Coronavirus, beware of online scams: ESET warns us


The COVID-19 pandemic is an unprecedented global event that is changing our lives and our future. In moments of profound uncertainty like these, it is normal to feel lost, confused and apprehensive, and to live with concern every day.

These are human reactions, driven by a strong emotional component, and entirely understandable. Unfortunately, in this emotional climate scammers rub their hands: this is the moment when people are most vulnerable, perhaps to news and information that offers a little hope or that plays maliciously on a concern, and for this reason they lower their guard.

ESET, which by virtue of its commitment to the fight against cybercrime and fraud has the opportunity to observe and intercept scams on the web at close range, has put together a small collection of cases that give a clear example of the activities criminals are carrying out these days by taking advantage of the climate of apprehension.

Not just fake: news can be dangerous

In a situation of uncertainty like the one we are experiencing, it is normal to have a "thirst for news", perhaps in search of positivity, hope and comfort, or simply to understand more deeply a situation that until recently we could not have imagined.

ESET highlights how the World Health Organization, the main source of reliable information on the pandemic, is among the authorities most often dragged, despite itself, into the ongoing scam campaigns. One case that deserves attention is where scammers pretend to offer information on the situation with the aim of inducing potential victims to click on dangerous links, which can install malware, steal personal information or try to capture the user's login and password.


WHO itself, aware of the situation, has published advice on its website on how to check the reliability of the sender:

"Make sure the sender has an email address like '[email protected]'. If there is anything other than 'who.int' after the '@' symbol, this sender is not from the WHO. For example, WHO does not send email from addresses ending in '@who.com', '@who.org' or '@who-safety.org'."

Another tip is to check the URL of any links in the emails and verify that they point to https://www.who.int/ and that no other domain is used. If you open an email on your smartphone and cannot safely verify the URL of a link, it is always advisable to avoid clicking. Remember a simple principle: "When in doubt, avoid".
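The two checks described above (sender domain and link destination) can also be automated. The following is an added example, not code from WHO or ESET; the sample addresses and messages are constructed, and accepting subdomains of who.int for links is an assumption.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "who.int"  # the only domain the WHO advice accepts
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sender_is_who(from_header: str) -> bool:
    """True only if the text after the last '@' in the address is exactly who.int."""
    # parseaddr separates the display name (freely forgeable) from the address.
    _display_name, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    return bool(local) and at == "@" and domain.lower().rstrip(".") == TRUSTED_DOMAIN


def link_points_to_who(url: str) -> bool:
    """True only for https links whose host is who.int or a subdomain (assumption)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # .hostname ignores any "user@" prefix, so "who.int@other.host" is not trusted.
    host = (parts.hostname or "").lower().rstrip(".")
    on_who = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    return parts.scheme == "https" and on_who


def review_message(from_header: str, body: str) -> dict:
    """Apply both checks to one message and list the links that fail."""
    links = URL_RE.findall(body)
    return {
        "sender_ok": sender_is_who(from_header),
        "suspicious_links": [u for u in links if not link_points_to_who(u)],
    }


# Constructed sample message: forged display name, lookalike sender and link.
SAMPLE_FROM = "World Health Organization <info@who-safety.org>"
SAMPLE_BODY = (
    "Latest figures: https://www.who.int/emergencies\n"
    "Support the fund: https://www.who.int.example.net/donate\n"
)

if __name__ == "__main__":
    print(review_message(SAMPLE_FROM, SAMPLE_BODY))
```
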

More generally, it is important to stress that WHO has not started sending e-mails to people who are not subscribers to a service. If you want clear and reliable information, the advice is to visit the WHO website directly, or that of the national health institutions. In Italy the reference point is the Istituto Superiore di Sanità. Always be suspicious of links in unsolicited emails, or in emails that are not part of a newsletter you have subscribed to.

ESET then cites another example, which falls into the category of phishing, where a website mimics the Wall Street Journal and reports completely unreliable news about the COVID-19 pandemic. The URL of this site begins with "worldstreet" and the logo bears the same wording, while imitating the WSJ brand in an attempt to deceive the visitor. In this case the attackers are not collecting the user's personal data, but they still manage to make a profit from the advertising on the site.

Leverage sensitivity and compassion

The exploitation of "emotional switches" is the cornerstone of social engineering, which is in turn the engine that drives scams, both computer-based and not (read more on the topic: The scam runs on the online account, here's how). One type of scam that takes advantage of emotional switches is the one that asks us to help finance the distribution of a vaccine for children in China. Today there is no vaccine for COVID-19 and availability is not expected at least until next year.


In the example cited by ESET, the attacker reused an existing infrastructure and campaign process with COVID-19 content. People who receive the Coronavirus-themed emails are asked to send Bitcoins to the attackers' accounts. Although this technique works on only a few users, when it is carried out on a global scale it can be financially interesting for criminals. Here too, a piece of advice: if you want to support a cause, do it on your own initiative, through reliable and verified organizations and bodies. It may be unpleasant, but be wary of requests for help, and always try to verify the reliability of the request.

Exploiting the state of necessity

A final example cited by ESET concerns a fraud in which scammers send spam e-mails promising the potential victim the chance to order face masks to limit the risk of contagion. Obviously it is all false, and the only purpose is to collect personal information such as addresses and credit card numbers.

Google Trends indicates that search volumes for terms such as "masks" and "hand sanitizer" are reaching unprecedented heights: a symptom of the extreme public interest generated by fear and concern. These too are very powerful emotional levers in the hands of the bad guys, who exploit them to their advantage.

Today the demand for face masks is very high: if you are in a particular situation that requires their use (and in this regard we advise you to read the WHO guidelines on masks), the advice is to turn only to trusted dealers, whether that is your trusted pharmacist or the big e-commerce sites.


The defense strategy: "trust no one"

The cases described by ESET are just some examples of the methods cybercriminals are using at this particular moment, taking advantage of the emotion and vulnerability that are intrinsic to every serious emergency. It is important not to let your guard down and to follow the "trust no one" principle (even if we are currently experiencing a collective need to lean on someone or something). The examples cited matter more for the principles that lie beneath them than for the cases themselves: by abstracting the principle of operation, we can become aware of what to expect, perhaps even in forms other than the examples presented.

ESET draws up a short handbook of rules to keep in mind to reduce the risk of falling into unpleasant situations:

  • Avoid clicking on links or downloading attachments in unsolicited emails, whether from unknown or even reliable sources, unless you are sure that the message is authentic.
  • Ignore communications that ask for personal information. If necessary, check the content of the message with the apparent sender or with the organization it represents, using a channel other than the message you received.
  • Be wary of emails that heighten the sense of alarm and urge you to act immediately, or that offer vaccines or COVID-19 treatments.
  • Use reliable, multi-layered security software that includes protection against phishing.
