As the WHO has declared COVID-19 to be a global pandemic, we have seen a large increase in the exploitation of this theme by threat actors, cybercriminals and nation-state alike, to attack networks and users.
At LIFARS, we have, so far, seen three main “themes”:
- Click-bait type: “the truth about Coronavirus”, “the five things doctors don’t want you to know about COVID-19”, “WHO is about to take these steps to stop the pandemics”;
- Coverage-related type: “your insurance may not cover COVID-19”, “Check if you plan covers Corona virus”;
- Proximity-related type: “find who is infected in your neighborhood”, “COVID-19 tracker”.
When the vector is an email, we have seen either a link or an attached document, often a Word document. The link opens a site that installs or runs malicious code on the computer, the document exploits a vulnerability, which results in the download and execution of malicious code. From official reports, it seems the threat actors also exploit the COVID-19 theme to distribute malware applications for mobile devices using the official Play Store and Apple Store.
Once the link is clicked or the document opened, based on our recent cases, either a ransomware or a data stealer malware is started. In most cases, we have seen Trickbot being deployed, however, there are reports of other tools being used as well.
In the last few days, we have also seen an increase in the wire fraud attempts with the cybercriminals requesting a donation for the victims or pretending to be able to provide goods not available somewhere else, such as medications or vaccines.
How to prevent an infection
As usual: be smart. Anything that plays on the urgency, has over-dramatic tones, or claims to reveal a truth hidden from the public is to be considered as suspicious. In the same way, any communication that prompts you to open a document “that contains important information” or to click on a link should be considered as a threat.
Before opening a document attached to an email or clicking on a link, follow this routine.
- Check the sender – Is it someone you know? Is it a customer or a colleague? Is that person expected to send you a document or a link? If you do not know the sender, consider the email as malicious.
- Check the context – Does the sender usually communicate with me using email? Does the sender usually attach documents or links? If this is unusual, consider the email as malicious.
- Check the language – Are there obvious spelling or grammatical mistakes? Does the tone strike you as unlikely for the sender to use? Is the content stressing the urgency or an immediate action? If any of this is a “yes”, consider the email as malicious.
What if you open one of these?
Do not panic and, more importantly, do not try to fix the issue yourself: call your IT department for help and let them know that you think your machine has been compromised. Do not turn off your computer thinking that it will solve the issue.
LIFARS Can Help You During Prevent Infection
Invest in LIFARS The Daily TRUTH