The latest coronavirus has become fresh bait for phishing enthusiasts. Don’t fall hook, line and sinker for it!

The COVID-19 outbreak has caused much anxiety and uncertainty in the marketplace. Individuals are increasingly looking to government authorities and familiar entities for information on how they can stay safe, but not every supposedly reliable source can be trusted.

Within three weeks of Singapore’s first confirmed infection, there were already reports of cybercriminals impersonating government officials to request financial information from individuals.

“This has shed light on a growing problem in Singapore’s cyber landscape — cybercriminals are exploiting the trust, relationships, and brand that financial institutions have with consumers,” commented Matthew Bennett, Vice President, APJ, VMware Carbon Black.

Oleg Skulkin, a senior digital forensics analyst at Group-IB, said: “Over the past month, the COVID-19 topic has been actively exploited by the executors of phishing attacks, which were aimed at compromising emails of small and medium-sized business representatives in Singapore, China, New Zealand, Japan and the United States.”

Skulkin added that most of these phishing emails were written in English, and contained links that allegedly led to “websites with info on the individuals infected with the new virus in this or that region or attachments with PDF files reportedly containing the list of measures that need to be taken to avoid infection.”

“These files, in turn, also contained links that redirected users to phishing websites that mimicked Outlook Web Access or Office 365,” he warned. “The main goal of such websites is to make users type their email login and password on a phishing webpage – this data is then sent to the attackers’ webservers.”

Here’s one example of a COVID-19 phishing email:

“The COVID-19 theme has also found its reflection in the activities of ransomware operators,” said Skulkin. “Thus, the operators of the Crysis (Dharma) ransomware, which is usually distributed by means of Remote Desktop Protocol (RDP) compromise, have recently introduced a new feature to its malicious software – the encrypted files now have the nCoV (novel coronavirus) extension.”

Check Point’s latest Global Threat Index for January 2020 shows that cybercriminals are exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus. 

Evan Dumas, Regional Director, Southeast Asia, Check Point Software Technologies, said: “In January and February 2020 the most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet in malicious email attachments pretending to be sent by a Japanese disability welfare service provider. The emails appeared to be reporting where the infection is spreading in several Japanese cities, encouraging the victim to open the document for more information. When the document was opened, Emotet was downloaded onto the victim’s computer.”

“In addition to email campaigns, since the Coronavirus outbreak, we have observed a noticeable number of new websites registered with domain names related to the virus,” he added.

An example of such a website is vaccinecovid-19.com. It was first created on February 11, 2020 and registered in Russia. Dumas said the insecure website offers to sell “the best and fastest test for Coronavirus detection at the fantastic price of 19,000 Russian rubles (about US$300)”:

According to a recent VMware Carbon Black study, 94% of organizations in Singapore have had positive results from their threat hunting efforts in reinforcing the strength of their defenses.

“Threat hunting teams are necessary for organizations to enhance visibility and bolster response capabilities in the face of increasingly complex cybercrime techniques,” said Bennett.

According to CrowdStrike, threat hunting is highly complementary to the standard process of incident detection, response and remediation. As security technologies analyze the raw data to generate alerts, threat hunting works in parallel – using queries and automation – to extract hunting leads out of the same data.

Hunting leads are then analyzed by human threat hunters, who are skilled in identifying the signs of adversary activity, which can then be managed through the same pipeline.
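As an added example (not code from the article or from any of the vendors quoted), here is a minimal hunting pass of the kind described above, written in Python over constructed telemetry: it pulls two kinds of leads out of the same raw data for an analyst to review, coronavirus-themed hostnames visited only days after registration (the pattern of vaccinecovid-19.com in the article) and files written with the nCoV extension that Skulkin attributes to Crysis (Dharma). All hostnames, dates, endpoint names and paths are constructed, and the 30-day age threshold is an assumption.

```python
import re
from datetime import date

# Constructed sample telemetry (not from the article): URL visits from a web
# proxy with WHOIS creation dates already joined in, plus file-create events
# from an endpoint agent. Hostnames, dates, endpoints and paths are made up.
EVENTS = [
    {"type": "url", "host": "vaccinecovid-19.com", "registered": "2020-02-11", "seen": "2020-02-20"},
    {"type": "url", "host": "who.int", "registered": "1998-12-04", "seen": "2020-02-20"},
    {"type": "url", "host": "covid-stats-update.example", "registered": "2015-06-01", "seen": "2020-02-21"},
    {"type": "file", "endpoint": "ws-17", "path": r"C:\Users\alice\Documents\report.xlsx.ncov"},
    {"type": "file", "endpoint": "ws-17", "path": r"C:\Users\alice\Documents\notes.docx"},
]

# Lure vocabulary used by the campaigns the article describes.
THEME = re.compile(r"covid|corona|ncov|vaccin", re.IGNORECASE)
# A themed domain registered this close to first contact is a hunting lead,
# not proof of phishing; the threshold is an assumption, the analyst decides.
MAX_AGE_DAYS = 30
# Crysis (Dharma) encrypted files carry the nCoV extension (per the article).
NCOV_EXT = re.compile(r"\.ncov$", re.IGNORECASE)

def domain_age_days(registered: str, seen: str) -> int:
    """Days between the WHOIS creation date and the day the host was visited."""
    return (date.fromisoformat(seen) - date.fromisoformat(registered)).days

def hunt_lure_domains(events, max_age_days=MAX_AGE_DAYS):
    """Themed hostnames first seen within max_age_days of their registration."""
    return [
        e["host"] for e in events
        if e["type"] == "url"
        and THEME.search(e["host"])
        and domain_age_days(e["registered"], e["seen"]) <= max_age_days
    ]

def hunt_ncov_files(events):
    """(endpoint, path) pairs for files written with the ransomware extension."""
    return [(e["endpoint"], e["path"]) for e in events
            if e["type"] == "file" and NCOV_EXT.search(e["path"])]

def hunt(events):
    """Run both hunts and return leads keyed by hypothesis for analyst review."""
    return {"lure_domains": hunt_lure_domains(events),
            "ncov_files": hunt_ncov_files(events)}

if __name__ == "__main__":
    for hypothesis, leads in hunt(EVENTS).items():
        print(f"{hypothesis}: {leads}")
```

The old, themed domain is deliberately left out of the leads: the age check is what separates a plausible lure from a long-standing site that merely mentions the virus.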

For instance, Group-IB uses Graph Network Analysis to help predict cybercriminal activity, even before it happens, hunting threats based on indicators of compromise found during years of cybercrime investigations, incident response operations and malware analysis by its Threat Intelligence and Threat Detection System.

The historical data on cybercriminals, gathered over 16 years, includes billions of records of domain names, IP addresses and server digital fingerprints that have been used in attacks, tagged to specific hackers or groups.