The beginning of 2020 is already proving to be tough: Australian bushfires, Storm Ciara and, above all, the recent outbreak of coronavirus have dominated the media in recent weeks. It might be a bit too early to give exact numerical estimates of the damage, yet it is already clear that coronavirus will have a far-reaching impact: not only on the way we do business (as we expect the economic growth in China to slow down) and on the way we perceive each other (just yesterday I was a witness to a very disturbing situation, when a person of apparent Asian ancestry sneezed on the Tube and half a dozen people moved away from him in different directions while about a dozen changed the train car...), but also on the global cyber security landscape.
What are the latest cyber threats related to Coronavirus?
Coronavirus has already become one of the major baits used in phishing scams in 2020. According to Kaspersky Daily, one of the most recent social engineering innovations from cybercriminals poses as an email from the Centers for Disease Control and Prevention (a real US entity) and uses the cdc-gov.org domain (the real domain is cdc.gov). The email provides a bogus Outlook link, where the user is asked to input personal data (such as email address and password). Another version of the same email asks for Bitcoin donations.
Image Source: Kaspersky Daily
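The cdc-gov.org versus cdc.gov trick described above can be caught mechanically on the receiving side. The following is an added example, not code from the article or from Kaspersky: it flags sender domains that embed a trusted domain's labels without actually being that domain or one of its subdomains. The allow-list, the function names and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# cdc.gov is the real domain named in the article; who.int is the WHO's real
# domain. The allow-list itself is an assumption of this example.
TRUSTED = ("cdc.gov", "who.int")

def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_trusted(domain):
    """True for a trusted domain itself or one of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def imitated_domain(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or is_trusted(domain):
        return None
    raw_labels = domain.split(".")
    # Treat hyphens as dots so "cdc-gov.org" becomes cdc / gov / org.
    split_labels = domain.replace("-", ".").split(".")
    for t in TRUSTED:
        want = t.split(".")
        n = len(want)
        embedded = any(split_labels[i:i + n] == want
                       for i in range(len(split_labels) - n + 1))
        squashed = t.replace(".", "") in raw_labels  # e.g. "cdcgov.org"
        if embedded or squashed:
            return t
    return None

def classify(from_header):
    """Return (verdict, imitated); verdict is trusted, lookalike or unknown."""
    domain = sender_domain(from_header)
    if is_trusted(domain):
        return ("trusted", None)
    hit = imitated_domain(domain)
    return ("lookalike", hit) if hit else ("unknown", None)

# Constructed sample headers; only cdc-gov.org and cdc.gov come from the article.
SAMPLES = [
    "CDC Health Alert <alerts@cdc-gov.org>",
    "CDC <info@emergency.cdc.gov>",
    "WHO <no-reply@who.int.example.net>",
    "Newsletter <news@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify(header))
```

A "lookalike" verdict is a reason to quarantine or banner the message; an "unknown" verdict says nothing about safety, only that the domain does not imitate an entry on the list.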
Sophos Security reported another reincarnation of the same phishing attack, where the email pretends to be from the World Health Organization.
Image Source: Sophos Security
In other places around the globe, the attack took a different form, where the user is asked to click on the attached PDF file (or another attachment) containing malware. Check out this example from Singapore.
Image Source: 5NBCDFW
It is not uncommon for cybercriminals to exploit human fears, especially the fear of being infected with or otherwise contracting a deadly disease. By “fear”, I do not mean conditions like hypochondriasis (fear that existing physical symptoms may be a result of an undiagnosed disease) or nosophobia (fear of developing a specific disease), but rather a behavioural state of anxiety, which can be experienced by any individual.
In fact, some of the cybercriminal “innovations” in terms of attacks as well as attack “business models” originated from using human health-related fears. For example, the first global ransomware attack in 1989 took advantage of people’s anxiety over potentially contracting HIV/AIDS. According to the WHO, of 57 million deaths worldwide, HIV/AIDS is responsible for about 3.1% (1.78 million). Back in the day, a post-doctoral AIDS researcher, Joseph Popp, sent out 20,000 floppy disks to other AIDS researchers located in more than 90 countries around the globe. Each disk was said to contain a risk-assessment questionnaire and a program which would estimate the risk that a particular individual contracts AIDS. The disk contained ransomware with lagged activation (it activated after the computer terminal was powered on 90 times). After activation, the ransomware showed a message demanding a payment of $189 and $378 in exchange for the “software lease”. This attack was later labelled the “AIDS Trojan” attack.
How do Cybercriminals Use Our Health-related Fears?
While the target audience or goals of an attack may differ, in the overwhelming majority of cases the end purpose of health-related cybercriminal attacks is revenue generation. In other words, hackers are just trying to make money. The most common way to execute such attacks is phishing (i.e., the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers).
It is worth noting, however, that not every health-related event is used by cybercriminals to launch an attack. For cybercriminals, the event or phenomenon of choice is usually one with the following characteristics:
Large media exposure
Large-scale (preferably global) geographical coverage
Deadly or potentially deadly consequences
In that sense, coronavirus is a perfect instrument for any cybercriminal, as every day millions of people are reminded about the threat of this virus via all types of media. There is significant uncertainty about the way in which the virus spreads (e.g., we still do not know how long the virus can live on surfaces), and the reported incubation period of 2 to 14 days creates global panic, as the current understanding is that one could potentially be infectious without displaying any symptoms. Another big factor increasing the uncertainty associated with coronavirus is that there is no vaccine; in other words, there is no cure. With confirmed cases in 27 countries around the globe as of today, coronavirus represents a very lucrative opportunity to be used as cyberattack bait. Since the virus fatality rate is about 3% and the number of transmissions ranges between 1.5 and 3.5 in terms of the average number of people infected by each sick person, coronavirus is a reason for significant fear among the general population and, hence, a source of high-impact, high-revenue activity for any cybercriminal.
Historically, viruses with similar characteristics were used to engineer various types of attacks. In 2014, a phishing attack used Ebola outbreak fears to harvest large amounts of personal data from unsuspecting citizens, who received emails pretending to be from the World Health Organization. The attackers invited email recipients to open malware attachments, causing loss of personal data as well as leakages of credit card information. Similar attacks were designed as a result of the Bird Flu and MERS (Middle East respiratory syndrome), yet, their relatively limited geographical spread significantly limited potential impact. For comparison with coronavirus, Bird Flu affected 16 countries, while MERS was mostly linked to 4 countries.
There is also a noticeable trend for new viruses and diseases to be used by cybercriminals. At least this is certainly true for the viruses which recently received broad coverage in the (traditional and social) media. For example, it would be hard to imagine Spanish flu, Swine flu, Seasonal flu, Common cold, Polio, Chickenpox or Measles being used as cyberattack bait, despite the fact that some of these infectious diseases have higher fatality rates or spread quicker than coronavirus, unless they generate significant waves in the media.
Why do we fall for health-related social engineering?
Humans are incredibly sensitive to uncertainty, especially to uncertain events related to their personal health or the health of their loved ones. The main issue here is not that we fail to realize that there are many things in this world that can kill us. We understand this very well. Yet, we suffer from an illusion of control (“the tendency for human beings to believe they can control or at least influence outcomes that they demonstrably have no influence over”).
When we know that it is possible to survive a particular health-related threat in principle, we believe we can control it. For example, it would be hard to find a person (unless, of course, we are talking about people with pre-existing medical conditions) who would be scared of catching the flu, despite the fact that flu kills about 35,000 people annually in the US alone. While there is no obvious solution to the illusion of control problem, one thing we all can do is be aware that we tend to suffer from this illusion. The reality is that, depending on the context, any individual (no matter how careful) may contract a deadly infectious disease and any individual (no matter how smart) may become a victim of a cyberattack. The best we can do is educate ourselves about potential threats (both physical and cyber) and work on trying to reduce our (individual) vulnerabilities. For ways to protect yourself and your organization against phishing, check out the recent NCSC advice and, generally, look carefully at links and attachments before you click on them (i.e., “think before you click”).