Where the virus spread, cybercriminals followed

Abstract pathogen coronavirus

Cybercrooks “never waste a good crisis”, said Keren Elazari, cybersecurity analyst, author, and researcher, at Akamai’s Edge Live Virtual Summit for the EMEA region yesterday (July 1).

“They’re always moving, changing their game, coming up with new creative ways to make money,” she added, as she outlined the various fiendish ways cybercriminals have exploited the public’s fears and anxieties during the Covid-19 pandemic.

“They noticed that governments were offering financial payout to people whose livelihoods were affected by the crisis,” explained Elazari, who is also founder of BSidesTLV and Leading Cyber Ladies.

“They started using keywords like ‘wire beneficiary’, ‘cash payout’, ‘grant application’, ‘fund request’, or ‘medical leave’.”

Highlighting criminals’ ongoing quest to exploit public fears in order to fatten their wallets, Elazari cited a scheme directed against UK citizens that spoofed a “small business grant fund with a cash payout” that included an expiration date on the link – a classic “ticking clock tactic”.

As the Covid-19 crisis unfolded, attackers paid close attention to the news. According to Elazari, they initially targeted “mostly people in Europe, the UK and the United States”, but as the virus spread to other parts of the world, “so did the criminals”.

Upping the ante

Already growing before the crisis, the attack surface ballooned during the first half of 2020, as locked-down citizens worked from home and flocked to online platforms to shop, continue their studies, or speak to family and friends.

“More people doing things online means more opportunities for bad guys,” said Elazari, a regular TED Talk speaker.

RECOMMENDED Coronavirus: How to work from home securely during a period of isolation

Interestingly, while malicious hackers have upped the ante against business and government assets, their white hat counterparts have also stepped up to defend.

“In March, at the height of the pandemic, [bug bounty platform] Bugcrowd saw its highest volume of [vulnerability] reports ever,” she explained. “Hackers are paying attention. They know companies need the help and they're putting in the time to do that.”

Elazari also praised the work undertaken by “the CTI League, the COVID-19 cyber threat intelligence league, a group of volunteers from more than 40 countries.

“In the past three months, they have taken down thousands of criminal assets and helped to protect healthcare organizations all over the world.”

‘Extraordinarily large DDoS attack’

In his keynote address yesterday, Dr Tom Leighton, Akamai’s CEO and co-founder, considered the global pandemic’s impact on attack models and trends, based on data generated by the security company’s threat monitoring tools.

Several months after the WHO declared Covid-19 a pandemic, “attack rates continue to be very high,” he said, with attackers “trying to take advantage of the new situation”.

Red triangles pointing like daggers at a red shield shape, on black backgroundAkamai recorded a record DDoS attack in June

Akamai had encountered “an extraordinarily large and sophisticated DDoS attack” in the first week in June.

Clocking 1.44 terabits-per-second and 385 million packets per second, it was the largest such attack ever recorded on Prolexic Routed, Akamai’s DDoS mitigation platform. Nine different attack vectors were identified.

Thankfully, “the customer was able to maintain operations” since Prolexic “automatically and instantly mitigate the vast majority of the attack”, with the rest handled by “experts in the optimized security operations center”.

But this record was eclipsed again just a couple of weeks later, when Akamai recorded a DDoS assault against a European bank that generated 809 million packets per second.

READ MORE OWASP Chapters All Day conference reunites security community in wake of Covid-19

“Attacks are growing in frequency and scale,” said Dr Leighton, noting a 40% year-on-year rise in volume, as well as “getting more complex.

“Every day we’re seeing some attacks that have hundreds of gigabits per second, and tens of millions of packets per second.”

Dr Leighton also reflected on “a huge increase in credential abuse attempts, year over year, nearly doubling”.

‘Chilling moment’

In a talk focused on credential stuffing attacks, Troy Hunt, founder of the ‘Have I Been Pwned’ data breach database, told the Akamai Edge event audience that he was particularly interested in how these breaches are represented in the media, because “that is the lens by which the public view the organization”.

Hunt, also regional director at Microsoft, recounted a recent report of how a “couple described the chilling moment that a hacker started talking to them through a Google Nest camera”.

This was one of countless examples where individuals or organizations were breached based on “compromised passwords, expose through breaches on other websites.

“And this is the pattern that we see over and over again.”

So how do we solve the problem? CAPTCHAs are “painful” to use and a “high friction” anti-automation method.

“Two-factor authentication works fantastically” but “try setting up 2FA for a nontechnical friend or relative” and it becomes clear why adoption rates are so low, he says.

There are YouTube videos showing “ways to easily mount credential stuffing texts for free”, he says, which illustrates the central, still unresolved challenge for the infosec industry: “The complexity of defending against credential stuffing attacks is incommensurate with the ease of mounting them.”

The Akamai Edge virtual conference has finished, but the sessions can still be viewed online.

YOU MIGHT ALSO LIKE Cloud-based cyber-attacks flaring up during coronavirus pandemic