PiChris - Fotolia
Phishers seize upon any opportunity to prey on people, and the COVID-19 pandemic is providing plenty of openings for attacks.
Between March 1 and March 23, security vendor Barracuda Networks detected 467,825 spear phishing email attacks, of which 9,116 were related to COVID-19, accounting for 2% of attacks, the company wrote in a blog post. In comparison, Barracuda detected a total of 1,188 coronavirus-related email attacks in February and just 137 in January.
Welcome to the state of phishing in 2020, which industry experts say is becoming more innovative and sophisticated than ever before. It's not just the pandemic that malicious actors are exploiting. Experts predict phishing attacks will increase as the presidential election in November draws closer.
This means managed cybersecurity services providers will continue to have their hands full monitoring and applying phishing countermeasures, even when the COVID-19 crisis begins to dissipate.
How attackers are exploiting the current climate
The latest trends in phishing efforts range from scams soliciting donations for fake coronavirus research initiatives to attacks that spread ransomware by spoofing official Centers for Disease Control and Prevention updates, observers say.
The COVID-19 pandemic has led to some "really good, sophisticated and convincing phishing attacks" that are preying on people's fears, said Craig Taylor, chief information security officer (CISO) of managed security services firm Neoscope Technology Solutions, in Portsmouth, N.H. Taylor is also CISO for the city of Portsmouth and co-founder of cybersecurity awareness training firm CyberHoot.
Taylor said he has seen phishing incidents where an individual is emailed a form from a hospital with a domain nearly identical to a well-known one, such as Johns Hopkins Hospital. The email says the recipient has potentially been exposed to someone infected with coronavirus. It comes with an attachment that tells the recipient they need to fill out the form to schedule a virus test, he said.
"How scary is it to get that? And people don't know better, and they're fearful and scared, and they open it," Taylor said.
More than 4,000 lookalike domain names were recently registered with "Zoom" in the name, he added. It's indicative that attackers are trying to fashion believable phishing campaigns. "Those registered domain names are a harbinger of attacks that are to come."
Maxime M. Boutin, COO and co-founder of VARs Corp., a Montreal-based managed security service provider (MSSP), said he's seen a recent uptick in the number of phishing attacks. Attacks have grown more sophisticated, he said, because "malicious actors are seeing COVID-19 as an opportunity" to exploit concerns and uncertainty. "They want to seize it to infiltrate organizations and spread their malware, playing on people's fears and doubts."
Boutin said he has seen phishing attempts that offer a map showing how the virus is spreading. In this case, the email instructs recipients to download a file to receive more details. It conveys a sense of urgency, pressuring recipients to see if their region is affected, he said.
Phishing attacks are becoming more personal in nature, noted Francisco Criado, vice president of global security solutions at IT distributor Tech Data in Clearwater, Fla.
"Before, there was a better chance for a causal user to spot a phishing attack," Criado said. "These often-generic attempts would include misspellings or wouldn't address the user by name. Now, we're seeing a lot of instances of spear phishing, in which bad actors and hackers are conducting deeper research into a business or the person they are targeting."
These attacks are more believable in the way phishers position the message, he said. A seemingly sanctioned email might prompt the user to click on a link, which automatically downloads malware capable of logging the individual's keystrokes.
Patrick KinsellaCTO, Onepath
"Another, more advanced technique we're seeing is to mimic a site someone is accustomed to visiting," Criado noted. "When they click on the URL, which appears to be normal, they are prompted to reset their password, providing bad actors and hackers with their credentials to potentially read emails … access other platforms or sell [the information] on the dark web."
People's fears are at an all-time high, which can lead them to act more rashly, noted Patrick Kinsella, CTO at MSSP Onepath in North Andover, Mass. "If a link says, 'Cure is found!' or, 'COVID-19 death toll spikes,' it only makes sense that a person will click it more quickly, even if they're usually cautious," he said said. "Essentially, we're seeing the usual phishing attacks but with a timely spin.''
Phishing countermeasures that channel partners can take
Besides continuously educating customers on threats, multifactor authentication (MFA) is a key phishing countermeasure, especially if a user's credentials have been compromised through a phishing attack, Criado said.
Kinsella agreed. "Over 90% of attacks are essentially nullified by MFA. Along with training and testing, MFA serves as a bulwark against attacks, and it should be implemented across all companies," he said.
Boutin said VARS Corp. uses Ironscales, a phishing protection and mitigation platform that uses AI. Proper endpoint detection and response software is also critical to have in place, he added, "because the average time an attacker can stay in a system is about 206 days, which is crazy."
After malicious actors successfully infiltrate an organization, they don't usually deliver the payload or ransomware right away, Boutin noted. "[They] stay under the radar in the system and move laterally and … use some hacker tools to scan the internal network all the way up until they have enough control to exfiltrate information and send ransomware." This makes it critical to detect an intrusion at the very beginning.
Another tool that VARS Corp. uses as a phishing countermeasure is Cynet's breach detection and response product, he said. "It also has orchestration and automatic remediation that allows for potentially malicious code to be blocked before it has the ability to spread to customers," Boutin said.
Security integration remains a challenge
Many security systems today are "out of the box" and cloud-based, making them easy for users to implement and use, Criado said. "However, companies may have varying requirements when it comes to cybersecurity, especially now that much of the workforce is remote." That's an area where MSSPs can add significant value, he added.
Boutin said most tools have become "extremely easy to deploy." He noted that Ironware can be installed in a half hour.
Taylor added that vendors have gotten very good at embedding tools into their default offerings. The challenge, he's found, is "having too many vendors doing too many things. … It's difficult to manage so many solutions together for security for clients."
The goal is to have a single dashboard with all the features a company needs to simplify things, he said.
"It's not that the technologies are overly complex. It's that each vendor does things in different ways and has different privileges to get in," Taylor said.
It's all about the user
Attackers' social engineering techniques like phishing have been on the radars of partners and customers for some time. While users are becoming somewhat better at recognizing these kinds of attacks, education must continue, observers said.
"Technology is great and definitely helps, but at the end of the day, it's all about the user," Boutin said. "They're the weakest link in the chain."
Security awareness training is helping users stay mindful of the threats, he added. Fewer are getting tricked into clicking on suspicious links, "but bad actors are changing their techniques, and there's going to always be a battle there."
Taylor said Neoscope introduced security awareness training for Portsmouth municipal employees after the city suffered a massive ransomware attack about two years ago. Whereas IT used to get panic phone calls from staff saying they've been attacked, now they're getting calls from people saying they have a phishing email in their inbox. "The city has fared well with this training," he said.