The coronavirus has become the latest bait that cybercriminals have cast on the Internet. In recent weeks they have used it to plant malicious software on users’ computers or steal their passwords.
COVID-19, which by Wednesday had already exceeded 70,000 infections and 2,008 deaths, has jumped onto the Internet in the form of a new threat. Several cybersecurity companies have detected the use of the virus as a hook to attack users. In late January, IBM researchers discovered phishing emails, designed to steal passwords, in some regions of Japan. The messages referred to the disease but were only a ploy to deliver a popular Trojan, Emotet.
The Israeli firm Check Point has also encountered coronavirus-themed spam campaigns dedicated to spreading the same Trojan. The emails appear to report on the areas where COVID-19 is spreading or claim to offer additional data about the disease.
Using hot topics as a hook to launch attacks is not a new trick. Quite the opposite. “It’s very normal,” says Dani Creus, a researcher at Kaspersky. He is used to seeing cybercriminals run seasonal campaigns, as they are called in cybersecurity. At Christmas or when income tax season arrives, messages are sent with these hooks to encourage users to click on a link or download a malicious file. “Apart from these seasonal campaigns, they often take advantage of some circumstantial event that is of interest to send this type of spam,” says Creus.
His company has been one of those that have detected the use of COVID-19 as bait. In January it found files that allegedly contained video instructions on how to protect yourself from the virus, or even procedures to detect it. What they actually contained was malicious software: Trojans and malware to steal data. Later, Kaspersky discovered emails that again use the virus as a lure to get the user to click on a link. The ultimate goal is to steal the user’s email password.
“The hook used to get the attention of the user is a message supposedly sent from the Center for Disease Control and Prevention in the United States,” says Creus. “They include a link in the body of the message and this link goes to a fake mail system, to steal the user’s credentials.” In this case, the website to which the user was sent was a template identical to the Outlook Web Access platform. The only difference is that the browser’s address bar shows a different URL than the real one: http://www.outlook.com. If the user enters his credentials on this fake page, he sends them directly to the cybercriminals.
The United States Center for Disease Control and Prevention is not the only organization that has been impersonated. In relation to COVID-19, the British company Sophos has detected emails sent in the name of the World Health Organization.
Manuel Ransán, an expert in cybersecurity for citizens and minors at the National Cybersecurity Institute (INCIBE), highlights the growing sophistication of emails intended to deceive the user: “Before, phishing was quite crude. They told you that there had been a problem at the bank and they asked for your passwords. Now they are not such direct messages. Now they camouflage them better and usually associate them with an urgent issue, so that we do not reflect too much and do what they ask.”
The goal is to inspire confidence. “If you refer to current affairs, known entities and prestige, it is always easier for the user to think it is a legitimate message,” says Ransán. The topics can be disparate, although Creus points out that they usually capture the user’s attention with false, very striking information, to lure them into clicking on a link. In this case, according to the Kaspersky researcher, the hooks are “possible vaccines against the coronavirus or simply say that there has been a new advance in the investigation of the disease and, if you want to see more, click on this link. Any news that attracts attention is useful because they know that right now the user is receptive.”
Common sense comes first
Cyberattacks that use the coronavirus as a hook appeal to a very human sense of urgency and fear. This is when the user has to be alert. “You have to suspect all those messages that try to encourage, not only fear, but also the profit motive, greed. All very human feelings,” explains Creus. “Cybercriminals know very well how to use these baits to get hooked psychologically.”
Fortunately, each of the threats mentioned above has been discovered. This means that the indicators associated with them have been entered into the security company’s database. They are also shared with other companies in the industry, so that their antivirus products can protect their own customers too. However, it is likely that other similar threats are circulating at this time or will do so in the future.
“More and more campaigns are associated with current issues, which are having a great impact at national and international level, because in this way they give some credibility to the campaign,” says Ransán, from INCIBE. “Normally, the more morbid interest and curiosity they arouse among people, the more effective they are.”
As a general recommendation, INCIBE emphasizes that the first thing to do with a suspicious email is to check the sender’s address. If the message is supposedly sent by a brand, but the brand does not appear in the email address, there is reason to be suspicious. A legitimate-looking address is no guarantee either, because the sender’s address may have been spoofed.
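The sender check INCIBE describes can be automated at a mail gateway. The following Python code is an added example, not part of the original article: it flags a display name that claims a brand the address does not belong to and, because a legitimate-looking address can be spoofed, also requires a DMARC pass recorded by the receiving server. The brand-to-domain table, the gateway name `mx.example.net` and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: brand -> legitimate sending domains, and the
# name our own mail gateway writes into Authentication-Results (RFC 8601).
BRAND_DOMAINS = {"cdc": {"cdc.gov"}, "world health organization": {"who.int"}}
TRUSTED_AUTHSERV = "mx.example.net"

def dmarc_result(msg):
    """DMARC verdict from our gateway's header only; senders can forge others."""
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(header).split(";")]
        if parts[0].lower() != TRUSTED_AUTHSERV:
            continue  # header not written by our gateway: ignore it
        for part in parts[1:]:
            if part.lower().startswith("dmarc="):
                return part.split()[0].split("=", 1)[1].lower()
    return "none"

def assess_sender(raw):
    """Return a list of reasons to distrust the From header (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        ok = any(domain == d or domain.endswith("." + d) for d in legit)
        if brand in display.lower() and not ok:
            findings.append(f"name claims '{brand}', address is @{domain}")
    verdict = dmarc_result(msg)
    if verdict != "pass":  # address may be spoofed even if it looks right
        findings.append(f"@{domain} not authenticated (dmarc={verdict})")
    return findings

def sample(display, addr, dmarc):  # constructed test messages, not real mail
    return (f'From: "{display}" <{addr}>\n'
            f"Authentication-Results: {TRUSTED_AUTHSERV}; dmarc={dmarc} "
            f"header.from={addr.split('@')[1]}\n"
            "Subject: Coronavirus update\n\nbody\n")

LOOKALIKE = sample("CDC Health Alert", "alerts@cdc-gov.example", "pass")
SPOOFED = sample("CDC Health Alert", "alerts@cdc.gov", "fail")
GENUINE = sample("CDC Health Alert", "alerts@cdc.gov", "pass")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)]:
        print(name, assess_sender(raw))
```

The lookalike message passes DMARC for its own domain, which is why the display-name comparison is needed alongside the authentication check.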
Ransán emphasizes the need to analyze the message critically and, as an additional precaution, not to click on the links in the text or download the attached files. When in doubt, he recommends calling 017, the new phone line INCIBE has set up for cybersecurity incidents. The number is also available to those who have been victims of any type of scam in the digital world.