Introduction: Being Cyber Smart Through COVID-19
With many people working from home, staying safe online is more important than ever. Threat awareness is the first step in preventing an attack from succeeding. In the wake of COVID-19, cyber criminals across the world have devised campaigns such as fake government relief money, fake PPE (Personal Protective Equipment) emails, as well as fake mask mandate violation fines via text message. The incidents are numerous, but they all share common techniques.
Impact: Cyber-Crime during COVID-19
- Latest figures from Hiscox Insurance predict cyber-crime to cost $6 trillion by 2021, double what it cost in 2015.
- One study from the UK shows Phishing/Smishing attacks accounting for 86% of all COVID-inspired cyber-attacks.
What Can You Do to Prevent Cyber Crime?
- Use Multi-Factor Authentication
- Change Wireless Router Password and Use Hidden SSID
- Do Not Enter Private Information on Public Computers
- Use a VPN
- Use Browsers with Increased Security Settings
- Use a Mobile Hotspot Instead of Public Wi-Fi
- Use Social Media Wisely, and Use Strong Privacy Settings
- Turn on Automatic Updates
- Use Strong Passphrases
- Use a Unique Passphrase PER Critical Account
- Use Encrypted Drives
- Use Encrypted Email
- Use Encrypted Browsers
What are the Common Threats?
Phishing: A digital form of social engineering to deceive individuals into providing sensitive information. This traditionally takes the form of a fake website login that can look and feel like the real website.
Smishing: A form of phishing that uses unsolicited text messages (SMS).
Pharming: An attack that either compromises your local computer via malware or hijacks DNS servers. Either way, this sophisticated attack results in a redirect to a malicious website.
Malware: Software that compromises the operation of a system by performing an unauthorized function or process. This could include a backdoor, which an attacker places on a device to exfiltrate data.
- The more sophisticated phishing sites will say you entered the wrong credentials while seamlessly redirecting you to the real PayPal login.
- An SMS that told recipients to stay indoors included a link to more information that led instead to a malware-infested website.
- A recent SMS (Smishing) campaign targeted parents with free financial assistance for school meals, asking them to enter banking information. This coincided with an announcement of a real government program delivering food vouchers to children who were not able to attend school due to COVID.
- The government announced a job retention program and 2 days later a fake job retention phishing campaign was launched.
The below photo is an example of a fake PayPal Website designed to collect login credentials from an unsuspecting user:
Conclusions
- Understand the common methods used by attackers such as unknown email attachments, fake websites, fake login pages and unsolicited or unknown text messages.
- Prevent attacks from occurring by using multi-factor authentication and strong passwords. Ensure your device has the latest software updates.
- Check the URL at the top of your web browser to verify the legitimacy of the website. Look for a secure connection icon.
References
Best Practices: NIST SP 800-46 Rev. 2
Lallie, H. S., Shepherd, L. A., Nurse, J. R., Erola, A., Epiphaniou, G., Maple, C., & Bellekens, X. (2020). Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. arXiv preprint arXiv:2006.11929.
Definitions:
National Initiative for Cybersecurity Careers and Studies. Retrieved from Cybersecurity Glossary: https://niccs.us-cert.gov/about-niccs/cybersecurity-glossary
NCSD Glossary, CNSSI 4009, NIST SP 800-63 Rev 1