Extenuating circumstances – a hacker’s paradise?

20th April 2020

Stuart Reed
VP Cyber

It’ll come as no surprise to you if I say that we’re currently in an unusual situation. COVID-19 has dramatically changed many of our lives beyond all recognition and as we find ourselves working from home, balancing child care and work-life, it isn’t a stretch of the imagination to wonder what cyber attacks we’re now open to, as a result of these new circumstances.

We’ve heard the phrases ‘untested ground’ and ‘uncharted waters’, but is that really the situation we face in cyber?

I actually want to argue the opposite: the threats we’re seeing aren’t fundamentally different at all. In fact, they’re exactly the same threats we faced pre-COVID-19; the only difference is the new narrative they exploit.

Let’s have a look at the COVID-19 related cyber threats:

Phishing
Reports have shown that phishing emails have increased more than 600% since the end of February and many of these are COVID-19 related. They aim to capitalize on the thirst for information around COVID-19 and dupe recipients into clicking links or opening attachments that they may otherwise have recognised as unsolicited and potentially malicious.

It is absolutely true that you should be wary of COVID-related emails and, at a time when we’re all receiving both legitimate and illegitimate emails around the issue, these scams are sometimes harder to spot. But, while phishing may have increased and COVID-related scams have skyrocketed in number, the threat itself remains the same, as does the protection required. So, be extra cautious. Double-check who the sender is, reach out to them independently, and check links to ensure you’re going to the URL you expect.

Malware distribution

The next logical step from phishing is malware distribution: COVID-related phishing emails are often the vector that delivers it. Once the malicious actor has a foothold, this can lead to data theft or ransomware, for example.

For the user, the key is to recognise the phishing attack and stop it from ever launching the malware; for organizations, network detection and response is often relied upon to defend against malware. By monitoring the network and detecting malicious behaviour, fast remediation such as blocking can take place and the risk and impact of the attack can be mitigated. What’s more, with threat forensics, the security team can trace the malware back to its origin and identify where else it may have launched on the network.

The point stands true here though; malware distribution is largely the same as it’s ever been and the defence remains effective.

Dodgy domains

As a domain registry, Nominet has already done extensive work in removing potentially malicious COVID-related domains. You can read more about the more than 180 domains we’ve taken down in Eleanor Bradley’s blog. Not all of these will have been malicious, but it’s certainly worth checking, to avoid web users ending up on a malicious site that appears to be dispensing information or support around COVID but is in fact a lure set up by cyber criminals.

You may also have seen Ellie on our ZeroDaysLive show recently, where she made a similar point: these malicious domains aren’t anything new in terms of the attack method. Yes, COVID-related domains are relatively new, but using something topical to set up a malicious domain isn’t new at all. Nominet has been responsible for taking down not only COVID-related domains, but many others that have traded on a current issue.
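As an added example that is not part of the original post, the following detection logic runs over a few constructed DNS query log lines: it flags topically named domains that aren’t on an assumed allowlist for review and, once a domain has been judged malicious, traces back to the first client that contacted it and lists every other client that did, which is the trace-to-origin step described under malware distribution above. All hosts and domains are made up.

```python
import re

# Constructed DNS query log lines (not real traffic): timestamp, client, domain.
SAMPLE_LOG = """\
2020-04-14T09:01:05 10.0.1.20 www.gov.uk
2020-04-14T09:02:11 10.0.1.20 coronavirus-relief-fund.example
2020-04-14T09:02:12 10.0.1.20 cdn.coronavirus-relief-fund.example
2020-04-14T09:15:40 10.0.1.31 www.nhs.uk
2020-04-14T09:40:02 10.0.1.44 coronavirus-relief-fund.example
2020-04-14T10:05:19 10.0.1.31 coronavirus-relief-fund.example
2020-04-14T10:06:00 10.0.1.50 covid19-tracker.example
"""

# Assumed allowlist of legitimate COVID information sources. Anything else whose
# name trades on the topic is flagged for review; topical does not mean malicious.
ALLOWLIST = {"www.gov.uk", "www.nhs.uk", "www.who.int"}
TOPICAL = re.compile(r"covid|corona|ncov|pandemic", re.I)
LINE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, domain) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def flag_topical_domains(text):
    """Sorted domains that use a topical keyword and are not on the allowlist."""
    return sorted({d for _, _, d in parse_log(text)
                   if TOPICAL.search(d) and d not in ALLOWLIST})


def trace_domain(text, domain):
    """Once a domain is judged malicious: the earliest contact (likely origin)
    and every client that has touched the domain or its subdomains, in order."""
    hits = sorted((ts, c) for ts, c, d in parse_log(text)
                  if d == domain or d.endswith("." + domain))
    clients = list(dict.fromkeys(c for _, c in hits))  # first-seen order
    return {
        "first_seen": hits[0][0] if hits else None,
        "origin": clients[0] if clients else None,
        "affected": clients,
    }
```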

Technical defense

The additional technical complications faced by organizations are perhaps the only vulnerability that truly is new. Never has our traditionally in-office workforce moved in such numbers to remote working. Depending on the type of company you are in, remote working may be more or less familiar. Regardless, it definitely presents the security team with more issues.

And these issues vary, from financial institutions needing to update policies and ensure they remain legally compliant, to firms which simply haven’t yet taken the leap to remote working.

The biggest risk is new systems that have been implemented at speed.

There is no single point of failure, however. This is exactly the reason we have layers of security: network-based security as well as endpoint security. It’s why we educate our workforce to identify phishing attacks, but also attempt to prevent them ever entering the network. It’s also true that our security teams understand the risk better than most; they will know where the vulnerabilities lie and the security precautions needed to minimize this risk.

It’s absolutely true that COVID presents a new and unusual situation. It isn’t worsening attacks or causing technical infrastructure to fail, however. Facing phishing attacks, malware and compromised domains is not a new situation. Even adapting a technical infrastructure at speed isn’t necessarily completely new.

The risk is only that our guard could be down.

We may not recognize the phishing email as malicious, we could be seeing more malicious network traffic than usual, or perhaps we believe a COVID-related domain is legitimate when usually it would have raised red flags. The same is true from a technical standpoint. We have the technology to enable remote working and secure it. The risk is that we move too fast to build in the security precautions, or that in moving we inadvertently open up security vulnerabilities.

So the answer is to not let our guard down. Follow best practice and take the appropriate due diligence when evaluating and implementing security. These aren’t extenuating circumstances for us in the security world. We must keep vigilant and be suspicious.

The COVID crisis could be a hacker’s paradise, but it doesn’t have to be.
