When a new wave of fraud and abuse hits the Internet, the bureaucrats usually notice it first. The network bureaucrats are the administrators of the Internet addresses, the so-called domains. If you want to build a new website, you first need building land, i.e. an address. Since January, the IT security company DomainTools, which monitors this area, has registered significantly more new registrations of Internet addresses that are related to the corona virus: for example, “covid19help.com”, “testmycorona.com” or “quarantinder.com”.
In itself, this is not unusual for special situations. Many web addresses were also registered at the noble wedding between Meghan and Harry. The trends follow the media reporting relatively closely. This also applies to Corona: In January, addresses with the terms “Coronavirus” and “Wuhan” were registered, and from February the term “Covid-19” was added. The number of registrations has skyrocketed since the first curfews in Europe, with 60,000 addresses registered in March alone, says DomainTools Research Director Sean McNee. Sure: not all of them will be used for scams. There are also legitimate commercial sites that offer N95 breathing masks or other useful things. Often, pages are also “reserved” by business-minded entrepreneurs so that they can later be sold to the highest bidder. But the majority of the registered sites may have been registered by opportunistic cybercriminals who want to make money from the crisis, says McNee. The Internet administrators were therefore warned: this will not be a wave, but a tsunami.
Defense against dodgy cyber criminals
A good part of cybercrime is psychology. Fraudsters need to get email recipients to read them. Links have to be clicked, documents downloaded, access rights granted if malware wants to be successful. This works best when the recipients are nervous. A lot of people are nervous right now.
“We know that the dodgy bastards out there are just waiting to take advantage of this situation – or are already doing it,” says Michele Neylon. The Irishman is the founder and CEO of Blacknight, which manages Internet addresses and leases storage space, mainly for Irish websites with the “.ie” extension.
For a few days now, Neylon has been a member of a Slack channel of IT experts who are trying to counter the impending cybercrime tsunami with an IT security wall. Or at least a rapid reaction force, a kind of “A team” of the Internet. The channel on the communication platform serves as a forum, where information is exchanged quickly and unbureaucratically and tips are passed on. The platform was founded by the chief scientist of the antivirus company Sophos, Joshua Saxe. Not as an employee, but as a private person, he invited his network to join the channel. Just a week later, the channel grew to 1,700 members, there are 20 different sub-forums, even a website. The “Cyber Threat Coalition” brings together high-ranking employees of large IT security companies, IT defenders of billion dollar companies and ethical hackers without a permanent employer, but also officials from state authorities. Many here are usually competitors, but that doesn’t matter now. The organizers have just set rules for the platform, for example: no advertising and no sales calls. This Defense Council should work in a concentrated manner.
It is about restoring equality of arms, or at least trying. Because cybercriminals not only play the threat situation in their hands, but also the home office, says Saxe in the chat on the platform.
Millions of people had to change drastically almost overnight. From a network protected by IT professionals, they moved to a home office where they do not protect corporate firewalls or professional antivirus programs. For IT security specialists, who normally look after company networks, the switch is even more difficult than for many others, says Saxe. At home, they often lacked the digital tools to keep an eye on the network. They usually pay attention to unusual connections in the network. Now that hundreds of new employees are connecting to companies via VPN tunnels, there is hardly any “normal” network traffic for orientation. That makes things confusing. “This is a situation that has not yet existed. For cybercriminals, the corona virus is like early Christmas,” says domain administrator Neylon, who is the cyber defender in the 40-strong organizational team.
Cyber security is more difficult in the home office
Using badly protected home computers, attackers can sneak into the VPN networks of companies that are supposed to be isolated. They can then inject malware into them – for example ransomware. This can lead to even greater disasters during the corona pandemic than in quieter times. If the software paralyzes networks of hospitals and other health care facilities, in the worst case this could prevent doctors and nursing staff from saving infected people.
The extortionists also noticed that such a scenario would be pretty bad for their already battered reputation. In mid-March, some of them, following a request from the IT website Bleeping Computer, announced that they would stop targeting healthcare targets – a kind of ceasefire. But that is easier said than done. Many ransomware gangs today only provide the software, but whoever attacks their “customers” with them has no control over them. In a mixture of defiance and outrage, a gang recorded: “Do you think we are deliberately attacking health systems?” – just to make it clear that hospitals will of course also have to pay ransom in the future. In fact, several attacks with the Ryuk and Netwalker malware have been registered in the past few days, the latter luring its victims into the trap by emailing coronavirus information.
Not only ransomware threatens Internet users. Corona virus is now used to initiate just about every type of cybercrime, from false web shops to fake business emails to phishing campaigns and attacks by state hackers. For example, the US Department of Justice removed the coronavirusmedicalkit.com website on Wednesday, on which an alleged test kit including vaccine from the World Health Organization (WHO) was sent for a shipping fee of five dollars. An app was advertised on the “antivirus-covid19.site” website, which pretended to protect against the virus using artificial intelligence. Instead of protection against the corona virus, there was malware that spied on the victims. A number of Android apps pretended to track infected people nearby, but were actually only there to pass the victim’s credit card details on to criminals, or to encrypt their cell phones and request a ransom to make the devices accessible again .
Phishing emails with cards that look like Johns Hopkins University’s now famous corona virus dashboard, which shows the number of infected people, or false calls for donations for the World Health Organization (WHO) are also popular.
Most experts are certain: the corona virus cyber wave is just beginning. For the foreseeable future, fear of the pathogen will remain the most important psychological fishing hook for the majority of cyber attacks.