As in-house counsel, compliance, and security teams worldwide are adjusting to life amid the global pandemic, so too are criminal and nation-state cyber actors. These actors are now leveraging the pandemic, public fear, and an expanded remote-work attack surface to conduct hacking campaigns. The Department of Justice, FBI, and other law enforcement organizations have prioritized the detection, investigation, and prosecution of criminal conduct seeking to exploit the pandemic. As noted in a joint statement this week from the Secret Service and FBI, “the more catastrophic the event, the more active the fraudsters.” Resource pages developed by the FBI and DOJ are being frequently updated with information and alerts for the private sector and public about evolving schemes and enforcement. Companies can leverage these resources as they adapt to the new environment and educate their workforce. 

To further explore these new challenges, the Aspen Institute recently hosted a discussion with Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, Marc Rogers, Executive Director of Cybersecurity at Okta, and John Carlin, chair of the Aspen Cybersecurity Program and chair of Morrison & Foerster's Global Risk and Crisis Management Group. During the seminar, Marc Rogers elaborated on the new Cyber Threat Intelligence (CTI) League, which has amassed a volunteer force of thousands of security experts combatting COVID-19 related crime and fraud. In just a matter of weeks, the CTI League has taken down thousands of malicious domains impersonating entities such as the Centers for Disease Control and financial institutions and has reported over two thousand vulnerabilities—using open source intelligence tools—to high-risk organizations, such as hospitals and health care systems.  

Below is an overview of priority attack vectors and guidance that every company can build from in light of the pandemic threat and risk environment. 

Business email compromise  

Business email compromise schemes are scams that rely on social engineering tactics to trick unsuspecting employees into executing fraudulent business payments, often by compromising the account of, and impersonating, another company official or a trusted customer or vendor. As reported by the Secret Service and FBI, thieves have recently posed as national and global health authorities, including the CDC and WHO, to conduct phishing campaigns. In one recent COVID-19 related example of such a compromise, an organization received an email from a sender whose address appeared almost identical to the CEO's actual address. The message asked to move up a $1 million transfer—one that was actually scheduled—citing urgency “due to the Coronavirus outbreak and quarantine processes and precautions.” Other examples recently highlighted by the FBI concern fraudulent medical equipment purchasing schemes.

Guidance:  Even when business email compromise schemes initially succeed, if a corporate victim can identify the fraudulent payment quickly enough, law enforcement may be able to assist in intercepting and reversing fraudulent money transfers.  The FBI has effectively handled thousands of such incidents through the Financial Fraud Kill Chain (FFKC) process.  Companies can request assistance to intercept fraudulent wire transfers via the FFKC process by providing details via the Internet Crime Complaint Center (IC3) about the incident, originating bank, beneficiary, and other financial transaction information.  The FBI reports that daily complaints to the IC3 website have increased three to four times in recent weeks.  

Other best practices suggested by the FBI include well-trodden mitigation measures that are nevertheless worth highlighting:

  • Watch for red flags in email content, such as unexplained urgency, last-minute changes in wire instructions or recipient account information, and departures from established communication channels;
  • Verify changes and representations involving goods, buyers, or other internal matters with a trusted contact or system of record before acting on suspicious messages; and
  • Watch for slight misspellings of domain names in the sender address or in links within email messages. Spoofed domains such as “corona-virus-business-update,” “covid19-advisory,” and “cov19esupport” have recently been observed and highlighted by the U.S. Department of Homeland Security.
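The third red flag above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not code from the original alert, the FBI or DHS: it parses the From: header, decodes punycode (xn--) labels, folds common character substitutions (digits for letters, "rn" for "m", Cyrillic letters that render like Latin ones), and compares the sender domain against a constructed list of trusted domains, flagging near matches, a trusted name buried in a longer hostname, and a trusted address shown only in the display name. The trusted-domain list, the confusable table and the sample headers are assumptions for illustration. It complements rather than replaces SPF/DKIM/DMARC enforcement: an exact spoof of a trusted domain that the gateway does not authenticate will be reported here as "trusted".

```python
"""Flag lookalike sender domains in email From: headers.

Added example for the lookalike-domain red flag; not code from the original
alert, the FBI or DHS. The trusted-domain list, the confusable table and the
sample headers are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: the organisation's own domain and trusted counterparties.
TRUSTED_DOMAINS = {"example.com", "acme-bank.com"}

# Substitutions attackers use to imitate a domain. Two-character keys come
# first so "rn" collapses to "m" before single characters are mapped; the
# \u04xx entries are Cyrillic letters that render like Latin ones.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0445", "x"), ("\u0443", "y"), ("\u0456", "i"),
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    Punycode (xn--) labels are decoded so homograph IDNs can be compared
    against their Latin look-alikes. Returns "" if no address is present.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if "xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass  # leave an undecodable label as-is; it will end up "unknown"
    return domain


def normalize(domain: str) -> str:
    """Fold diacritics and confusable characters so lookalikes compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower()
    d = "".join(c for c in unicodedata.normalize("NFD", d)
                if not unicodedata.combining(c))
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, trusted=frozenset(TRUSTED_DOMAINS), max_distance: int = 2):
    """Classify a From: header as trusted, lookalike, unknown or invalid.

    Returns (verdict, trusted domain it matches or resembles, or None).
    """
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "invalid", None
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    # Display-name spoof: a trusted address shown as the name, real address elsewhere.
    if "@" in display:
        shown = display.rsplit("@", 1)[1].strip().lower()
        if shown in trusted:
            return "lookalike", shown
    norm = normalize(domain)
    for t in sorted(trusted):
        if norm == t or norm.startswith(t + "."):
            return "lookalike", t  # exarnple.com, example.com.secure-login.net
        if edit_distance(norm, t) <= max_distance:
            return "lookalike", t  # example.co, exampel.com
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample headers: legitimate, digit-for-letter swap, Cyrillic "a",
    # trusted domain buried in a longer hostname, display-name spoof, unrelated.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        "Jane Doe <jane.doe@ex\u0430mple.com>",
        "IT Support <it@example.com.secure-login.net>",
        '"jane.doe@example.com" <billing@totally-unrelated.net>',
        "Vendor <vendor@supplier.org>",
    ]
    for header in samples:
        verdict, resembles = classify(header)
        print(f"{verdict:9s} {resembles or '-':14s} {header}")
```

A distance threshold of 2 catches single typos and transpositions against domains of typical length; for very short trusted domains it should be lowered to 1 to avoid flagging unrelated names. Messages classed "lookalike" are candidates for quarantine or a banner, and "unknown" senders requesting payment changes should still be verified out of band per the guidance above.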

Malicious apps 

With global workforces now largely remote, employees increasingly move between personal and corporate-managed devices. Malicious actors have responded by flooding app stores with fraudulent mobile applications. One malicious Android app, identified in a joint report of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC), purports to provide a real-time coronavirus tracker. Upon installation, however, the app requests administrator access to the user's device and, if granted, installs the “CovidLock” ransomware.

Guidance: The CISA and NCSC joint alert also lists COVID-19 related malware indicators of compromise (IOCs), which security response teams may wish to review and load into their detection tooling.

Videoconference bombing  

As social distancing, shelter-in-place, and stay-at-home orders rolled out around the world in the past several weeks, many businesses and families turned to video conferencing to continue operations. This has led to an explosion of so-called videoconference “bombing,” or the practice of malicious uninvited users joining videoconferences and disrupting them with pornographic, hateful, or threatening images and content. In response, one U.S. Attorney cautioned, “If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking on your door.”  

Guidance: DOJ suggests the following practical mitigation steps:

  • Make meetings private leveraging passwords or waiting room features;
  • Do not share meeting links on publicly available websites or social media networks;
  • Change screen-sharing options to “host only”; and
  • Make sure to update to the latest version of teleconference software. 

Scams and fraud targeting individuals

Organizations may wish to educate and empower their remote workforce to be on alert for attacks against individuals, in addition to organizational threat vectors. The FBI warns of social media messages, emails, and phone calls that seek to scam people for money, or to phish account access, under the guise of purported COVID-19 testing, financial relief efforts, or medical equipment. Scammers are looking to take advantage of false promises of treatments or cures—either to extract personal information, swindle money, or commit investment fraud. For instance, in recent days the Department of Justice filed its first COVID-19 related enforcement action: a complaint against the operators of a website called “coronavirusmedicalkit.com” which claimed to offer a cure for COVID-19.

Guidance: Officials urge individuals to maintain vigilance and carefully vet offers of financial relief. The U.S. Attorney for the Eastern District of Virginia cautioned, “We are likely to see an uptick in government check scams tied to coronavirus-relief, including advanced-fee schemes promising government relief checks, student loan relief, and adjustments in other government benefits, such as increased social security payments. Remember, if it sounds too good to be true, it probably is.”

Law enforcement officials have signaled that they will be especially sensitive to victim needs in the context of COVID-19 related incidents—and companies should strongly consider whether notifying law enforcement regarding an incident may offer an opportunity to recover dissipated funds, put a stop to infringing activity, or otherwise assist in remediation. Of course, as we have written before, the decision whether to coordinate with a law enforcement agency on a response to a data security incident brings with it a number of potential benefits that must be balanced against potential risks. 

MoFo's Global Risk and Crisis Management and Privacy and Data Security teams—comprised of several former Department of Justice, FBI, and other law enforcement officials—are helping clients across industries coordinate responses to data security incidents in this rapidly changing environment, including advising them on whether and how to approach law enforcement.   

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved