Tuesday, March 31, 2020
Matt Nern, managing member and senior vice president at SignaPay, pointed out that extraordinary times call for extraordinary measures. In a recent interview with The Green Sheet, Nern observed fraudsters are taking advantage of current conditions by unleashing a variety of malicious attacks.
Nern suggested that we address cybercrime in the same manner in which we are addressing the current pandemic. "Traditional treatment or the traditional way of managing risk isn’t going to suffice," he said. "To get ahead of the curve, processors, banks and service providers need to enhance traditional tools they’ve typically used over the years with advanced technology and machine learning risk modules."
Rene Kolga, head of product at Nyotron, agreed, stating that attackers prey on people’s fear and uncertainty by distributing spam, spreading disinformation and stealing sensitive corporate data.
Kolga advised being extremely cautious when opening or downloading email attachments, because email is the most common malware delivery vehicle. "Attackers will use phishing and business email compromise (BEC) attacks, which appear to be from an employee’s supervisors, CEO, partners, or a healthcare provider that include file attachments that claim to contain COVID-19 related information," he said. "When the employee downloads and opens the attachment, he launches the malware."
The fact that most people are now working from home creates an unprecedented challenge for CISOs and their IT security teams, Kolga noted. The Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s cyber agency, issued an alert regarding the increase in cyber vulnerabilities that come from having so many people work from home.
"CISA is particularly concerned about attackers targeting the virtual private networks (VPNs) employees could be using to access company resources remotely," Kolga added. "[CISA] recommends that organizations ‘update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.’"
Gus Evangelakos, director of North American field engineering at XM Cyber, said the attacks are the same ones he sees every day, just at a larger scale. Phishing, malware, and attacks will never end, but one thing people can do is keep up with basic IT hygiene, he stated.
"[Attacks aren’t] new, but because of the magnitude, attackers are focused on using the topic against home users and companies on a very massive scale," Evangelakos said. "This involves phishing emails crafted to look like legitimate senders or including attachments with valuable information but also loaded with malware. On top of that, they have registered thousands of malicious domains that users will visit looking for information such as the COVID-19 map mentioned."
Evangelakos acknowledged this is a massive and critical situation, noting the new challenge companies face is trying to secure users at home where non-business-related browsing and family member access can open up a window for an attacker to gain access. Once an employee connects back to the corporate network, an attacker has access to potentially many corporate assets, he warned.
"If you are keeping up with your IT hygiene, even if a user gets infected it is less likely that an attacker will be able to move around freely," Evangelakos said. "When we think of ransomware attacks related to COVID19, possible threats exist because there are available credentials and open network access that allows for that attack to be staged. In some cases, the protections that are put in place to stop the malware are disabled because the admin accounts are stolen."
He advised businesses that expand their workforce to ensure that all employee laptops and mobile devices are updated before they leave the premises, adding, "you must also make sure your VPN and firewalls have the latest patched versions, and that you have visibility into changes being made in your network that can put your critical assets at risk or bring down your network entirely."
Uri Arad, cofounder and vice president of product and research at Identiq, advised professionals who are working from home to be vigilant and be on the lookout for escalating attack vectors, which include the following:
As a result of the crisis, many online businesses are experiencing a sudden change in underlying user behavior and buying patterns. Some sites are seeing far more orders and activity, and others far less. The most popular items have completely changed. The places people are sending things may have changed. It’s extremely dynamic right now.
Arad said that so many changes happening simultaneously mean the statistical models, buying norms and rules that online businesses have set up to deal with fraud in normal times will be far less effective. Companies that rely on future models looking the same as the past are misguided, he stated, because the models are nowhere near alike.
"It may be time to leave the traditional approach of spotting atypical behavior," Arad said. "Everything is atypical right now. Focusing instead on identities and positively identifying good customers, rather than only trying to pick out bad actors, may be more reliable in a time when everything except identities is changing."
Online safety tips become even more crucial in times of crisis, noted Mark Gazit, CEO at ThetaRay. In today’s climate, with massive populations of at-home workers, multichannel authentication is a must, he said. In normal circumstances, if your boss tells you to wire $50,000 to a specific account, you could just walk over to her office to confirm that it was a legitimate email, but today, when she is most likely working from home, this is no longer possible. If you get an email that you're not sure about, it makes sense to confirm by phone or video call, he added.
"Every time there is a crisis, crime increases," Gazit said. "We've all heard about how scores of workers who have been laid off due to the coronavirus is wreaking havoc on their industries. Unfortunately, if history is any indication, some of those people will decide to engage in criminal activity to earn a living until things return to normal."
Gazit also pointed out that VPNs provide secure connections, but many people are using them for the first time and may be unaware of best practices and threats. "For example, hackers may try to make you believe that you are connecting to the VPN website of your organization, but actually connect you to a fake VPN website," he said. "They can then capture your username and password and use them to connect to your organization and do much more damage. Bad guys know how to take advantage of bad situations."
Mark Gilroy, CEO at Fornetix, agreed that workers who are working from home need to follow cybersecurity hygiene in much the same way that they are practicing social distancing. "Moving at short notice from a trusted office environment to working remotely can create security risks," he said.
Gilroy advised work-from-home workers to be exceptionally suspicious of any emails from people they don’t know or emails that prompt them to check or renew their passwords or login credentials. "Make sure your WiFi connection is secure and lock your screen if you work in a shared space," he added. "Ensure anti-virus is in place and fully updated and check if you have encryption tools installed."
Gilroy has seen an uptick in malicious emails that look benign with attachments from HR departments, or from companies claiming to distribute masks, gloves and other protective gear. These attacks include phishing scams from people pretending to be with the World Health Organization. Malware has also been found in the form of documents alleging to be responses to COVID-19, he noted.
For example, a recent campaign used the trusted FedEx trademark as a decoy to gain the recipient's trust so they would open an included attachment that appears to be a PDF but has been compressed. When the decompressed file is opened, the recipient sees that the file is not a PDF and soon finds out it is an executable file infected with the Lokibot infostealer, which exfiltrates data to a website.
The United States Secret Service and Department of Homeland Security released a list of new scams law enforcement is seeing:
Authorities advise citizens to avoid these scams by paying attention to the email addresses where they originate. If they don’t look right, delete the email immediately. They also recommend not following hyperlinks or opening attachments from unknown senders. For additional information and to report suspected scams, visit the FCC website: www.fcc.gov.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.