COVID-19’s Impact on Phishing Attacks

The threat of phishing attacks is gradually expanding in the number of cases and their sophistication and use in different attack vectors; this is especially true in the troubling times of COVID-19, where more of the world’s population are working from home, relying on the Internet to facilitate all aspects of their jobs. COVID-19 has also affected the cybersecurity industry resulting in furloughs and downsizing, significantly reducing their abilities to protect all that we depend on to stay securely connected to the IoT (Internet of Things). While COVID-19 is the cause for increases in several methods used by cybercriminals, phishing alone is currently evolving to meet the growing demands of the world of tomorrow.

Phishing can come in various forms, such as spear, whaling, smishing, vishing, and angler-styled attacks[1]. For example, some users will report instances such as deactivation scares; this style of attack is very efficient, as it scares users into reacting by threatening to deactivate a critical account. The email threatens to deactivate a banking account and informs the user that they must follow a convenient link to reactivate it; the linked page then asks for the user’s login credentials, such as their username and password. When an unsuspecting user follows the instructions without questioning the email’s authenticity, the page eventually asks for their debit/credit card information as well. While most of these attacks can be easy to spot by looking for misspelled words or poor-quality images, they have lately evolved to be very realistic. Some phishing emails even carry indications that they were already scanned for malicious content by antivirus programs or email systems such as Google’s Gmail.

I feel that phishing attempts are beginning to evolve in complexity and that this threat is not going away anytime soon. By relying on most of the population’s unwarranted trust in their favorite technology company’s cybersecurity and data protection rules, regulations, and defenses, phishing attacks are one of the most significant threats now and into the future. Many individuals would not notice the potential signs of malicious intent of phishing emails; even if they had reason to distrust the email, any attempts at scaring the individual with threats such as having their banking account deactivated would take precedence.

For phishing attacks, a simple model can be formed to estimate the likelihood that a typical user opens a given email. In any given phishing email, several factors are in play, including the sender’s email address that is shown (often spoofed), the actual sender’s address (which most users do not know to look for), the words used in the email (any indication that the email should be automatically marked as spam by email filters), the appearance of the email (low/high-resolution images, poor/proper scaling), the subject matter of the email (threats or enticements), and the status, size, authority, and trust of the ‘company’ that the email is from (or attempting to be from), as well as several factors involving the target of the attack, including their education level, current financial status (how prone they are to opening emails promising free funds, services, or goods), whether the email was sent to their personal, school, or work account, the time of day the email arrives, the nation in which they live, and attributes derived from social engineering. For example, the target’s Facebook account can be searched for products or companies they admire, thus opening an opportunity to create a targeted phishing email in that company’s name.

Domain name scams such as typosquatting are where an unaffiliated individual purchases a domain that is similar to a business’s and then uses that domain to send its customers emails and notices. Creating and purchasing domain names is a relatively simple process with little-to-no governance involved. By obtaining a domain similar to one owned by a business, one can message its customers while appearing to be affiliated with the company and request payments or personal information. For example, say a company owns ‘www.randomcompany.com’ and someone purchases ‘www.randomcompany.net’; as most can probably tell, the ‘.com’ has been replaced with ‘.net’; however, the average user might not be so aware. Several other variants of attack can be involved in a domain scam, besides the aforementioned typosquatting style.
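The ‘.com’ versus ‘.net’ swap above is one of a small family of look-alike spellings that a mail filter can enumerate in advance. The following is an added example (not code from the original post) that generates those variants for a protected domain and classifies an inbound sender domain against them; ‘randomcompany.com’ is the post’s own illustration, and every other domain, the list of alternate TLDs and the homoglyph table are constructed assumptions.

```python
"""Flag look-alike (typosquatted) sender domains against a brand watchlist.

Added example, not part of the original post. The protected domain
'randomcompany.com' is the post's own illustration; every other value here
is constructed.
"""

# Constructed watchlist: domains the organisation legitimately sends from.
PROTECTED_DOMAINS = ["randomcompany.com"]

# TLDs an impostor often registers when the brand's own TLD is taken.
ALTERNATE_TLDS = ["net", "org", "co", "info", "biz"]

# Character sequences that render almost identically in many fonts.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "rn": "m", "vv": "w"}


def split_domain(domain: str):
    """Return (label, tld) for a registrable domain such as 'example.com'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def variants(domain: str) -> set:
    """Enumerate look-alike spellings of a legitimate domain.

    Covers TLD swaps, single-character omission, adjacent-character
    transposition and homoglyph substitution. Intended for building a
    mail-filter watchlist; nothing here touches a registrar.
    """
    label, tld = split_domain(domain)
    out = set()
    for alt in ALTERNATE_TLDS:                       # .com -> .net, .org, ...
        if alt != tld:
            out.add(f"{label}.{alt}")
    for i in range(len(label)):                      # randomcompany -> randomcmpany
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                  # randomcompany -> randomcompnay
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    for src, dst in HOMOGLYPHS.items():              # one substitution at a time
        for i in range(len(label)):
            if label.startswith(src, i):
                out.add(f"{label[:i]}{dst}{label[i + len(src):]}.{tld}")
    out.discard(domain.lower())
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch spellings the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, protected=PROTECTED_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    d = sender_domain.lower()
    for good in protected:
        if d == good:
            return "legitimate"
        if d in variants(good):
            return "lookalike"
        # Same or nearly the same label under any TLD is still a look-alike.
        if levenshtein(split_domain(d)[0], split_domain(good)[0]) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sender in ["randomcompany.com", "randomcompany.net",
                   "rand0mcompany.com", "randomcompnay.com", "example.org"]:
        print(f"{sender:22} -> {classify_sender(sender)}")
```

The enumerated set is cheap to compute once per protected domain and can be fed to a mail gateway as a watchlist; the edit-distance fallback catches the remaining near-misses at the cost of occasionally flagging a genuinely unrelated short name, which is why it is applied to the label only and with a threshold of one.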

Domain hijacking ensues when someone gains access to domain registrar account details, thus obtaining complete control of all domain-based functions (editing technical, personal, and administrative details and changing/transferring the domain name or DNS name servers). When a domain is hijacked, reclaiming ownership can be a prolonged procedure, primarily when the domain has been moved to a new registrar. Domain phishing happens via scam emails, which route gullible customers to counterfeit websites masquerading as the original registrar’s sites. Through such a phishing email, the attackers collect sensitive data such as banking information and personal details, which can then be exploited in identity theft.

Phishing attacks in the early ’90s were devastating, as employees were new to the Internet and not educated on proper cyber-etiquette, like spotting malicious or spoofed emails; thankfully, with modern technology, these tasks have been automated through A.I. or scripts, removing the risk-filled human element from the equation entirely in some cases; however, even with the surplus of new technology and operating methods, phishing attacks have grown into new sectors and vectors in the IoT (Internet of Things). In 2016, we saw cybercriminals continuing to exploit human nature as they relied on attacks such as phishing and ransomware. Phishing (when users are sent an email from a fraudulent source) is on the rise, as the percentage of users who open these emails rose from 23% to 30%. Ransomware attacks increased as well, up 16% from the previous year. Per the 2016 report, 89% of all attacks involved espionage or financial motives. It is quite shocking that most of these attacks used known vulnerabilities that had never been patched even though patches existed. The top ten known vulnerabilities accounted for 85% of the total number of exploits. What is even more shocking is the number of data breaches that involved stolen or weak passwords: a total of 63% of data breaches were recorded using this easily prevented method[2].

In the 2017 Verizon Data Breach Investigations Report, the trends identified in the 2016 document held true. 43% of the events were social attacks, including cyber-espionage and web application attacks. By merely influencing or holding leverage over an individual through various forms of social engineering, intruders could bypass many of the security protocols set in place. Phishing was again the top variant, being involved in 90% of both breaches and incidents. When it comes to miscellaneous errors in 2017, there were over 2,478 incidents of misdelivery, disposal, publishing, and misconfiguration errors. Cyber-espionage continued to be a problem, with targeted phishing campaigns at the top; educational organizations were impacted much more than in 2016[3].

In 2018, we saw the trends of 2016 and 2017 continue. Phishing and pretexting represented a surprising 98% of social incidents; the top industry for these breaches was the public sector. In 2018, over 73% of breaches were perpetrated by outsiders, and 48% featured hacking. Ransomware continues its tragic climb, rising from around 0% of incidents in 2013 to over 40% in 2017 (Verizon, 2018). In 2019, cyber-espionage-related breaches were reported to have increased from 13% in 2017 to 23% in 2018, which should place some fear into many businesses’ hearts. A surprising 90% of malware arrived via email, showcasing the dangers of improper policies and employee training[4].

COVID-19 has impacted the world as we know it in several manners. As INTERPOL states, “Cybercrime has shown a significant target shift from individuals and small businesses to major corporations, governments, and critical infrastructure[5].” Due to the vast majority of employees who are working from home and the suddenness of the change, organizations are frantically attempting to secure the remote systems and networks they set up, thus allowing cybercriminals to take advantage of the often-weak protective measures and willingness of work-from-home employees to click on malicious links in emails that they would deem as necessary to perform their job’s duties. The phrase, ‘when it rains, it storms’ is, unfortunately, suitable for this current pandemic, as social, financial, and political unrest leads to a sudden rise in the forces of evil, attempting to collect information, damage businesses, and steal resources in their phishing attacks against those who have far more on their mind than standard security policies and procedures. Per one of INTERPOL’s private sector partners, from January to April in 2020, a total of 909,000 spam messages, 48,000 malicious URLs, and 737 malware incidents were reported, all related to COVID-19[6].

Phishing attacks, like technology itself, are both expanding and becoming vastly more sophisticated than previous versions in order to defeat new defensive measures and interact with the IoT. With many of the top email providers using cloud-based services and issuing trusted links to their customers’ files, the battlefield of cybercrime has been altered by attacks that abuse file-sharing services. The zombie phish is another relatively new concept: an attacker takes over an email account and replies to an older email thread with a phishing link; because the sender and subject are familiar, the targets are far more likely to open the link. Shortened URLs are becoming immensely popular in phishing attacks through services such as Bitly. A shortened URL is often not blocked by URL content filters because it does not reveal the link’s destination, and since most people picture a malicious URL as a long chain of odd numbers and characters, a shortened URL is an excellent cover for an otherwise suspect link.

Due to the pandemic, the rise of online scams and phishing attempts shows unprecedented levels of both usage and success. COVID-19-themed phishing emails, which often impersonate health and government employees, are widely successful, especially those related to the government’s medical response and payments to citizens in much of the world. Through search engines such as Google, we are seeing a growth of COVID-19-related searches, ranging from cases of the virus and the vaccines to stimulus payments. Google’s Coronavirus Search Trends website shows that from February 28, 2020, to April 28, 2020, Coronavirus was the leading search term by a staggering percentage[7]. The surge of interest in COVID-19 allows cybercriminals to create targeted lures that play on their targets’ fears. While the everyday citizen may think twice about opening an email with the subject ‘You Won a Million Dollars,’ many would not show the same resolve if the email stated that one of their employees or friends had contracted COVID-19 or that (in the U.S.) their stimulus check needs to be authorized within 24 hours.

Using fear in phishing attempts is an unfortunate but effective tool in convincing an individual to give up sensitive information; these attacks are especially hazardous for those who are not tech-savvy, such as the elderly. Many do not understand the science behind even a simple email, especially when trying to prove such an email is authentic. In the scenario involving the fraudulent bank account email, to confirm that the email was, in fact, a phishing attack, one could look at the email’s header to verify the sender’s address was either duped, spoofed, altered, or even coming from a completely different domain.

One could also examine the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) identifier recorded in the email’s Received headers, which is unique to each individual email[8]. A website’s address should always be verified to be the same as the real company’s official website address. Close attention should be paid to items in emails and websites such as font, coloring, and low-quality images; these are all reasonable indications of fraud. Recognizing when emails come from unrecognized senders is also essential. Another indication of a fraudulent email is that legitimate companies typically do not ask for login information anywhere other than their trusted website.
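The header checks described in the last two paragraphs (does the visible From domain match the envelope sender and Reply-To, what did the receiving server record for SPF/DKIM, and what ESMTP id did each relay stamp into its Received header) can be scripted against a raw message. The following is an added example, not code from the original post: both messages are constructed, and every address, host name, IP and ESMTP id in them is made up; the suspect one mirrors the deactivation-scare scenario above.

```python
"""Inspect raw e-mail headers for the sender mismatches described above.

Added example, not part of the original post. Both messages below are
constructed: every address, host name, IP and ESMTP id in them is made up.
"""
import email
import re
from email.utils import parseaddr

# Constructed phishing sample: the From header claims a bank, but the envelope
# sender (Return-Path), the Reply-To and the relaying host all say otherwise,
# and the receiving server recorded an SPF failure and no DKIM signature.
SUSPECT_MESSAGE = """\
Return-Path: <bounce@mailer-example.invalid>
Received: from mailer-example.invalid (mailer-example.invalid [192.0.2.10])
\tby mx.recipient.example with ESMTP id 7a9f21c3e4b5
\tfor <victim@recipient.example>; Mon, 06 Apr 2020 09:12:44 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer-example.invalid; dkim=none
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: <support@examplebank-verify.invalid>
To: <victim@recipient.example>
Subject: Action required: your account will be deactivated

Your account will be deactivated unless you confirm your details today.
"""

# Constructed legitimate sample: every header agrees and authentication passed.
CLEAN_MESSAGE = """\
Return-Path: <alerts@examplebank.example>
Received: from mail.examplebank.example (mail.examplebank.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id c41d08e9aa17
\tfor <victim@recipient.example>; Mon, 06 Apr 2020 10:02:11 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: <victim@recipient.example>
Subject: Your April statement is ready

Your statement is available in online banking.
"""


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from the receiving server's Authentication-Results."""
    text = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}


def esmtp_ids(msg) -> list:
    """The ESMTP id each relay stamped into its Received header (one per hop)."""
    ids = []
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\bid (\S+)", rcvd)
        if m:
            ids.append(m.group(1))
    return ids


def analyse(raw: str) -> dict:
    """Compare the visible sender with the envelope, Reply-To and auth results."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    auth = auth_results(msg)
    flags = []
    if envelope_domain and envelope_domain != from_domain:
        flags.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")
    if reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if auth.get("spf") == "fail":
        flags.append("SPF failed for the envelope sender")
    if auth.get("dkim") != "pass":
        flags.append("no valid DKIM signature")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "reply_domain": reply_domain,
        "auth": auth,
        "esmtp_ids": esmtp_ids(msg),
        "flags": flags,
        "verdict": "suspicious" if flags else "headers consistent",
    }


if __name__ == "__main__":
    for name, raw in [("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)]:
        result = analyse(raw)
        print(name, result["verdict"], result["esmtp_ids"])
        for flag in result["flags"]:
            print("  -", flag)
```

Only the Authentication-Results header written by your own receiving server should be trusted; a sender can insert one of its own, so a production filter keys on the server name in that header (mx.recipient.example in the constructed samples) before reading the verdicts.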

To thwart domain scams, there are numerous methods to bolster a website’s defenses. Selecting an appropriate domain registrar company is an excellent first step. Features such as DNS management, two-factor authentication (2FA), multi-factor authentication (MFA), and 24/7 technical support are ideal. If the registrar allows two/multi-factor authentication, always enable it. 2FA/MFA ensures that even if an unauthorized individual has access to a domain’s username and password, they will have to successfully pass through a second security layer to access the account (such as entering a code sent to your email or cellphone).

Domain locking, while generally enabled by default by popular registrars, prevents unauthorized domain name transfers; this should always be on. ICANN WHOIS is a great tool to help reduce the amount of personal data one exposes on the Internet, including physical and email addresses, phone numbers, and other potentially sensitive information. Similar to all login credentials, a password’s sophistication and security practices need to be extensive and advanced. Passwords should have over eight characters, avoid dictionary words, use a combination of numbers, symbols, lower/uppercase letters, and be frequently changed. Furthermore, keep the domain’s contact details updated and not shared with anyone.

A single instance of a hacked or stolen domain can significantly impact a business in various aspects, potentially leading to declining sales, reduced SEO rankings, lower customer trust, or even a company’s total loss. A domain name and its security are just as crucial as apps, content, and code; devote extra funds to using a reputable registrar and backup service, and purchase the common spelling variations of your domain. Domain scams are a primary factor in phishing attacks, leaving unsuspecting users at a loss when attempting to defend against such sophisticated methods of convincing targets to believe something that is not true in order to gain information, access, or resources[9].

While COVID-19 has inflicted and is currently inflicting havoc on both businesses and individuals worldwide, only by understanding the correlation between fear and technology can we, as a population, reduce the number and success of phishing attacks. Fear, the feeling that many individuals and companies have during these unprecedented times, whether relating to their health, job security, or their company’s dwindling profits, can leave the average user vulnerable to threats from cybercrime. Technology impacts the effectiveness of cybercrime, such as phishing, in two ways that are polar opposites. First, the lack of technical skill and knowledge directly affects the everyday user’s ability to identify and protect against fraudulent emails and other forms of cybercrime. Second, the technical skill and expertise of cybercriminals allows them to create targeted phishing attacks and malware, giving them the tools they need to bypass even the most robust defenses. As the human element is the weakest link in cybersecurity, new policies, procedures, and security measures must be developed to counteract the evolution of cybercrime in the COVID-19 era.

Bibliography

Google. (2020). Coronavirus Search Trends. Accessed January 06, 2021, from https://trends.google.com/trends/story/US_cu_4Rjdh3ABAABMHM_en?fbclid=IwAR159CKSid1b3M-eGfwz-_9uN_PkhVKvpDAFTlSZsf4Gpd8krLRG8tiJ0Io.

Grimes, Roger A. 15 real-world phishing examples — and how to recognize them. Accessed January 06, 2021, from https://www.csoonline.com/article/3235520/15-real-world-phishing-examples-and-how-to-recognize-them.html.

INTERPOL. INTERPOL report shows alarming rate of cyberattacks during COVID-19. Accessed January 06, 2021, from https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19.

Nelson, B., Phillips, A., & Steuart, C. Guide to Computer Forensics and Investigations. Boston, MA: Cengage Learning, 2019.

Otero, A. R. Information Technology Environment and I.T. Audit. In Tools and Techniques Used in Auditing IT (Fifth ed., pp. 97-128). Boca Raton, Florida: CRS Press, 2019.

Verizon. 2016 Data Breach Investigations Report. Accessed January 06, 2021, from https://content.bellevue.edu/cst/cis/608/cd/docs/rp_DBIR_2016_Report_en_xg.pdf.

Verizon. 2017 Data Breach Investigations Report. Accessed January 06, 2021, from https://content.bellevue.edu/cst/cis/608/cd/docs/rp_DBIR_2017_Report_en_xg.pdf.

Verizon. 2018 Data Breach Investigations Report. Accessed January 06, 2021, from https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf.


[1] Grimes, 15 real-world phishing examples — and how to recognize them, 2020.

[2] Verizon, Data Breach Investigations Report, 2016.

[3] Verizon, Data Breach Investigations Report, 2017.

[4] Verizon, Data Breach Investigations Report, 2018.

[5] INTERPOL, INTERPOL report shows alarming rate of cyberattacks during COVID-19, 2020.

[6] INTERPOL, INTERPOL report shows alarming rate of cyberattacks during COVID-19, 2020.

[7] Google, Coronavirus Search Trends, 2020.

[8] Nelson, Phillips, Steuart, Guide to Computer Forensics and Investigations, 2019.

[9] Otero, Information Technology Environment and I.T. Audit, 2019.
