06 April 2020

Online crime is changing because of COVID-19, and intelligence services are issuing warnings

Liviu Ioniţă

Social distancing and self-isolation have increased online interaction and Internet use, and with them the volume of e-mail. Coronavirus topics have flooded online news media, and the credibility of a source no longer involves checking in advance what is true and what is not. Social media platforms are also creating many connections between people who share their experiences and concerns about the pandemic without knowing anything about each other beforehand. All of this is an opportunity for white-collar criminals in cyberspace who want to profit from Internet users' lack of vigilance. Intelligence agencies, which have expertise in such crimes, are issuing warnings and offering advice so that consumers of online information can avoid these frauds.


The rise in cybercrime

Since last month, the World Health Organization has been warning about coronavirus-themed phishing attacks and fraud campaigns on the Internet. Cybercrime operations of this kind have been observed in the US, Great Britain, Italy, Japan and Indonesia.

Cyber security companies have also warned about the "increased level of concern", and Microsoft, Google, LogMeIn and Cisco have announced that they are offering free licences for their virtual meeting, collaboration and remote-working tools.

Intelligence agencies are therefore issuing warnings about new e-mail frauds, as attackers are exploiting coronavirus concerns to obtain bank account details and other personal data.

The criminals send fake e-mails that appear to come from various organisations or institutions and persuade users to enter authentication details that the criminals can use afterwards.

Sometimes these e-mails carry attachments that compromise the computer. Once the criminals have obtained the authentication details or installed malware, the victim is exposed to further attacks, including financial fraud, ransomware and account takeover.

The increase in working from home intensifies e-mail communication, adding another factor to this fraud scheme. Criminals pretend to represent organisations such as the Centers for Disease Control or the World Health Organization and to offer guidance about COVID-19. An increase has also been observed in the use of social engineering, in the use of Twitter and Facebook to obtain private details or even cash donations, and in the exploitation of virus-related fears.

FBI warning

The Internet Crime Complaint Center (IC3), an FBI unit that gives citizens a way to report Internet fraud and classifies and analyses the reports to identify and anticipate trends in cyber threats, has issued a public warning drawing attention to e-mail fraud and malware schemes that take advantage of the coronavirus pandemic.

The Center's message describes e-mails that claim to contain useful information from the Centers for Disease Control and Prevention and other medical authorities, as well as phishing e-mails that ask users to provide personal information for charity, financial relief, airline refunds, purchases of fake vaccines or testing kits.

One example given by the FBI is a coronavirus-themed phishing campaign launched by the actors behind the Netwalker/Mailto ransomware, which has recently become active and targets government agencies and enterprises.

In essence, the FBI warns about three specific frauds:

1. Fake CDC e-mails (Centers for Disease Control and Prevention): these e-mails claim to come from a medical organisation, but opening the link or attachment may download malware that can lock the computer.

2. Phishing e-mails: these e-mails may ask the recipient to confirm personal information in order to receive government or financial assistance payments.

3. Posts and e-mails offering fake treatments and equipment: disinfectants, masks and cures, which can also be used to steal personal information.

As cyber criminals continue to exploit the coronavirus epidemic, the FBI states that three US states, California, New York and Washington, which have unusually high SARS-CoV-2 infection rates, must be particularly careful about cyber threats, adding this warning to the concerns of US Attorney Scott Brady about an "unseen" wave of cyber attacks.

All coronavirus cyber attacks against the US come from cyber criminals outside America and target the areas with the highest SARS-CoV-2 infection rates (Herb Stapleton, FBI Cyber Division).

People who work from home are encouraged to double-check the authenticity of the messages, e-mails or phone calls they receive, and to be extremely cautious when someone urgently requests personal data on the pretext that explanations and verifications are needed.

Advice for avoiding fraud

The United States Secret Service and the Cybersecurity and Infrastructure Security Agency (CISA), both part of the US Department of Homeland Security, offer the following advice for avoiding fraud:

  • avoid opening attachments and clicking on links in e-mails from senders you do not know;
  • be suspicious of e-mails and phone calls that ask for information about your account or ask you to verify your account;
  • always verify any request for information, even one that appears to come from a legitimate source;
  • do not provide personal or financial information by e-mail and do not reply to e-mail requests for such information;
  • verify the authenticity of any message that appears to come from a charity before making a donation;
  • reach websites by typing the domain name yourself rather than following a link;
  • use trustworthy sources, such as legitimate government websites, for up-to-date information about COVID-19;
  • for business, use sites protected by the Secure Sockets Layer (SSL) cryptographic protocol; certificate "errors" can be a warning sign that something is wrong.

Public warning about fake e-mails

Experts at the National Cyber Security Centre, part of the Government Communications Headquarters (GCHQ) in London, have issued a rare public warning, saying that they have detected cyber attacks that exploit people's concerns about COVID-19.

Fake e-mails, presented as press releases from health authorities, are sent with links that claim to offer important updates and, when opened, infect the device with malware.

Criminals are registering domain names that resemble the real web addresses of these organisations, and use them to ask for passwords and even for "bitcoin donations" to finance a fake vaccine.
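The lookalike domains described above are exactly what the advice given earlier ("type the domain name yourself", "verify the request") is meant to defeat, and the check can be automated. The following is an added example, not code from the article or from any of the agencies it cites: it pulls the sender address and every link out of an e-mail body, compares each host against a small allowlist of domains the reader has verified out of band, and flags hosts that merely embed or closely imitate a legitimate name. The allowlist, the sample e-mail, the confusable-character table and the edit-distance threshold are all constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: organisation domains the reader has verified out of band.
LEGITIMATE_DOMAINS = {"who.int", "cdc.gov", "gov.uk"}

# Digits that are substituted for look-alike letters in imitation domain names (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
FROM_RE = re.compile(r"^From:.*?@([\w.-]+)>?\s*$", re.IGNORECASE | re.MULTILINE)


def flatten(name: str) -> str:
    """Normalise a host so near-copies compare equal: lower-case, confusable digits
    mapped back to letters, 'rn' folded to 'm', dots and hyphens dropped."""
    name = name.lower().translate(CONFUSABLES).replace("rn", "m")
    return name.replace(".", "").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched allowlisted domain); verdict is 'legitimate',
    'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # 1. Exact match or a genuine subdomain: suffix match on a label boundary only.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LEGITIMATE_DOMAINS:
            return "legitimate", candidate
    # 2. A real name embedded in, or one edit away from, an unrelated host
    #    (cdc-gov.com, who.int.something.example, wh0.int, cdc.gv ...).
    flat_host = flatten(host)
    for legit in sorted(LEGITIMATE_DOMAINS):
        flat_legit = flatten(legit)
        if flat_legit in flat_host or levenshtein(flat_host, flat_legit) <= 1:
            return "lookalike", legit
    return "unknown", None


def scan_email(body: str) -> Dict:
    """Classify the sender's domain and every link in an e-mail body. For HTML
    anchors, also report when the host shown in the link text differs from the
    host the href really points to."""
    links: List[Dict] = []
    for href, text in ANCHOR_RE.findall(body):
        host = urlsplit(href).hostname or ""
        verdict, match = classify_host(host)
        shown = URL_RE.search(text)
        shown_host = urlsplit(shown.group(0)).hostname if shown else None
        links.append({"url": href, "host": host, "verdict": verdict, "matches": match,
                      "display_mismatch": bool(shown_host) and shown_host != host})
    # Plain-text URLs, scanned with the anchors removed so their display text is not counted twice.
    for url in URL_RE.findall(ANCHOR_RE.sub(" ", body)):
        host = urlsplit(url).hostname or ""
        verdict, match = classify_host(host)
        links.append({"url": url, "host": host, "verdict": verdict, "matches": match,
                      "display_mismatch": False})
    sender = FROM_RE.search(body)
    sender_host = sender.group(1).lower() if sender else ""
    sender_verdict, sender_match = classify_host(sender_host)
    return {"sender": {"host": sender_host, "verdict": sender_verdict, "matches": sender_match},
            "links": links}


# Constructed sample message in the style the article describes; every address is made up.
SAMPLE_EMAIL = """\
From: "CDC Health Alert" <alert@cdc-gov.com>
Subject: Coronavirus seminar - mandatory registration

All staff must register for the seminar on this virus:
<a href="http://cdc-gov.com/register">https://www.cdc.gov/coronavirus/seminar</a>

Official guidance remains at https://www.who.int/emergencies/diseases/novel-coronavirus-2019
Donate bitcoin to the vaccine fund at http://who.int.vaccine-fund.example/donate
"""

if __name__ == "__main__":
    result = scan_email(SAMPLE_EMAIL)
    print(f"sender {result['sender']['host']}: {result['sender']['verdict']}")
    for f in result["links"]:
        flag = " (link text shows a different site)" if f["display_mismatch"] else ""
        print(f"{f['host']}: {f['verdict']} {f['matches'] or ''}{flag}")
```

The suffix test in step 1 works on whole labels, so `who.int.vaccine-fund.example` is not treated as part of `who.int`; only the flattened comparison in step 2 catches it, as a lookalike. Short allowlist entries such as `gov.uk` make the substring and one-edit rules prone to false positives, so in practice the result is a prompt to verify the sender out of band, not a block decision.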

The criminal groups that steal documents and encrypt computers, then demand a ransom, are also targeting the transport and retail sectors, as well as health professionals, to whom they send phishing e-mails about "coronavirus acknowledgement".

Sky News offers an example

A fake e-mail that appears to come from a company's internal IT team is sent to healthcare organisations. The e-mail informs employees that "the institution is organising a seminar for all staff to raise awareness of what this fatal virus involves" and asks them to follow a link to register, but the link actually hands their personal data to the attackers.

The National Cyber Security Centre offers users guidance on recognising suspicious e-mails and protecting themselves against them.

Researchers are also targeted...

The Communications Security Establishment (CSE), the Canadian intelligence agency specialising in the collection of SIGINT, urges researchers to protect their data, warning that "sophisticated hackers intend to steal key ongoing research aimed at a vaccine".

CSE has posted an online notice about the hacking threat and is also sending warnings directly by e-mail to COVID-19 researchers.

Various actors "may try to obtain information about efforts to counter COVID-19 and possible political responses to the crisis, and to steal key ongoing research aimed at a vaccine or other medical treatments".

Canadian experts, like their US and British counterparts, are warning users about e-mails that may carry malware.

Time changes and crime changes as well...

... says former US Secret Service agent Evy Poumpouras, who urges people to take care of their account security: change passwords frequently, use a different password for each account, preferably of at least 13 characters, and keep the security questions tied to those passwords up to date.

Another former intelligence officer, Paul William Szulc, has produced self-isolation guidance. Szulc, who spent six months in self-isolation in 2007 while working for MI5 and who holds a master's degree in psychology, hopes that his online video (facebook.com/paul.szulc) will help people who must self-isolate because of the coronavirus.

But the "services" are not missing this great opportunity either

On the other hand, cyber security researchers say that intelligence agencies are using coronavirus information to "target their enemies": Russia against Ukraine, China against Southeast Asia, North Korea against South Korea (Ben Read, cyber espionage specialist at the cyber security company FireEye).

Using false information about the coronavirus, agencies around the world are carrying out hacking and espionage operations. The story began in Asia and followed the virus "from China to the areas around China, then Japan and South Korea, and on to Europe" (Adam Meyers, vice president of CrowdStrike).

Although none of the researchers could confirm the existence of e-mails sent by news agencies specifically aimed at US targets, they believe it is probably only a matter of time, and that things will change as the number of cases rises and the crisis worsens in the United States (Adam Meyers).

An extensive cyber espionage operation, probably backed by the Chinese government, began in January, despite the coronavirus developments in China.

The operation, carried out by the APT41 hacking group, targeted 75 companies in 20 countries in telecommunications, manufacturing, healthcare, defence, higher education, pharmaceuticals, banking, media, oil and gas, chemicals and government.

According to a report by the cyber security company FireEye, the APT41 group has been conducting hacking operations since 2014, targeting businesses and organisations in the US, UK, Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland and the United Arab Emirates, for intelligence collection and intellectual property theft. Although APT41's relationship with the Chinese government remains unclear, its past activity has appeared to coincide with the goals of the "Made in China 2025" development plan.

The APT41 operation that began in January is described by FireEye as "one of the broadest campaigns by a Chinese cyber espionage actor in recent years."

FireEye said the motive behind the latest APT41 campaign is unknown, but that there are "multiple possible explanations for the increase in activity, including the trade war between the United States and China as well as the COVID-19 pandemic driving China to want intelligence on a variety of subjects including trade, travel, communications, manufacturing, research and international relations".

Our advice: "Stay at home and do not open the 'online door' to strangers!"

English version by Andreea Soare