COVID-19 InfoSec Impacts: Social Engineering and Phishing

Last Updated on January 12, 2024

Pivot Point Security has been answering numerous calls from clients and others with questions and concerns brought about by COVID-19. To help with many common issues, Pivot Point CISO and Managing Partner, John Verry, recorded a special episode of “The Virtual CISO Podcast”.
In it, John shares critical advice on the three main categories of cybersecurity challenges that businesses face due to the coronavirus outbreak:

1. Work-from-home and telecommuting issues
2. New widespread social engineering/phishing attacks
3. Third-party risk management (TPRM) and other supply chain concerns

Practically every company is making quick changes to cope with COVID-19, and John’s insights will help reduce some of the associated information security risk. This blog post overviews new and widespread social engineer and phishing attack scenarios from the podcast.
Some very potent social engineering/phishing attacks have emerged in recent days that exploit panic, fear or concern around COVID-19. “The bad guys are bad guys for a reason, and they don’t miss a beat,” quips John in a serious tone. (Yes, John does have a serious side.)
One phishing email John mentions comes with a poisoned PDF attachment called “Coronavirus Safety Measures.PDF” that is supposedly from the World Health Organization (WHO). This one plants a Remote Access Tool (RAT) that downloads malware.

Another well-crafted phishing scam claims to serve up a link to “new cases around your city” on the US Centers for Disease Control (CDC) website—and looks the part. It even prepopulates your email address into the bogus website login. When you enter your password and sign on, the hackers now have your Microsoft login credentials. Then they bounce your browser to the real CDC website, so you probably won’t even know you were just compromised.

Wait… there’s more!

Another novel and highly effect COVID-19 scamming vector is Android apps. One app that claims to track the virus’s spread locks up your phone for ransom. Another promises to help you buy a safety mask, but instead scans and spams all your contacts to fuel its spread.
If you or an employee clicks a link and have suspicions there’s a problem, what should you do first? Will your helpdesk be working at normal capacity? Should a helpdesk ticket go to the usual location? If you call the helpdesk, is it going to ring someone’s mobile device? Be sure to tell employees how your incident response plans now look in this “brave new world.”
And while there may be challenges, you need to ramp up security awareness training right now, to educate your workforce about new threats. People need to be on alert for phishing and malware attacks wrapped in “too good to be true” COVID-19 promises.
John also anticipates a jump in home-based vishing (phishing via voice calls). A typical “vish” goes something like, “Hey, I’m calling from Microsoft. We’re seeing a problem with your current connection. It looks like your machine is attacking another site. Point your browser at this URL so we can diagnose it.” In reality, clicking the link gives the hackers remote access to your system.
John closes the podcast with this sobering statistic: According to Check Point Software’s threat intelligence feed, since January 2020 there have been 4,000 domain registrations pertaining to coronavirus. Of these, 3% (120) were found to be malicious and an additional 5% (200) were suspicious—so 8% of these new sites are of concern.
This is why you need to amp up security awareness training to alert users to these potential hacks, even as you seek to balance remote access and productivity needs with mitigating cyber risk.
Good luck and stay safe and well out there!
Link to The Virtual CISO Podcast Episode: Staying Secure in a COVID-19 World