Defending Against Coronavirus Phishing and Malware Attacks

At OneSpan, we have been concerned and saddened by the impact of the coronavirus (Covid-19). We commend the health and service professionals working to contain the outbreak and wish a speedy recovery to those afflicted.
Beyond the immediate health threat, we have also noticed a new fraud trend. With the widespread media attention around the coronavirus, attackers are already using the topic to bait victims into opening malicious attachments. In this blog, we’ll take a closer look at these phishing attempts and explore security solutions that could identify and help prevent coronavirus-related phishing attacks.
Coronavirus Phishing Attacks
Researchers at IBM X-Force have identified several campaigns where attackers are sending out infected email attachments disguised as instructions around the coronavirus. When opened, the file will silently install an Emotet downloader in the background. Right now most of the messages found appear to be in Japanese, which is due to the outbreak being concentrated in Asia. However, with the fear of the virus being so widespread, we can expect similar tactics to be used in the rest of the world soon enough.
Similarly, Kaspersky just published a blog reporting that the company’s technologies “have found malicious pdf, mp4 and docx files disguised as documents relating to the newly discovered Coronavirus. The file names imply that they include virus protection instructions, current threat developments, and even virus detection techniques.”
While criminal hackers routinely use natural disasters and viral news topics to launch attacks, the coronavirus theme has the potential to affect businesses directly because of China’s role in the global economy. For example, many companies are being asked if their supply chains will be interrupted because of shipping issues with China. An audience hungry for information is an audience ripe for hacking attacks. As a result, we expect to see phishing emails posing as:
- Delivery companies, such as FedEx or UPS, and online sellers, such as Amazon, with messages about goods sourced from China
- Brokers and investment firms with a message about markets crashing
- Targeted attacks from suppliers saying goods cannot be delivered or will be delayed
- Urgent updates from government and global health agencies on how to avoid infection
Now is the time to be extra vigilant, as attackers will be looking to take advantage of the fear and attention around the coronavirus outbreak.
How Banks Can Protect Customers against Coronavirus-themed Attacks
Financial institutions (FIs) should deploy additional safety precautions because of the heightened risk of phishing, social engineering, and malware attacks. Attacks will affect both corporate and retail banking customers as criminals take advantage of the situation.
FIs with fraud detection and prevention systems generally rely on a rules engine to manage fraud. Not all anti-fraud systems are equal, however. Expert rules engines give FIs an advantage by providing the flexibility to activate extra fraud rules during heightened risk periods such as Christmas, Black Friday, and natural disasters when customers have an increased chance of being compromised. Such periods of increased risk demonstrate the need for banks to have dynamic fraud prevention solutions in place to allow them to respond to the fast-paced nature of fraud.
It is also important that fraud detection systems be capable of quickly toggling different controls or operating at a lower level of trust during times of increased risk. Temporarily changing the thresholds of the scoring model, accepting a larger number of false positives in exchange for fewer false negatives, is also a good practice. When the surge in coronavirus phishing comes to an end, reconfiguring the detection will allow the bank to reduce the workload on the fraud team.
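The trade-off described above can be made concrete with a small sketch. This is an added example, not OneSpan's code or any product's API: the `Profile` class, the threshold values, the `session_from_email_link` signal and the sample transactions are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    review_threshold: float  # model score at or above this goes to review
    extra_rules: bool        # campaign-specific expert rules switched on?

NORMAL = Profile("normal", 0.70, False)
HEIGHTENED = Profile("heightened", 0.50, True)

# Constructed sample, not real data:
# (model_score, new_payee, session_from_email_link, is_fraud)
TRANSACTIONS = [
    (0.82, True,  True,  True),
    (0.61, True,  True,  True),
    (0.55, True,  False, True),
    (0.35, True,  True,  True),   # low score: only an expert rule catches it
    (0.58, False, False, False),
    (0.52, False, False, False),
    (0.30, True,  False, False),
    (0.20, False, False, False),
    (0.10, False, True,  False),
]

def flagged(tx, profile):
    score, new_payee, from_email_link, _ = tx
    if score >= profile.review_threshold:
        return True
    # Hypothetical campaign rule, active only in the heightened profile:
    # payment to a new payee in a session that started from an email link.
    return profile.extra_rules and new_payee and from_email_link

def evaluate(profile, txs=TRANSACTIONS):
    hits = [flagged(t, profile) for t in txs]
    return {
        "profile": profile.name,
        "reviews": sum(hits),
        "false_positives": sum(h and not t[3] for h, t in zip(hits, txs)),
        "false_negatives": sum(not h and t[3] for h, t in zip(hits, txs)),
    }

if __name__ == "__main__":
    for p in (NORMAL, HEIGHTENED):
        print(evaluate(p))
```

On this sample the heightened profile removes all three missed frauds at the cost of two extra false positives and six reviews instead of one, which is the workload the fraud team gets back when the profile is switched to normal again.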
Fighting Malicious Attacks with Machine Learning and Risk Analytics
In addition to expert fraud rules, fraud detection systems that make use of risk analytics and machine learning will be better prepared to respond to the changing fraud landscape. With machine learning, the fraud detection system can gather and immediately analyze data from all externally facing access points (e.g., a user’s phone). Comparing each user’s behavior against their history then allows the risk engine to identify abnormal user behavior.
In fact, by continuously monitoring the entire banking session (rather than a single event such as a payment), an advanced risk engine with machine learning can also evaluate data points such as the length of the session, time of the day, and spending patterns – as well as the actual sequence of user actions, which may indicate abnormal user behavior. Should a phishing attack occur, it will be identified by the system in real time, prompting an increase in protections.
What’s more, when the influx of attacks subsides, the risk analytics technology continues to analyze the fraud risk, in real time, for each individual transaction. Leveraging this more precise security ensures the best user experience, as friction is removed for low-risk transactions, and only riskier transactions trigger additional security steps. In this way, a financial institution not only improves the user experience, but automates fraud management, which dramatically reduces the manual efforts of the fraud team.
Finally, modern risk analytics tools may also provide an early warning sign of phishing. The machine learning algorithm can detect the likelihood of the HTTP referrer being a phishing page. This can be supplemented by pre-defined expert rules governing how the system should respond to the phishing attack scenario.
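A pre-defined expert rule of the kind mentioned above could look like the following. This is an added example, not the machine learning model and not any vendor's code: it is a plain heuristic over the `Referer` header of requests landing on the login page, and the domain `onlinebank.example`, the action names and the distance threshold are assumptions.

```python
from urllib.parse import urlsplit

OWN_DOMAIN = "onlinebank.example"   # assumed: the bank's registered domain
BRAND = "onlinebank"                # assumed: brand label to watch for

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def referrer_signal(referer):
    """Classify the Referer header of a request that lands on the login page."""
    if not referer:
        return "absent"             # bookmark, typed URL, or stripped by policy
    try:
        host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    except ValueError:              # e.g. an unbalanced IPv6 bracket
        return "malformed"
    if not host:
        return "malformed"
    if host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN):
        return "own"
    labels = host.split(".")
    # Foreign host that embeds the brand, misspells it, or uses a punycode label
    if any(BRAND in label.replace("-", "") for label in labels):
        return "lookalike"
    if any(l.startswith("xn--") or edit_distance(l, BRAND) <= 2 for l in labels):
        return "lookalike"
    return "external"

# Hypothetical responses an expert rule could attach to each signal
ACTIONS = {"own": "allow", "absent": "allow", "external": "raise_score",
           "malformed": "raise_score", "lookalike": "step_up_and_alert"}

def login_rule(referer):
    return ACTIONS[referrer_signal(referer)]
```

An absent referrer is treated as neutral here because many legitimate sessions arrive without one, so this rule only adds evidence to the risk score and cannot replace the session-level analysis described earlier.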
Combatting Phishing and the Coronavirus
Sadly, attackers will play upon any fear to increase the impact of their phishing campaigns. In that way, the coronavirus attacks we have been seeing are just the next iteration in an ongoing effort. Vigilance by your fraud team, bolstered by the ability to dynamically adjust fraud rules and enhance your existing anti-fraud tools with real-time risk analytics, is key to stopping both this wave of phishing attacks and the ones to follow.