Capture computers, steal passwords, extort money: criminals exploit the hectic reactions to the corona crisis. Newcomers to home offices are particularly at risk.
Not only the average European medium-sized company – even the large companies in Silicon Valley are struggling with problems when changing their work under pandemic conditions. Another branch, on the other hand, quickly adapted to the new situation: cybercriminals of all kinds are trying to take advantage of the fear and confusion among the population.
In early March, security specialist Shai Alfasi from Reason Labs discovered a program that promises to present the current number of cases of the coronavirus. The plan appears to display the Johns Hopkins University infographics about the state of the pandemic, which has been much cited in recent weeks. Also, the program also acted as malware.
“The Azorult Trojan is usually traded in Russian underground forums,” Alfasi writes in his analysis. Once a user has activated it, they search for all the information that can be turned into money: passwords, for example, credit card information or even information about cryptocurrencies. Thanks to the modular principle of such Trojans, they can easily be adapted to new occasions.
Same trick, different platform: DomainTools found an Android app that also pretended to display the latest figures on the spread of the new coronavirus. Anyone who installed the program on their smartphone was soon exposed to a blackmail attempt: the app blocked the device and offered the user the release for a payment of $ 100. Fortunately, the program was so poorly programmed that security researchers could quickly crack and publish the decryption key.
Two cases, probably hundreds. Internet criminals have been trying to exploit attention to the epidemic since January: For example, the World Health Organization warns against fake emails that are said to contain health tips or documents with security measures but to cheer users off malicious malware or otherwise want to steal information from them.
No new attack campaigns have yet been exposed
“Since January we have observed that both cybercriminals and – we assume – state-sponsored spy campaigns use the topic of Covid-19 as bait in phishing emails,” explains Jens Monrad from the IT security company FireEye. In the event of phishing attacks, attachments are sent by email, the opening of which triggers the downloading of malware, with the help of which attackers can gain access to a computer or even entire company networks. Another variant tries to lure users to fake websites where the user name and password are to be entered. Given the current uncertainty and the high level of information required by many people with regard to the new coronavirus, simple attacks like this promise success.
The Federal Office for Information Security (BSI) has so far recorded no increase in cyber attacks. “Rather, attackers use the current occasion to make their spam emails more interesting,” explains a government spokesman. This is a phenomenon that occurs again and again on special occasions – such as the bargain weeks around Black Friday and Cyber Monday, but also during major sporting events.
Essentially, well-known malware programs that were previously disguised as video players or sold as cell phone games are now being distributed under the guise of corona information. However, such attacks can have serious consequences. The university clinic in Brno, Czech Republic, for example, was partially paralyzed by such an attack. In recent years, several German hospitals have also been infected with so-called ransomware, which is software that encrypts internal databases to extort a ransom.
Phishing attacks are currently particularly attractive to attackers because many companies have now sent most of their employees to their home office to prevent infection in the workplace. In many cases, this means a radical change: Many employees who were previously only allowed to work in the office are now being sent home with company laptops or even have to use their computers. At their desk at home, they often have to see for themselves how to cope with new video conferencing software and unique collaboration platforms without training.
“Users who have to work in an unfamiliar environment are easier to deceive,” explains Manuel Atug from the IT security consultancy HiSolutions in Bonn. The employees who have now switched to the home office have to click through many dialogues, the number of emails has increased significantly. It is therefore understandable that they open emails that at first glance, appear legitimate. A large part of the circulating malware is still sent via this route today. And the administrators of many medium-sized companies are currently working under enormous pressure: not only do they have to come to terms with many unfamiliar programs, but they also often lack the opportunity to train their employees on how to secure communication.
Improvised security
Also, the usual security rules that apply in many companies can only be implemented at a lower level in the current hectic anyway. For example, when it comes to virtual private networks, thanks to which the communication via unsecured Internet infrastructure is encrypted and takes place in a kind of tunnel. “Many companies have bottlenecks in VPN licenses or have to upgrade their hardware so that all employees can dial into the company network,” explains Atug. The companies are therefore faced with the choice of either denying their employees access to essential resources such as in-house software solutions, databases or the intranet for security reasons – which, however, makes decentralized work very difficult.IT security made to keep operations decentralized from the home office.
However, operators of critical infrastructures such as water and power plants, electricity suppliers or telecommunications companies are usually better equipped and have activated emergency plans. This shows that those who have invested in IT security concepts for exceptional cases in the long term can benefit in the current situation.
However, authorities are currently not spared from safety margins. For example, the editors of the magazine c’t could log into the video conference system of the Bavarian Ministry of the Interior unnoticed because access was unsecured. After all: After the gap became known, the administration improved.
Remain critical, upgrade
The usual precautionary measures apply to the employees: They should use secure passwords, switch on virus protection and firewalls. As far as possible, it is also advisable to activate two-factor authentication so that a stolen password alone is not enough to take over an account. And when editing emails, it is worth taking a particularly critical look when it comes to messages from unknown sources. Especially if the click on a link leads to a log-in mask from Outlook, for example, you should not carelessly enter your password. The Federal Office for Information Security has put together advice on its website. In addition to a wide range of information for citizens and businesses, no specific guidelines for the changeover to the home office have been published.
It is essential for companies to raise the security level as quickly as possible to at least the level that is normal in regular operation – for example by updating the software on company laptops or distributing security chips for two-factor authentication when accessing the company network. Once this has been done, the administrators must take a unique look at whether attackers have already been able to penetrate their employees’ computers or even the company network. “Attackers can nestle inconspicuously in the company network in the tumult,” warns Atug. The damage to such a digital back door can only become apparent months or sometimes years later.
