Crises can vary immensely, be it in terms of the specific nature of each situation or the impacts that may be limited to a specific group — or even an event such as the COVID-19, which is essentially affecting all countries around the world.
Even with this huge variety in types of crises, the fact is that they all share a common point: their ability to bring out both the best and the worst in people. The COVID-19 crisis is no different. While we have countless heroic tales from the front, such as health professionals working long hours daily under the constant risk of contamination, there is no shortage of both scammers and cybercriminals who did not hesitate before starting to exploit the pandemic for their own benefit.
In truth, scammers are experts in exploiting all kinds of situations that attract mass interest, especially those that produce strong emotions in the general public. Unfortunately, this is not something new, and it certainly will not change anytime soon.
One of the best strategies to avoid scams now is to shed some light in our recent past. Let’s try to understand how cybercriminals and other scammers behaved during global crises and what lessons can be learned and applied today.
1. 2009: Swine flu scams
Our earliest case goes all the way back to June 2009 and involves another pandemic, the swine flu. This influenza pandemic lasted for about 19 months, and the estimated number of cases, including asymptomatic and mild cases, could be 700 million to 1.4 billion people. This is roughly 11 to 21 percent of the global population at the time.
Soon there were millions of people frightened of catching the H1N1 flu and desperately looking for an easy cure. Scammers took advantage of this public-health emergency and came up with several ludicrous treatments, such as a hand spray that leaves a layer of ionized, virus-killing silver on your hands. These fraudulent products popped all over the internet, requiring quick action on the part of the Food and Drug Administration (FDA).
While this sort of fraudulent action is almost entirely based on social engineering with a touch of spamming to spread the message, this example presents us with a basic lesson: if there is a chance of profit, cybercriminals and scammers have no problem in exploiting our emotions, even in life and death situations.
2. 2010: Cybercriminals exploit disaster in Haiti to spread web scams
The 2010 Haiti earthquake was a catastrophic event affecting approximately three million people, with an estimated 316,000 casualties. Almost instantly, various types of scams and malicious exploits sprouted up on the internet.
Attacks included scam tweets and spam emails asking for donations that went to fraudulent charities and SEO poisoning (creating malicious websites and using search engine optimization tactics to make them show up prominently in search results). While now there is some tech knowledge, the basis for these scams remains the same: social engineering. However, different aspects are exploited. This time, it targeted the natural curiosity people have about major events and our goodwill and intent on helping those in need.
Figure 1: 2010 fraudulent tweet about Haiti Earthquake (Source: Forcepoint)
This case brings us to an even darker point. Obviously, the donations sent to fraudulent charities never reached the people affected by the earthquake. This situation shows that cybercriminals have no concern about the impact of their attacks, even when it means the loss of human lives.
3. 2011: Cybercriminals exploit Japan earthquake with SEO attacks
Another case of a major earthquake, this time in Japan, reaching 8.9 magnitude and resulting in a tsunami in the Pacific region. Cybercriminals were quick to exploit this catastrophe, launching SEO traps that sent users straight into phony websites full of malware.
At the time, Trend Micro reported that monitoring for any active attacks started as soon as news broke out. Sure enough there were pages inserted with keywords related to the earthquake, including sites infected with FAKEAV variants such as MalFakeAV-25.
In essence, cybercriminals used the same strategy employed during the Haiti earthquake case: quickly responding to a major event and leading careless and curious people to malware infection. Again, they have zero shame about taking advantage of catastrophes to make financial gain for themselves.
4. 2011: Cybercriminals exploiting 9/11 anniversary
The 9/11 attacks are probably the most painful event in recent US history. Even so, cybercriminals had no problem capitalizing on its 10th anniversary and launched a series of phishing scams and other cyberattacks.
As reported by the Department of Homeland Security, most cases included malware campaigns or fake websites. These campaigns utilized seemingly legitimate web content related to the September 11 attacks, with fraudsters asking for money to support victims of the 9/11 attacks or their families.
Once again, the psychological factor is key to the effectiveness of this attack. It abuses people’s emotional side, resulting in many clicks on unsolicited web links in email messages.
5. 2014: Cybercriminals use Malaysia Airlines flight MH17 plane crash news to bait users
The tragedy of the crashed Malaysia Airlines flight MH17 was also exploited by scammers and cybercriminals. MH17 was a scheduled passenger flight from Amsterdam to Kuala Lumpur that was struck by a ground-to-air missile.
Using the same tactics applied to all major events that capture public interest, cybercriminals spread malicious links with the goal of snatching users’ personal data and distributing malware. But this time we have a significant change: the target now was primarily social networks and instant messaging applications, which had experienced unprecedented user growth, including the elderly and other groups more susceptible to social engineering attacks.
Figure 2: 2014 fraudulent tweet on MH17 plane crash with a malicious link (Source: The Hacker News)
6. 2017: Hurricane Harvey phishing scams
This is a slightly more recent case, which again makes it clear that cybercriminals have no problem using natural disasters for financial gain. Harvey was a devastating Category 4 hurricane that in August 2017 made landfall on Texas and Louisiana, causing catastrophic flooding and many deaths.
Almost before the winds dispersed, US-CERT warned users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. As usual, phishing is the path of least resistance. US-CERT was quite clear in advising users to exercise caution in handling any email with subject line, attachments or hyperlinks related to Hurricane Harvey, even if it appeared to originate from a trusted source.
This time, with the omnipresence of social media, attackers expanded their tactics to checking profiles and gathering information on the target, such as “who a user may know in the disaster area.” They then used it as the basis for a spoofed email or to create fake profiles and contacting the victim to ask for money and information or sending malicious links or files.
7. 2019: Cybercriminals trying to make money from a mass shooting
At this point, it’s clear that there is no limit on how low cybercriminals will go. As recently as last year, phishing campaigns were created to make money out of people who wanted to help the victims of a mass shooting that killed at least 50 people in March 2019.
By spoofing Westpac, one of Australia’s four major banking organizations and one of the largest banks in New Zealand, cybercriminals sent fake emails asking for donations to help victims of the shooting. With over $5 million donated to a fund for New Zealand shooting victims, it is still unclear how much money the shooting email scam may have siphoned, directly harming a legitimate effort to help those in dire need.
8. 2020: COVID-19 and the rise of cyberattacks and phishing scams
Back to 2020, and as you may have already guessed, cyberattacks and phishing scams based on the COVID-19 have unfortunately escalated to massive numbers.
As early as January, COVID-themed phishing campaigns were already on the rise, spreading almost as quickly as the real virus. The first Emotet spam campaigns detected targeted Japanese entities as COVID-19 cases peaked in Italy during February. Scammers quickly sent emails with attachments detailing precautions against infections that in reality were DOCX files containing macros for dropping malware on the victim’s system. Other phishing campaigns in late February were used to spread the AZORult Trojan to high-value targets in the shipping and logistics industry.
Figure 3: Phishing email based on COVID-19 (Source: Trustwave)
In March, several attacks were aimed at the World Health Organization (WHO), including phishing emails and even a malicious site designed to mimic the WHO’s internal email system. But while the identity of the cybercriminals is still unclear, their effort was unsuccessful. The probable suspects are known as DarkHotel, a group that has been conducting cyber-espionage operations since at least 2007.
Another form of attack, Zoombombing, was used to hijack video conferences. Reports by the FBI listed two schools in Massachusetts targeted in recent incidents. As with many other similar solutions, Zoom has seen a massive increase in users during the COVID-19 pandemic; this led to the practice of Zoombombing, where unwanted guests intrude on video meetings for malicious purposes. Cybercriminals also took advantage of Zoom’s recent popularity and used its name and look to create a number of “suspicious” websites to trick people into clicking potentially malicious links.
In April, coming full circle to our first example back in 2009, malicious messages and websites preyed on the fear and uncertainty around the COVID-19 pandemic. With many people in quarantine, government stimulus payments and small-business loan packages were amongst the most common topics used by cybercriminals trying to harvest credentials.
Figure 4: Phishing email exploiting small-business loan packages (Source: SentinelLABS)
Attacks continually escalated over May, with many cases of RATs (Remote Access Trojans) such as Remcos, which is able to harvest credentials, steal sensitive documents and information. It even gives an attacker access to basic functionality, including microphone access, screenshots, webcam control and keylogging. There was no shortage of other sorts of nasty malware, either: for example, the fuckunicorn ransomware family, which was used in a series of attacks against the Italian Federation of Pharmacists.
As we reach the summer, cyberattacks exploiting the COVID-19 are still steadily occurring. Many phony Android applications use the pandemic as a lure, with malwares such as Anubis and SpyNote having registered cases in contact-tracing apps aimed at various locales, including Indonesia, Iran, Russia and Italy. Both Trojans and their variants are trying to extract sensitive or personal information from the targeted devices.
Yet again proving that cybercriminals are devoid of any sort of morals, recent attacks targeted a German task force for COVID-19 medical equipment. This group was commissioned to use their international contacts and expertise to obtain personal protective equipment (PPE), including face masks and medical gear, particularly from China-based supply and purchasing chains. Unfortunately, facts make clear that new medical equipment procurement structures are among the top targets for cybercriminals.
Cybercrime lessons during widespread crises
There are countless lessons that we can learn from cybercrime tactics during widespread crises. A fundamental first point is to understand that cybercrime simply has no scruples: whenever there is a possibility of financial gain, they will immediately take advantage of any situation that has the interest of the general public, to the point that It does not matter if cyberattacks will ruin businesses or even end in the loss of human life.
Unfortunately, this scenario is expected to get even more challenging in the coming years. According to 2020’s version of the Global Risks Report, published by the World Economic Forum, organized cybercrime entities are joining forces. Cybercrime-as-a-service is also a growing business model, with increasing sophistication of tools making malicious services affordable and easily accessible for anyone. By 2021, it is expected that cybercrime damages might reach $6 trillion. To put it into perspective, that would be equivalent to the GDP of the world’s third-largest economy.
A second lesson is also quite evident: Social engineering is still a major part of cybercrime tactics during crises. Yes, attackers may be using ever-evolving sophisticated tools, even to the point of employing AI/machine learning to devise when a phishing attack will be more successful. But a simple fact still holds true: humans are the primary target. This is exploited even further during crises. Since major events attract lots of public interest, several facets of our human nature (such as curiosity, fear, goodwill and even tiredness and negligence) may increase an attack’s chance of success.
While we are still fighting one of the worst pandemics in our history, there are already clear indicators that very soon there will be more effective treatments or even a vaccine to prevent COVID-19. The fact is, as hard as this challenge may be, we are heading towards a solution. In the case of cybercrime, we have a very different scenario.
For now, there is no concrete evidence pointing to a definitive solution against cybercriminals any time soon. There is no doubt that this cyber insecurity is one of the biggest challenges that businesses will face over the next few years. Cyberattacks have not yet reached the point of taking lives in the same amount as COVID-19, but its ability to ruin business, destroy people or even directly implicate in the loss of human life is irrefutable.
The big question is how we should deal with this cyber-pandemic? According to International Data Corporation (IDC), worldwide spending on security-related hardware, software and services is forecast to reach $133.7 billion in 2022. While investing in cybersecurity solutions is a strategy that most organizations have adopted in recent decades, with different levels of success, it is important to remember that a truly protected environment must consider people, processes and technology.
Since crises show us that humans are at the center of most attacks, we must understand that humans must also be at the center of the solution against cybercriminals. Of course, this does not apply solely to your team of cybersecurity experts. A truly intelligent and effective security strategy must include information security education and awareness actions at all levels of your organization. This is undoubtedly the biggest lesson we can learn about the behavior of cybercriminals during crises, and the most efficient way of preventing the next attack.
- Psst! Want a Cure for H1N1? Swine Flu Scams, Time magazine.
- Cybercriminals exploit disaster in Haiti to spread Web scams, Forcepoint
- Cyber criminals exploit Japan earthquake with SEO attacks, Silicon Republic
- Cybercriminals exploiting 9/11 anniversary, TrendMicro Simply Security
- Cyber Criminals Use Malaysia Airlines Flight MH17 Plane Crash News to Bait Users, The Hacker News
- Potential Hurricane Harvey Phishing Scams, Department of Homeland Security
- Phishing on Fears: How Low Will Hackers Go?, Secure World Expo
- Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike, Reuters
- FBI Warns of ‘Zoom-Bombing,’ Where Hackers Hijack Video Conferences After Two Schools Affected, Newsweek
- COVID-19 Malspam Activity Ramps Up, Trustwave
- German Task Force for COVID-19 Medical Equipment Targeted in Ongoing Phishing Campaign, Security Intelligence