Tackling the Post Covid Cybercrime Pandemic
Lockdown has transformed the scale and nature of Cybercrime
The threat landscape has changed with millions working from home. Most are using systems secured by afterthought, not design. After a short pause the criminal world seized the opportunity. UK Central Government appears to be giving priority to threats from state actors and enhancing its cyberwarfare but the cost of fraud (direct and indirect) is such that its own finances are now at risk.
In June the DPA Cybersecurity Group discussed the changing threat landscape. It agreed the need for follow up on the changing threat landscape resulting from large scale remote working, the challenges of reconnection, the response of law enforcement and the current state of plans for co-operation with industry and academia. The Group ZOOM on the afternoon of 14th September is for DPA members and registered observers only. Those interested in joining are welcome to attend as a taster but need to join before any further participation. More details are available at: https://www.dpalliance.org.uk/join-us/.
The blog below summarises my own understanding of the current situation from a variety of sources. The pace of change along criminal supply chains is accelerating. But so too is the response from law enforcement. Lockdown saw the first step with long overdue automation of incident notification (i.e. phishing attacks). Now the UK regional pilot to test processes for forwarding notifications in bulk from organisational firewalls has gone live. That will help transform law enforcement understanding of what is happening.
The next step is for those who are serious about protecting themselves and their customers to “get political” in order to help reset and resource the agendas of Government, Law Enforcement and their security suppliers accordingly. Only then will it be practical to do, in co-operation, what is necessary to address vulnerabilities and take effective action to detect and deter those responsible for aiding and abetting, as well as those committing, cybercrime.
That will not be easy. Vulnerability removal and action against criminal supply chains clashes with both the cyberwarfare capabilities of nation states and the business models of major on-line players and internet service providers. Those with different priorities are legion, but fragmented. Hence the lack of “clarity” in current debate over Cybersecurity, On-line Harms and Internet Governance. Hence also attempts to instead blame customers and consumers for not making more use of complex end-user protection tools and techniques that are of limited practical value.
I am now only an arms-length advisor trying to make sense of what is happening. It is up to those 30 – 40 years younger than me to respond. They need YOUR support.
Contents:
- Summary
- The Covid Honeypot
- Opportunities opened by Lockdown
- Opportunities opened by Government Response Programmes
- Evolving public-private predator supply chains
- Why legacy guidance is no longer adequate
- Areas where improvement will make a difference
- Local, national and international co-operation
- Conclusion
1) Summary
The Covid cyberfraud pandemic began with a rash of semi-customised scams akin to those which happen with any major event, be it tragedy (like the Tsunami) or sporting (like the World Cup), but on a much larger scale. There followed a short lull as traditional crime and even on-line fraud were themselves disrupted by the lockdown.
The criminal world then began to appreciate the opportunities to infiltrate the systems of large organisations offered by the mass expansion of home-based working, using systems and networks that had been secured (if at all) by afterthought, not design. The result has been a retargeting and refining of attacks rather than an overall increase, save in specific areas, such as intelligence-led fraud and ransomware.
In parallel the Government response, support and intervention programmes, with ease of access and speed more important than security, offered a whole new raft of opportunities, both for direct fraud and for impersonation. Then came the targeting of those whose jobs have gone or are at risk.
The combination led to a rapid evolution of the criminal supply chains, both to overcome problems with the way lockdown affected some sources and processes (e.g. call centres and cash collection) and to exploit new opportunities, e.g. lures tailored to fit UK Covid response programmes or to recruit those desperate for paid work.
The security response began with a reiteration of existing guidance, amended over time as realistic “lures” were used to gain access to user laptops and phones.
The sharp fall in consumer and SME confidence and willingness to respond to phone calls or texts, let alone e-mails, has expedited consideration of how current guidance can be improved.
In parallel we have seen moves to overhaul the mechanisms for co-operation between law enforcement and industry to counter fraud and attempts by nation state actors to gain access to systems of interest, including government and research.
The conclusion is that large organisations who are serious about protecting themselves and their customers need to take collective action. The next online meeting of the DPA Cybersecurity Group, scheduled for Monday 14 September at 14.00 on Zoom, is due to “discuss the role of authorities in addressing cyber risk, building on its previous discussion of its growing significance and changing nature as those working remotely connect to the networks of their organisations and return to their offices. Remote working and growing reliance on information technology and digital communication have significantly increased the attack surface for any would-be adversaries.
The meeting, chaired by Baroness Neville-Jones, will include discussion on planned work with business and academia through Cyber Resilience Centres with Andrew Gould, National Cybercrime Programme Lead for the National Police Chiefs’ Council, who will brief members on a current technical project.
Please email [email protected] to register your attendance.”
2) The Covid Honeypot
Whenever there is a major event, a disaster or sporting event there is a rash of topical lures to persuade the fish (you and I) to swallow the hook that gives access.
The peak of registration of Covid-themed domain names took place in the 3rd and 4th weeks of March. Few were used in the first couple of weeks, when new domain names are routinely checked for potential fraud by reputable registrars and ICANN. More came into use over time. By the end of August the UK Domain Name SOC (within the NCSC) had secured the removal of over 22,000 URLs related to over 9,000 scams. This was in response to over 2 million notifications via the reporting system launched in April.
The National Crime Agency issued its first comprehensive warning on the 26th March. That week the Metropolitan Police issued warnings of doorstep fraudsters in Harrow demanding access to homes to check for Covid. Imitation test and trace services were being used as a themed lure (both on-line and on-the-doorstep) two months before the NHS Service went live. As we went into Lockdown and the scale and nature of the criminal opportunities became apparent it was soon only one of a group of inter-twined, Covid and Lockdown related lures to gain access to corporate as well as personal systems.
In the course of April the volume of spam, smishing and vishing began to grow with ever more realistic imitations of the messages being sent out by Government and its departments and agencies (DVLA, DWP, HMRC etc.) as well as Banks, ISPs, Telcos and organisations like the TVLRO. As those in lockdown became dependent on home delivery so we saw a growth in the volume of imitations of delivery services and high street names.
Then came the realistic “sorry you were out” or “your account has been suspended because of unusual transactions” notices, with plausible response addresses. In parallel there was an explosion of employment scams, targeted at those who had lost their jobs or were in furlough. The volume of reports to Safer Jobs (the co-operation between Industry and Law Enforcement to support victims of such fraud) has already risen by nearly 70%.
3) Opportunities opened by lockdown
What is different about Covid is the impact of lockdown and the sudden mass expansion of those working from home for more than a couple of days a week. Thus, shortly after lockdown began there was a rash of e-mails purporting to come from “Personnel” or “Procurement” announcing new arrangements and/or requesting “confirmation” of details. Those in furlough were at greater risk after losing access to corporate e-mail accounts, lest they be accused of using them to do productive work while in furlough. In consequence they no longer benefited from the routine DNS authentication of e-mails purporting to come from their employer and/or organisations with which they have regular dealings.
Also at risk are those who know, or fear, their jobs are unlikely to come back after furlough. They are busy job-seeking. They are therefore vulnerable to the many frauds targeted at job-seekers, from those to harvest their CVs (to aid fraud against them) to those seeking to recruit them as “mules” in support of money laundering. Finally there have been a great many sudden but genuine changes to procurement, supply and distribution chains. Hence the common criminal objective of making a few more, not so genuine.
The threats vary by sector. There are more reports of attacks targeted at sectors with large numbers working at home. There are fewer against sectors which have largely gone into furlough. One interpretation is that fraudsters have not bothered to attack businesses that have been furloughed. Another is that the attacks will only be detected and reported when the systems are brought back on-line. Hence, one of the concerns for discussion in the DPA Cybersecurity ZOOM on 14th September is what will happen when the latter are powered up and reconnected, needing six months of operating system and other updates before they are secure.
4) Opportunities opened by Government Response Programmes
Publicity for contact tracing programmes and apps has opened up opportunities for impersonation. So too have the various public/private support schemes. The scale and nature of the latter, with ease of access prioritised over security, have also enabled fraudsters, organised or not, to loot central and local government and health care funds around the world, not just in the UK.
Around the world contact tracing is usually covered by mainstream Public Health legislation and includes the use of mobile phone location data allied to symptom reporting. Mobile phone apps are used for symptom reporting and contact tracing, although the use of bluetooth (as opposed to QR codes) has, so far, been of limited value because of the scale of false negatives and positives.
The scale and nature of publicity for and against centrally controlled apps has, however, facilitated much fraud linked to bogus contact calls and supposedly decentralised apps (harvesting location and other data for sale into criminal supply chains). Using Bluetooth (as opposed to disabling it, easier said than done) reduces the security of mobile phones, facilitating stalking, surveillance and abuse by strangers, as well as by Google analytics, the Apple equivalent, parents, partners and law enforcement.
Requirements on the hospitality and other venues to record customers and visitors, in case they are needed for contact tracing, has also increased the volumes of data held insecurely for access by those claiming to be responsible for identifying and tracing customers.
The scale of increased fraud against public sector support programmes and procurement around the world is unknown. Daylight Robbery estimates £4 – 5 billion of fraud already under way against UK public sector aid programmes. At least two US states are on “life-support” having been bankrupted by fraud against their support programmes.
5) Evolving public-private predator supply chains
Many criminal supply chains were seriously disrupted when overseas call centres were hit by Covid. So too were local courier services used to physically contact victims with fake or forged “credentials” in support of targeted fraud. Meanwhile, faced by lockdown and disruption to their other enterprises, local criminals (not just in the UK) moved on-line, using local knowledge to add tailored front-ends and new physical delivery/collection facilities to global criminal supply chains. Crypto-ransom demands are now similarly tailored to the ability/willingness of the victim to pay rather than resist or contact law enforcement.
The lures to get UK audiences now use the house styles and language of Gov.UK sites for public services and have evolved over time from notifications to claim a tax rebate or register for a Covid-related special service to notices that a payment or delivery has failed or an account been suspended because of “suspicious activity”.
What happens after the potential victim has clicked on the link, or responded to the text or phone call may not be that different, save the voices in any criminal call centre will have regional UK accents. But the consequences of added realism go well beyond greater criminal success. The more realistic spoofing of e-mail addresses, domain names and phone numbers, plus locally accented voices on criminal call-centres, have helped fuel a paranoia that has led to a sharp fall of confidence in almost any form of unexpected electronic contact.
More recently we have also seen an accelerating rise (70% so far) in reports to Safer Jobs of employment scams. These include exercises to recruit the newly unemployed into the UK end of criminal supply chains, including as local couriers and money mules to get round laundering controls. There has also been a sharp rise in the use of false credentials in order to get into positions of trust including, for example, the NHS.
6) Why legacy guidance is no longer adequate
The impact of the fall in consumer confidence can be seen in the difficulty that those seeking to organise support for people in lockdown have had in making any contact at all, not just with those who may have been in touch with some-one who may have been infected.
After an initial success rate of 80% the success of the central NHS Test and Trace in getting responses from “contacts” dropped to 40 – 50% before recovering, after follow up was passed to those with experience of tracing the contacts of those with sexually transmitted and other “notifiable” diseases. That was in part because the actual incidence of Covid is so low that those they try to contact begin with the assumption that it is yet another fraudster. Local Government Welfare and NHS support services have had similar problems making contact with benefits recipients and others at risk to offer deliveries of food and medicine. Those with whom contact was most needed rarely responded other than to personal contact from some-one they trust.
This is not new. One of the consequences of Covid has been the discovery that most of the population does not respond to contact from apparent strangers on-line any better than on the high street. A summary of recent research findings, Me and my Big Data , was launched just before lockdown. It indicated, inter alia, that most of the population may use the technology but only the young are truly confident. More-over those most dependent on public services were least likely to go on-line to access them.
The NHS brand is more trusted than those of Google or Apple, though the latter are the second and third most valuable Global brands. Hence its attraction as a honeypot, and the guidance not to trust any contact claiming to come from Test and Trace. Instead you have to visit the website to register.
Paranoia, particularly among those not previously confident in their use of on-line products and services, has helped widen the digital divides that have opened up during lockdown. There is a need for similar guidance on how to check the genuineness of communications, whether e-mail, text or phone call, purporting to come from HMRC, DVLC, TVLRO, DWP, your bank or the delivery firm which has supposedly attempted to deliver a parcel while you were out.
We are beginning to see improvements, such as more informative warnings when you try to use on-line banking to pay a new contact: “LOOK OUT: Criminals are using COVID-19 to their advantage impersonating known organisations such as the Government, HMRC, Loan Providers, Banks, Charities and the Police … Please stop and consider why you’d need to make a payment in these scenarios”. Guidance like the 30 page booklet from Which, the Consumer Association, entitled “Protect yourself from scams” is also good but tends to be read by those already easiest to advise.
How do we best advise those in most need? How do we ensure that the guidance does not simply increase the paranoia? Or is the volume of fraudulent contact such that the paranoia would be even worse without it? The first step is almost certainly to make it very much easier to report incidents to those who will respond, automatically if necessary, with helpful guidance.
7) Areas where improvement will make a difference
The biggest changes needed are with regard to guidance for organisations, large or small, which now depend on home-based workers for key functions.
Cyber Essentials has not been updated since its launch in 2014. In 2016 the Culture Media and Sport Select Committee received evidence of the need to address weaknesses with regard to:
- Identifying assets, vulnerabilities and risks
- People processes, training and awareness
- Encryption, hashing, salting passwords
- Developing, testing security and recovery plans
The Select Committee recommendations, including for updating Cyber Essentials, have still not been implemented although the more recent IASME standards could be used to address many of the weaknesses identified, as well as others which were not raised at the time.
To these we need to add:
- Guidance for home-based and/or mobile staff
- Processes for secure communication with home-based staff
- DNS authentication including along supply chains
- Recording and Reporting processes
Most spam reported by home-based workers comes in via personal rather than corporate e-mail addresses. That is presumably because the corporate e-mail services check for DNS authentication. The volume of spam also appears to differ widely by service, presumably because of the filtering that takes place on some services but not others.
A growing number of organisations are encouraging DNS monitoring and authentication on those in their supply and distribution chains. All those (mainly Central Government and its departments and agencies) who are eligible should be using Protective DNS. All with their own domain names should be securing them with tools like those available at no charge from the Global Cyber Alliance.
Data minimisation is one of the best ways of improving security. There is a good case for the, now mandatory, customer recording systems of the hospitality industry to use “privacy friendly” identity and authorisation processes, akin to those developed in support of PAS 1296 for age checking, to avoid the need to record personal details. Thus the doorman of the night club needs to know only the Yoti card number (for example) of the pretty girl acting as group leader, not her address and phone number.
There are many other areas where organisations could and should take action to help protect their organisations and their staff, customers and supply/distribution chains as well as society at large, including to:
- organise customised awareness programmes for staff and contractors, particularly those who are home-based or still on furlough. These should include regularly updated examples of the scam e-mails, texts and phone calls doing the rounds, and guidance on how to report them.
- use DNS authentication and monitoring themselves and to support, advise and require those in the organisation’s supply and distribution chains to do so as well. They should also check that their DNS registrar receives and acts on reports of abuse.
- look at co-operation with their peers, their suppliers, their customers and with law enforcement to not only share information and good practice but act collectively to expose and deter bad practice and “remove” common vulnerabilities and threats.
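The “DNS authentication along supply chains” recommended above rests on the SPF and DMARC records a domain publishes, and a supplier review has to read those records rather than take a partner’s word for it. The following checker is an added example, not code from the original post or from any of the bodies it mentions: it parses SPF and DMARC TXT records and flags the settings that leave a domain easy to impersonate (a permissive `+all`, a DMARC policy of `p=none`, a partial `pct`, or no reporting address). The three domains and their records are constructed sample data; the code does no DNS lookups, so in practice you would feed it the TXT records fetched for each domain in your supply chain.

```python
import re
from dataclasses import dataclass

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "example-supplier.test": {
        "spf": "v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-supplier.test; pct=100",
    },
    "weak-partner.test": {
        "spf": "v=spf1 a mx +all",          # every sender on the internet passes
        "dmarc": "v=DMARC1; p=none; pct=50",  # monitor-only, and only half the mail
    },
    "no-policy.test": {"spf": None, "dmarc": None},
}

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit: 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


@dataclass
class Finding:
    domain: str
    severity: str   # "high", "medium" or "low"
    message: str


def parse_spf(record):
    """Return (qualifier of the 'all' term, other terms) or None if not an SPF record."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    all_qualifier, terms = None, []
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # an unqualified 'all' means '+all'
        else:
            terms.append(term)
    return all_qualifier, terms


def parse_dmarc(record):
    """Return a dict of DMARC tag -> value (keys lower-cased) or None if not DMARC."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, spf_record, dmarc_record):
    """Return the list of weaknesses found in a domain's SPF and DMARC records."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append(Finding(domain, "high", "no SPF record: any host may send as this domain"))
    else:
        qualifier, terms = spf
        if qualifier in (None, "+"):
            findings.append(Finding(domain, "high", "SPF has '+all' or no 'all': every sender passes"))
        elif qualifier == "?":
            findings.append(Finding(domain, "medium", "SPF ends in '?all': unlisted senders are neutral"))
        elif qualifier == "~":
            findings.append(Finding(domain, "low", "SPF ends in '~all': softfail relies on DMARC to act"))
        lookups = sum(1 for t in terms
                      if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_TERMS)
        if lookups > 10:
            findings.append(Finding(domain, "medium", f"SPF needs {lookups} lookups: receivers return permerror"))
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append(Finding(domain, "high", "no DMARC record: receivers are not told to reject spoofs"))
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append(Finding(domain, "high", "DMARC p=none: spoofed mail is reported, never rejected"))
        elif policy == "quarantine":
            findings.append(Finding(domain, "low", "DMARC p=quarantine: spoofs are junked, not rejected"))
        pct = int(dmarc.get("pct", "100")) if dmarc.get("pct", "100").isdigit() else 100
        if pct < 100:
            findings.append(Finding(domain, "medium", f"DMARC pct={pct}: policy covers only {pct}% of mail"))
        if "rua" not in dmarc:
            findings.append(Finding(domain, "low", "DMARC has no rua=: no aggregate reports, abuse goes unseen"))
    return findings


def assess_all(records):
    """Assess every domain in a {domain: {'spf': ..., 'dmarc': ...}} mapping."""
    return {d: assess_domain(d, r.get("spf"), r.get("dmarc")) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(f"{domain}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  [{f.severity}] {f.message}")
```

Run against the sample data, the supplier with `-all` and `p=reject` produces no findings, the weak partner produces four, and the domain with no records produces two high-severity ones. The same ordering of checks (SPF first, then DMARC policy, coverage and reporting) is the order in which receivers actually apply them, which is why a `p=none` policy behind a clean SPF record still leaves the domain spoofable.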
8) Local, national and international co-operation
Over the years there have been many calls for Industry and law enforcement to work together in co-operation, for example that from Tech UK in 2015. I have blogged on them since 2008.
For many years the main UK vehicle for co-operation, apart from professional bodies, trade associations and organisations like CIFAS and Safer Jobs (launching an on-line vetting system for job ads on 11th September), was the network of Warning Advice and Reporting Points, created by the Centre for the Protection of National Infrastructure. Some are still running, e.g. for local Government in the North West or London, but it is unclear what support the National Cyber Security Centre provides.
The ability of the National Cyber Security Centre and the National Crime Agency to support co-operation via other channels has been affected by their priorities and the resources available. A major constraint on targeting was the ability of potential victims to report incidents (e.g. phishing attacks) as opposed to actual crimes (e.g. fraud or extortion subsequent to infiltration after a successful breach). That began to change with the automated Suspicious E-mail Reporting Service. It will be transformed as the UK Police CyberAlarm (which enables bulk reporting from organisational firewalls) grows from the current pilots (North East, North West, East Midlands and South Wales).
The current NCSC/NCA strategy is to work with the National Police Chiefs Council to support local law enforcement in preventing and addressing cyber threats via cybercrime units for each police force, supported by Regional Organised Crime Units and the National Cyber Crime Unit.
That capacity is to be expanded further through planned work with business and academia, including Cyber Resilience Centres established in connection with the National Police Chiefs’ Council’s National Cybercrime Programme. Each NPCC programme is chaired by a Chief Constable. The chairmanship of the Cybercrime programme has just moved from the Chief Constable of Derbyshire (home of global aerospace players like Rolls Royce) to the Commissioner of the City of London Police.
We can therefore expect more attention to the needs of the UK as a secure and trustworthy location for on-line transactions, whether local or global.
How that will fit with NCSC priorities for UK cyberwarfare capabilities and protection against national state actors has yet to be seen.
9) Conclusion
Large organisations who are serious about protecting themselves and their customers need to co-operate with their peers and other stakeholders. That includes at the political level.
The next online meeting of the DPA Cybersecurity Group, scheduled for Monday 14 September at 14.00 on Zoom, is due to “discuss the role of authorities in addressing cyber risk, building on its previous discussion of its growing significance and changing nature as those working remotely connect to the networks of their organisations and return to their offices. Remote working and growing reliance on information technology and digital communication have significantly increased the attack surface for any would-be adversaries.
The meeting, chaired by Baroness Neville-Jones, will include discussion on planned work with business and academia through Cyber Resilience Centres with Andrew Gould, National Cybercrime Programme Lead for the National Police Chiefs’ Council, who will brief members on a current technical project.
Please email [email protected] to register your attendance.”