Criminals are apparently not taking any time off during this pandemic, and in fact by all accounts have increased their attacks, particularly targeting entities whose attention is diverted to dealing with the fallout of the Covid-19 crisis. In particular, educational institutions across the country have faced a recent onslaught of ransomware attacks, often crippling an already vulnerable infrastructure just as classes were set to resume. Check Point Research recently published a report advising that cyber-attacks targeting academic institutions increased 30 percent between July and August (with upwards of 600 attacks per week). Although the research does not reveal why the surge occurred, it is likely not a coincidence that Covid-19 has compelled schools to utilize and vastly expand the use of new and unfamiliar technologies that allow remote learning, which in turn may have opened up new opportunities for cybercriminals to attack. In addition, although financial resources were spent on acquiring new technologies, the same expenditures were not necessarily invested in associated security. Often times cyber-attacks start with a phishing-email, that once opened allows cybercriminals to gain access to an organization’s infrastructure over time. As attention has been diverted to dealing with emergency Covid-19 issues, organizations have less resources focused on cyber-attacks. Accordingly, as the Covid-19 emergency persists, educational institutions must be sure not lose focus on monitoring cyber-attacks. Failing to expend the additional resources on cybersecurity prevention and monitoring, could very likely cost the school significantly more in the long run.
You probably heard about the recent hack of Twitter accounts that took place on July 15, 2020. The hackers took over several prominent Twitter accounts, which resulted in a scam that netted over $118,000 in bitcoin for the hackers. One of the most startling things about the cyberattack was that it was led by a 17-year-old along with his accomplices. The hackers took over the accounts of well-known individuals including Barack Obama, Kim Kardashian West, Kanye West, Bill Gates, Elon Musk and many others, and tweeted a “double your bitcoin scam” from these Twitter accounts directing people to send bitcoin to fraudulent accounts.
The New York Department of Financial Services (NYDFS) issued a detailed report last week regarding this hack into the social media giant. The report found that “the Twitter Hack happened in three phases: (1) social engineering attacks to gain access to Twitter’s network; (2) taking over accounts with desirable usernames (or “handles”) and selling access to them; and (3) taking over dozens of high-profile Twitter accounts and trying to trick people into sending the Hackers bitcoin. All this happened in roughly 24 hours.”
How did the hackers do it? According to the report, the first phase of the attack started with the hackers stealing credentials of Twitter employees the old-fashioned way by using social engineering. The hackers posed as Twitter IT employees and contacted several Twitter employees claiming there was a problem with Twitter’s Virtual Private Network (VPN). The report stated that the “hackers claimed they were responding to a reported problem the employee was having with Twitter’s Virtual Private Network (VPN). Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA [multi-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did.”
The hackers then went surfing within the Twitter system looking for employees with access to internal tools to take over accounts. This led to the second phase of the attack: taking over and selling access to original gangster (OG) Twitter accounts. According to the report, an OG Twitter account refers to accounts designated by a single word, letter, or number and adopted by Twitter’s early users. The hackers discussed taking over and selling the OG accounts in various online chat messages. On July 15, the hackers “ hijacked multiple OG Twitter accounts and tweeted screenshots of one of the internal tools from some of the accounts to the accounts’ respective followers.
The final phase of the hack involved taking over various cryptocurrency company accounts and directing users to a link to a scam bitcoin address. According to a tweet sent out by Twitter on July 16, approximately 130 accounts of high-profile verified users (those Twitter accounts that you see with the blue check mark) were taken over by the hackers with tweets asking people to send bitcoin, with the promise that the high-profile user would double the amount to be given to a charity. The bitcoin address was fraudulent, the tweets were not sent by the actual users, and the hackers were able to collect more than $118,000 in bitcoin.
The NYDFS began its investigation because the cryptocurrency companies are regulated entities. According to the report, the department instructed the cryptocurrency companies to block the hackers’ bitcoin addresses if they hadn’t already done so. This move prevented over a million dollars’ worth of fraudulent bitcoin transfers.
We write all the time about the critical importance of cybersecurity practices and protocols such as multifactor authentication, employee training regarding phishing, and using secure passwords. The general consensus appears to be that the Twitter hack was not a sophisticated one, but that the hackers knew what they were after and knew how to accomplish their goal. The NYDFS report stated that “the Twitter Hack is a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals. The Hackers’ success was due in large part to weaknesses in Twitter’s internal cybersecurity protocols.”
It has been widely reported that hackers are taking advantage of the pandemic to perpetrate scams and frauds. We have seen attacks against workers of companies through phishing emails that include an attachment or link offering information or access to specialized treatment for COVID-19 to lure people to click on them. Once they click on the link or attachment, the attacker infects the system with malware or ransomware. Cyber criminals know that people are concerned about the coronavirus and looking for more information to protect themselves and their family members, and they also are preying on the distraction of working from home.
It has become such a problem that the Department of Justice (DOJ) instructed the National Center for Disaster Fraud (NCDF) to gather coronavirus-related complaints from the public and assist with information sharing about scams. The NCDF has received more than 76,000 tips on COVID-19 related wrongdoing, and the FBI’s Internet Crime Complaint Center has received more than 20,000 tips about suspicious websites and media postings. This doesn’t include the successful phishing campaigns using COVID-19-related information to trick people into clicking on malicious links or attachments.
The United States Attorney’s Office for the Western District of Louisiana issued a reminder this week for “members of the public to be vigilant against fraudsters who are using the COVID-19 pandemic to exploit American consumers and organizations…In particular, the department is warning the public about scams perpetrated through websites, social media, emails, robocalls, and other means that peddle fake COVID-19 vaccines, tests, treatments, and protective equipment, and also about criminals that fabricate businesses and steal identities in order to defraud federal relief programs and state unemployment programs.”
In addition, the notice states “Moving forward, the department also is concerned about, and will aim to deter and prevent, attempts by wrongdoers to prey upon potential victims by leveraging news about anticipated approval of a COVID-19 vaccine or about the potential enactment of new disaster relief bills that extend or expand upon CARES Act relief.”
The notice is a good reminder to each of us personally as well as employees of the continued threat and to need to remain vigilant to combat these scams. The DOJ “encourages the public to continue to report wrongdoing relating to the pandemic to the NCDF and to remain vigilant against bad actors looking to exploit this national emergency.”