How to Avoid COVID-19 Cybersecurity Scams
LAUNCH DATE: 4/2/2020
Secure Remote Access Webinar Transcript:
Gathering and Introduction:
I’d like to begin by thanking everyone for joining us today; we truly appreciate it. The purpose of today’s webinar is to provide some best practices when it comes to phishing attacks and what you can do to protect yourself.
Today we’ll be reviewing
- Social engineering – what is it?
- How to identify a phishing attack as well as some examples
- Some of the Coronavirus Scams we’ve seen
- And finally, how ThrottleNet can help
Did you know that there has been a 667% increase in phishing attacks amid the coronavirus outbreak? This is why we’re doing this today: to provide ways you can identify and protect against these scams, especially when your users are working remotely.
Let’s take a quick poll of our participants today. How many of our attendees have experienced a phishing attack?
So, let’s start today by talking about the typical attacks most are familiar with as well as some you may not be.
In order to do so, we need to establish what Social Engineering is as this is the overarching term used for Phishing Attacks. Social Engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Sounds great – right?! But what does that mean?
One example of Social Engineering is someone calling you claiming to be from your IT help desk and requesting your username or password; you’re busy and just want them off the phone, so you give it to them.
Another example might be someone leaving a company thumb drive in the parking lot with malware installed on it. An unsuspecting employee sees it, picks it up and plugs it into the PC to find out who it belongs to.
One other might be working in a large, secure office building in which you only know your immediate team members. An individual approaches the building with their hands full and asks you to hold the door because they can’t reach their access card. You do so without realizing they aren’t authorized to be there.
So given these examples, Social Engineering – in its most common form – is taking advantage of human curiosity or a desire to be helpful for fraudulent purposes.
The iteration of Social Engineering we’ll be reviewing today is phishing, as this too has all the traits commonly associated with any type of social engineering attack.
So, what exactly is a phishing attack?
A phishing attack is a type of social engineering often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
Now that we know what Social Engineering is as well as what a phishing attack is, let’s review how to identify one.
No matter the phishing attack, they typically have a few telltale signs you can use to identify whether an email is a phishing attack, including:
An odd from address. For example, this might be an address that appears to be okay but is from an unknown sender. One way to check that the email is from who it says it’s from is to hover over the address; this shows whether it’s a spoofed email or not by revealing the actual sender’s address as opposed to the one listed.
An example of this would be if I sent an email to you, it would show as email@example.com as both the from address as well as the address listed when you hover over my name; however, if this were a malicious attack, the address shown when hovering would differ from the one showing. In the case of the previous example, instead of reading firstname.lastname@example.org when you hover over it, it would show email@example.com.
Another way that used to be more effective is to look for unprofessional punctuation or grammar. I say used to be more effective since cybercriminals are getting much better at creating these and have figured out that it must look like it’s coming from someone in the US.
There’s almost always a link or attachment of some kind which is typically how the ransomware virus is introduced to the compromised party.
Finally, there’s typically a statement that creates a sense of urgency such as “If action isn’t taken by” something bad will happen such as funds won’t be deposited, or your account access will be cut off.
Now let’s look at some examples of phishing attacks.
The first example is one I received several years ago, but it still holds true today. In this case, they’re claiming I have funds pending transfer and need to approve it prior to said funds being released.
Of course, I want my money as fast as possible, but I also recognize that I would probably know if money was coming my way.
That said, clicking on the attachment I’m supposed to approve will most likely result in malware being installed on my PC.
In this example it’s obvious this is malicious in nature. It’s clearly from overseas given the language it’s written in, so why am I showing it? The reason is this illustrates why it’s so hard to block these.
In the case of the example above, you’ll notice that the from address includes numbers. This is why this example is so challenging to block using your spam filter. As soon as you block @8733.com.cn they’ll resend it as @8734.com.cn and so on.
I tried to block this one several times over months with no success until it just stopped one day.
In this example, the cybercriminal is acting as if he’s the CEO of our company in an attempt to get the user to take action. We’ve seen this same tactic used for everything from Starbucks to Apple gift cards.
These attacks have also become a little savvier since they now ask that the recipient not call them because they’re in meetings all day. The reason they do this is because calling to confirm is one of the easiest ways to ensure this is from who it says it’s from.
Remember this going forward. If you suspect the email as malicious, call the person that you think sent it to confirm.
Before moving on, I wanted to point something out that typically slips past people. Note the from address. At first glance, it appears to be from @throttlenet.com, but upon closer inspection, you’ll notice it’s from @throttelnet.com (misspelled).
If you’ve ever played a game where the first and last letter were correct, but the rest were jumbled, you’d know why this works. Our minds fill in what we think we should see and not what we see. It’s a way to get through the day faster as this serves as a mental shortcut, but in this example, it could also be a problem.
The point is, take a moment to make sure your eyes aren’t playing tricks on you.
This is a similar example to the last one, except in this case they’re not trying to get you to do anything – yet. They are simply trying to get you to engage in discussion with them, and eventually instructions will follow on how to move the money.
Other things to avoid would be clicking on unsolicited links in emails.
A way to avoid this would be to view the email in plain text without any links as this eliminates any potential for clicking on any links contained within.
This is especially true today considering the number of emails we’re all getting for shipments and deliveries. Cybercriminals have become very good at spoofing the emails of legitimate companies such as UPS, FedEx and USPS.
If you receive an unexpected – or even expected – email from any of these delivery companies or any others, we encourage you to go to their site directly as opposed to clicking on the tracking link in the attachment as this link may download malicious content in the background.
This applies to your financial institution as well. If you received a text or email with a link to log into your bank, don’t click on it. Simply go to the institution’s website directly and log in there.
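The three from-address checks the webinar describes (the “hover” check, where the name shown differs from the real address; the misspelled throttelnet.com lookalike; and the rotating numeric domains such as @8733.com.cn) can be automated on the raw From: header. The following is an added example written for this transcript, not ThrottleNet’s tooling; the trusted-domain list and the sample headers are constructed for illustration.

```python
import re

# Assumption (hypothetical): the domains this organization treats as its own.
TRUSTED_DOMAINS = {"throttlenet.com"}

# Matches 'Display Name <addr>' or '"Display Name" <addr>'; anything else is a bare address.
_ANGLE = re.compile(r'^\s*"?(?P<name>.*?)"?\s*<(?P<addr>[^<>]+)>\s*$')


def parse_from(header):
    """Split a raw From: header value into (display_name, address, domain)."""
    m = _ANGLE.match(header)
    if m:
        name, addr = m.group("name").strip(), m.group("addr").strip()
    else:
        name, addr = "", header.strip()
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def levenshtein(a, b):
    """Edit distance between two strings; a swapped pair such as 'el'/'le' costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(header, trusted=TRUSTED_DOMAINS):
    """Return a list of warning strings for a From: header value (empty list = nothing odd)."""
    name, addr, domain = parse_from(header)
    warnings = []
    if not domain:
        return ["no parseable address in From header"]

    # 1. The "hover" check: the display name shows one address, the real address is another.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if shown and shown.group(1).lower() != domain:
        warnings.append(f"display name shows @{shown.group(1).lower()} but mail is from @{domain}")

    # 2. Lookalike of a trusted domain (throttelnet.com vs throttlenet.com). Exact matches
    #    and real subdomains of a trusted domain are fine.
    if not any(domain == t or domain.endswith("." + t) for t in trusted):
        for t in trusted:
            if levenshtein(domain, t) <= 2:
                warnings.append(f"lookalike of trusted domain {t}: {domain}")

    # 3. Throwaway numeric domains (8733.com.cn, 8734.com.cn, ...) that defeat blocking
    #    one domain at a time; flag the pattern instead of the individual value.
    if re.match(r"^\d+\.", domain):
        warnings.append(f"numeric throwaway domain: {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for h in ['Tom Jones <tom.jones@throttlenet.com>',
              'Tom Jones <tom.jones@throttelnet.com>',
              '"email@example.com" <attacker@evil.example>',
              'Shipping Dept <sales@8733.com.cn>']:
        print(h, "->", check_from(h) or "ok")
```

The edit-distance threshold of 2 is an assumption that catches a single transposition or a missing letter; raise it and legitimate unrelated domains start to match, lower it and the swapped-letter case above is missed.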
Before moving on to the next slide, let’s take a quick poll.
What is a zero day virus?
Please submit your answers now.
A zero-day virus (also known as zero-day malware or next-generation malware) is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available.
I mention this because it illustrates one of the biggest vulnerabilities in your antivirus solution – definitions and updates.
If your antivirus solution isn’t completely up to date, and since it’s only as intelligent as what it’s told, it may not stop a virus or malware infection from coming through since it may not recognize it as being malicious.
This is why it’s important to use a robust, up to date antivirus solution.
One of the last methods we’ll cover today is how cybercriminals act as tech support from Microsoft. I’ve personally had this attempted on me at least twice over the last few years.
In the case of this scam, the cybercriminals call claiming they’re from Microsoft tech support stating that your PC is having problems and they’re calling to fix the issue.
Now, if you know anything about Microsoft Tech Support, you’d know that you typically sit on hold for hours when calling, and in some cases you need to schedule a time for support to help stem the number of calls coming in. I mention this because there’s no way Microsoft is so far ahead in the call queue that they’re calling you directly for support.
The way this scam works is that the malicious party convinces the user that they’re from Microsoft and noticed their PC is producing bad packets of information. From there, they’ll gain remote access to the PC with the user’s assistance.
Once they’re in, they’ll move around files and folders, so the user thinks they’re fixing a problem. They then claim to have found it, but that they require $150 to fix the problem. The user then provides them with their credit card information and the cybercriminal goes to work fixing the nonexistent problem.
Now they have your credit card information and may have installed malware or spyware on your PC to conduct future attacks or monitor keystrokes for usernames and passwords.
If you ever get a call from Microsoft, simply hang up.
This concludes what to look for and how to avoid becoming a victim of a phishing attack.
Now let’s talk about some of the methods cybercriminals are using specific to the current pandemic.
Let’s start with the World Health Organization’s definition of an Infodemic.
So what is an infodemic?
Before moving on to the next slide, let’s take a quick poll.
What is an Infodemic as defined by the WHO?
Please submit your answers now.
An Infodemic is when people are bombarded with an overabundance of both accurate and inaccurate information thus making it hard to know who to trust.
The primary way an infodemic is caused is when hackers capitalize on the confusion by sending out emails that purport to offer health advice such as cures that are phishing attacks.
Let’s review some of the ways cybercriminals are using the Coronavirus to scam people and compromise networks.
The first way we’ll cover is a smishing attack.
For those that aren’t aware, these are attacks conducted via text as opposed to email.
An example of this type of phishing attack would be a message claiming to be from a local, state or federal agency stating there’s going to be a national quarantine with a link to more information.
Needless to say, the malicious actor would like you to click on the link within the text message which results in your phone becoming infected.
We’ll talk more about this later in our presentation.
Another method cybercriminals are using to attract users is via websites.
As you can see here and as reported by Market Watch – coronavirus related website name registrations are 50% more likely to be from malicious actors.
There are a few key examples of this, such as:
Those handy Coronavirus tracking websites showing the number of infections, recoveries and deaths. These are great tools to keep track of this information as well as to see if your immediate area is affected; however, they can be malicious in nature.
It’s also difficult to determine which is which since a fancy graphic is appealing, but also something cybercriminals would do to get your attention.
If this is something you’d like to track, I’d encourage you to check out Johns Hopkins University as they have a very informative, yet safe, tracking site.
The impending stimulus checks are another way that cybercriminals are using to conduct phishing attacks.
They’ll send something like the examples shown earlier along with a link or attachment stating that they require your information to process your stimulus check.
If you receive an email like this, we encourage you to delete it as the methods the government will use to remit payment don’t include sending an email link and, in most cases, don’t involve email at all.
Another way is via websites claiming to have a cure for the virus; however, we would ask that you defer to local, state or federal agencies for this information as a number of people have not only been impacted by these sites, but have caused themselves unnecessary harm following the cures listed.
Again, if it’s not from a trusted source such as the government, CDC or your physician, you shouldn’t follow it.
Then there are those that claim to have a warehouse full of personal protective equipment.
Thus far, I’ve seen these come from China; however, there will be others coming from the US or at least will appear to.
Again, don’t interact with these by clicking on anything, as that’s when your problems will begin.
And as we touched on earlier, even your phone is susceptible to attack. One such example is COVIDLOCK that claimed to help users chart the virus only to lock their devices for ransom.
An easy way to protect against this is to password protect your phone.
We would also encourage you to install apps from the Google Play store, as this reduces the likelihood of them being malicious.
Last, but certainly not least, is the use of charity sites pretending to be legitimate organizations. So what are some best practices if you want to donate with confidence?
- Search sites such as guidestar.org and give.org for the name of your charity before donating.
- If on Facebook, click the “about” section of a Facebook group to see whether that group has changed its name multiple times to reflect new national crises – a sure sign that the group is trawling for an audience rather than promoting reliable news.
- Keep an eye on official sources on Twitter, including the accounts of trusted news sites and their news reporters, and avoid political operatives where possible.
- If the site claims to be from the government, check to make sure that it’s using a .GOV domain. If it doesn’t, this isn’t a government site and as such shouldn’t be trusted.
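The .GOV check above is only sound if it is applied to the host a browser would really connect to: links such as irs.gov.relief-payment.example, irs-gov.com or www.irs.gov@evil.example all contain “irs.gov” yet go somewhere else entirely. The following is an added example for this transcript (not from the webinar) showing how to extract that host and test the last label; the sample URLs are constructed, and the check is for US .gov only, not other countries’ government suffixes.

```python
from urllib.parse import urlsplit


def browser_host(url):
    """Return the lower-case host a browser would actually connect to for this URL."""
    if "://" not in url:
        url = "http://" + url            # bare hostnames as they arrive in a text message
    host = urlsplit(url).hostname or ""  # discards "user@" tricks, the port and the path
    return host.lower().rstrip(".")


def is_us_gov_site(url):
    """True only when the connecting host's final label is 'gov'."""
    labels = browser_host(url).split(".")
    return len(labels) >= 2 and labels[-1] == "gov"


if __name__ == "__main__":
    # Constructed sample links, not real scam URLs.
    for link in ["https://www.irs.gov/coronavirus",
                 "IRS.GOV",
                 "https://irs.gov.relief-payment.example/claim",
                 "https://www.irs.gov@relief-payment.example/claim",
                 "https://irs-gov.com"]:
        print(f"{link:55} host={browser_host(link):30} gov={is_us_gov_site(link)}")
```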
So how does ThrottleNet help avoid or mitigate issues like this?
One way we help is by installing folders in all your users’ My Documents folders that we monitor at all times.
In the event the files in those folders become encrypted, this sends a notification to our team in addition to quarantining the PC from the rest of the network to prevent it from spreading to – and encrypting – your entire network.
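The monitored folder described above is a canary: known files whose only purpose is to change when something encrypts the user’s documents. The following is an added example written for this transcript, not ThrottleNet’s monitoring agent; it plants canary files, keeps a hash baseline, and reports any canary that was rewritten with high-entropy (encrypted-looking) data. The quarantine step is left out; the simulated ransomware and the file names are hypothetical, and everything runs in a temporary directory.

```python
import hashlib
import math
import os
import tempfile

# Hypothetical names chosen to sort first and last, so a ransomware walk reaches them early.
CANARY_NAMES = ["aaa_invoice_draft.docx", "zzz_yearly_budget.xlsx"]
# Known, low-entropy plaintext body.
CANARY_BODY = b"CANARY FILE - do not edit or delete. " * 64


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(directory):
    """Write the canary files and return {path: sha256} as the baseline to check against."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(CANARY_BODY)
        baseline[path] = hashlib.sha256(CANARY_BODY).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return [(path, reason)] for canaries that no longer match the baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing (renamed or deleted)"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            if shannon_entropy(data) > 7.0:
                alerts.append((path, "rewritten with high-entropy data (likely encrypted)"))
            else:
                alerts.append((path, "modified"))
    return alerts


def simulate_ransomware(path):
    """Constructed stand-in for an encryptor: overwrite the file with random bytes."""
    with open(path, "wb") as f:
        f.write(os.urandom(len(CANARY_BODY)))


def demo():
    """Plant, check (clean), 'encrypt' one canary, check again; returns both results."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        before = check_canaries(baseline)
        simulate_ransomware(next(iter(baseline)))
        after = check_canaries(baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after encryption:", after)
```

In a real deployment the check runs on a short timer or on a filesystem-change event, and an alert triggers the network quarantine the transcript mentions; the entropy test is what separates an encrypted canary from one a user merely opened and saved.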
If you’re one of our many Managed Network clients, this service is included along with a robust antivirus, antimalware and antispyware solution that we monitor and maintain in real-time.
For those that aren’t familiar, Managed Network is where ThrottleNet serves as your full time IT department by providing maintenance, monitoring and management of your network in addition to a fully staffed help desk and dedicated team of IT professionals.
If managed services aren’t for you, we’d recommend our workstation remote maintenance, monitoring and AV combo as well as our server safeguard. This ensures your machines are protected in addition to sending alerts in the event of an issue.
Finally, and as a last line of defense, a solid backup solution from ThrottleNet will ensure that if you are compromised, you have viable backups to work from.
ThrottleNet offers Business Continuity and Disaster Recovery solutions such as Datto that ensure downtime is kept to a minimum. This solution does this by allowing the users to work from a local backup appliance in the event the server is compromised.
If the entire building is destroyed by a natural disaster, this solution also allows you to work directly from your cloud backup in Datto’s hosting environment until such time as your local network is operational.
This solution has saved our clients almost $3 million in ransoms since 2018 by allowing them to restore from a point prior to the attack taking place.
This concludes today’s webinar; however, before we go – AJ, does anyone have any questions?