Phish bait: With pandemic-related fears swirling, cybercriminals are finding myriad opportunities to infiltrate businesses

By Brett Johnson
New Jersey | May 26, 2020 at 11:06 am
From our print edition

Whether it’s those eager to read news about COVID-19, see updates on pending Paycheck Protection Program loans or check the status of stimulus checks, businesses and their employees have found reasons to be fast on the draw when it comes to link-clicking on the web.

Hackers are well aware of that.

There’s more than one virus spreading during the pandemic, and cybersecurity experts say a combination of events — employees in less-secure work arrangements, innovations in malware and the pandemic’s emotional cost making people less scrupulous — has created a perfect storm for cybercriminals to unleash more attacks.

Ryan M. Magee, a former cybercrimes prosecutor and current associate in a legal practice at Riker Danzig handling cybersecurity issues, said cybercriminals attempting to pilfer sensitive data from companies was common enough before the pandemic. But, what’s becoming clear to those in the cybersecurity industry is that the opportunity to exploit a moment of fear and uncertainty is too good for attackers to pass up.

“So, people are hearing a lot of the same thing right now,” he said. “What they’re hearing is there’s a higher risk of incidents in the midst of the current pandemic. So, I think the question really is, why is that? And I think the why is answered by the how.”

The approach that’s being taken is as simple as this: Get someone to take interest in an email.

What the pandemic has largely inspired is more “phishing” attacks, or emails purporting to be from a legitimate source that induce individuals to inadvertently reveal financial information or passwords.

“Right now, you’re seeing phishing emails implanting malware on networks that look like a standard coronavirus response update from an organization like WHO,” Magee said. “It may be using legitimate documents as well as giving advice that isn’t outlandish. But it also has a link to a file that — if you were to install it — would implant a trojan horse onto your network.”

Hackers have found more ways than that to take advantage of this catastrophic juncture. There has been an increase in fraudsters promoting highly sought answers about small business loan eligibility to nab more sensitive information from businesses or infect systems. The same has been true for individuals seeking news about stimulus checks.

Karen Randall, who chairs Connell Foley’s Cybersecurity and Data Privacy Group, said the fraudulent activity has even involved offering counterfeit hydroxychloroquine or other touted COVID-19 cures, as well as scamming both individuals and health care businesses with falsely advertised test kits, masks and ventilators.

Sadly, there’s some efficacy to the strategy.

“People are anxious and scared — they want the money they need or that right medicine to give to loved ones,” she said. “Emotions are running high. So, the likelihood of people clicking on a fake email is also pretty high.”

The threat level has risen enough, Randall added, that federal agencies such as the FBI are getting involved and issuing warnings about these scams.

Some of the worst-case malware threats — such as ransomware, a tool hackers use to lock data and demand an expensive ransom for its release — were already on the rise before the pandemic. The U.S. Department of Homeland Security reported several years ago that more than 4,000 ransomware attacks were happening every day.

It’s unclear exactly how many attacks are happening on a regular basis today. But no one in the industry would be surprised to hear it was more than that.

“People in data privacy and cybersecurity know for certain it’s creating a lot of problems right now,” Randall said. “However, there will also be problems not even detected until after people return to work.”

As Randall pointed out, it sometimes takes months to determine if you have a vulnerability that a hacker has exploited.

“So it may take a long while until we see a tsunami of additional attacks,” she said, adding that, at the same time, “Attackers are becoming more sophisticated and have designed even more devious ransomware variants that will be more debilitating.”

Randall referenced malware dubbed REvil, which seizes data and allows hackers to extort the attack’s victim by threatening to release sensitive details. A New York media and entertainment law firm that represents celebrities, including Lady Gaga and Bruce Springsteen, was recently affected by the new attack.

Cybersecurity experts say hackers are also looking for new vulnerabilities during the sudden explosion of remote work, which has left companies without preexisting infrastructure for working from home compressing a monthlong information technology project into a weekend.

Some of what companies could be doing better to plug holes is not complicated.

“The best advice, and perhaps it seems too obvious, is to make sure employees have up-to-date versions and patches of software they’re using to work remotely,” Magee said. “Companies are always upgrading software to protect against new cyberrisk. So, if you have someone using an antiquated version of the software, that individual employee is putting the entire company at risk.”

What’s primarily being recommended involves basic education for a company’s now-remote staffers, especially as setting aside funds for top-of-the-line cybersecurity infrastructure might not be tenable during a period of economic downturn.

Carl Van Dusen, chief operating officer at Riverdale-based Safari Solutions, which just entered a joint venture with Sax LLP to expand the accounting firm’s IT guidance to local businesses, said that’s why no one helping companies stay clear of cyber threats has asked for major new investments.

“Given that those investments right now are hard for companies, finding protections in a cost-effective fashion is important,” he said. “And the good thing is, training your employees to simply know what’s a good email and what isn’t makes a big difference.”

Besides just educating employees on what a phishing attempt might look like, some companies have taken to testing their workforce by sending mock phishing emails, even — and especially — during the pandemic.

One thing companies can’t control is the emotional element of the current moment, the unease and eagerness for updates that makes cybercriminals as effective as they have been.

“We’re all in this together,” Van Dusen said. “We’re all clamoring for more updates than ever before. But, to ensure systems are able to be supported in the best way possible, everyone has to be asking the right questions and looking for all angles of vulnerabilities.”
