Howard Solomon @howarditwc
Published: March 25th, 2020
IT World Canada
Canada and the U.S. are working with security companies and Internet providers to stop fraudsters from taking advantage of COVID-19 fears. The head of the Canadian Centre for Cyber Security says it is working to take down fake coronavirus sites. And over the weekend the U.S. Justice Department got an order closing a website selling what it claimed was a virus vaccine. Social media sites like Twitter and Facebook are also trying to take down fake posts. Still, criminals keep finding new ways to exploit people’s worries. One way is by sending phishing emails with malicious links that claim to offer information or products related to COVID-19. Security vendor Kaspersky has found attackers using another trick: They infect a smartphone with something unrelated to the virus, probably through a link. But this malware triggers a process that makes a web page pop up claiming to be a Coronavirus Finder. For a small fee payable by credit card it will show people near you who are infected with the virus. Of course, the scam is to get your credit card number.
A commentary yesterday by a researcher at a security firm called Sophos paints a picture of how criminals work. Their email spam campaigns will shift when a new or sensational topic is popular. So, early in the year one group was trying to lure people with emails whose subject lines were about fake shipping and delivery notices. When COVID-19 came on the scene, the topic of the email switched to “health advice.” But the text of the message itself is still about invoices and deliveries, with the same infected attachment. Even the most innocuous mention of something by a politician or a celebrity about coronavirus can be used in a new email campaign to try to sell you something. So, be suspicious of any text or email messages about COVID-19 with attachments or links.
I report on a lot of organizations that suffer data breaches. But sometimes a company that an organization partners with — a supplier — is the way its data gets hacked. For example, a few years ago the Target retail chain was hacked through the computer network of the company that looked after its heating and air conditioning systems. The latest example is General Electric, a huge international company that makes and finances airliner engines, medical imaging systems and more. GE wasn’t hacked. Instead it was Canon Business Process Services, which processes benefits documents of tens of thousands of GE employees. According to a notice filed in California, early last month an email account at Canon was compromised, letting the attacker copy documents that had been uploaded by current and former staff. That information included names, driver’s licences, passports, birth certificates, marriage certificates, tax forms, social security numbers, bank account numbers and more. In other words, everything needed to impersonate people. Here’s the lesson: Hackers don’t have to break into databases to access sensitive data. They can get a lot just by reading email. So company managers need to remember that email login security in every organization is vital. As I repeat many times, companies have to add two-factor authentication to as many applications as possible.