Ransomware Masking as COVID-19 Contact Tracing App – Experts Comments

Cybersecurity experts comment below on the new ransomware targeting Canada that is masking as a COVID-19 contact tracing app.

Mark Sangster, Vice President and Industry Security Strategist
InfoSec Expert
June 25, 2020 9:33 am

We’ve seen opportunistic criminal leveraging of natural disasters before, for example with 2012 Hurricane Sandy. During the storm, we saw a 30 percent drop in web traffic in our New York and eastern seaboard customers, with an equivalent increase in malicious traffic. With tunnels flooded, criminals knew banks and financial institutions were crippled and ripe for attack. And more recently, we have seen thousands of attacks against the medical facilities we protect. These attacks leverage the response to Covid-19 as a means of increasing the likelihood of success.

Cybercriminals are adept at using chaos and confusion as the smokescreen in which to move with stealth, speed, and impunity. In the case of Covid-19, there is no end to the amount of fraudulent and weaponized coronavirus apps, malicious documents, fake websites, and texts. The CryCrypto attack shows a level of surveillance on the part of criminal elements, attuned in real-time to government pandemic responses, and their agility when it comes to creating rapid malware campaigns.

This sort of campaign is extremely dangerous. It masquerades as a legitimate app, distributed by a trusted source (in this case, the Canadian government). For this reason, many people could fall prey to this attack. It also drives home the fact that platform vendors play a role in securing their ecosystem with rigid app verification and validation.

On a larger scale, it begs questions around the broader privacy and security issues of macro-population tracking, but should also spur people to consider how readily they are willing to surrender personal and potentially costly information on a daily basis. We all too easily surrender our privacy with the click of “I agree”, and then buy back our personal information in the form of products aligned to our searches, preferences, and social media brags. It’s a laissez-faire approach on the side of the consumer. In this case, the blind click could be costly in terms of ransomware.

As the stakes of cyber fraud increase, legislators and lawmakers must address the accepted view of “click” rights, when we all know that very few people actually read the terms and conditions. It’s time for government, vendors, and consumers to wake up to the risks, and take measures to counter cyberattacks like CryCrypto.

Cybercriminals employ many tricks to tempt users to install malware on their devices. An exceedingly popular technique is the use of phishing attacks where users/victims are tricked into executing malicious payloads to gain access and control of a victim’s device. Once an attacker has control, there are a number of ways they will monetize this access. One of the more popular ways cybercriminals monetize this control is through the use of ransomware where victims’ personal information is encrypted and held hostage until a ransom bounty is paid.

Rob McLeod, Director of Advanced Threat Analytics
InfoSec Expert
June 25, 2020 9:28 am

The most successful phishing campaigns use a topical, stressful event to set the stage for communication with the victim to increase their effectiveness. COVID-19 provides an ideal backdrop for cybercriminals to conduct these operations.

Users will likely be familiar with phishing attacks, and CryCrypto is not the first Android ransomware in the wild. What’s different for most users in the mobile device context is the exposure of communication vectors not typically associated with phishing attacks. This includes voice, SMS, messaging apps, and social media channels where attackers can communicate with potential victims to trick them into installing non-legitimate apps.

There are many strategies users can employ to protect themselves. Far and away the best strategy is to only download apps from official sources that have been digitally signed and verified by mobile device providers, without exception. And before downloading an app from an official app store, do some research. Check:

How many times has the app been downloaded?
What is its rank in the app store?
Does the author of the app match expectations?
