with Tonya Riley
Coronavirus has inspired an unprecedented number of online scams targeting people and businesses – and researchers say the wave of attacks is just getting started.
The massive volume of cybercriminal activity reflects the overwhelming scope of the pandemic, which has upended every aspect of daily life across the world — from how people seek medical information to how they work, socialize and shop for groceries. The mass uncertainty allows criminals to prey on broad swaths of the global population.
“Spammers and scam artists have never had an opportunity like this before,” said Stephanie “Snow” Carruthers, who leads a team focused on studying phishing at IBM's hacking research division.
“Covid-19 is the first event of its kind since the birth of the Internet. This global pandemic impacts so many different aspects of our lives including physical and financial safety, across geographies for an unpredictable time frame,” she said. And that’s “a perfect lure” for online criminals, she added.
Since at least Hurricane Katrina in 2005, online scammers have piggybacked off major news events to trick people into clicking links they shouldn't and downloading malicious software or sharing personal and credit card information with what they mistakenly believe are legitimate businesses. These days, phishing gangs that normally have a range of other campaigns are now focusing on coronavirus-related scams because the opportunities to profit are so great, experts say.
The figures are staggering.
Consumer complaints in the United States related to the coronavirus have doubled in the past week to 7,800, according to the Federal Trade Commission.
The explosion of scams includes robocalls, texts, and emails posing as government officials or businesses offering refunds for missed vacations or virus-testing kits. The average loss for a consumer duped by one of these scams is nearly $600, the agency reported, which adds up to nearly $5 million nationwide.
Scammers have posed as legitimate businesses selling coronavirus treatments, charities funneling help to the infected and officials from the Centers for Disease Control and Prevention, the Small Business Administration and the World Health Organization, researchers said.
“The pandemic has led to an explosion of cybercrime, preying upon a population desperate for safety and reassurance,” concluded a report from digital security consulting group Interisle. The report was delivered yesterday to ICANN, an international body that manages many basic Internet functions.
The number of emails that used phony information about the virus to trick people into infecting their phones and computers has increased by 14,000 percent in just two weeks, according to a report from IBM’s X-Force research division.
Palo Alto Networks logged over 100,000 new potentially phony Web domains registered with words including “covid,” “virus” and “corona” in their names, in just the past few weeks. And that doesn’t count phony sites that claim to sell protective gear such as masks and hand sanitizer.
An analysis of Google data by the firm AtlasVPN found a 350 percent spike over three months in phony websites related to the virus and designed to separate people from their money or personal information.
The Justice Department has taken notice, urging prosecutors to prioritize scammers selling phony medical equipment and snake- oil cures. The department brought its first criminal fraud case against such a scammer last week — a Southern California man who sold pills to an undercover agent that he claimed could prevent people becoming infected with the virus. He also falsely claimed that former basketball star Magic Johnson was on his board of directors.
But the vast majority of scammers are unlikely to face any consequences. And their scams probably are still proliferating, experts told me.
Predictions about the long duration of the pandemic, expected to last at least several months, is also likely spurring phishing gangs to invest in developing more elaborate scams, such as posing as medical suppliers and conning hospitals and clinics into buying nonexistent goods from them, said Peter Cassidy, co-founder of the Anti-Phishing Working Group.
“That kind of business-to-business scam takes a lot more sophistication and patience, and this event gives them copious time to develop attacks like that,” he told me.
By contrast, during Hurricane Katrina, online scammers spent only a few weeks targeting people with phony warnings from government agencies and pleas from charities — hardly enough time to develop complex operations backed by legitimate-looking websites, Cassidy said.
The two big lessons, he said, are that cybercriminals will exploit any event they can make a buck off – and that consumers and businesses had better beware.
“It’s sad we have to be suspicious of our own impulse to act humanely and to aid public health, but that’s what they exploit," he told me. "[The virus] is just another story to [the scammers] and it’s a story that works. They’ll discard it the moment it stops working.”
PINGED, PATCHED, PWNED
PINGED: Sen. Richard Blumenthal (D-Conn.) wants to know what videoconferencing company Zoom is doing about a rise in reports of hackers hijacking private meetings to share hateful language and illicit images, according to a letter to CEO Eric Yuan. The attacks, known as “Zoombombing,” have risen sharply as the company's software has surged in popularity during the pandemic.
The FBI also issued a bulletin about the attacks yesterday, citing several instances where cybercriminals have dropped in on virtual classrooms to share pornographic or hateful content, as my colleague Valerie Strauss reports.
Researchers have also raised numerous other security and privacy concerns about the videoconferencing service that Warner cited in his letter. For instance, the company's encryption may not be as strong as its marketing implies, Micah Lee and Yael Grauer report for the Intercept. The company also leaked the personal information of at least 1,000 users to other users who had the same personal email domain, Joseph Cox at Motherboard reported,
“The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the Coronavirus pandemic should not have to add privacy and cybersecurity fears to their ever-growing list of worries,” Blumenthal wrote.
Zoom Chief Marketing Officer Janine Pelosi said in a statement that the company condemns the behavior described in Blumenthal's letter. “Zoom takes its users’ privacy, security, and trust extremely seriously,” she said. “We appreciate Senator Blumenthal's engagement on these issues and look forward to discussing with his office.”
PATCHED: Wisconsin, which is moving forward with its primary election next week, could be a test case for the supreme difficulties of voting during the pandemic, my colleague Amy Gardner reports.
Officials there have urged residents to vote by mail if they fear going to the polls, but advocates worry many voters will be unable to navigate the unfamiliar and complex process. Many polling places, meanwhile, will be shuttered or lack adequate staff, which could create a bevy of technical failures or security lapses.
“Wisconsin is the only one of the 11 states originally scheduled to hold contests in April that has not postponed or dramatically altered voting amid the pandemic,” Amy notes.
“We do not have the technical capacity to actually run a vote from home campaign in the state of Wisconsin, where every voter could actually get an absentee ballot, know how to vote that absentee ballot and participate in the election,” said Debra Cronmiller, executive director of the state chapter of the League of Women Voters, which is among the plaintiffs in three federal lawsuits that are seeking a variety of remedies, including postponing the elections.
PWNED: The U.S. government should expect retaliation from Beijing if it goes through with a proposal to further restrict the Chinese telecom Huawei's access to U.S. suppliers, the chairman of the company said.
“I think the Chinese government will not just stand by, watching Huawei be slaughtered,” Huawei Chairman Eric Xu said Tuesday, as reported by Dan Strumpf of the Wall Street Journal. “I believe the Chinese government may also take some countermeasures.”
The White House is mulling trying to weaken the Chinese tech giant by forcing its main chip suppliers to seek U.S. approval before selling Huawei any technology made with equipment sourced from the United States.
The United States has already blacklisted Huawei from buying from U.S. companies directly and barred the company from building its next-generation 5G wireless networks over spying fears. Officials have also spent more than a year trying to convince foreign powers that they should ban Huawei from their emerging 5G networks but with limited success. Huawei has steadfastly denied aiding Beijing spying .
Hackers may have accessed the names, phone numbers, addresses and other personal information of approximately 5.2 million Marriott guests in a data breach, the company revealed yesterday, Dee-Ann Durbin at the Associated Press reports. It's the second major data breach to hit the hotel chain in less than two years.
Marriott does not believe that the breach, which took place between January and February, involved guests’ credit card information, passport numbers or driver's licenses. The company says it disabled the accounts hackers used to access the information and is working with authorities.
Government investigators suspect an earlier breach at the hotel chain that affected up to 500 million guests may have been part of a Chinese espionage effort to gather massive troves of data about U.S. citizens, but the government never formally blamed China for the hack.
— More cybersecurity news from the private sector:
— Cybersecurity news from the public sector:
British Prime Minister Boris Johnson evidently didn't get the memo about Zoom. He tweeted out an image of a cabinet meeting hosted on the platform — that included his meeting number. Journalist Kevin Collier points out the security risks:
I don't want to be the one to try it, but does anyone know what happens if you try to brute force a password-protected Zoom meeting?— Kevin Collier (@kevincollier) March 31, 2020
- CyberHub USA is hosting a free virual summit: Security During Social Distancing on Thursday. You can register here.