Covid-19 cyber scams surge in March-April as threat actors rapidly adapt

Covid-19 themed cyber scams have seen a marked uptick over the past month, with cybercriminals launching more sophisticated phishing campaigns aimed at distributing malware or harvesting personal information, according to the latest threat update by the Government’s Australian Cyber Security Centre (ACSC).

ACSC head, Abigail Bradshaw, said that malicious foreign cyber actors were adapting their techniques within days – sometimes even hours – of government announcements such as relief payments or public health advice.

Since 10 March, the ACSC has seen more than 95 reports (approximately two per day) of Australians losing money or personal information to coronavirus-related scams, while also receiving 115 cybercrime or security incident reports from individuals and businesses.

The Australian Competition and Consumer Commission’s (ACCC) Scamwatch service noted a similar trend, registering more than 1,100 Covid-19 scam reports to date, totalling nearly $130,000 in reported losses.

However, ACSC estimates the true extent of Covid-related scam activity to be “much higher”, as these figures do not account for unreported cases.

The ACSC has also responded to 20 security incidents affecting Covid-19 essential response services or major suppliers in the current pandemic. It has also acted to disrupt more than 150 coronavirus-themed malicious websites that have sprung up since March, with assistance from local telecommunications providers and tech giants Google and Microsoft.

Covid-19 Cyber scam case studies

Banking-themed SMS campaigns emerged as the Covid-19 cyber scam medium of choice for cybercriminals over the past month. For instance, on 30 March 2020, the ACCC said it had received 16 reports of a Westpac-themed phishing text message directing recipients to a website harvesting personal information.

Another tactic utilised by criminals was to brandish Australian Government livery on payment-themed scams, such as spoofing official email accounts to send out malware-bearing attachments or impersonating government correspondence on assistance payments in an effort to steal PII.

Corporate email systems are bearing the brunt of cybercriminals’ extortion efforts. Preying on cash-strapped and idle employees, criminals have begun disguising work emails as official correspondence from payroll administrators, offering “benefits” of up to $1,000 to the unsuspecting, all the while urging users to click on links which redirect them to websites designed to install malware onto a company’s corporate network.

Criminals are also capitalising on the growing need for public information and updates on Covid-19, sending emails or text messages claiming to be from trusted authorities, such as local government departments or the World Health Organisation, in order to lure recipients to click on compromised links or attachments.

In one example given, an SMS containing a malicious link was made to appear as though it were coming from a “GOV” domain; once the domain used in the initial phishing campaign was spotted and taken down, criminals quickly switched tactics, creating a new malware-hosting domain redesigned to instead spoof “MyGov”.

“By replacing the alpha tags in the SMS header with ‘MyGov’, the malicious actor was able to deliver these messages within the existing legitimate SMS chain between individuals and Services Australia,” the ACSC explained.

As corporate teams embrace remote working amid Covid-19 corporate response directives, the ACSC in its bulletin further cited the growth of remote access scams, where criminals commonly pretend to be from IT or telecommunications companies, banks, or even the ACSC, requesting remote access to “fix an issue” on a person’s computer.

“Allowing anyone access to your devices can, and usually does, result in devastating consequences, including financial loss or the compromise of your personal accounts,” the ACSC warned.

Finally, the ACSC noted a rise in fraudulent e-payments commonly targeting businesses that work with foreign suppliers and/or regularly perform wire transfer payments. This type of scam sees cyber miscreants posing as a supplier or client, sending an invoice-themed email directing payments to a criminal-run bank account.

While noting the growing volume and sophistication of coronavirus-themed social engineering attacks, the Australian Signals Directorate (the parent agency of the ACSC) has pledged its commitment to “protect Australians from malicious cyber activity during this difficult time… [including] by striking back at these cybercriminals operating offshore”.

“The Australian Signals Directorate has used its offensive cyber capabilities to disrupt foreign cybercriminals responsible for malicious cyber activities exploiting the Covid-19 pandemic,” Bradshaw said.

“We have stopped them from accessing their own systems and prevented them from accessing information they stole.”

The Threat Update bulletin further listed strategies for users to stay protected in this new climate, such as using two-factor authentication for essential services or switching their email, SMS, or social media to providers that offer spam and message scanning.

Meanwhile, the ACSC is reportedly working alongside industry, government, and law enforcement partners – including the ACCC, Services Australia, Australian Federal Police and Australian Criminal Intelligence Commission – to share information and disrupt virus-related malicious online activity.