While organised crime volumes remain broadly constant, there has been a shift to Covid-19 themed phishing campaigns and fraudulent websites as organised crime groups seek to monetise the fear, uncertainty and doubt many people feel during the pandemic.
A wide range of COVID-19 related financial scams are in progress:
— India’s Central Bureau of Investigation (CBI) is warning states of an SMS phishing campaign that spreads fake COVID-19 pandemic updates containing embedded malicious links which, once clicked, download the Cerberus banking Trojan, The Hindu reports.
— A threat actor is targeting a global financial institution with a COVID-19 themed email containing a link to a malicious file hosted on a popular file-hosting service, PhishLabs reports.
— The Nigerian BEC cyber gang Scattered Canary has filed more than 200 fraudulent claims on the unemployment websites of eight US states, including Florida, Massachusetts and Washington, since April 29, 2020, in order to collect financial stimulus payments, Threatpost reports.
— The resurgence of the ZLoader banking malware is luring victims with the COVID-19 theme, with over 100 campaigns observed since the start of 2020. ZLoader steals financial credentials from web browsers and targets users in the US and Canada, BankInfoSecurity reports.
Organised crime groups have been building out attack infrastructure to target corporations:
— There has been a 686% increase in the number of domain names registered from February to March, along with a recorded increase in DNS spoofing attacks, LIFARS reports.
While attacks still rely on phishing to deliver malware, a range of other exploitation techniques are being attempted that target the use of conferencing platforms:
— Two malicious fake Zoom installers have been found: the first installs a backdoor that allows malicious actors to run routines remotely, and the second installs the Devil Shadow botnet, Trend Micro reports.
Phishing and Malware
Extensive COVID-19 themed phishing campaigns are underway with cyber criminals exploiting health organisations, government agencies, individuals, enterprises and their IT infrastructure:
— Microsoft has uncovered a massive phishing campaign that attempts to deliver the NetSupport Manager RAT, using emails that claim to come from the Johns Hopkins Center and contain fake coronavirus updates, Bleeping Computer reports.
— An email campaign targeted between 15,000 and 50,000 mailboxes, purporting to come from a high-level vendor and asking for an update on an unpaid invoice, citing financial conditions changed by the pandemic, Abnormal Security reports.
— COVID-19 themed phishing emails are bypassing secure email gateways such as Proofpoint, with payloads including credential-theft pages and Agent Tesla malware, Cofense reports.
— Attackers are impersonating US Navy Credit Union, stating that email recipients have received $1,100 due to the COVID-19 pandemic. To receive the funds, recipients must validate their account through a link, which redirects them to a credential-phishing web page, Abnormal Security reports.
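The campaigns listed in this section share a handful of observable traits: a COVID-19 lure, a link to a freshly registered domain (the registration spike noted under the attack-infrastructure heading above), a display name that borrows a trusted brand while the sending domain does not match, and a pandemic-justified change to invoice or payment details. The following mail-gateway triage script, written for this page as an added example rather than code from any of the sources cited, scores messages on those four signals so that a theme-only match (a legitimate internal COVID-19 notice) is not flagged while a lure combining several signals is. The sample records, the domain registration dates standing in for a WHOIS/RDAP lookup and the brand-to-domain table are all constructed, and the `.example` domains are placeholders.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample gateway records (not real captured mail). m4 is a benign
# internal COVID-19 notice, included to show that the theme alone does not flag.
SAMPLE_MESSAGES = [
    {"id": "m1", "from_name": "US Navy Credit Union",
     "from_addr": "alerts@navy-relief-funds.example", "received": "2020-05-20",
     "subject": "You have received $1,100 due to COVID-19",
     "body": "Validate your account at https://navy-relief-funds.example/verify to receive the funds."},
    {"id": "m2", "from_name": "Accounts Payable",
     "from_addr": "ap@vendor-billing-update.example", "received": "2020-05-21",
     "subject": "Unpaid invoice - updated payment terms",
     "body": "Due to the pandemic our bank details have changed, see https://vendor-billing-update.example/inv"},
    {"id": "m3", "from_name": "IT Helpdesk",
     "from_addr": "helpdesk@corp.example", "received": "2020-05-21",
     "subject": "Scheduled maintenance Saturday",
     "body": "The VPN will be unavailable 02:00-03:00, details at https://intranet.corp.example/maint"},
    {"id": "m4", "from_name": "HR", "from_addr": "hr@corp.example", "received": "2020-05-22",
     "subject": "COVID-19 working from home guidance",
     "body": "Updated guidance is on https://intranet.corp.example/covid"},
]

# Constructed registration dates standing in for a WHOIS/RDAP lookup (assumed).
DOMAIN_REGISTERED = {
    "navy-relief-funds.example": date(2020, 3, 14),
    "vendor-billing-update.example": date(2020, 5, 18),
    "corp.example": date(2012, 6, 1),
}

# Brands the organisation expects mail from, mapped to their legitimate
# sending domains (assumed values for this example).
KNOWN_BRANDS = {"navy credit union": {"navycu.example"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
COVID_RE = re.compile(r"\b(covid[- ]?19|coronavirus|pandemic|stimulus|relief)\b", re.I)
PAYMENT_RE = re.compile(r"\b(invoice|bank details|payment terms|wire transfer)\b", re.I)
NEW_DOMAIN_DAYS = 90          # a link target registered within this window is suspicious
WEIGHTS = {"theme": 1, "new_domain": 2, "brand_mismatch": 2, "payment_change": 2}


def extract_hosts(text):
    """Return lower-cased hostnames of every http(s) URL in the text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def domain_age_days(host, on):
    """Days between registration and the given date; None if the domain is unknown.
    Falls back to the last two labels so subdomains resolve to the registered name."""
    registered = DOMAIN_REGISTERED.get(host) or DOMAIN_REGISTERED.get(".".join(host.split(".")[-2:]))
    return None if registered is None else (on - registered).days


def score_message(msg):
    """Score one message and return (score, reasons) explaining each signal hit."""
    text = f"{msg['subject']} {msg['body']}"
    received = date.fromisoformat(msg["received"])
    score, reasons = 0, []

    themed = COVID_RE.search(text) is not None
    if themed:
        score += WEIGHTS["theme"]
        reasons.append("covid-themed lure")

    for host in extract_hosts(text):
        age = domain_age_days(host, received)
        if age is not None and age <= NEW_DOMAIN_DAYS:
            score += WEIGHTS["new_domain"]
            reasons.append(f"link to domain registered {age} days ago: {host}")

    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    display_name = msg["from_name"].lower()
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand in display_name and sender_domain not in legit_domains:
            score += WEIGHTS["brand_mismatch"]
            reasons.append(f"display name claims {brand!r} but sender domain is {sender_domain}")

    # BEC pattern from the section: invoice/payment change justified by the pandemic
    if themed and PAYMENT_RE.search(text):
        score += WEIGHTS["payment_change"]
        reasons.append("pandemic-justified payment/invoice change")

    return score, reasons


def triage(messages, threshold=3):
    """Return flagged messages (score >= threshold), highest score first."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append({"id": msg["id"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(hit["id"], hit["score"], "; ".join(hit["reasons"]))
```

Run stand-alone, the script flags m1 (brand impersonation plus a young link domain) and m2 (pandemic-justified invoice change plus a three-day-old domain) while leaving the benign maintenance notice and the HR COVID-19 guidance alone. In a real gateway the registration lookup would be a cached RDAP query and the brand table would come from the organisation's own list of trusted senders; the point of the weighting is that no single signal, the COVID-19 theme least of all, is enough on its own.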
Mobile devices are not immune from COVID-19 themed attacks:
— State of IT researchers have found a range of security issues in the NHS coronavirus contact-tracing app, including unencrypted log uploads, inadequate protection of local log files and flaws in registration.
— An existing Android malware has changed its tactics to adopt a COVID-19 theme; the malware steals user contacts and SMS messages, Bitdefender reports.
— A highly sophisticated Android spyware called Mandrake was embedded in 8 fully developed applications on the Google Play Store, with capabilities including collecting SMS messages, initiating calls and stealing credentials, Bitdefender reports.
— Thailand’s Android users are being targeted by a new variant of Dendroid named ‘WolfRAT’ over messaging apps such as WhatsApp and Facebook Messenger. Its spying functions include stealing photos, audio and text messages, Cisco Talos Intelligence reports.
Broader Threat Landscape
— A top UN official has warned of a rise in malicious emails, with a 600% increase during the pandemic, SecurityWeek reports.
— Four US states are warning unemployment applicants that their personal information, including names, social security numbers and banking details, may have been leaked, Forbes reports.
— The personal details of 29.1 million Indian jobseekers, including email addresses, phone numbers and home addresses, have been leaked on the deep web, Cyble Inc. reports.
— Indonesia’s election commission has suffered a data breach involving the personal information of more than 200 million voters, including names, addresses, I.D. numbers and birth dates, Reuters reports.
— A new vulnerability in Bluetooth, arising from overly permissive role switching and the lack of mandatory mutual authentication, can allow an attacker to spoof a remotely paired device, exposing billions of devices to hackers, The Hacker News reports.
— An iPhone hacking team has released a new ‘jailbreak’ tool that can unlock every iPhone, including recent models running iOS 13.5, TechCrunch reports.
— Cisco has fixed the critical vulnerability CVE-2020-3280, which stems from the Java Remote Management Interface of Cisco Unified Contact Center Express (CCX) and allows remote code execution, Threatpost reports.
— Security flaws in the Bluetooth and Wi-Fi protocols have left multiple devices, including all iPhones, MacBooks and the Samsung Galaxy S series, vulnerable to a new attack named Spectra, ZDNet reports.
— Adobe has fixed a critical bug in Adobe Character Animator, CVE-2020-9586, a stack-based buffer overflow vulnerability that could lead to remote code execution, Threatpost reports.
— The US Federal Trade Commission (FTC) has warned of spam contact-tracing text messages that inform recipients they have been in contact with an individual who tested positive for COVID-19 and include a link that supposedly contains more information.
— The FBI has issued a warning that threat actors are exploiting the coronavirus pandemic to carry out various malicious activity, including phishing for personal details, posing as charities and selling counterfeit medical equipment.