In an effort to keep our clients updated on emerging cyber threats specific to the remote workforce, we have gathered the latest research related to specific Coronavirus-themed attack methods. We continue to see criminal campaigns that specifically target employees in the form of social engineering schemes. The fact that remote employees will have less communication and access to other employees coupled employers facing potential staffing shortages could make these crimes even easier to execute. For these reasons we feel it is imperative that all employees are trained on what to look for.
Employees need to be aware of phishing emails that exploit the need for information and emotions associated with the Coronavirus pandemic. They often impersonate government officials, fundraisers seeking charitable donations and key employer contacts. In the initial stages of the Coronavirus outbreak, these campaigns were initially carried out by espionage groups associated with China, North Korea and Russia. It can be expected that organized criminal groups and lone hackers motivated by financial gain will follow this pattern and continue to perpetuate similar email phishing schemes. Emotet, Ryuk, Remcos, AZORult, and ParallaxRAT are examples of malware families that are commonly utilized to carry out these crimes.
While some of the phishing emails contain obvious tell-tale signs of fraud, such as obvious misspellings and improper grammar, we want to stress that others are difficult to flag as fraudulent.
COVID-19 Maps: There is a spoofed version of Johns Hopkins University & Medicine COVID-19 tracking map being used to deploy information stealing malware, including AZORult. Researchers identified at least one online criminal forum that offered to sell a malware loader disguised as the tracking map.
According to researchers, several dangerous domains have emerged in January, with a notable spike in suspected fraudulent domains in mid-February. When clicked upon, it is believed that they will potentially enable hackers to steal information or infect the user with malware. Security company Check Point sampled 4,000 Coronavirus-themed domains in February and reported that 3% of all COVID-19 themed domains were definitively malicious, while another 5% were deemed suspicious. These include but are not limited to the following: ***
Immediate Needs: Employee Training
Employee training specific to the cyberattack methods related to Coronavirus should be a main priority for employers:
- Do not click on links or open attachments from unknown senders
- Be cautious of any email purporting to come from the Center for Disease Control or the World Health Organization.
- Be suspicious of emails promising non-public information about Coronavirus, information, vaccines or other sales offers for products to fight Coronavirus infection.
- Provide a means for employees to report all suspected phishing emails.
Source: Recorded Future
Gallagher provides insurance, risk management and consultation services for our clients. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer general information about risk mitigation, loss control strategy and potential claim exposures. Any statement or information provided is for informational purposes only and is not intended to be, nor should it be interpreted as, medical, legal or client-specific risk management advice. The general insurance descriptions and other information contained herein does not include complete insurance policy definitions, terms and conditions and should not be relied on for coverage interpretation. Policy-specific terms and conditions dictate whether coverage applies to any particular risk or circumstance, and this information in no way reflects or promises individual client or policy-specific insurance coverage outcomes.
Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).