The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Coronavirus has sparked a global war between scammers and defenders

with Tonya Riley

The novel coronavirus has created a raging contest between cybercriminals piggybacking on the disease for scams and defenders trying to protect a populace more reliant on the Internet than ever.

The battle shows how the pandemic – which has shut down businesses of all kinds – has done nothing to temper the hacking marketplace. Computer users, who are anxious about their health and finances and migrating more of their activities online or using unfamiliar systems to apply for government services, are often easy prey. 

The numbers of scams related to coronavirus are alarming.  

The Justice Department, working with private companies, has disrupted “hundreds” of websites that were exploiting the virus to commit fraud and other crimes, the department announced yesterday. The malicious sites posed as government agencies running relief programs, legitimate companies and even the American Red Cross. 

The FBI’s Internet crime center has also received and reviewed more than 3,600 coronavirus-related complaints — mostly about sites hawking fake vaccines and phony cures and claiming to run fraudulent charity drives. Some of them are designed to steal people’s personal and banking information to hack into their accounts. Others deliver malicious software that can root through computers looking for sensitive data. 

The center is urging people to be on guard against strangers requesting personal or medical information. 

The United Kingdom’s National Cyber Security Centre, meanwhile, has taken down more than 2,000 online scams related to coronavirus in the last month, officials say, including 471 fake online shops selling fraudulent items and more than 700 sites designed to steal people’s information or infect them with malicious software. 

The worst may be yet to come as the stimulus relief funds head out the door. 

Justice Department officials are girding for another wave of digital scams connected with the trillions of dollars in aid the government is distributing to individuals, families and small businesses to manage through the pandemic, as my colleague Matt Zapotosky reports.   

“The unfortunate fact is the only limitation here is the limitation on the creativity of these fraudsters to come up with ways to use the situation that we all find ourselves in to separate individuals, businesses and the government from lots of money,” Brian Benczkowski, the assistant attorney general in charge of the criminal division, told Matt. 

The department plans to deploy data analytic tools that it typically uses to spot health-care fraud to identify when people might be applying for benefits they don’t deserve or are posing as someone else, Benczkowski told Matt. 

Scammers are already stealing people’s identities to apply for stimulus checks in their names, as the New York Times’s Nathaniel Popper reports. One woman he spoke with was scammed out of $3,400 in benefits due to her and her husband and two children.
Without the check, she’s just about one month away from being unable to pay rent, Krystle Phelps told Popper. 

Justice Department officials are also eager to share information with the Small Business Administration so they can better identify potential fraud trends. 

“We know from past history, whenever the government makes a large amount of money available to help individuals and businesses, the fraudsters will come out of the woodwork and seek to get access to that money. So we are preparing vigorously for what we absolutely know is coming,” Benczkowski said.

But law enforcement is up against a determined adversary. 

Researchers at Palo Alto Networks had identified more than 2,000 clearly malicious new Web domains related to the virus as of the end of March — mostly aimed at scamming people out of money or loading their computers up with malware. The company found another 40,000 such sites that weren’t clearly malicious but that it labeled as “high risk.”

There also has been a 6,000 percent increase in phishing and spam emails related to the virus just since March 11 when the World Health Organization declared the outbreak a pandemic, according to a report this morning from IBM’s X-Force threat monitoring division. 

And Google’s Threat Analysis Group is detecting 18 million malware and phishing Gmail messages per day related to the virus, according to a blog post from the group’s director, Shane Huntley. That’s in addition to more than 240 million daily spam messages on the topic. The vast majority of those — about 99.9 percent — are blocked by the webmail’s filtering system, Huntley wrote. 

And average citizens aren't the only targets. The group has also identified more than a dozen government-backed hacking groups using emails related to the coronavirus to try to worm their way into computers used by U.S. government workers and international health organizations. 


The keys

House leaders punt on remote voting.

House Speaker Nancy Pelosi (D-Calif.) canceled plans to push through a rule change this week that would have allowed some lawmakers to vote from home during the pandemic by having a colleague in Washington cast votes on their behalf, Heather Caygle, John Bresnahan and Sarah Ferris at Politico report. Instead, Pelosi appointed a bipartisan commission to further review the idea. 

Pelosi reluctantly endorsed a proxy voting plan from House Rules Committee Chairman Jim McGovern (D-Mass.), which avoids the cybersecurity and legal concerns posed by members voting by webcast or other online systems. But she flipped that position amid significant opposition from Republicans and after consulting with GOP leadership. Rep. Tom Cole (Okla.), ranking Republican on the Rules Committee, will serve on the commission along with House Minority Leader Kevin McCarthy (R-Calif.) and House Majority Whip Jim Clyburn (D-S.C.). 

Cole told Politico he opposes remote voting and wants Congress to figure out a way to vote in person. “We could be up and operating within normal parameters,” he said. “Instead, we're dreaming up ways to keep us out of Washington longer.” 

Here's analysis from Daniel Schuman, policy director of Demand Progress, which has been a leading advocate for remote voting:

Apple will fix a flaw that possibly left more than half a billion iPhones vulnerable to hackers.

The vulnerability affected the email app on iPhones and iPads and might have been used by hackers as early as 2018, ZecOps, the cybersecurity firm that found the bug, told Christopher Bing and Joseph Menn at Reuters.

There’s evidence the bug was used to hack at least one Fortune 500 North American technology company, ZecOps said. Other likely victims include companies in Japan, Germany, Saudi Arabia and Israel, ZecOps said, but declined to name any of them.

Apple acknowledged that it was developing a fix for the vulnerability but declined to comment further.

Reuters also could not independently verify the research, which suggests that hackers could attack without having physical access to the iPhones or tablets. Other researchers say the report should spark concerns.

The research “confirms what has always been somewhat of a rather badly kept secret: that well-resourced adversaries can remotely and silently infect fully patched iOS devices,” Apple security expert and former NSA researcher Patrick Wardle told Reuters.

States are pushing forward with mail voting plans amid the pandemic. 

Some of the biggest efforts are coming from Republican-led states. That's despite President Trump’s intense criticism of mail voting, which he claimed without evidence produces widespread voter fraud. 

  • Iowa Secretary of State Paul Pate (R) is urging the state’s residents to vote by mail during the state’s June 2 primaries, the Associated Press reports.
  • Georgia is sending mail ballots to 650,000 residents who’ve requested them so far, per the Atlanta Journal-Constitution.  
  • Florida counties (Miami-Dade, Broward and Palm Beach) will send vote-by-mail registration forms to every voter, which could possibly double the number of people who vote by mail in the vital swing state, the Miami Herald reports.
  • West Virginia, meanwhile, is solidifying plans to expand a program of voting by mobile apps to all voters with disabilities in the state, a move cybersecurity pros have greeted with skepticism, saying it’s far too vulnerable to hacking. Disability rights advocates consider the use of the tool a win, however.

But states expanding mail voting will face a lot of hurdles. 

Washington Secretary of State Kim Wyman (R) outlined many of the challenges during an online hearing of the Election Assistance Commission yesterday. Here are details from the OSET Institute’s Edward Perez:

Vote-by-mail also comes with its own coronavirus concerns. Jason Kunz from the Centers for Disease Control and Prevention:

Hill happenings

Sen. Markey is urging strict guidelines for states using contact-tracing tech. 

Those guidelines should mandate that private entities limit data tracking to just coronavirus issues and that they're held accountable for misusing any data they collect, Sen. Edward J. Markey (D-Mass.) said in a letter to Vice President Pence.

“The federal government must provide leadership, coordination, and guidance to ensure that contact tracing efforts are effective and do not infringe upon individuals’ civil liberties, including the right to privacy,” Markey wrote.

Apple and Google have both promised to end their contact-tracing programs after the pandemic is over. But Congress is skeptical and there are still plenty of state and private efforts that lack federal oversight, Markey points out.

Industry report

Top tech platforms announced new moves to protect elections and combat the pandemic.

Facebook will make it easier to see where election-related posts originated. 

The social media platform will display the country of origin for some non-U.S.-based Facebook pages and Instagram accounts primarily targeting American users, the company announced in a blog yesterday. It could help quell criticism from U.S. lawmakers that the company isn't doing enough to curb foreign influence in U.S. elections. The pilot will eventually expand to other countries.

Twitter will remove coronavirus content that could lead to offline destruction of 5G telecommunications infrastructure, TechCrunch reported yesterday.

The move follows online conspiracy theories that the next-generation system is linked to the virus, theories that prompted people to destroy cellphone towers in the United Kingdom. Such theories also gained traction on Facebook and Instagram, but those services have yet to institute a similar ban. 

More industry news:

Zoom is adding stronger encryption in a software release this week (CyberScoop)

Global cyberspace

A Vietnam-linked hacking group known as APT32 tried to crack into the email accounts of staff at China’s Ministry of Emergency Management and the city government of Wuhan, researchers at cybersecurity firm FireEye report. Wuhan is where the coronavirus pandemic originated.

It shows the lengths governments are willing to go to for coronavirus intelligence. “These attacks speak to the virus being an intelligence priority – everyone is throwing everything they’ve got at it, and APT32 is what Vietnam has,” Ben Read, senior manager for analysis at FireEye, told Reuters. Vietnamese officials called the charges “baseless.”

More global news:

Ministers plan to give more UK public bodies power to access phone data (The Guardian)

Cyber insecurity

Sextortion scams now account for up to 20 percent of all spam.

The paydays average around $3,000 a day for the scammers who threaten to share intimate videos of their victims, researchers at Sophos report. Often, the videos don't exist but hackers have just enough personal information to make it seem like they do.

Some of that money goes toward more crime.

“Given that some of the transfers were used to obtain stolen credit card data or other criminal services — probably including more botnet services for sending spam — the payouts from the sextortion campaigns are funding yet another round of scams and fraud,” researchers write.

Chat room

One thing you might’ve missed amid the coronavirus news: Controversial post-9/11 surveillance powers have now been expired for more than a month with few signs of concern from the White House or Congress. Officials including former president Barack Obama once warned of dire consequences if the spying powers went inactive for even a few days.

The Wall Street Journal’s Dustin Volz:

The Electronic Frontier Foundation:


  • The McCrary Institute and Cyberspace Solarium Commission (CSC) will host a live event discussing if deterrence is possible in cyberspace Wednesday at 1 p.m.
  • The R Street Institute will host a discussion on "EARN IT Act and Its Broader Implications for Encryption and Cybersecurity" Wednesday at 2 p.m.

Secure log off

A lesson in what not to do on Zoom. Reporter Alain Tolhurst:

We’re doing far better with Zoom conferences here at The Cybersecurity 202…

Who wore it better?