The Great COVID-19 Phish


It’s a busy time. If you are a medic, a carer, a first responder or a key worker, you’re busy. But if you are a scam artist, would-be cyber-criminal or phisher-man, you’ll be even busier.

This type of opportunity doesn’t come around very often. The COVID-19 health crisis, along with the crazy conspiracy theories that accompany it, is fertile ground for phishing and scams. Consider this:

At some point, the flat-earthers will find some way to leverage this crisis by claiming that Coronavirus was caused by the theory of Atlantis or Ancient Aliens.

It’s worth looking at the latest wave of scams and phishing alerts that have turned up over the last couple of weeks.

Fakers Target TikTok

So the headline of this piece from HackRead reads like there is a major vulnerability in the TikTok application, but like all these types of scaremongering articles that feed the FUD, this one is over-egging itself. Fortunately, HackRead has included a link to the original source.

That is the blog post of the researchers who found this trick, and a trick is really what it is: a weakness, not a glaring CVSS 10 vulnerability.

So, the weakness the researchers found is that TikTok uses plain old HTTP to download its content from its CDN. HTTPS (with proper certificate validation) should be the default here, because it would prevent exactly this type of attack: a man-in-the-middle against the app’s content fetches. There is no vulnerability in the application code itself, just a weakness in the way it addresses and downloads its content.

The attack the researchers describe is trivial when you control all the infrastructure, and quite practical given some time and a suitable target location, such as a public Wi-Fi hotspot. An attacker on the same network segment can ARP-poison the gateway to get on-path with very little effort, and from there is free to substitute videos, provided they have replacement videos ready to serve from somewhere else. Note the preconditions, though: the attacker has to be on-path, and the content really has to be fetched in cleartext.
</gre_replace>
<gr_insert after="21" cat="add_content" lang="python" orig="The attack this group">
To make the weakness concrete, here is an added example (my own code, not TikTok’s and not from the researchers’ post) that stages the substitution on localhost: a stand-in “CDN” serves a fake video over plain HTTP, a stand-in on-path “attacker” relays the request and swaps the body on the way back, and the client, having no transport integrity to check, accepts the swapped bytes. The server ports, the video bytes and the `is_cleartext_fetch` helper are all assumptions made for the demo; ARP poisoning itself is not performed, the client is simply pointed at the attacker’s port, which is the net effect of poisoning the gateway entry.

```python
"""Added example (not TikTok's code, not from the researchers' post): a local
re-enactment of an on-path substitution of a cleartext CDN fetch.
Everything listens on 127.0.0.1 on ephemeral ports, so it runs offline."""
import http.server
import threading
import urllib.parse
import urllib.request

# Constructed stand-ins for a CDN object and the attacker's replacement.
ORIGINAL_VIDEO = b"GENUINE-VIDEO-BYTES"
INJECTED_VIDEO = b"ATTACKER-VIDEO-BYTES"

# Ignore any http_proxy/https_proxy in the environment so localhost is hit directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class QuietHandler(http.server.BaseHTTPRequestHandler):
    """Base handler that suppresses per-request logging and can send a body."""

    def log_message(self, fmt, *args):
        pass

    def reply(self, body, ctype="video/mp4"):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class CdnHandler(QuietHandler):
    """The legitimate origin: returns the genuine bytes for any path."""

    def do_GET(self):
        self.reply(ORIGINAL_VIDEO)


def make_mitm_handler(upstream_port):
    """Build a handler that relays to the real CDN and rewrites video bodies."""

    class MitmHandler(QuietHandler):
        def do_GET(self):
            upstream = f"http://127.0.0.1:{upstream_port}{self.path}"
            with _OPENER.open(upstream, timeout=5) as resp:
                body = resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
            # Plain HTTP gives the client no way to notice this substitution.
            if ctype.startswith("video/"):
                body = INJECTED_VIDEO
            self.reply(body, ctype)

    return MitmHandler


def start_server(handler):
    """Serve `handler` on an ephemeral localhost port in a daemon thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(url):
    """What the app does: fetch the content URL and trust whatever comes back."""
    with _OPENER.open(url, timeout=5) as resp:
        return resp.read()


def is_cleartext_fetch(url):
    """The audit check a client-side reviewer wants: is this content URL plain HTTP?"""
    return urllib.parse.urlsplit(url).scheme == "http"


def run_demo():
    """Fetch the 'video' directly and through the attacker; return both bodies."""
    cdn, cdn_port = start_server(CdnHandler)
    mitm, mitm_port = start_server(make_mitm_handler(cdn_port))
    try:
        direct = fetch(f"http://127.0.0.1:{cdn_port}/video.mp4")
        via_attacker = fetch(f"http://127.0.0.1:{mitm_port}/video.mp4")
    finally:
        for srv in (mitm, cdn):
            srv.shutdown()
            srv.server_close()
    return direct, via_attacker


if __name__ == "__main__":
    genuine, tampered = run_demo()
    print("direct:      ", genuine)
    print("via attacker:", tampered)
```

The point of the demo is that the relay changes nothing the client can see: same status, same content type, a matching Content-Length. With certificate-validated HTTPS the attacker in the middle cannot produce a response the client trusts; on Android the belt-and-braces version is a network security config with `cleartextTrafficPermitted="false"`, which makes the platform refuse the plain-HTTP fetch outright rather than relying on every URL being built with the right scheme.
<test>
direct, tampered = run_demo()
assert direct == ORIGINAL_VIDEO == b"GENUINE-VIDEO-BYTES"
assert tampered == INJECTED_VIDEO == b"ATTACKER-VIDEO-BYTES"
assert is_cleartext_fetch("http://v.example/video.mp4") is True
assert is_cleartext_fetch("https://v.example/video.mp4") is False
</test>
</gr_insert>
<gr_replace lines="23" cat="clarify" orig="The trouble is,">
The trouble is, HackRead tags this with the COVID-19 label, and it has nothing to do with the subject whatsoever.

The trouble is, HackRead tags this with the COVID-19 label and it has nothing at all to do with this subject what-so-ever.

Let’s keep digging and see what other FUD we can detect.

Fake Coronavirus mobile apps

HackRead again pops up with this cutie. They latch on to a threat intel report from Trend Micro about a potential new threat vector in the Middle East. This appears to be a weak attempt to leverage Coronavirus to install a piece of mobile spyware. It abuses the notifications API and uploads what it harvests to some hidden server.

It all reads quite nasty, but the truth is this vector is fairly weak. The threat is in its incubation phase and is being run by an actor that probably doesn’t understand what they are getting into. The code is poor quality and the delivery vector is probably a weak, obscure third-party app store. iOS vectors like this are difficult, so anyone using a back-alley app store on an Apple device has probably already jailbroken it. That’s asking for trouble.

There’s a Theme

It’s true that FUD will drive us to do the strangest things, including tracking all the COVID-19-related FUD circling the drain of the internet. That’s just what the cyber-crims want us to do, and it has the threat intel “good guys” rubbing their hands with glee.

There’s TA505 using COVID-19 lures to deliver the SDBbot RAT and, ultimately, Locky and Dridex, as highlighted by IBM.

Cisco’s Talos group rock up with PoetRAT, a SCADA-targeting remote access trojan doing the rounds in Azerbaijan, which uses COVID-19 rhetoric in Word documents as its lure.

Microsoft is doing the sharing this time, with a nice report about Trickbot spreading itself around like the proverbial Coronavirus, using Coronavirus-themed fake documents.

They are not the only ones. Trend Micro gets in on the act with data on the Gamaredon APT and the COVID-19-flavoured phish they use to hook their victims.

Kick ’em when they’re down

So, as Trump continues with his petulance in his daily White House meltdown, Mike Pompeo sneaks out a weak statement about cyber attacks on Czech hospitals. What the statement really says is:

too bad about those Czech hospitals, but I’ll be quite unhappy if anyone were to think about attacking our American hospitals.


It’s quite an interesting statement. It reminds other states that the U.S. promotes a framework of responsible behaviour in cyberspace, including non-binding norms, but cautions that when states do not abide by those non-binding norms, they will be “held accountable”.

On the surface, it reads like brave America protecting the world again, but really the U.S. is trying to throw its weight behind non-binding norms. If the norms are non-binding, who is going to be bound by them? And if this is America’s framework, it appears they believe everyone must adopt it whether they want to or not.

If America really wanted to help, it would do the decent thing and release whatever threat intelligence it holds on the Czech hospital attacks.

STAND-UP, Google! Time for your pat on the back

Finally, Google boasts about its awesome spam filter blocking 240 million COVID-19-related spam messages a day. This is another attempt to feed us spam about the great machine-learning monster in Google’s data centres.

So long, Google, thanks for all the memories.