Lying in Wait: Cybercriminals’ COVID-19 Tactic
As business slowly and cautiously reopens, cybercriminals lie in wait. A case study into a massive unemployment insurance fraud shows that cybercriminals patiently hunt for lucrative opportunities to strike. For that reason, companies reopening should consider conducting a cyber-audit to identify their cyber vulnerabilities and thwart cybercriminals lying in wait.
Pandemic Brings More Remote-Access, Greater Cyber-Threat
Beginning in March, states implemented stay-at-home orders throughout the United States, barring non-essential workers from reporting to the office. Since then, companies have attempted to allow their employees to function much as they did in their office settings, relying heavily on remote access to corporate servers. However, the rapid shift to teleworking prevented many businesses from adequately evaluating their remote-access software or properly training their employees. As a result, cybercriminals have leveraged this opportunity to increase attacks on unsuspecting employees and vulnerable IT environments.
Threats in the New Remote Environment
According to the Department of Justice, cybercriminals have created hundreds of fraudulent websites with domain names that contain words such as “covid19” or “coronavirus,” in some cases purporting to be run by, or affiliated with, public health organizations or agencies. Cybercriminals use these websites to covertly deploy malicious software onto devices used for teleworking that navigate to them. Such websites have also been used to trick individuals into entering personally identifiable information, including banking details.
Similarly, a joint alert by the United States Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC), warns that cybercriminals use COVID-19-related themes in their email and SMS phishing campaigns. These emails and text messages generally contain a call to action, encouraging the victim to visit a website that malicious cybercriminals use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.
Under the right circumstances, malicious actors can utilize these schemes to gain access to a company’s IT environment. In particular, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.
Case Study of Lying in Wait Tactic
A recent case study indicates that cybercriminals may use the chaos caused by the COVID-19 pandemic to incubate their malware, waiting for an optimal opportunity to strike. On May 14, 2020, the Secret Service issued an alert regarding a well-organized Nigerian crime ring exploiting the COVID-19 crisis to commit large-scale fraud against states’ unemployment insurance programs. The cybercriminals, who had amassed a substantial database of personal information, submitted claims for and received unemployment benefits on behalf of hundreds, if not thousands, of individuals, totaling hundreds of millions of dollars in fraudulent unemployment payments. The cybercriminals used personal information belonging to first responders, government personnel, and school employees to submit claims in the states of Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, Wyoming, and possibly more.
In effect, this criminal organization halfway around the world spied an enormous opportunity to utilize its database of personal information to commit widespread fraud. As the personal information was likely stolen during past consumer data breaches, this lying-in-wait tactic shows cybercriminals patiently crouching for the most opportune moment to pounce.
This tactic is salient to companies planning to reopen, a time that may present a lucrative opportunity for cybercriminals to attack (e.g., companies may have higher cash flows, engage in more financial transactions, etc.). Much like human viruses, malicious software can incubate while remaining undetected in IT environments for years. During incubation this malware can perform discreet actions, with intelligence gathering and data collection as part of the end goal. These often symptom-free, covert actions create a perfect environment for cybercriminals to identify a favorable moment for their assault.
Mitigating the Risk of Attack during Reopening
In order to mitigate the risk of a cyberattack, companies should consider undergoing a cyber-audit as part of their reopening strategy. A cyber-audit comprehensively identifies cybersecurity threats and vulnerabilities in policies, procedures, and the IT environment. In addition, a cyber-audit assesses a company’s level of preparation to respond to a cyberattack. This includes evaluating the incident response plan and cyber insurance policies to ensure that coverage is commensurate with the level of cyber risk. Finally, a thorough cyber-audit should also determine solutions for any vulnerabilities identified, particularly in addressing the greater risks associated with a continued remote workforce.
While a cyber-audit can be conducted in-house, a team composed of both a third-party IT vendor and outside counsel will provide greater expertise and attorney-client privilege protections over the process. By leveraging cyber experts and conducting a thorough cyber-audit, companies can defend against the risks of cybercriminals lying in wait.