Physical and online safety are more important now than ever. All North Dakotans are encouraged to exercise caution when researching COVID-19 information online and when engaging in any online activity. Malicious actors are exploiting the pandemic for monetary gain, to steal personal information, and to intentionally mislead the public.

This webpage is focused on raising awareness of phishing emails and other malicious threats. Recent cyber threats and scams include:

  • Cure schemes – claiming to have a cure or treatment
  • Scams selling masks or other personal protective equipment (PPE)
  • Scams tied to CARES Act stimulus checks
  • Small business payroll / Paycheck Protection Program loan scams
  • Out-of-state residents have received calls showing a Department of Health (DoH) number from callers claiming to be the ND DoH and asking for Medicaid numbers and other personal information

Tips to Stay Safe Online

  • Be cautious with links and attachments – if you aren't expecting the email or don't recognize the sender, don't open it
  • Use trusted websites such as cdc.gov, health.nd.gov or ndresponse.gov – bookmark trusted sites and avoid web surfing and clicking on random website links
  • Don't reveal personal or financial information if asked over email or the phone. Verify and validate the agency, association or business you are dealing with. If the request is unsolicited, look up the organization's contact details yourself (search online or use a number you already have) and call them directly to verify the sender is legitimate; do not use a number or link supplied in the message itself

Be Cyber Smart – The Common Terms:

Malicious Information – any information intended to cause harm to the targeted victim (e.g., misinformation, scams, computer viruses, worms, trojans, spyware)

Social Engineering – criminals trying to trick you into providing sensitive information, or into clicking links that could infect your device

Phishing – an attempt to obtain sensitive information by disguising oneself as a trustworthy entity in an electronic communication (e.g., email, text message, phone call)

COVID-19 Phishing Threats

The following COVID-19 phishing threats are circulating widely.

Threat Statement/Description

Criminals are disguising themselves as World Health Organization (WHO) members and tricking people via text, email and phone calls into clicking a malicious link, opening a malicious file and/or sharing usernames and passwords.

Action/Guidance

  1. Do not click links or open attachments in an unsolicited email claiming to be from the WHO

Threat Statement/Description

CovidLock is a malicious Android application that claims to provide access to a map with real-time virus tracking and information, including heatmap visuals and statistics. In fact, according to a researcher from DomainTools, the app is ransomware: once installed it locks the device and demands payment.

Action/Guidance

  1. Do not download, install or run the CovidLock Android app
  2. Do not click links received via e-mail or text message about the CovidLock app, or about any other COVID-19 Android mobile application
  3. Use legitimate and validated websites and sources (e.g., CDC, North Dakota Department of Health) to follow and track up-to-date news and information about COVID-19

Threat Statement/Description

There has been an increase in phishing attacks aimed at employees and at school students (K-12 and university). The emails purport to come from employers and target people who are working from home, or purport to come from the victim's school. In reality, both scams link to fake OneDrive or Office 365 login pages that capture user credentials.

Action/Guidance

  1. Do not click links or open attachments about OneDrive or Office 365 that do not originate from NDIT
  2. Verify e-mails appearing to come from your employer, K-12 school or university before clicking any links or opening any attachments
  3. Remember that these e-mails will look very convincing and will typically attempt to "scare" you with a deadline or consequences if you don't act now

Threat Statement/Description

Citizens may start receiving phishing e-mails telling them they have tested positive for COVID-19. The e-mail then asks the victim to provide a credit card number for a prescription. Confirmation of the source of these e-mails is unavailable at this time; however, phishing e-mails like this may appear to come from health care providers, testing centers and/or federal or state government.

Action/Guidance

  1. Be suspicious of any e-mail from any organization, state or federal government telling you that you've tested positive for COVID-19
  2. Validate by phone with the facility or entity where you were tested that they actually sent the e-mail
  3. Do not provide sensitive information (e.g., credit card information, Social Security number, date of birth, health information) via e-mail to any organization, state or federal government entity
  4. Be cautious about opening attachments or clicking links in an email from any source informing you that you've tested positive for COVID-19

Threat Statement/Description

A phishing campaign targeting state and local governments, healthcare, biotechnology and financial services organizations used a COVID-19 lure to trick users into opening a zip archive that launches a malicious bot, which can deliver malware or ransomware and gain access to sensitive data. Other sectors identified as targets include energy, manufacturing and real estate.

Action/Guidance

  1. Be suspicious of unsolicited e-mails from federal government agencies; the CDC, the Department of Health and Human Services and other government entities will rarely send you an unsolicited e-mail with attachments for you to open and review
  2. Do not click on links or open attachments contained in unsolicited e-mails

Threat Description:

Security Affairs - https://securityaffairs.co/wordpress/100728/cyber-crime/coronavirus-phishing-attack.html?web_view=true - has reported a new phishing campaign that preys upon the public's fears of contracting the virus. The "new phishing campaign uses messages that pretend to be from a local hospital informing the victims they have been exposed to the virus and that they need urgently to be tested."

Action/Guidance:

  1. Be cautious about opening attachments or clicking links in unsolicited e-mails you receive about COVID-19
  2. Call and verify COVID-19 e-mails appearing to come from your local hospital or health care provider, using a number you look up yourself rather than one given in the e-mail

Threat Description:

As reported by SearchSecurity - https://searchsecurity.techtarget.com/news/252480848/Coronavirus-phishing-lures-continue-to-dominate-threat-landscape?&web_view=true - a new campaign identified by IBM X-Force researchers uses an email claiming to be from WHO Director-General Dr. Tedros Adhanom Ghebreyesus. The emails claim to share an update on the status of outbreak prevention as well as a potential cure, and they install an Agent Tesla malware variant (an information-stealing trojan) through attached documents. IBM X-Force said it expects the attack to be "highly successful" under current circumstances.

Action/Guidance:

  1. Exercise caution when opening attachments or clicking links in unsolicited e-mails claiming to be from the World Health Organization (WHO)
  2. As of this writing there is no officially recognized cure for COVID-19 (coronavirus)

Threat Description:

In a recent article - https://www.securityweek.com/corporate-workers-warned-covid-19-payment-emails-delivering-banking-trojan?&web_view=true - a number of "corporate users" are reported to be targeted with e-mails labeled "COVID-19 Payment" that appear to come from the federal government and deliver a banking trojan. This attack preys upon users who may be expecting government stimulus checks.

Action/Guidance:

  1. Be cautious about clicking links or opening attachments in unsolicited e-mails from your state, local or federal government
  2. When possible, validate the e-mail by calling the government agency it claims to come from

Threat Description:

As reported by SC Magazine - https://www.scmagazine.com/home/email-security/upgraded-malicious-word-excel-attachments-targeting-wfh-employees/?web_view=true - "Combining LimeRAT with VelvetSweatshop is a particularly unwelcome and powerful technique as it enables the malicious document to appear legitimate to the receiving system by using encryption. The ransomware being used against healthcare facilities and critical business operations uses a socially engineered phishing attack that presents itself as a COVID-19 situation report. The document, in fact, carries a new variant of SNSLocker and upon being opened immediately begins encrypting files and demanding a .35 bitcoin ransom payment."

Action/Guidance:

  1. Exercise caution when opening any kind of attachment contained in unsolicited e-mails offering COVID-19 situational updates, reports, notification of diagnosis, cures, etc.
  2. Ensure your anti-virus solution is enabled and up to date (be aware that anti-virus solutions may not detect or prevent all malware and other types of cyber threats; an encrypted or password-protected document in particular cannot be inspected until it is opened)

Threat Description:

As reported by Anomali - https://www.anomali.com/blog/covid-19-themed-hawkeye-phishing-campaign-targets-healthcare-sector-dissection-of-the-maldoc-and-the-two-way-approach?&web_view=true - researchers have identified a phishing campaign distributing HawkEye malware (a keylogger and information stealer) via Rich Text Format (RTF) documents. This campaign appears to be targeting the healthcare sector.

Action/Guidance:

  1. Do not click on links or open attachments in unsolicited e-mails
  2. Healthcare organizations should anticipate an increase in phishing and malware campaigns directed at their staff

Threat Description:

Michigan's Cyber Command Center has issued an alert that cyber criminals are targeting small businesses, those seeking assistance, and remote workers with a malicious phishing campaign. "The e-mail contains a malicious attachment named 'SBA_Payroll_Protection_Application.img', which when opened, infects the host machine with a remote access trojan and information stealing malware."

Action/Guidance:

  1. Do not click links or open attachments contained in unsolicited e-mails. Treat disk-image attachments (.img, .iso) with the same suspicion as an .exe: on current versions of Windows they mount as a virtual drive when double-clicked, and attackers use them to slip executables past e-mail filters
  2. Reach out to the actual agency, association or business the e-mail claims to come from and "question and verify" that they sent it and what the purpose of the correspondence is
  3. Take time to look for misspelled words and inappropriate grammar, and hover over (do not click) each link to display where you will be redirected if you click it. Malicious phishing e-mails commonly include misspelled words and poor grammar, and their links redirect to malicious websites that are not tied to the legitimate agency, association or business website

Threat Description:

As reported by Bleeping Computer - https://www.bleepingcomputer.com/news/security/fake-fedex-and-ups-delivery-issues-used-in-covid-19-phishing/?&web_view=true - as people socially isolate and work from home, shopping online and home deliveries have increased. Scammers are capitalizing on social distancing and work-from-home situations by creating new scams that use coronavirus delivery issues as a lure to get people to visit malicious links or open malicious attachments. In a new report by Kaspersky, researchers see a new wave of phishing scams that use a COVID-19 theme and impersonate well-known shipping carriers such as FedEx, UPS and DHL.

Action/Guidance:

  1. Exercise caution when clicking links or opening attachments contained in unsolicited e-mails
  2. Whenever possible, call the shipping company directly to confirm they sent you an e-mail regarding your order
  3. Remain vigilant and look for signs that the e-mail and the links within it are illegitimate – common signs include misspelled words, links that point to an unfamiliar URL or website, and outlandish offers that are too good to be true
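The two link checks the guidance above asks readers to do by hand ("hover over the link to see where it really goes" and "links that point to an unfamiliar URL") can be automated for a whole mailbox. The script below is an added example written for this page, not code from the original page or from any of the organizations it cites. It parses the HTML body of an e-mail, extracts every link, and flags (1) visible text that shows one address while the href goes to another, (2) a trusted brand name (WHO, CDC, FedEx, UPS, DHL, Zoom, OneDrive, Office 365) used as a label inside a domain the brand does not own, and (3) plain-http links. The brand-to-domain table and the sample message are constructed assumptions for the example; the "last two labels" approximation of the registrable domain is deliberately simple and would need the public suffix list in production.

```python
"""Flag suspicious links in an HTML e-mail body (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Brands impersonated in the campaigns described on this page, mapped to the
# registrable domains that legitimately belong to them.  Assumed list for the
# example; extend it for your own environment.
LEGITIMATE_DOMAINS = {
    "who": {"who.int"},
    "cdc": {"cdc.gov"},
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
    "dhl": {"dhl.com"},
    "zoom": {"zoom.us"},
    "onedrive": {"microsoft.com", "live.com"},
    "office365": {"microsoft.com", "office.com"},
}


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    A real deployment should consult the public suffix list (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href, text):
    """Return human-readable findings for one link (empty list = nothing odd)."""
    findings = []
    parsed = urlparse(href)
    if parsed.scheme in ("mailto", "tel"):
        return findings
    host = parsed.hostname or ""
    dest = registrable_domain(host)

    # (1) Display text that looks like a URL or domain but points elsewhere:
    #     what the reader sees versus what hovering would reveal.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != dest:
            findings.append(f"shows '{text}' but actually goes to {host}")

    # (2) Brand name used as a label inside a domain the brand does not own,
    #     e.g. zoom-us-verify.example.net (labels split on '.', '-' and '_').
    labels = set(re.split(r"[.\-_]", host.lower()))
    for brand, owned in LEGITIMATE_DOMAINS.items():
        if brand in labels and dest not in owned:
            findings.append(f"'{brand}' appears in non-{brand} domain {host}")

    # (3) Unencrypted transport: a real login or tracking page uses https.
    if parsed.scheme == "http":
        findings.append("link uses plain http")
    return findings


def scan_email(html):
    """Map each href found in the message body to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: analyze_link(href, text) for href, text in collector.links}


# Constructed sample message for this example; not taken from a real campaign.
SAMPLE_EMAIL = """
<p>Your Zoom account needs verification:</p>
<a href="http://zoom-us-verify.example.net/login">https://zoom.us/signin</a>
<p>Your parcel is delayed:</p>
<a href="https://fedex.com/track?id=1">Track package</a>
<p>Join the meeting:</p>
<a href="https://us04web.zoom.us/j/123">https://us04web.zoom.us/j/123</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

Run against the sample, the first link is flagged three times (display text points at zoom.us while the href goes to example.net, "zoom" used inside a non-Zoom domain, plain http), while the genuine FedEx and Zoom links produce no findings. Feed it real messages by extracting the HTML part with the standard `email` module.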

COVID-19 Malicious Information Threats

The following COVID-19 malicious information threats have been reported as active:

Threat Statement/Description

"Social isolation is a key risk factor for susceptibility to scams, as is financial vulnerability," said Melissa Lanning, executive director of the BBB Institute for Marketplace Trust, the BBB foundation that conducted the research. As bricks-and-mortar businesses close or curtail services and the financial markets experience a high level of volatility, many consumers are left to wonder whether they will have a job or an immediate way to provide for their loved ones. As people turn to the internet seeking new or temporary employment, they are also at increased risk of employment scams. The BBB rated employment scams the riskiest scams of 2019: they made up 9.3 percent of all scams reported, with a median loss of $1,500 per incident. Employment scams can take place on job search websites, via e-mail, via text and/or via unsolicited phone calls.

Action/Guidance

  1. Exercise caution if a firm or person requires you to pay a fee to be placed in a job
  2. Do not give a firm or individual your bank account or credit card information to be placed in a job
  3. Persons or firms cannot promise or offer you federal government jobs; all federal jobs and positions are publicly posted on usajobs.gov
  4. Exercise caution when responding to unsolicited e-mails, texts or phone calls from persons or job placement firms; research the person, firm and job posting first

Threat Statement/Description

Scammers and fraudsters are calling and texting elderly people in communities across the U.S. The Washington Post reports robocalls to elderly people who may be diabetic promising, "We can qualify you to get a free diabetic monitor and a complimentary testing kit for Coronavirus." Another set of calls impersonates the company 3M, which makes masks that can help prevent the spread of coronavirus. Other calls prey on Americans at a time when obtaining tests across the country has been difficult and start out, "Thank you for calling coronavirus hotline," after which a male speaker asks, "Will the free at-home test be just for you or for you and your spouse?" Calls such as these are used to defraud senior citizens and could place you in danger.

Action/Guidance

  1. If you receive an unsolicited call informing you that you've been selected for COVID-19 testing, or offering you an opportunity to undergo COVID-19 testing, validate who the caller is, the agency they work for, and why you were selected for testing
  2. State and federal agencies will NOT randomly call or select senior citizens for COVID-19 testing
  3. Do not share any sensitive information via text or phone call

Threat Statement/Description

The Department of Justice cracked down on a site that offered visitors access to a WHO-developed COVID-19 vaccine kit. The site was actually used to install malware on victims' PCs and laptops.

Action/Guidance

  1. If you believe you visited the site, run a full scan of your system
  2. If you're running an older version of anti-virus software, consider updating or upgrading your virus protection
  3. Be cautious when visiting COVID-19/coronavirus URLs or websites; many are suspicious or malicious and are set up to steal information, defraud you, or install malware on your PC or laptop

Threat Statement/Description

Rumors are circulating via e-mail, text messages and social media: "Hearing a lot about texts from 'friends at DHS' or 'friends with connections at DHS' that say DHS is planning a national lock down." Also circulating is a rumor of the National Guard fanning out to major cities to enforce martial law.

Action/Guidance

  1. Use trusted local, state and federal government sources
  2. A national lockdown is not taking place
  3. The National Guard has not been used to enforce any type of martial law

Threat Statement/Description

A new COVID-19 scam has emerged, this time targeting users' Android phones. The attackers send a text that reads: "Get safety from corona virus by using Face mask, click on this link download the app and order your own face mask-hxxp://coronasafetymask.tk." When you click the link you're taken to a web portal where you'll be asked to download the app. Once installed, the app sends the same text to the contacts in your phone, so downloading it doesn't just help the malware spread: it costs you whatever your mobile carrier charges per text. The more contacts you have, the higher the potential bill, especially if your contacts live abroad.

Action/Guidance

  1. Delete unsolicited texts from organizations or phone numbers you don't know
  2. Do not click on links or attachments contained in unsolicited texts

Threat Statement/Description

Criminals are offering home and herbal remedies that supposedly prevent or cure COVID-19. These scams can be used to infect users' computers with malware and/or to peddle unproven and potentially harmful substances for people to ingest.

Action/Guidance

  1. Do not respond to advertisements for COVID-19 vaccines or remedies received via e-mail or seen while browsing the web
  2. Do not click links or open attachments from advertisers offering a remedy or vaccine for COVID-19

Threat Statement/Description

Various persons are intentionally posting inaccurate and/or inflammatory information about North Dakota's response to the COVID-19 pandemic.

Action/Guidance

  1. Verify sources of information
  2. Information on how ND is responding to COVID-19 is located at XXXX
  3. Do not click links or open attachments from individuals posting information on social media platforms

Threat Statement/Description

The FTC and FDA have jointly issued warning letters to the following companies for marketing products that claim to prevent or treat COVID-19:

  • Vital Silver
  • Quinessence Aromatherapy Ltd.
  • Xephyr, LLC, doing business as N-Ergetics
  • GuruNanda, LLC
  • Vivify Holistic Clinic
  • Herbal Amy LLC
  • The Jim Bakker Show

The products cited include teas, essential oils, tinctures and colloidal silver.

Action/Guidance

  1. Do not click on links in e-mails received from any of the above-named companies
  2. Exercise caution when placing orders for COVID-19 vaccines or remedies. *To date there is no officially recognized vaccine to prevent, or treatment to cure, COVID-19*

Threat Statement/Description

The U.S. Securities and Exchange Commission is warning investors about fraudsters touting stocks of companies with products that supposedly can prevent, detect or cure coronavirus. In scams such as this, the con artists have already bought the stocks, which typically sell for a dollar or less. As the hype grows and the stock price increases, the fraudsters dump the stock, saddling other investors with big losses (a "pump and dump").

Action/Guidance

  1. The SEC recommends that investors conduct detailed research before investing in any stock and be aware of the risks
  2. The SEC also notes it is common for fraudsters to exploit crises like COVID-19 to scam investors
  3. Be suspicious of any unsolicited e-mails or online advertisements, with links or attachments, about investing in or purchasing stock of companies that claim to have developed a cure or vaccine for COVID-19. *To date there is no officially recognized vaccine to prevent, or treatment to cure, COVID-19*

Threat Statement/Description

A group of hackers was found promoting fake antivirus software in order to distribute a malware payload that infects systems with the BlackNET RAT and adds them to a botnet.

  • Security experts have reported two sites where this software could be found: antivirus-covid19[.]site and corona-antivirus[.]com.
  • After being reported, the first site was taken down. The other remained active with altered contents and its malicious links removed.

A blurb from the site read, "Download our AI Corona AntiVirus for the best possible protection against the Corona COVID-19 Virus. Our scientist from Harvard University have been working on a special AI development to combat the virus using a mobile phone app."

The malware actors also mention an update about adding VR sync capabilities to their fake products. "We analyze the Coronavirus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

Action/Guidance

  1. Exercise caution when visiting sites related to the COVID-19 pandemic; new fraudulent sites are set up every day to trick citizens into downloading malicious software that steals data or money
  2. Criminals are attempting to take advantage of people's fear and of the vast amount of misinformation about COVID-19
  3. Be careful when clicking links on websites discussing COVID-19 or purporting to have any kind of cure, special product, or new information

Threat Statement/Description

Criminals behind the WordPress WP-VCD malware have started to distribute modified versions of coronavirus-themed plugins that inject a backdoor into a website.

The WP-VCD family of WordPress infections is distributed as nulled (pirated) WordPress plugins containing modified code that injects a backdoor into every installed theme as well as into various PHP files. Once a WordPress site is compromised by WP-VCD, the malware attempts to compromise other sites on the same shared host and routinely connects back to its command-and-control server to receive new instructions to execute.

Action/Guidance

  1. Exercise caution when visiting WordPress sites
  2. Exercise caution when clicking on advertisement links on WordPress sites, as they may redirect you to malicious sites or install harmful malware
  3. If you operate a WordPress site, be certain you are downloading plugins from the official WordPress plugin directory or the developer's own site; never install nulled or pirated plugins, and because WP-VCD spreads across a shared host, check every site on the same hosting account when one is found infected

Threat Description:

The Hacker News reports - https://thehackernews.com/2020/03/zoom-video-coronavirus.html?&web_view=true - "As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake 'Zoom' domains and malicious 'Zoom' executable files in an attempt to trick people into downloading malware on their devices. According to a report published by Check Point and shared with The Hacker News, over 1,700 new 'Zoom' domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone."

Zoom is not the only platform being targeted; Google Classroom is also seeing an increase in potentially malicious activity.

Zoom, Google Classroom and Microsoft Teams are increasingly being targeted by cyber criminals - https://www.scmagazine.com/home/security-news/news-archive/coronavirus/cybercriminals-targeting-zoom-google-and-teams-domains/?web_view=true

Action/Guidance:

  1. Exercise caution when clicking links or attachments in unsolicited Zoom or Google Classroom invitations and documents
  2. Validate Google Classroom invites and documents by phone, if possible
  3. Do not make meetings or classrooms public. In Zoom, there are two ways to make a meeting private: require a meeting password, or use the waiting room feature and control the admittance of guests
  4. Do not share a link to a teleconference or classroom in an unrestricted, publicly available social media post. Provide the link directly to specific people
  5. Manage screen-sharing options. In Zoom, change screen sharing to "Host Only"
  6. Ensure users are running the updated version of remote access and meeting applications. In January 2020, Zoom updated its software; in that security update, the teleconference provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join
  7. Ensure that your organization's telework policy or guide addresses requirements for physical and information security
  8. Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  9. Ensure VTC software is up to date. See Understanding Patches and Software Updates

Threat Description:

ThreatPost reports - https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/ - two vulnerabilities in the web conferencing platform that could give local, unprivileged attackers root privileges and allow them to access victims' microphone and camera.

Action/Guidance:

  1. Zero-day vulnerabilities cannot be fixed until the vendor (in this case Zoom) issues a fix (i.e., a patch) or communicates steps to reduce the risk of exploitation
  2. Exercise caution when granting other people access (physical or remote) to your device (PC/laptop); exploitation of these vulnerabilities requires an attacker to already have a local presence on your device, so anything that gives an attacker that foothold (a malicious attachment, a remote-support session, an unlocked laptop) becomes the real risk
  3. Exercise caution when opening attachments or clicking links in unsolicited e-mails
  4. Be careful when exploring the Internet and visiting unknown websites
  5. Ensure meetings are private, either by requiring a password for entry or by controlling guest access from a waiting room
  6. Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
  7. Ensure VTC software is up to date. See Understanding Patches and Software Updates

Threat Description:

As reported in Forbes - https://www.forbes.com/sites/kateoflahertyuk/2020/04/04/new-zoom-user-blow-this-is-how-thousands-of-video-chats-are-available-for-anyone-to-view-online/#b4569a785d60 - a researcher was able to access thousands of recorded Zoom video chats because users had saved them to personal computers or to unsecured, non-Zoom cloud storage.

Action/Guidance:

  1. Don't share personal or sensitive information during Zoom meetings, even with family and friends
  2. If you record, save and store your business or personal Zoom meetings, make sure you properly protect those recordings (e.g., use a strong password for your online cloud storage, do not place recordings in publicly readable storage, and password-protect your saved Zoom recordings)
  3. Make sure the people you're meeting with are not recording the meeting, and if they are, verify they are taking measures to secure the recording (e.g., a strong password for their online cloud storage and/or password-protecting the Zoom recording)

Threat Description:

As reported in ZDNet - https://www.zdnet.com/article/cyber-criminals-are-trying-a-new-trick-to-cash-in-on-zooms-popularity/ - researchers at Trend Micro have uncovered cyber criminals exploiting Zoom's popularity by bundling cryptocurrency-mining malware with a legitimate Zoom installer for the video-conferencing software.

Action/Guidance:

  1. We do not recommend using Zoom virtual conferencing software until the known security vulnerabilities and issues have been addressed
  2. Download the Zoom installer from Zoom's website only; most of the malware infections reported are a result of users downloading the installer from third-party, non-Zoom websites. Note that a trojanized installer of this kind still installs a working copy of Zoom, so the application behaving normally is not evidence that the download was clean
  3. Make sure your anti-virus solution is up to date, and verify with your anti-virus vendor that your product is able to detect a malicious copy of Zoom once downloaded

Threat Description:

As reported in Threat Post - https://threatpost.com/skype-apps-hide-malware/154566/?web_view=true - Kaspersky analyzed files posing as Skype and "uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the video calling app." "It should be said that Skype isn't alone in being targeted: The research found that among a total of 1,300 suspicious files not using the Skype name, (42 percent) were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent)." MS Teams accounted for less than 1 percent.

Action/Guidance:

  1. Ensure you are downloading virtual conferencing software installers from the application vendor's own website
  2. Don't download installer files from untrusted third-party websites

Threat Description

We are receiving reports that scammers are calling people outside the State of North Dakota while masquerading as the North Dakota Department of Health. So far the Department of Health has received 15 calls from victims outside the state. We have not received information that in-state citizens are being contacted at this time; however, scammers could begin turning their attention to North Dakota citizens.

Action/Guidance

  1. Do not provide your Medicaid number or other personal and sensitive data to unsolicited callers who purport to represent any state's Department of Health
  2. Call your state Department of Health's published number and confirm that they called you before sharing any personal or sensitive data with a purported Department of Health employee; the number shown on caller ID can be spoofed and is not proof of who is calling

Threat Description:

As reported by Yahoo Finance UK - https://uk.finance.yahoo.com/news/online-covid-19-quizzes-could-123349524.html?&web_view=true&guccounter=1&guce_referrer=aHR0cHM6Ly9jeXdhcmUuY29tL2N5YmVyLXNlY3VyaXR5LW5ld3MtYXJ0aWNsZXM&guce_referrer_sig=AQAAAMEIb_1APb55H2NX1QCVrbptM0G2T5mDO61ueqNwbP_TROP9ABdGPNmZcOZ12pBpI_JDGkGeX7w5Buc_ntA0vEWmucMEn2CuP9S_hb0cCx7OLSY5I8wRDhcz5KRuSI2MUJASvKXUT8rEqPq42EdMXBjr6xKeIKAXLUz04lFnhrN4 - the Chartered Trading Standards Institute (CTSI) says it has received intelligence about a number of "Covid-19 quizzes" being shared on social media which claim to test a person's knowledge of the pandemic but actually ask unrelated questions about personal information. Questions ask for details such as maiden names, family information, pets and contact details, including email addresses and telephone numbers, all bearing the hallmarks of a data-harvesting operation commonly seen in financial fraud and identity theft.

Action/Guidance:

  1. Exercise caution when browsing the Internet and visiting untrusted websites
  2. Be careful on social media sites (e.g., Facebook, Instagram, LinkedIn), as social media is a common place for criminals and scammers to trick users with links and attachments
  3. Do not answer quizzes or posts that ask for the kind of details used as account security questions (mother's maiden name, first pet, first school); these answers are the reason such quizzes exist
  4. Do not click on links or attachments in unsolicited e-mails

Threat Description:

As reported by Forbes - https://www.forbes.com/sites/daveywinder/2020/04/08/cyber-attacks-against-hospitals-fighting-covid-19-confirmed-interpol-issues-purple-alert/#102aaee58bc9 - INTERPOL, the International Criminal Police Organization, has cautioned that it has detected a significant increase in cyber-attacks against hospitals around the world engaged in the COVID-19 response, attacks that could "directly lead to deaths."

Action/Guidance:

  1. Healthcare organizations should anticipate an increase in phishing and malware campaigns directed at their staff
  2. Exercise caution when clicking links or attachments in e-mails; many attackers are improving their tactics, techniques and procedures to more easily bypass anti-malware solutions and are crafting more realistic e-mails posing as vendors or international health organizations
  3. In some cases, individual health care workers are being targeted directly

Threat Description

In a report by HelpNet Security - https://www.helpnetsecurity.com/2020/04/10/covid-19-fears/?web_view=true - "Shadowy sellers want to capitalize on interest in pharmaceuticals promising a potential treatment to COVID-19." All the drugs that President Trump, Elon Musk and others have discussed during press conferences, interviews or social media posts already have sites offering them. "The sites might only be active for a few hours, but then they come down after the operator makes a quick hit – preying on consumers at opportune times. Some of these sites have a padlock – giving the consumer the impression they are safe, but they're not."

Action/Guidance

  1. Exercise caution when researching the following drugs online: remdesivir, chloroquine (and hydroxychloroquine), Plaquenil, azithromycin, metformin, favipiravir, interferon, lopinavir, ritonavir, and Arbidol
  2. Use legitimate pharmacies only when filling prescription medications, and be sure to speak to a pharmacist before taking any medication
  3. The medications officially authorized and being prescribed to help COVID-19 patients require a doctor's prescription and are not sold "over the counter"
  4. Be extremely careful with websites that promise prescription medications without a doctor's prescription. A padlock icon only means the connection to the site is encrypted; it says nothing about who runs the site or whether what they sell is genuine

Threat Description

As reported in Cyware Hacker News https://cyware.com/news/how-are-credit-card-skimming-attacks-thriving-during-the-covid-19-crisis-e5120b66 web skimming attacks have increased 26% in March.  Previous attacks over the past 2 months indicate Nutribullet, Tupperware and approximately 40 other online stores were targeted.  In web skimming attacks, cyber criminals obtained shoppers’ first and last names, billing addresses, credit card expiry dates, telephone numbers, and CVV numbers.  “There is no proper answer on how to thwart web skimming, it is on to the online merchants and shoppers to prevent falling victim to such attacks.”

Action/Guidance

(see site - https://www.cnet.com/how-to/how-to-protect-your-credit-card-online/)

  1. Use a credit card, not a debit card (credit cards come with more fraud prevention and protection)
  2. Only purchase from retailers that use an “https” connection and have valid security certificates
  3. Don’t send/share credit card details via e-mail and/or social media
  4. Keep your anti-virus software and browsers up to date
  5. Avoid clicking on “deal” links in e-mails, as they could be a phishing attack
  6. Check with your credit card company to learn about additional layers of security to help protect you

Threat Description:

According to Bleeping Computer - https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/?&web_view=true - “The purchased accounts include a victim's email address, password, personal meeting URL, and their HostKey. 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and popular companies such as Chase, Citibank” and others are all available, at time of reporting, “for pennies.”

Action/Guidance:

  1. Exercise caution when clicking links and opening attachments in unsolicited e-mails
  2. Change the passwords to all of your accounts on a regular basis (e.g., every 30, 60 or 90 days) and whenever you’ve been notified of a breach
  3. Use a different password for each account that requires one

Threat Description:

Trend Micro reports - https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/?web_view=true - a potential cyberespionage campaign, which has been named Project Spy, that infects Android and iOS devices. “Project Spy uses the ongoing coronavirus pandemic as a lure, posing as an app called Coronavirus Updates.”

Action/Guidance:

  1. Exercise caution when downloading coronavirus apps from the Google Play Store (Android) and the Apple App Store
  2. Do not click links and/or attachments related to coronavirus data, updates and programs in unsolicited e-mails
  3. Obtain data and updates on COVID-19 from legitimate sources such as the CDC, the WHO, and your local Department of Health websites

Threat Description:

As reported by Cyware - https://cyware.com/news/research-confirms-rising-attacks-on-gaming-industry-during-lockdown-1152bddb - cyber criminals performed around 12 billion credential stuffing attacks worldwide against gaming websites over a period of around 18 months.

Action/Guidance:

  1. Don’t reveal personal information about yourself in online gaming environments
  2. Check the security of the server you’re using to play your online game (e.g., is the connection encrypted, does it require strong authentication)
  3. Use websites dedicated to finding the best “game hosting” for your hosted games to protect yourself and your friends
  4. If you’re running your own server to host a game, take advantage of the DDoS protection services offered by numerous security firms
  5. Exercise caution when downloading “cheats” and game updates, as they may contain malicious software that infects your system. Always download from reputable sites
  6. Install and update anti-virus and anti-spam software if you’re going to be playing and hosting games online

Threat Description:

As reported by Dark Reading - https://www.darkreading.com/attacks-breaches/viral-whatsapp-scam-promises-free-streaming-services/d/d-id/1337612?&web_view=true - the demand for streaming services has driven an increase in fraudulent streaming services and related scams. Some falsely promise free memberships in exchange for users' account information. Many of these scams are distributed on social media. One of these viral scams is currently circulating on WhatsApp; it offers a free streaming service membership to anyone who enrolls in the program. To entice users to click, the scammers claim this is a "limited-time" and "limited-quantity" offer. A link directs victims to a website designed to appear as though it belongs to the legitimate company. If users follow the prompts, they are asked for their streaming account credentials, which can be sold or used to attempt logins to other accounts they own.

Action/Guidance:

  1. Exercise caution when responding to “free” offers that appear too good to be true
  2. Do not click on links or open attachments contained in unsolicited e-mails, messages and/or advertisements
  3. Legitimate vendors, companies and service providers will NEVER ask you to turn over your credentials in order to provide you service
  4. Call, Google or find other means to verify any special offer before clicking links and signing up for free offers

Threat Description:

As reported by Cyware - https://cyware.com/news/government-aided-grants-and-relief-packages-turning-out-to-be-easy-targets-for-hackers-bf06aa06 - a large number of hackers are specifically targeting the financial aid and subsidies given by governments across the world to fight the COVID-19 epidemic. Hackers have been busy registering fake domain names and other assets to impersonate legitimate government initiatives. By current global estimates, a total of 4,305 domains relating to new stimulus/relief packages have been registered since January, many of which are fake and fraudulent. Hackers promote these fake websites via emails and SMS, urging users to provide their personal and financial information. When users visit the malicious websites, they are tricked into providing their personal and sensitive details, which are collected by the hackers. The details are then used to make fake claims for the declared grants and cash in the grant amount in the cyber criminals’ own accounts.

Action/Guidance:

  1. Be extra cautious about lookalike domain names or spelling discrepancies in emails or websites
  2. Exercise caution when visiting sites with offers to provide your stimulus check sooner, or other offers that appear too good to be true
  3. Do not click on links or open attachments contained in unsolicited e-mails, messages and/or advertisements related to stimulus and relief packages
  4. Call the company directly, Google or find other means to verify any special offer or unique stimulus program before clicking links and signing up for the service

**As reported by CNN - https://www.cnn.com/2020/04/14/politics/get-my-payment-stimulus-checks-irs/index.html - “The first payments will go to those who've already filed their 2018 or 2019 tax returns and authorized the Internal Revenue Service to make a direct deposit if they were due a refund. Within that group, the agency is starting with people with the lowest incomes. Social security recipients will also automatically receive their payments, even if they haven't filed a return. There are tens of millions of people who don't fall into those categories. Taxpayers who haven't authorized a direct deposit could be waiting weeks for a check in the mail -- though they can update their bank information using Treasury's new web portal.”**

Threat Description:

With the increase in online learning and the transition to widespread telework, our public and private sector workforce as well as students are being increasingly targeted by cyber criminals. These cyber criminals are exploiting the weaknesses of home office computers and networks that have not been properly configured. They are breaking into work, home and school computers through the remote access tools (such as Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC)) that enable employees and students to ‘remote in’ to their office/school computers from home. When these attacks are successful, cyber criminals can obtain sensitive information, steal credentials, or download malware (e.g., ransomware, viruses) to the device the student or employee remotely logged into. This is particularly dangerous if someone is connected to a remote system located at a hospital, police department or any other system that houses sensitive information. The consequences of these attacks can be devastating.

Action/Guidance:

Here are some helpful tips for students and employees who are working from home and remoting into school and office systems (call your school or work IT department if you need assistance):

  • Use strong passwords with 12+ characters.
  • Make Remote Desktop Protocol and VNC available only through a VPN.
  • Use Network Level Authentication (NLA).
  • If possible, enable two-factor authentication.
  • If you don’t use Remote Desktop Protocol, disable it and close port 3389.

Additionally, enable Account Lockout policies, as they’ll temporarily block access to the account after a specified number of failed logins.
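The remote-access tips above, turned into a read-only check a student or employee (or the IT department they call) can run on a Windows PC. This is an added example, not code from the ND awareness page or from any of the sources it cites; it assumes a Windows host, an elevated PowerShell prompt and English-language `net accounts` output, and it reports findings without changing any setting.

```powershell
# Added example (not the ND page's own code): read-only audit of a Windows host
# against the remote-access guidance above. Assumes an elevated PowerShell
# prompt and English 'net accounts' output; nothing here changes a setting.
$findings = @()

# Is Remote Desktop enabled? fDenyTSConnections = 1 means it is turned off.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsPath
if ($ts.fDenyTSConnections -eq 1) {
    $findings += 'OK   Remote Desktop is disabled'
} else {
    $findings += 'WARN Remote Desktop is enabled; disable it if you do not use it'
    # Network Level Authentication: UserAuthentication = 1 means NLA is required.
    $rdpTcp = Get-ItemProperty -Path "$tsPath\WinStations\RDP-Tcp"
    if ($rdpTcp.UserAuthentication -eq 1) {
        $findings += 'OK   Network Level Authentication is required'
    } else {
        $findings += 'WARN NLA is not required; enable it before exposing RDP'
    }
}

# Enabled inbound firewall rules allowing TCP 3389; with RDP behind a VPN, none should exist.
$rdpRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($rule in $rdpRules) {
    $findings += "WARN Inbound 3389 allowed by '$($rule.DisplayName)' (profile: $($rule.Profile))"
}
if (-not $rdpRules) { $findings += 'OK   No inbound firewall rule allows port 3389' }

# A VNC server on its default port 5900 deserves the same VPN-only treatment.
if (Get-NetTCPConnection -State Listen -LocalPort 5900 -ErrorAction SilentlyContinue) {
    $findings += 'WARN Something is listening on TCP 5900 (VNC); keep it behind the VPN'
}

# Account lockout threshold and minimum password length from local policy.
$accounts = net accounts
$threshold = (($accounts | Where-Object { $_ -like 'Lockout threshold:*' }) -split ':')[1].Trim()
$minLen = [int](($accounts | Where-Object { $_ -like 'Minimum password length:*' }) -split ':')[1].Trim()
if ($threshold -eq 'Never') {
    $findings += 'WARN No account lockout policy; set a threshold for failed logins'
} else {
    $findings += "OK   Accounts lock after $threshold failed logins"
}
if ($minLen -lt 12) {
    $findings += "WARN Minimum password length is $minLen; the guidance asks for 12+"
} else {
    $findings += "OK   Minimum password length is $minLen"
}
$findings
```

Two-factor authentication is not checked because it depends on the VPN or identity provider rather than on a local Windows setting.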

Threat Description:

As reported in InfoSec Magazine - https://www.infosecurity-magazine.com/news/dark-web-fake-vaccines-blood/?&web_view=true - fraudsters are attempting to sell fake vaccines allegedly manufactured using the blood of patients who have recovered from COVID-19. A survey of 20 underground markets turned up 645 listings of 222 items from 110 unique vendors across 12 sites. The total estimated value of all the items was $369,000.

Action/Guidance:

  1. Exercise caution when visiting sites that advertise COVID-19 vaccines and remedies. There currently is no officially recognized cure or vaccine for COVID-19
  2. Do not click on links or attachments in unsolicited e-mails advertising COVID-19 cures and remedies