Watch out: Pandemic gives cybercriminals avenues for attacks


The COVID-19 pandemic is the latest opportunity for threat actors and cybercriminals to prey upon the concerns of a worried nation. Some have even gone so far as falsely representing the World Health Organization, the United Nations’ agency responsible for international public health. Jason Cuneo, chief technologist for the Auburn Cyber Research Center and an adjunct lecturer in the Samuel Ginn College of Engineering’s Department of Computer Science and Software Engineering, offers his thoughts on cyber threats during the pandemic.

What would you advise people do to avoid being a victim of:

  • False promises of health tips, protective diets and sometimes cures? How are we to know what’s legit and what isn’t?

The best thing we can all do to avoid computer fraud is to confirm that communications we receive are coming from legitimate sources. As a rule of thumb, if you receive ANY internet communication seeking personal information, login credentials or attempts to confirm account ownership, it is safe to assume these are nefarious requests. As an example, Congress just recently passed the CARES Act into law which allocates funds for a majority of Americans in response to COVID-19 and, as a result, we expect to see a significant increase in communications attempting to defraud Americans of those funds.

  • Zoombombing?

For those using Zoom as a communication tool, you are probably aware of attacks which allowed malicious actors to manipulate both the Zoom application and web interface which resulted in unauthorized session access and access to web cameras. Since the initial security notifications were made public, there have been numerous security upgrades over the last few weeks and updates, such as enabling passwords for every session and giving meeting organizers improved access control through the use of waiting rooms, that have significantly reduced Zoombombing concerns. For those interested in securing future Zoom sessions, the Department of Homeland Security has released the following advisory on best security practices when configuring and using Zoom.

Is there a general rule of thumb for the average American to follow to avoid falling victim to cybercriminals whether in a pandemic or not?

The internet is a wonderful resource for communication, learning and commerce, but also provides a great opportunity for attackers and cybercriminals to take advantage of legitimate users. I personally use a number of resources to keep up-to-date on security issues and would recommend a few as a starting point to help protect your activities online. The first is the National Cyber Awareness System provided by DHS, which provides updates to subscribers on security-related issues and recommendations on how to avoid becoming a victim of computer fraud.

In addition, Krebs on Security is a fantastic security blog started by reporter Brian Krebs and provides a great resource to understand how criminals are using computing resources to defraud Internet users and actions that we can all take to protect ourselves online.

How do we know if there have been more cyberattacks so far this year because of the COVID-19 pandemic?

I think COVID-19-specific cyberattacks have materialized through a significant increase in COVID-related domain registrations, email spam messages and “helpful” COVID phone apps.

You mentioned how Americans can be targeted, but there are reports of attacks on WHO, other health care institutions and research facilities. Are these criminals trying to disrupt their progress in fighting the virus or trying to gain something for themselves?

The answer depends on who the threat actor is. From a national state perspective, attacking those organizations can provide numerous benefits, including spreading misinformation, causing political unrest and gaining cyber advantages over contending nations. From a cybercrime standpoint, attacks against those organizations could result in exfiltration of sensitive data that could be used to extort those organizations if that data proves embarrassing relative to their COVID-19 response.
