Under quarantine conditions, not every company can provide employees with VPN, secure remote access, or corporate technology. As a result, workers use their own laptops and smartphones, and also connect to unsecured networks. All of this increases the risk of personal and corporate data theft. 

How attackers attack corporate networks

One of the most popular types of attacks is phishing. It aims to steal users’ personal data using fake websites that imitate real ones. According to PwC India, the number of phishing emails has been growing steadily since the beginning of February 2020, which indicates attempts by fraudsters to take advantage of employee concerns during the COVID-19 coronavirus outbreak. 

Analysts have pointed to a sharp increase in corporate network intrusions and data theft at leading Indian IT companies: since February, the number of attacks has tripled. According to PwC, the main threat was the shift of employees to remote work: companies tried to set up VPN infrastructure as soon as possible, but unsecured devices and connections to insecure networks allowed hackers to launch widespread phishing campaigns.

Attackers imitate login pages and then send malicious links to users by email. To distribute the links, they use botnets or, for a targeted attack, a previously collected list of addresses. A scam letter can come under the guise of important information about the spread of a virus or a letter from the internal communications department.

The outbreak gives attackers an additional social engineering tool, while the attack methods themselves remain the same as before. For example, the main threat in India is the AZORult malware designed to steal credentials. This malware has been around for over three years, but in an epidemic situation it has become relevant again. Attackers disguised their mailings as important information related to the spread of the coronavirus.

Scam letters 

The UK National Cyber Security Centre has detected emails that use the Agent Tesla malware. The fraudulent emails were sent under the guise of a message from the WHO Director-General on 19 March 2020. Previously, a similar mailing offered to purchase thermometers and face masks. The email, disguised as product images, contained a malware downloader.

In other campaigns, the emails included a Microsoft Excel attachment or URL leading to an Excel spreadsheet download. In both cases, the Excel file contained macros that ran a built-in dynamic link library (DLL) to install the GraceWire Trojan through the Get2 loader.

Another malware, TrickBot, has also been used in various COVID-19 campaigns. In one example of emails aimed at Italian users, the attached document contained a malicious macro that downloaded a batch file (BAT) that would run JavaScript and then enable TrickBot.
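A defender-side check for the macro-carrying Office attachments described in the campaigns above, as an added example that is not part of the original article. It parses a raw email and flags attachments that can hold VBA macros; the function names, the sample message and its placeholder "macro" part are constructed for illustration.

```python
from __future__ import annotations
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls/.doc (OLE2) header

def macro_risk(data: bytes) -> str | None:
    """Return why an attachment can carry VBA macros, or None."""
    if data.startswith(OLE_MAGIC):
        return "legacy OLE2 Office file (may hold macros)"
    if data.startswith(b"PK"):  # OOXML (.xlsx/.xlsm/.docm) is a ZIP archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "OOXML file with vbaProject.bin"
        except zipfile.BadZipFile:
            return "corrupt ZIP container"
    return None

def triage(raw_eml: bytes) -> list[tuple[str, str]]:
    """List (filename, reason) for every macro-capable attachment."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        reason = macro_risk(part.get_payload(decode=True) or b"")
        if reason:
            hits.append((part.get_filename() or "<unnamed>", reason))
    return hits

def build_sample(with_macro: bool) -> bytes:
    """Constructed test message; the 'macro' part is a placeholder, not VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    name = "report.xlsm" if with_macro else "report.xlsx"
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
```

The check looks at file content rather than the extension, so a macro-enabled workbook renamed to .xlsx is still flagged.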

In many cases, Trojans such as TrickBot or GraceWire download other malicious programs: remote access Trojans, desktop-sharing clients, and ransomware.

Malicious mobile apps

A study by BroadbandSearch shows that the share of mobile traffic is growing every year and in 2019 accounted for 53% of global Internet traffic. Cybercriminals are actively using mobile devices as a vector for cyber attacks – corporate mobile devices have long been under threat. In 2017, Check Point conducted a survey of information security professionals. The study shows that 58% of professionals have encountered attacks on their company's mobile devices, and about 64% of respondents doubt that their companies can defend against cyber attacks on mobile devices.

Such widespread use of smartphones in a corporate environment and the high rate of cyberattacks on them gave an impetus to the development of solutions for protecting mobile devices – MTD (Mobile Threat Defense). There are several ways to secure your smartphone for work: set up a full MDM / EMM for a smartphone, or create a container for work tasks on the mobile device, protected by an additional PIN code: an employee will have access to corporate data and resources only after authentication. The user will be able to use the corporate applications installed in the container – mail, calendars and other work resources – through the established VPN tunnel. Thus, corporate data will be completely isolated from personal data and protected. With unsecured connections, attackers can gain access to the data of both profiles and use it for extortion or further attacks.

For example, in early March 2020, a new ransomware was discovered – Covidlock, disguised as an app to track the spread of coronavirus on heatmaps in real time. During installation, the application prompted users to grant it administrator access to their smartphone. Having gained access, the attackers blocked the device’s screen and demanded a ransom in cryptocurrency.

SMS attacks 

Most of the SMS phishing attempts before the outbreak were related to extortion. These were fake reports of unpaid fines, late taxes, erroneous payments, or discounts. Upon receiving a message containing a malicious link, the user went to a phishing resource, where they entered their data. To create the impression of authenticity and build trust, attackers fake not only the look of the site, but also the information about the sender.

The UK National Cyber Security Centre has recorded an increase in fraudulent SMS messages disguised as messages from government authorities: for example, messages came from COVID and UKGOV addresses. Russians have also recently come across fake reports of fines for self-isolation violations.

Personal devices in companies

BYOD (Bring Your Own Device) is the concept of using personal devices of employees while working. This allows many companies to reduce costs and avoid buying the same equipment, but increases the risk of cyber threats. According to a 2018 Samsung study, nearly 80% of employers indicate that their employees cannot do their jobs efficiently without a mobile phone, and three-quarters believe mobile devices are essential for their business processes. 

At the same time, only 17% of businesses provide mobile phones to all employees, 31% rely on BYOD, and the remaining 52% use a hybrid approach: employees receive devices based on job title or length of service. Because personal devices vary widely in model, OS and firmware version, IT specialists are forced to configure and work with each device individually.

The ideal picture from a security point of view is, for example, a laptop that IT specialists set up and hand over to an employee with all the necessary software. An employee can use it without restrictions, but is deprived of administrator rights. Everything is under control: any installation of software or updates is coordinated with the security service, and the exchange of data takes place over the internal working network, which provides less load on corporate systems and additional data security. 

At a glance: how to protect your data 

First, don’t forget about personal cybersecurity rules. Tell employees about possible threats, ask them not to install unverified applications. Do not follow unfamiliar links in emails: important information, especially in a pandemic, is reported by trusted resources in the body of the email. Consider EMM as a solution to detect suspicious activity on employee devices to help prevent sensitive information from being leaked.

If you suspect that your employees have encountered such attacks, ask them to change passwords, check bank accounts for suspicious transactions, and also contact the resource whose site the cybercriminals copied.