Maksim Kabakou - Fotolia

Security Think Tank: Why and how cyber criminals exploit world events

In our globalised world, high-profile events such as Covid-19 have huge business impacts, some of which may be felt by CISOs. What responsibilities do security professionals have in such circumstances?

Cyber criminals, APT actors and others who pose a threat to businesses and individuals are impacted and influenced by world events just like the rest of us. However, they will also use these events, as well as cultural events, to give them an advantage through exploiting our normal routine.

Many financial frauds, for example, take place on a Friday evening, particularly before a bank holiday Monday. This was typified where criminals had acquired banking details but needed to get the SMS codes sent by SMS to the account holder.

They do this by requesting a new SIM in the name of the account holder and getting their mobile number transferred to the new SIM so that they received the second factor codes. The account holder’s mobile would now stop working, but being a Friday evening, they may not do anything about it until the next working day and being a weekend even if they noticed the money was missing, it would be more difficult to contact the bank and for them to track the money. 

Attackers will often mount attacks out of hours and at weekends hoping that their activities will go unnoticed until the next working day. Attackers also follow regular working patterns and have holidays which can help attribution based on the times of day they are active to identify a time zone. Which days they are and are not active can help determine their cultural background, too.

As well as exploiting routine, attackers will also exploit world events either for social engineering, or to exploit an organisation at a time of vulnerability.  Criminals will exploit emotional concerns and worries. Following natural disasters, there are always those who will see a disaster as an opportunity.

In the past, there were several examples of phishing emails using the Ebola outbreak to masquerade as a charity or government body asking for donations for disaster relief and using the responses to gather personal banking information as well as taking donations. Ebola was also used as a social engineering ploy to get people to click on links and download malware to mount attacks on individuals and companies.

We are already seeing the same thing happening again with the outbreak of Covid-19 with phishing campaigns and now customised Covid-19 malware embedded in a PDF giving advice and information and I suspect this will escalate with people anxious for any information.

If not already done, now is the time to warn staff of the threat both in their personal life and at work to be vigilant when it comes to emails on these topics and if possible double down on detection, even blocking external emails appearing to be on these topics.

When we ourselves are affected and we need to put fallback plans into action because of flooding impacting business premises, or preventing employees coming into work, we may unwittingly be more vulnerable to attack.

A typical disaster recovery plan will provide for staff relocation to another site in the event of folding of their normal offices. Some businesses may plan on having staff work remotely. In the case of people trapped by floods, or self-isolating to avoid infection, this may be the only option.

However, this will probably not have been planned or tested as part of a fall-back plan. Is everybody equipped to work remotely? Does the remote access server have the capacity to cope with the numbers who may need to use it? Those who work directly to the cloud may not have these issues, but those in more traditional work environments or with cloud access through a central point will need to consider the impact of fragmentation of the workforce in this way.

Fragmentation of this type may also change ways of working, for example, make people more vulnerable to attacks such as whaling. Whaling typically works where a senior is out of the office. Spoof emails purporting to be a finance manager or another senior person, possibly from a hacked account, ask to make a payment on their authority.

Verification

When both the senior and the target of the email are out of the office, these requests are probably more likely to slip through, reinforcing the need for proper verification of such requests. Any emergency change to operating and security processes need to be considered carefully and where possible mitigations put in place.

Remote workers are always more vulnerable because they have the same face to face contact and are less likely to be able to double check. Isolating many more who normally work in a team is going to increase the overall vulnerability to social engineering and also make it more difficult to respond to an attack.

Many won’t have considered a scenario where they may have many staff working remotely in isolation for whatever reason and even if they have, they may not have tested it. Some businesses may have many staff working from home and/or remotely and so such a situation may not be far from the norm, but for centralised businesses with little home and remote working, it is definitely something to think about.

Read more on IT risk management