Malicious cyber actors have been exploiting the COVID-19 crisis, warn the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) in a joint release issued April 8. Bad actors have done so in two main ways: first, by grafting COVID-19-related themes onto standard cyberattack practices; second, by exploiting vulnerabilities in services that have seen increased use since the pandemic began.

Standard Practices with COVID-19-Related Themes

Phishing Emails

• Phishing emails have contained subject lines like “2020 Coronavirus Updates.” These emails often purport to come from sources entities, such as the World Health Organization (WHO), individuals titled “Dr.,” (including Dr. Tedros Adhanom, the actual director-general of the WHO), or their company’s HR department.
• Emails have also included subject lines related to technologies that users have begun employing since COVID-19, such as Zoom or Microsoft Teams.
• Phishing emails have both sought sensitive information (e.g., financial information, usernames, and passwords) by directing users to spoofed websites, and deployed malware by duping users into opening malicious files.
  • Spoofed websites often contain COVID-19-related wording, resemble actual websites (including increasingly popular communications platforms), or are customized for the intended victim.
  • Malicious files have COVID-19-related filenames, or filenames related to popular communications platforms such as Zoom or Microsoft Teams.
• Tip: Users should always check the URL of websites they visit or consider visiting. They should be especially vigilant, as some spoofed websites’ URLs have contained “coronavirus” or similar terms.
• Tip: Users should be especially vigilant when downloading software their company has recommended for teleworking. They should download software only from sources recommended by their organization’s IT department.

Phishing via SMS

• UK users have received phishing text messages promising them a COVID-19-related government rebate by clicking a link to a phishing website.
• Tip: US users should expect similar scams given the passage of the CARES Act, which includes such a rebate. As the IRS has indicated, people who qualify for the rebate will receive it by direct deposit, and those who have provided the IRS with direct deposit information in the past two years need take no action.

Vulnerabilities in Newly-Deployed Technologies

Teleworking Infrastructure

• Hackers have been exploiting vulnerabilities in virtual private networks (VPNs) and other remote working tools, such as Citrix.
• Guidance on these vulnerabilities have been provided by CISA for Citrix and certain VPNs, and the NCSC for Citrix, and other VPNs.

Communications Platforms

• Malicious actors have spoofed popular communications platforms, such as Zoom and Microsoft Teams.
• Bad actors have also hijacked online meetings. Colin Zick’s recent blog post shares helpful tips on securing Zoom meetings.

Hackers have successfully exploited individuals’ curiosity about COVID-19 and their relative unfamiliarity with teleworking technologies. Users should be especially careful when interacting with COVID-19-related topics and new technologies, and IT departments should make them aware of the unique threats they pose.