Today we will be talking about a new kind of virus called the coronavirus. You may say: “Wait, that is not related to computer security.” Yes, you are right, but only partially. As most of you probably know, the most important and discussed viruses of today are not computer viruses but a new strain of coronavirus. It has been causing havoc in China and other countries, and the infection rate does seem to be fairly high.
However, COVID-19 coronavirus is not the focus of this article. We are going to talk about viruses spread through phishing attacks that have been capitalizing on the public scare caused by coronavirus to steal login credentials.
There have been several emails like the one described by KnowBe4 that claim to be distributed by the US Centers for Disease Control and Prevention (CDC).
The targets are informed that the CDC created an Incident Management System to coordinate public health response. The attackers set their lure by providing a web link for the recipient to click if they want to get an updated list of new cases of infection that have happened in their city. As usually happens, the rogue link is masked to look like it leads to the official website. In fact, the link redirects the users to a malicious Outlook-themed landing page aimed at collecting user credentials.
The security firm Mimecast found one more wave of phishing emails using the coronavirus topic. It targeted American and British users. This phishing campaign asked the recipients to: “Go through the attached document on safety measures regarding the spreading of coronavirus.”
I am guessing that there are other emails like this that cyber crooks are spreading, claiming to be employers and pretending to post advisories, lists, etc.
In essence, there is really nothing new here. It is just the next case of using social engineering techniques to gain unauthorized access. Cybercriminals have been doing this for a long time. When there is an incident like an earthquake, a hurricane or another serious situation, the public scare associated with it makes it much more likely that such phishing emails are going to succeed. And so malefactors formulate their rogue emails along those lines.
Apart from giving you a heads-up that things like this are happening, I also want to talk about the general scope of phishing emails and why they can be as effective as they are.
When I talk to a lot of people, they stress that they are smart computer users, and that is why they are not as susceptible to viruses or even minor adware. Yes, maybe you are a smart user, maybe you carefully check all the emails, scan attachments, maybe you call back senders to be sure that these emails are coming from sources that are safe. Yes, there is a very large number of computer users who do all that; however, there is one thing that people typically miss out on.
You may be cautious and attentive 99% of the time, but the 1% of the time that you do not do everything securely is actually when you typically get infected. When we are talking about the number of people using computers these days, that 1% is a very large number.
Speaking about the coronavirus, the current 50,000 infected people is a very small number compared to the number of people in the world. Similarly, the number of people who get affected by malware via phishing attacks is a very small proportion of the people that use the Internet. But because phishing is a prevalent threat that does not only occur at a specific point of time, everyone at some stage gets affected.
Let me give you an example. I am a malware analyst, so you might think that I am quite immune to such attacks. However, that is not always the case. Yes, when I am looking for phishing emails, or I am trying to look for attack vectors, I am not going to fall for phishing tricks. When I am analyzing files, I will be able to discriminate between a malicious file and a safe file but that is not how I use my computer every day.
As a human being, I get stressed, I get worried when I have to go through a hundred emails in my inbox. I do not always have the time to individually vet all the email addresses when I am quickly skimming through all those messages.
Let’s be honest here: for anyone who has to deal with a large volume of traffic on a day-to-day basis, it is completely understandable that if an email looks 99% the same as a legitimate email, you might accidentally click the link. Most people have many other things in their lives to worry about. They are not constantly and attentively verifying their emails.
I think it is quite obnoxious to call those people unwise or stupid because, after all, honestly, I think that anyone is susceptible to malware viruses at some point in time.
I also never understand why you would not use technology where it exists to make things safer. Some people claim that security tools are not perfect. Yes, but think, for example, about the seatbelt in your car. If you run off a cliff, your seatbelt is not going to save you but that is not an argument for never using your seatbelt. It is just not the way forward.
About the Author: David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Bora.