Coronavirus-themed domain registrations 50% more likely to be from malicious actors; popular virus-tracking map impersonated by malware.
A recent screenshot of the real Johns Hopkins coronavirus tracker.
Hackers and cybercriminals have been leveraging the hype and fear connected with the growing COVID-19 pandemic as a tool to steal passwords and data.
Coronavirus-themed domain registrations are 50% more likely to be from malicious actors than other domain registrations, Check Point Software Technologies Ltd. found in a study. Since that report was released last week, there have been some high-profile examples, most notably an attack aimed at a popular interactive COVID-19 tracking map maintained by Johns Hopkins University.
Noted security blogger Brian Krebs reported Thursday that cybercriminals are selling malware that impersonates the map in order to infect the people who open it. Johns Hopkins spokeswoman Jill Rosen said the university is aware of the malware that impersonates its COVID-19 site, and warned users to trust only the maps at its own site and the one maintained by ArcGIS. The malware does not spread through the real map: a victim has to download and run software that generates the fake map, Rosen told MarketWatch.
“If you receive an email containing a link to download such an item or come across the code for the malicious app please report it immediately to the Esri incident response team through ArcGIS Trust Center security concern page,” Rosen said in a statement.
Just as doctors say frequent hand-washing and respiratory hygiene are the best defense against the coronavirus, cybersecurity professionals stress that computer users need to be more wary of what they click, for example by not opening an email attachment from an unknown source, and point to the other tips offered by the Cybersecurity and Infrastructure Security Agency.
These ploys, which trick computer users into downloading malware by tapping into fear and anxiety, are as old as the internet, said Charles Poff, chief information security officer at SailPoint Technologies Holdings Inc.
“Despite international efforts to quell the virus, the World Health Organization recently classified this as a global pandemic; online scammers are trying to exploit this uncertainty through phishing attempts and bunk domain names,” Poff said.
“An email seemingly from the CDC is trying to lure vulnerable people into clicking links to learn more about the virus but ultimately leading them astray,” Poff said. “Not only am I recommending people to be cautious about opening email and files received from unknown senders, but also to beware of look-alike domains that are phony websites.”
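The "look-alike domains" Poff warns about can be triaged mechanically. The script below is an added example written for this page, not code from Check Point, SailPoint or any other vendor named here. It takes a list of candidate domains (constructed inline; in practice they would come from a new-registration feed or proxy logs), treats the sites the article names as legitimate (the Johns Hopkins map, ArcGIS, the CDC and the WHO) as a trusted set, and flags names that carry a coronavirus lure keyword, embed one of those brands as a label, sit one edit away from a brand, or collapse to a trusted domain once common digit-for-letter substitutions are undone. The keyword list, the confusable map and the brand labels are assumptions chosen for the example, not a vendor's feed.

```python
"""Triage candidate domains for coronavirus-themed lures and look-alikes of
the sites the article names as legitimate. Added example; every list below
is an assumption for illustration, not data from the page or any vendor."""
import unicodedata

# Sites the article points readers to (assumed trust set for this example).
TRUSTED = {"coronavirus.jhu.edu", "jhu.edu", "arcgis.com", "cdc.gov", "who.int"}
# Brand labels attackers embed in look-alike names (assumed, derived from TRUSTED).
BRANDS = {"jhu", "johnshopkins", "arcgis", "cdc", "who"}
# Lure keywords matching the campaigns described (assumed list; short generic
# words such as "cure" are left out because they match ordinary names).
LURE_KEYWORDS = ("coronavirus", "corona", "covid", "ncov", "pandemic", "vaccine")
# Digit/letter substitutions commonly used in typosquats (assumed list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip the trailing dot, fold accented/compatibility characters
    to ASCII and undo the confusable substitutions above."""
    s = unicodedata.normalize("NFKD", domain.strip().rstrip(".").lower())
    s = s.encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str) -> bool:
    """Exact match or a subdomain of an entry in TRUSTED."""
    d = domain.strip().rstrip(".").lower()
    return d in TRUSTED or any(d.endswith("." + t) for t in TRUSTED)


def assess(domain: str):
    """Return (verdict, reasons): 'trusted', 'suspicious' or 'unremarkable'."""
    if is_trusted(domain):
        return "trusted", []
    reasons = []
    raw = domain.strip().rstrip(".").lower()
    norm = normalize(raw)
    # Non-ASCII or punycode labels are where homograph attacks hide.
    if not raw.isascii() or any(lbl.startswith("xn--") for lbl in raw.split(".")):
        reasons.append("idn-label")
    # Undoing confusables turned the name into a trusted domain (e.g. wh0.int).
    if norm in TRUSTED:
        reasons.append("homoglyph-of:" + norm)
    # Split on dots and hyphens so "cdc-gov.com" exposes the label "cdc".
    labels = [p for lbl in norm.split(".") for p in lbl.split("-") if p]
    for brand in sorted(BRANDS):
        if brand in labels:
            reasons.append("brand-label:" + brand)
        elif len(brand) >= 4 and any(
            len(l) >= 4 and levenshtein(l, brand) == 1 for l in labels
        ):
            reasons.append("typosquat:" + brand)
    if any(k in norm for k in LURE_KEYWORDS):
        reasons.append("lure-keyword")
    return ("suspicious" if reasons else "unremarkable"), reasons


def triage(domains):
    """Assess every domain in the list; returns {domain: (verdict, reasons)}."""
    return {d: assess(d) for d in domains}


if __name__ == "__main__":
    # Constructed sample input, not real registrations.
    sample = [
        "coronavirus.jhu.edu", "c0ronavirus-map.com", "wh0.int", "arcg1s.com",
        "cdc-gov.com", "\u0441dc.gov", "example.com",
    ]
    for d, (verdict, reasons) in triage(sample).items():
        print(f"{d:24} {verdict:12} {', '.join(reasons)}")
```

The trusted-set check runs first so the real tracker and its subdomains are never flagged, which matters when the same script is pointed at proxy logs rather than a registration feed. Edit distance is only applied to labels of at least four characters, since three-letter brands such as "cdc" are one edit from far too many ordinary words.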
SailPoint noted that students and staff at universities that were canceling classes were also falling prey to hackers. One attack, discovered by San Francisco-based Abnormal Security, uses an email purporting to come from the school’s “health team” and linking to a fake login page that harvests the victim’s credentials.
Similarly, Proofpoint Inc. has found attacks using emails promising coronavirus cures, or spoofing the World Health Organization.
Check Point researchers said Thursday that they found hackers based in China using rich text format, or RTF, coronavirus warnings against public-sector workers in Mongolia. If a target opens the RTF document, it exploits Microsoft Corp.’s Word application and installs malware that takes screenshots, lists files and directories, and downloads further files.
“In this campaign, we observed the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide,” Check Point researchers wrote. “This specific campaign was leveraging the COVID-19 pandemic to lure victims to trigger the infection chain.”
“The full intention of this Chinese [advanced persistent threat] group is still a mystery, but they are here to stay; updating their tools and it seems they will do whatever it takes to attract victims to their network,” the researchers wrote.
“We have observed espionage actors from China, North Korea and Russia exploit this topic in spear phishing campaigns,” Ben Read, senior manager of intelligence analysis at FireEye Inc., wrote in emailed comments.
Read said that hackers based in China have tried to attack victims in Vietnam, the Philippines and Taiwan with lures using “legitimate statements by political leaders or authentic advice for those worried about the disease, likely taken from public sources” in late February and early March.
Read also said that “TEMP.Armageddon, an espionage group that acts in support of Russian interests, sent a spear phish with a malicious document themed around the coronavirus to Ukrainian entities,” and that North Korean hackers have also sent “a Korean Language lure titled ‘Coronavirus Correspondence’” to South Korean victims.
“We expect continued use of coronavirus themed lures by both opportunistic and targeted financially motivated attackers due to the global relevance of the theme,” Read said.
The unprecedented uncertainty created by COVID-19 has trashed stocks, which were limping higher on Friday the 13th. For the week, the Dow Jones Industrial Average has fallen over 16%, the S&P 500 index is down 15%, the tech-heavy Nasdaq Composite Index is off 15%, and the ETFMG Prime Cyber Security ETF is down more than 18%.