We May Never Have a Vaccine for Cyber Crime

One of the greatest challenges we face related to a pandemic is that a virus has the ability to rapidly mutate, staying one step ahead of medical science and our ability to eradicate its impact on our lives. Similar challenges abound regarding cyber criminals, as they too can quickly adapt to new situations, seamlessly altering their nefarious tactics to take advantage of current events. Earlier this year, the vast majority of the world had never heard of coronavirus, but within hours of the outbreak, criminals had developed sophisticated attack strategies to take advantage of the flurry of communications related to this disease. Here are a few examples of the types of activity that has occurred during the pandemic:

• Warnings have been issued by the Internal Revenue Service regarding scams relating to expediting Economic Impact Payments. Criminals have been calling or sending text messages asking for verification of personal or banking information, claiming that they can “help move their claim to the front of the queue.” In reality, the information is being used by the criminals to reroute and steal payments from their unsuspecting victims.
• The Health and Human Services Department fell prey to a cyber-attack, part of a campaign of disruption and disinformation that was aimed at destabilizing the response to the coronavirus outbreak, most likely the work of a foreign actor. The attack involved a distributed denial of service (DDos) attack that involved the agency’s servers being bombarded with millions of hits in order to slow the site to a crawl or even take it offline.
• The attack was ultimately not successful and no data was accessed, according to Bloomberg and follow-up reports. Caitlin B. Oakley, a spokesperson for HHS, also told Recode that the department’s cyber infrastructure was solid and “fully operational.”
• Tens of thousands of websites have been spun up, claiming to sell Personal Protective Equipment or provide inside information on staying safe from the virus. However, many of these sites accept payment and then never deliver the products or are well-designed facsimiles of genuine sites used to deploy malware or harvest credentials.
• Cyber criminals based in Nigeria have pilfered what could amount to hundreds of millions of dollars in unemployment funds by utilizing stolen personally identifiable information (PII) to submit bogus claims. Investigators believe that intermediaries (“mules”) based in the United States helped facilitate the operation.
• Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation issued a warning to COVID-19-related research entities, alerting them that that malicious cyber actors based overseas have been targeting organizations in the United States that conduct COVID-19-related research. These actors have been observed trying to identify and unlawfully obtain valuable intellectual property (IP) and public health data related to treatments, vaccines and testing from the networks and personnel of medical, scientific or research facilities.
• Forbes reported a 700% increase in phishing email activity from March to May, as criminals attempt to capitalize on the chaos associated with the pandemic. While many of these emails may be eliminated by corporate filters, it is safe to say that some attacks are bound to circumnavigate defenses and result in successful spear phishing attacks or ransomware deployment. The dangers associated with these attacks are compounded by distracted employees working from home on personal computers and networks that do not possess the same level of security of their corporate counterparts.

With this dramatic surge in cybersecurity threats, many businesses are looking for solutions to avoid becoming the next victim of cyber criminals. Citrin Cooperman’s Technology Risk, Advisory & Cybersecurity (TRAC) practice’s cybersecurity team can help you with remaining safe from spear phishing attacks. Whether it be conducting a cybersecurity risk assessment, developing a customized on-demand cybersecurity awareness training or executing a spear phishing simulation, our team of security experts can help your clients socially distance themselves from cyber-criminals and their attacks.

Kevin Ricci, CISA, CISM, MCSE, CRISC, QSA Principal kricci@citrincooperman.com