpetrate business e-mail compromises (BEC) and to penetrate corporate SaaS accounts.” The next most-targeted sectors were payment (19.8 percent) and financial institutions (19.4 percent). Attacks against the cryptocurrency, logistics/shipping, gaming, insurance, energy, government, and healthcare sectors were negligible during the quarter, as each accounted for less than 1 percent of all phishing attacks detected. (5)
  • Business Email Compromise: In business email compromise (BEC) schemes, gift cards remained the form of payment criminals requested most frequently (62 percent), and criminals continued to use them to cash out during the holiday shopping season. The report indicated that cybercriminals may have been seeking to launder money by using the cards to buy physical goods that they could then sell.  (6-7)
  • SSL Protection: 74 percent of all phishing sites use Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). This percentage – the highest recorded since the start of 2015 – is yet another indication that users cannot rely on the browser padlock alone to determine whether a site is safe: a certificate shows only that the connection is encrypted to whoever controls that domain, not that the domain belongs to the organization it imitates. (11)
  • Brazilian Trends: In Brazil, the number of phishing incidents increased dramatically, from 3,230 in 1Q2019 to 8,872 in 4Q2019. (9-10)
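The “lookalike” domain warning in the coronavirus item above and the TLS figure in this report point at the same triage need: deciding whether a URL an employee has forwarded is what it claims to be, without treating a padlock as evidence. The script below is an added example, not code from Check Point, the APWG, or the original article. The trusted hosts, the keyword list, and the sample URLs are constructed for illustration, and the registrable-domain logic is a deliberately crude two-label approximation rather than a public-suffix lookup.

```python
# Added example (not code from Check Point, the APWG or the original article):
# triage user-reported URLs for pandemic-themed hosts and lookalikes of
# trusted dashboard hosts.  TRUSTED_HOSTS and SAMPLE_URLS are constructed.
from urllib.parse import urlsplit

# Assumption: hosts the organization has itself verified as genuine dashboards.
TRUSTED_HOSTS = {"dashboard.example.org", "tracker.example.net"}
THEME_KEYWORDS = ("corona", "covid", "ncov", "pandemic", "vaccine")


def registrable_domain(host):
    """Last two labels of a host: a crude stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# Subdomains of a trusted registrable domain are trusted too, which assumes
# the organization controls that whole domain.
TRUSTED_DOMAINS = {registrable_domain(h) for h in TRUSTED_HOSTS}


def edit_distance(a, b):
    """Levenshtein distance; small non-zero values flag typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return a verdict dict for one URL.  HTTPS is recorded but never counts as trust."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    result = {"url": url, "host": host, "tls": parts.scheme == "https", "reasons": []}
    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result
    for kw in THEME_KEYWORDS:
        if kw in host:
            result["reasons"].append("pandemic keyword in host: " + kw)
            break
    for trusted in TRUSTED_HOSTS:
        # e.g. dashboard.example.org.<attacker-domain>: trusted name, wrong owner
        if trusted in host:
            result["reasons"].append("trusted name embedded in untrusted domain: " + trusted)
    for tdom in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, tdom) <= 2:
            result["reasons"].append("typosquat of " + tdom)
    result["verdict"] = "suspicious" if result["reasons"] else "unknown"
    return result


# Constructed sample of URLs as employees might forward them for review.
SAMPLE_URLS = [
    "https://dashboard.example.org/map",
    "https://dashboard.example.org.covid-live-map.com/",
    "https://examp1e.org/cases",
    "http://www.weather-example.com/",
]

if __name__ == "__main__":
    for r in map(classify, SAMPLE_URLS):
        print(r["verdict"], r["host"], "tls=%s" % r["tls"], r["reasons"])
```

In the constructed sample, the second URL is flagged on two counts (a pandemic keyword and the trusted host name embedded under a different registrable domain) even though it is served over HTTPS; the third is flagged as a typosquat; the fourth is merely unknown, which is the correct answer for a host the organization has never vetted.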

Note:  This Report, like the other APWG phishing trends reports, demonstrates the ubiquity and adaptability of sophisticated cybercriminals.  Information security officers should disseminate the Report to their teams, and share it with their financial-crimes compliance teams as well.

Local Prosecutors Forced to Dismiss Criminal Cases Because of Ransomware Attack

On February 21, television station WPTV in West Palm Beach, Florida reported that because of a 2019 ransomware attack that locked Stuart (Florida) Police Department officers out of their computers, the local State Attorney’s Office found it necessary to dismiss 11 narcotics cases involving alleged drug dealers because of the loss of evidence.

According to a Stuart Police Department spokesman, the cyberattackers used a “spear phishing” attack to disseminate the Ryuk ransomware, which was in the Stuart Police computers for approximately two months before the attackers sent the Department a ransom note demanding $300,000 in Bitcoin.  When the City of Stuart refused to pay the ransom, the Police Department was unable to recover 1 ½ years of digital evidence that included photographs and videos.

WPTV also reported that losing data (or evidence, in the Stuart Police Department’s case) “is highly common when an agency is hit by hackers.”  In the words of the Stuart Police Department spokesman, “I can’t recall, in speaking to my federal partners, that there has been a case where data has not been lost.”

The report said that the Stuart Police Department “has changed the way they save and store evidence, and city officials are now aggressively training employees to identify phishing emails.”

Note: This report should be of substantial concern to law enforcement officers and prosecutors across the country.  Any ransomware attacks directed at government agencies are cause for concern, but ransomware attacks like the Stuart attack that result in loss of evidence in criminal prosecutions represent a significant threat to the rule of law and the justice system.

Prosecutorial, police, and other law enforcement agencies cannot depend solely on cybersecurity software to safeguard the evidence they need for criminal prosecutions.  As the Stuart Police ransomware attack demonstrated, a single individual who clicks on a malicious link can compromise an entire computer network.  For that reason, if they are not already doing so, those agencies need to establish procedures for frequent backups of potential evidence to offline repositories that a compromised network cannot reach, to test that those backups can actually be restored, and to be able, if necessary at trial, to prove to courts that the data have not been altered or damaged in any way; recording a cryptographic hash of each item of evidence when it is collected, and keeping that record with the offline copy, is a standard means of doing so.  The cost of providing such offline storage will be far less than the cost of admitting publicly that viable prosecutions had to be dismissed because police and prosecutors failed to take simple measures to protect their evidence.
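One way to make the last point concrete: hash each evidence file when it is collected, keep the manifest (and the key that authenticates it) with the offline copy, and re-verify the restored copy before it is offered at trial. The code below is an added example, not the Stuart Police Department’s procedure or any vendor’s product; the directory layout, file contents, and key are constructed for illustration.

```python
# Added example, not the Stuart Police Department's procedure: seal a set of
# evidence files with a hash manifest at collection time and verify a restored
# copy against it.  Paths, file contents and the key below are constructed.
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: this key lives with the offline backup, not on the evidence
# server, so an attacker who can rewrite both the files and the manifest on
# the server still cannot produce a manifest that verifies.
MANIFEST_KEY = b"constructed-offline-key"


def sha256_file(path):
    """Stream a file through SHA-256 so large video files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def files_under(root):
    """Relative paths of every file under root, in a stable sorted order."""
    rels = []
    for dirpath, dirnames, names in os.walk(root):
        dirnames.sort()
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rels.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return rels


def manifest_tag(files):
    """HMAC over the canonical JSON listing, so the listing itself cannot be edited."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def build_manifest(root):
    """Hash every file under root and authenticate the listing."""
    files = {rel: sha256_file(os.path.join(root, rel)) for rel in files_under(root)}
    return {"files": files, "tag": manifest_tag(files)}


def verify_manifest(root, manifest):
    """Return (manifest_authentic, problems).  An inauthentic manifest proves nothing."""
    if not hmac.compare_digest(manifest_tag(manifest["files"]), manifest["tag"]):
        return False, ["manifest tag mismatch"]
    problems = []
    for rel, digest in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append("missing: " + rel)
        elif sha256_file(full) != digest:
            problems.append("modified: " + rel)
    for rel in files_under(root):
        if rel not in manifest["files"]:
            problems.append("unexpected: " + rel)
    return True, problems


def demo():
    """Seal constructed evidence, then show what file tampering and manifest forgery look like."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "case-1"))
    samples = {"case-1/notes.txt": b"constructed seizure notes",
               "case-1/photo.jpg": b"\xff\xd8 constructed jpeg bytes"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = build_manifest(root)
    results = {"clean": verify_manifest(root, manifest)}

    # Scenario 1: a file is altered after sealing; the manifest is untouched.
    with open(os.path.join(root, "case-1/notes.txt"), "ab") as f:
        f.write(b" (altered)")
    results["tampered"] = verify_manifest(root, manifest)

    # Scenario 2: the attacker also rewrites the manifest's digest for that
    # file but cannot recompute the tag without the offline key.
    forged = {"files": dict(manifest["files"]), "tag": manifest["tag"]}
    forged["files"]["case-1/notes.txt"] = sha256_file(os.path.join(root, "case-1/notes.txt"))
    results["forged"] = verify_manifest(root, forged)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The design point is the split between the two checks: per-file hashes detect which items changed, while the keyed tag over the listing stops an intruder with write access to the evidence server from simply re-hashing the altered files and replacing the manifest. For court purposes the manifest and the verification output would be kept alongside the restored copy as part of the chain-of-custody record.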