The rise of fearware and how to fight back

A new kind of email filtering protects against fraud

Got Tips?

Sponsored We've had malware, ransomware, and spyware. Now, prepare yourself for the latest in a litany of online nasties: fearware. Thanks to the pandemic, cybercriminals are finding new and more sophisticated ways to fleece us – and it's going to take a new approach to pinpoint, stop, catch and fight back against those attacks.

Hackers have always played on people's emotions, because they're easy for others to manipulate but difficult for the victims to control. Phishing emails appeal to greed (get-rich-quick scams), pride (fake degrees) and compassion (donation requests for charities that don’t exist). Of all the human emotions, though, fear is the most effective fulcrum of all.

Fear peaks during a crisis, and online ne'er-do-wells never let one of those go to waste. When a disaster occurs, the scam spam soon follows, appealing for donations to help victims or pretending to offer government help in response for some account information.

Hacking people's emotions

Those scams and the digital toxins they bring are the basis for fearware. It's a type of online attack that exploits our need for security and certainty during volatile times. It has been with us for years, but it took a global disaster affecting everyone to give it a real platform. So when the COVID-19 pandemic changed the world for everyone this year, online criminals took fearware to the next level. SARS-CoV2 wasn't the first coronavirus, but it affected people in new and worrying ways. The only clear fact in the early days was that it was hospitalising lots of people and spreading quickly. People were short on information and burdened with anxiety.

Fearware attacks soared quickly, fuelled by an efficient online system geared towards the mechanised registration of new domains at scale. According to zscaler, phishing and malware attacks targeting remote users exploded by 30,000 per cent from just 1,200 in January to 380,000 by April. Those attacks come from over 130,000 suspicious newly registered domains with pandemic-related key words and themes.

Over 10,000 COVID-19 relted domains were generated every day, with 90 per cent of them are malicious or generating sales of fake products. One researcher even created a site that documents new coronavirus-related scams in real time. It shows a digital fearware pandemic unfolding right before your eyes.

An onslaught of malicious domains

AI-powered cybersecurity company Darktrace saw a sharp rise in the proportion of pandemic-related phishing emails. Of the advanced phishing attacks blocked by its AI-powered email security technology in April, 60 per cent were related to COVID-19 or tricked employees by referencing remote working.

Crooks can use services offered by some of the big-name domain registrars, such as NameCheap's 'Beast Mode', which lets people register domains en masse for pennies. The situation has become so bad that governments have stepped in. New York attorney general Letitia James wrote to GoDaddy complaining about cybercriminals "registering a significant number of domain names related to 'coronavirus' in recent weeks and using those domains to conduct phishing campaigns and other attacks". Some enterprising and scruple-free domainers had even registered big-ticket addresses like 'coronavirusgive.com' that were particularly convincing and could generate even more traffic. Available to the highest bidder. Lovely.

Snake oil and certainty

Fake charity drives are a popular way to part people from their money during a disaster. The Department of Homeland Security warned about spammers asking for donations to fraudulent COVID-19-related charities.

Another way to capitalise on disaster is to offer people something to cling to in a time of panic. Some opt for quack cures. In the days following the global lockdown, the US Attorney General filed a civil complaint against a site purporting to offer a vaccine. Crooks can also proffer information. In one case, Brazilian attackers used an infected PowerPoint file offering a list of hotels infected by the virus.

One example of a phishing attack involved emails supposedly from the US Center for Disease Control (CDC) that Darktrace spotted recently. Tailored to the recipient and highly convincing, it contained malware hidden behind text offering the latest health guidance, infection rates and travel guidance.

In another example, by impersonating the US Small Business Administration, one group of crooks in Japan was able to assume an air of authority by attracting phishing victims to a fake SBS site running on a compromised Brazilian server. It then persuaded them to give up their personal information by registering for fake financial relief.

A new kind of email filtering

As these campaigns get more advanced, legacy phishing detection tools struggle to catch them. Traditional tools tend to focus on discrete data points such as the senders' IP address, the URLs in the reply-to field, and the hashes of attached files, checking them against a list of known bad actors. The problem with that is that the scale and sophistication of these mails are growing, which makes it harder to keep up.

The CDC fearware illustrated this problem perfectly. One of the domains used had only been registered two hours before the email arrived, which meant that it wouldn't show up on any blacklists. Consequently, traditional security tools waved it through.

These legacy tools examine emails in isolation rather than exploring the relationships between them. That makes it difficult to identify novel attacks over time or to re-examine previously accepted emails in the light of new evidence.

Darktrace's Antigena Email uses machine learning to go beyond matching an email's characteristics against a known set of malicious ones. Instead, it examines the entire corpus of email spanning the whole organisation to learn what constitutes a normal pattern. Then, it watches for anything deviating from those patterns.

This enables the system to examine those data points in more context, drawing more inferences about them. It can map those against prior activity, asking questions such as whether a user had just visited a sender's domain before the email arrived (which could indicate that they'd requested the email as part of a subscription). It can examine any prior relationships between the recipient and the sender, along with any anomalies in the content, and even look at the time the email was sent to spot variations in known patterns.

Taken in context, these factors can help spot not only emails with obvious known bad IPs or file hashes, but also more subtle attacks such as business email compromise supposedly sent from real business contacts. That's important during a time of upheaval when criminals could use changes in companies' working and communication patterns to conduct fraud.

In the case of the fake CDC mail, Darktrace checked the email domain against not just the organisation's email history but against all network activity. It noticed that the email's sender had no prior history with the recipient company, and the email address had never even been seen in the body of another mail. It also noticed that no one in the organisation had ever visited the link in the email before.

A more advanced approach to phishing and fraudulent email detection will become important as attackers continue to innovate and capitalise on COVID-19.

Preparing for a fraud-filled future

This AI-powered approach to email security is crucial for fraud detection because, just like SARS-CoV 2, there's no sign that the threats will die out. The virus will be with us forever as will the new working conditions it has created.

That's why fearware exploiting the rush to work from home will become a perennial blot on our landscape. Cybercriminals are already using online presentation sites like Canva and Sway as attack vectors in phishing campaigns, driven by the increased usage of such sites during the pandemic. Others have focused on sending offers for fake versions of legitimate VPN software that can infect the machines of users working from home and harvest valuable enterprise data.

People working from home are often heavy mobile users, and these platforms are fruitful ground for phishing attacks. Mobile devices' small screens and touch interfaces often encourage people to flick through emails and process them quickly, making malicious ones harder to spot. Attackers have used this fact to send phishing emails encouraging people to install damaging apps on their phones, such as fake contact tracing applications and even apps supposedly providing access to coronavirus masks.

The economic uncertainty that came with the pandemic will also be here for a while, which is why we're seeing other fearware campaigns offering financial help. These fearware attacks hits all the necessary emotional buttons. People are in dire economic need, which makes them more willing to believe a phishing email offering them money.

The physical measures we take against the coronavirus – social distancing, masks, and home working – aren't the only ways we should be defending ourselves. It will take a break with old cybersecurity models and an investment in new technologies to inoculate us against a pernicious new breed of online pathogens.

Sponsored by Darktrace

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020