Among everything else that has been happening in the past few weeks and with the elderly and infirm at particular risk, the cyber criminal community has managed to stoop particularly low and take advantage of the Coronavirus situation. We’ve already seen a series of phishing attacks designed to extort personal credentials and money from some of our most vulnerable people, often under the guise of credible institutions such as the World Health Organisation.
In these times of crisis, the one thing that people are desperately grappling for is information. With this in mind, hackers (presumably criminal gangs and lone hackers – I don’t want to think about the implications of nation states being associated) have constructed phishing emails and bogus websites to lure people in with the promise of information and even financial incentives associated with the pandemic.
None of this is particularly surprising, even if it is distasteful. Social Engineering goes back as far as human history. In Greek mythology, Ulysses used a “baiting” technique to trick his enemy into thinking the Greeks had given up their siege. He left a large gift outside the city gates… a large wooden structure, better known as the Trojan Horse.
Cyber criminals, too, have a long track record in taking advantage of the vulnerable through basic social engineering techniques. The art of exploiting human psychology and using the techniques of the “confidence trickster” in cyber is almost as old as cyber itself, with the first phishing attack thought to have occurred in the 1994-1995 period. By 1999, the “Melissa” virus (one of the first very effective and disruptive pieces of malware that leveraged spreadsheet macros and email to propagate) and others started to reveal the extent of damage that could be created using a combination of social engineering and a hacking technique.
What concerns me (other than the fact that fairly basic and rudimentary social engineering technology is still working in a huge number of cases – this can only be about lack of education) is where the criminal fraternity takes this next.
By most people’s estimations and in one form or another, our species is in for some other huge bumps in the road in the coming decades. Some will be related to disease, others related to climate change and, inevitably, these and others will be contributors to a financial crisis. The criminals know this… Social engineering will continue to be a mainstay of cyber attack, and the introduction of Machine Learning, Big Data and AI into the mix could present security challenges that we will not be prepared for without serious consideration of the social as well as technical elements of cyber defence technique.
Use of AI to mimic voices and to increase the virulence and success of phishing attacks has already been seen in the wild. Are we sure that the ways in which we are leveraging advanced technology to protect ourselves are in advance of what the criminals are up to? My worry is that the dark web is now full of “Cyber Attack as a Service” (I’m collectively referring to them as “CAaaS”) offerings that are becoming very advanced and do not require a great deal of technical knowledge to put into action.
We should expect criminal activity around the Coronavirus pandemic to track the virulence of the virus itself. We need to ensure that our employees and our loved ones are alert and ready to spot these types of attacks. Perhaps more importantly, security leaders across the CISO communities, vendor landscapes, government and insurance industries should be building strategies that give a heavy amount of thought to social engineering, how far well-financed criminals could take it and what that will mean to security and risk posture as the world faces human crises in the future.
In the meantime, give the people that need it some advice when it comes to using their emails and the internet… SLOW DOWN, BE SKEPTICAL, DON’T JUST CLICK ON THE LINK/OPEN THE ATTACHMENT. DO YOUR RESEARCH. The last thing that the vulnerable need right now is the extra stress caused by cyber crime. Let’s look after each other.