
Your COVID-19 Map may be...a virus 

By Ceasor Horne

March 27, 2020

As the lives of millions of Americans are disrupted by the ever-present threat of coronavirus, cybercriminals are exploiting weaknesses in user systems, and in user judgment, to steal data and personal records.

Author: Ceasor Horne, President and CISO

Here's a disturbing fact: when pandemics, natural disasters, and national emergencies occur, cyberattacks rise sharply. Let's take a deep dive into the current phishing, website spoofing, and IP spoofing attacks that are causing havoc on systems and intensifying the crippling collateral damage of the COVID-19 outbreak.


Dangerous Dashboards & Phishing for Panickers

When a cybercriminal is bold enough to put you at a financial and technological disadvantage during an economic downturn, it's time to fight back. I'm on board to defend your assets with you, but before we can sniff out a potential cyber threat, we have to know what red flags to look for. According to the FBI's Internet Crime Complaint Center (IC3), more than 467,000 cybercrime complaints were filed in 2019 alone. So what exactly are these hackers doing to breach your personal privacy and data during the coronavirus outbreak?


For the fifth year in a row, social engineering was the most common method of cyberattack.

Unethical hackers are using two methods to steal your information: social engineering and spoofing. Let's start with the more deceptive of the two, spoofing:


Spoofing means impersonating a trusted address, website, or sender through redirection, imitation, or forgery. For example, the prestigious Johns Hopkins University provides an interactive COVID-19 map for the general public. The map gives live updates, and you can drill down into the data to focus on regional outbreaks in your neck of the woods.

Dashboard image: photo courtesy of Johns Hopkins University. Check out one of the official dashboards.

Because the dashboard is also published through other front ends such as Tableau and ArcGIS, visitors are used to seeing the same map in several places, and the attackers saw an opening. Playing off the look and feel of the real maps, cybercriminals host copies on lookalike domains they control (this is domain spoofing, not a takeover of the real site) and prompt the visitor to download an "app" to access the fake map. The "app" is malware that steals stored passwords, credit card information, and other valuable data from your device. If you install the "app" on a smartphone, it can abuse the permissions it requests and change your lock screen password.

What's in it for the hacker? Beyond the stolen credentials, the mobile variant locks the device (and some strains encrypt your data) and holds it for ransom. A demand of around $100 in cryptocurrency is typical, in exchange for the unlock code or decryption key. So, users and administrators: if a website you visit for COVID-19 maps or trackers prompts you to download an app, steer clear. Type the address of the official dashboard yourself or use a saved bookmark rather than following a link, and stick to sources you have verified. Now let's move on to the most common method of cyberattack, social engineering:

Social engineering is the act of obtaining data and personal information by posing as a legitimate entity. Phishing (by email) and vishing (by phone) are the weapons of choice. The attackers send an email pretending to be a representative of the World Health Organization (WHO) with an urgent document on safety precautions, a vendor sending an updated supply chain report, HR with an updated policy, and so on.

Once the document or attachment is opened, a trojan or keylogger is installed on your device that records your keystrokes, harvesting online banking passwords and the card details you type into eCommerce payment forms. Here are a few example lures:

Example subject lines: "Safety Measures", "Supply Chain", "Policy".

The golden rule of phishing defense: do not open attachments from unverified senders. Most cybercriminals operate on a quantity-over-quality model, so the tells are usually there. Link text that does not match the address it actually points to, terrible grammar and misspellings, and attachments with multiple file extensions (report.doc.exe, notes.txt.pdf, etc.) should all trigger you to act on protecting your inbox.
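To make these red flags concrete, here is an added example (my own illustration, not code from the original article) that scores a constructed email or web page for the tells just listed, plus the lookalike-domain trick behind the fake map sites: link text that does not match its real target, a target domain that imitates a trusted one, and attachments or download links with executable or multiple extensions. The allowlist of trusted hosts and the two sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the hosts we treat as the genuine
# sources of maps and advisories (an assumption, not an official list).
TRUSTED_HOSTS = {"coronavirus.jhu.edu", "gisanddata.maps.arcgis.com", "www.who.int"}

# Extensions that execute when opened. "report.doc.exe" is the
# multiple-extension trick: the real type is the last one.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "jar", "bat", "cmd", "msi", "hta", "apk"}


def registrable_domain(host):
    """Last two labels of a host name. Crude on purpose: without a public
    suffix list, 'example.co.uk' would collapse to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Hostname of a URL; bare hosts (as often shown in link text) are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_lookalike(host):
    """True when host imitates a trusted domain without being one: the brand
    label reused inside another registered domain, or a near-identical spelling."""
    dom = registrable_domain(host)
    trusted = {registrable_domain(t) for t in TRUSTED_HOSTS}
    if dom in trusted:
        return False
    for tdom in trusted:
        brand = tdom.split(".")[0]
        if brand in dom.split(".")[0] or edit_distance(dom, tdom) <= 2:
            return True
    return False


def link_findings(text, href):
    """Findings for one hyperlink: shown host differing from the real target,
    and a target that is a lookalike of a trusted domain."""
    findings = []
    target = host_of(href)
    shown = host_of(text) if re.search(r"\w\.\w", text) else ""
    if shown and registrable_domain(shown) != registrable_domain(target):
        findings.append(f"link text shows {shown} but points to {target}")
    if is_lookalike(target):
        findings.append(f"{target} imitates a trusted domain")
    return findings


def attachment_findings(name):
    """Flag executables, and call out the multiple-extension disguise."""
    parts = name.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        kind = "disguised executable (multiple extensions)" if len(parts) >= 3 else "executable"
        return [f"attachment {name}: {kind}"]
    return []


def analyze_message(msg):
    """All findings for a message dict with 'links' [(text, href)] and 'attachments' [name]."""
    findings = []
    for text, href in msg.get("links", []):
        findings += link_findings(text, href)
        # a link that delivers a file is judged like an attachment
        findings += attachment_findings(urlparse(href).path.rsplit("/", 1)[-1])
    for name in msg.get("attachments", []):
        findings += attachment_findings(name)
    return findings


# Constructed samples: a lure in the style described above, and a clean message.
LURE = {
    "links": [("coronavirus.jhu.edu", "https://jhu-covid-map.com/download/CoronaMap.exe")],
    "attachments": ["COVID-19_Safety_Measures.doc.exe"],
}
CLEAN = {
    "links": [("Johns Hopkins dashboard", "https://coronavirus.jhu.edu/map.html")],
    "attachments": ["policy-update.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("clean", CLEAN)):
        print(label, analyze_message(msg) or ["no findings"])
```

The lure produces four findings (mismatched link text, lookalike domain, an executable download, and a double-extension attachment) while the clean message produces none. The brand-substring and edit-distance checks are deliberately aggressive: in a real mail gateway you would pair them with a public suffix list and a larger allowlist to keep false positives down.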

In the midst of all the uncertainty in today's world, would you like to hear some good news? These phishing tactics have not changed much from the phishing attacks you have received in the past! With information (good and bad) flowing so freely during social distancing, it's a little more tempting to click that link out of curiosity. Don't do it. Block that sender and report the phishing attack to your internal IT team.  

Now that we are aware of the potential threats, you should be better prepared to take proactive measures to protect your family, your team, and yourself. Be safe, everyone, and remember we are in this together. Here are a few more network security best practices to shield your assets from spoofing and social engineering attacks:

1. Utilize Device Guard or Gatekeeper

Device Guard (Windows, now part of Windows Defender Application Control) and Gatekeeper (macOS) are a great way to ensure that only trusted software runs on your organization's devices. Device Guard enforces code integrity policies that allow only the signed binaries your administrators have approved to execute; Gatekeeper only launches downloaded apps that are signed by an identified developer and notarized by Apple unless a user explicitly overrides it. Either way, an unapproved "app" downloaded from a fake map site will not run, which stops a trojan at the end user's desk.

2. Avoid IP Trust Relationships 

IP-based trust relationships (trusting a host simply because of the source address it presents, as in the old rhosts/hosts.equiv style of remote login, or firewall rules keyed only on source IP) were once the preferred way to grant access between systems, but not anymore. The approach leaves you open to IP spoofing because the address is the sole factor in the authentication decision, and source addresses are trivially forged. An attacker can use a network sniffer to learn which addresses are trusted, craft packets that claim one of them, and either slip past the access control or use the forged address to launch a DoS attack.


An allowlisting model that authenticates identities rather than addresses mitigates these risks. Federation through an identity provider (IdP) denies access by default and enforces the principle of least privilege: nothing is reachable until an explicit grant exists. Active Directory domain trusts, by contrast, work the other way round: once a trust is established, access across it is implicitly allowed unless you configure selective authentication, so it is much easier to overlook a permission or inherit one from a parent domain. Federation through an IdP also integrates with other authentication methods such as SSO and multi-factor authentication without relying on the NTLM protocol, which is susceptible to relay and pass-the-hash attacks.

3. Add Anti-Spoofing Filtering to Networks

A further layer of defense is anti-spoofing filtering on the network itself, so forged packets are dropped before they reach your systems and email inboxes. Get your IT architect involved and discuss which methods (SAVI, ingress ACLs, unicast RPF, and so on) fit the size and scope of your business. NAT is sometimes thought of as an anti-spoofing filter, but it is not the right tool: NAT translates addresses, it does not screen out packets whose source is not covered by an access list, and a clever cybercriminal can forge an untraceable source address that passes straight through.
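As an added example (my own illustration, not the article's or any vendor's code), here is a small model of the ingress filtering that discussion should produce: a bogon and own-prefix ACL on the upstream interface, and strict unicast RPF on the internal interfaces, both evaluated against a constructed routing table. The routing table, interface names and sample packets are assumptions for the example. It also shows the edge case a practitioner has to watch for: with a default route in the table, a naive reverse-path check passes every source address, so the lookup used for uRPF deliberately ignores the default route.

```python
import ipaddress

# Constructed routing table for this example: prefix -> interface it is reached via.
# wan0 faces the upstream provider; lan0 and dmz0 are our own networks.
ROUTES = {
    "0.0.0.0/0": "wan0",
    "10.1.0.0/16": "lan0",
    "192.0.2.0/24": "dmz0",
}

# Source ranges that must never arrive from the Internet: RFC 1918 space,
# loopback, link-local and "this network". This is the ingress ACL half of
# BCP38-style filtering.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def lookup(src, ignore_default=False):
    """Longest-prefix match for src. With ignore_default=True the 0/0 route is
    skipped: a reverse-path check that honours the default route accepts
    every source and therefore filters nothing."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ignore_default and net.prefixlen == 0:
            continue
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def ingress_filter(src, ingress):
    """Decide whether a packet with source src arriving on ingress is accepted.
    Returns (accepted, reason)."""
    addr = ipaddress.ip_address(src)
    if ingress == "wan0":
        # Upstream side: ACL against bogons and against our own prefixes,
        # which can only legitimately originate inside.
        if any(addr in net for net in BOGONS):
            return False, "bogon source on upstream interface"
        if lookup(src, ignore_default=True) is not None:
            return False, "source claims one of our own prefixes from outside"
        return True, "upstream packet passes ingress ACL"
    # Internal side: strict uRPF, the source must be routed back out the
    # same interface it arrived on.
    if lookup(src, ignore_default=True) != ingress:
        return False, "strict uRPF failure: source not routed via " + ingress
    return True, "strict uRPF match"


def filter_batch(packets):
    """Apply ingress_filter to (src, ingress) pairs; returns the accepted sources."""
    return [src for src, ingress in packets if ingress_filter(src, ingress)[0]]


# Constructed sample traffic: (source address, interface it arrived on).
PACKETS = [
    ("10.1.5.9", "lan0"),        # real LAN host
    ("192.0.2.7", "lan0"),       # LAN host forging a DMZ address
    ("198.51.100.20", "lan0"),   # LAN host forging an outside address
    ("203.0.113.4", "wan0"),     # normal Internet source
    ("10.1.5.9", "wan0"),        # private source from the Internet: bogon
    ("192.0.2.7", "wan0"),       # our own DMZ address arriving from outside
]

if __name__ == "__main__":
    for src, ingress in PACKETS:
        ok, why = ingress_filter(src, ingress)
        print(f"{src:>15} on {ingress}: {'accept' if ok else 'drop'} ({why})")
```

Only the two honest packets survive. Note that none of this is something NAT would do: a NAT device rewrites the source of outbound traffic and maps replies back, but it never asks whether an inbound or outbound source address is plausible for the interface it arrived on, which is exactly the question the filter above answers.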
