Cybercriminals are targeting people through phishing scams

Hackers are taking advantage of the disruption and fears caused by the pandemic to steal personal information from people, cybersecurity experts told CNBC. 

Most countries have stepped up social distancing measures to contain the virus, and that includes directing employees to work from home, which can make some more vulnerable to attacks. Authorities are also publishing infection numbers online and contacting people who may have been exposed to those infected by the virus — a process known as contact tracing.

That’s providing opportunities for cybercriminals to exploit people’s fears by posing as health authorities or by sending scam emails, according to experts. Unsuspecting people are being directed to fraudulent websites to check if they’ve been in contact with an infected person, or are being tricked into downloading malicious software that steals their personal information.

The outbreak that causes the respiratory disease Covid-19 has affected more than 1.9 million people around the world and over 126,000 have died from the illness, according to the latest data from Johns Hopkins University.

There were just 190 domain names on the internet with the terms “corona” and “covid” in them last year, according to Etay Maor, chief security officer at cyber-intelligence firm IntSights. Toward the end of March, he said there were more than 70,000 domain names related to those terms. 

“Not all of them are bad, right? Some of them are just domains people register and some of them are legit,” Maor told CNBC. “But, some of them did turn out to be phishing attacks.”

Phishing attacks are usually carried out via email, where online criminals try to access sensitive information like log-in and credit card details, by presenting themselves as a trustworthy figure, such as a banking institution or a government body.

Maor explained that every time a major event happens, attackers take advantage by creating phishing sites around them. In the case of the pandemic, hackers are preying on the fact that people are afraid, and many want to get more information about the disease, he said. 

The attacks have evolved from fraudulent offers of face masks and hand sanitizers, to phishing attack, and in recent weeks, more sophisticated players including nation-state actors have entered the fray, according to Maor.

“Everybody has their hand in it right now. They’re using mainly the fear that people have and the need for knowledge and using that for their types of attacks,” he said. 

In the first week of February, when the outbreak was still mostly limited to China, there was an increase in the distribution of malicious files disguised as documents related to the virus, according to Yeo Siang Tiong, general manager for Southeast Asia at Russia-headquartered cybersecurity firm Kaspersky.

He told CNBC that a week later, attackers began sending phishing emails related to Covid-19 recommendations by posing as trusted sources like the U.S. Centers for Disease Control and Prevention.

“Everything looks legitimate, and upon clicking the domain, you are directed to an Outlook log-in page, which is, in fact, a phishing page designed to steal your email credentials,” Yeo said. 

Maor added that other organizations have also been impersonated. They include the Department of Homeland Security in the U.S., the Chinese health ministry and the World Health Organization. What makes these attacks more challenging is the fact that they’re not targeted at a specific entity, he said. 

Phishing emails designed around contact tracing is a popular way many attackers are using to deliver their malicious software designed to steal information, according to Matt Bennett, Asia Pacific and Japan vice president at VMWare Carbon Black.

“Basically you receive an email, which says ‘Hey, you’ve been in contact with patient X, we need to determine XYZ about you, please go to this portal,'” Bennett told CNBC. “I think that’s a common trick we’ve seen in cybersecurity for a while where people leverage one brand or a government agency brand or reputation to trigger what they want to achieve.”

Bennett explained that though the types of cybersecurity threats are not new, they’re a lot more effective in the current climate. “In fearful climate, people can do things that they probably shouldn’t,” he said. 

With many people around the world working from home, using remote tools like video conferencing services and such, experts agreed that the situation presented a broad range of vulnerabilities that cybercriminals can exploit. 

Phishing emails are not the only way attackers are targeting people. Remote working platforms pose a significant security risk too, and so do virtual private networks that many people use to log in to their office servers. Video conferencing platform Zoom, for example, added millions of users in the last few months as people were forced into social distancing and working from home. However, the company has come under some scrutiny over its security lapses. 

Kaspersky’s Yeo pointed out people working from home can make themselves a target by indiscriminately downloading all the files sent to them via other platforms. 

“In the absence of being guided by their IT organizations, people start to make bad decisions, they download things that perhaps they shouldn’t have,” Bennett added. 

Maor said there are a few ways people can protect themselves from becoming unwitting targets for cybercriminals.

First, they need to be aware that these attacks are happening. 

“The attackers are interested in these types of attacks, going after the technology, the processes, the people. They understand these vulnerabilities, they’re actively looking for them. So, people should understand that they may be a target of these types of attacks,” Maor said.

Next, it’s important to practice good security hygiene: That means regularly updating software to keep them up-to-date, as well as using advanced security measures such as two-factor authentications or VPNs. While they’re not foolproof, Maor said it prevents people from becoming easy targets. 

“If an email looks mildly suspicious, don’t open it. Or click on any links. If they look like your bank or financial advisors, call them and ask,” he added.