It’s no secret that since the beginning of the pandemic, to enable social distancing, remote working has increased exponentially. And, to maintain business as usual as much as possible under the current circumstances, many organisations have gone through (and are continuing to go through) a dramatic change in their processes and the way employees access the corporate information. Over the last few months, remote access technologies, cloud applications and collaborations services have played a crucial role in this transformation.
Protecting a new workspace
Besides the social, economic, and cultural implications, the main consequence from an infosec standpoint, is that the corporate laptop is the new workplace and the perimeter of the organisation is no longer physical. Instead, it resides with the users themselves.
This new normal means that remote users must be able to access the corporate data from any location, and potentially any device. Traditional on-premises security technologies, such as firewalls, web and email security gateways are no longer suitable, or able, to cope with the level of security required.
Users are the new security perimeter and from an attacker’s perspective, the weak link of the system: they are outside of the physical boundaries of their organisation and even worse, emotionally distressed – due to the current circumstances – so even more vulnerable.
To complicate things further, for less established organisations, the shift to remote working has been driven by a contingency plan rather than a strategic approach. As a result, many of the remote workers haven’t been educated about the risks of the new workplace and aren’t protected by the right technologies.
If an endpoint is compromised, the attackers get the key to the kingdom. Arguably, it has always been this way, but the reality is that the COVID-19 crisis has dramatically increased the attack surface.
Email is the preferred attack vector
According to recent research, 13% of phishing attacks in Q1 2020 were related to COVID-19, with the total number of attacks increasing by 22.5% in comparison to Q4 of 2019.
Email continues to be the cyber criminals’ preferred attack vector and the current situation has made things worse. Thanks to the pandemic, attackers have many more factors to exploit to make their attacks successful.
For example, the mass adoption of collaboration tools such as Zoom, Microsoft Teams, or Cisco Webex, as well as cloud services in general, is fuelling multiple variants of phishing campaigns that use rogue notifications to steal the victims’ corporate credentials. This is done through malicious pages mimicking the target applications.
Even more concerning, is that during the pandemic, these rogue communications typically impersonate the HR department or other emotive things that make the victim – concerned about the future and emotionally vulnerable – to click on the malicious link, without verifying whether the message is legitimate.
But, rogue HR notifications are not the only way to exploit the COVID-19 crisis for phishing purposes. Other common tactics leveraged by the cyber criminals include the stimulus packages promoted by several governments (links to fake pages applying for funding), or even communications sent by institutions involved in the fight against COVID-19, such as the World Health Organisation (links to fake pages for accessing important information regarding the pandemic).
And COVID-19-themed emails are also used to deliver malware, for example, disguised as fake installers of collaboration tools or fake documents sent by institutions involved in the COVID-19 fight, such as the World Health Organization.
To protect corporate accounts, organisations have adopted multiple layers of defences (such as anti-spam, anti-malware, and email tagging to quickly identify messages sent from outside the corporate perimeter). However, these countermeasures are not always 100% effective for the following reasons:
Malicious emails are becoming more and more evasive. For example, a typical evasion trick consists of delivering the phishing page or the malicious payload through a cloud service such as Microsoft Office 365 Onedrive or Google Drive, that is implicitly trusted by the email security gateway – hence the ability to bypass it.
Despite being increasingly common, email labelling is not widely adopted and too often ignored by users.
As mentioned previously, the user is the new perimeter. Remote employees can use the same device to access personal applications and corporate services simultaneously, which implicitly opens a hole in the security posture of the entire organisation. Phishing pages or malware can be delivered through personal email, turning the endpoint into a gateway to access the organisation.
If the user is the new perimeter, relying on legacy security technologies that force backhauling the corporate traffic to a central location (contradicting the connectivity mode of cloud applications) and aren’t able to inspect SSL traffic, simply doesn’t work.
An ounce of prevention is worth a pound of cure
Does this mean that remote users are inevitably exposed to the risks and destined to be hacked? Of course not. Technology plays an important part, but at the end of the day, the human being is the first line of defence. Every single action counts and there are some simple steps that can be taken to mitigate the risk of being hacked via email, with the right level of natural diffidence being the first layer of security.
In tough times like these, it’s better to assume that every incoming email could potentially be a threat, so don’t take anything for granted. Carefully inspect every email, for misplaced details in both the form and the content. Once upon a time, the presence of grammatical errors was a simple but important indicator of malicious origin. Unfortunately, this is not completely true today, since attackers are getting smarter and able to craft very realistic messages in terms of form and content. Nonetheless (especially in case of foreign attackers) there’s always the chance that identifying mistakes can reveal the malicious origin.
If your company applies tags to external messages, pay special attention to those received from outside of your organisation.
Carefully inspect every link in the mail. Drag the mouse over and check that the target URL matches the destination and the context. The attackers might use simple tricks like HTML tags or shorteners, or even more sophisticated techniques like homograph attacks to hide the real destination. Even if the domain looks legitimate, check every single character. ask yourself: ‘can I really spot the difference between a capital i and a lower case l?’
Cloud services are increasingly used to serve phishing pages or to deliver malware, so always check the destination URL and ask yourself ‘why does this OneDrive document come from Dropbox (or Google Drive)?’ Additionally, if the phishing page comes from a cloud service like Microsoft Forms or Google Drive, the page always contains a disclaimer to never submit passwords via the form, so pay attention to every single detail.
The typical phishing message uses emotional bait to entice the victim to click on the link or open the attachment. Typical baits include:
a payment (often with fake invoices)
the request to reset an account after some suspicious activities;
the need to confirm some personal information;
notification of a salary increase or related bonuses;
offers of giveaways, coupons or free ‘stuff’;
things related to personal activities or hobbies, especially in case of spear-phishing (or targeted phishing).
And, as previously mentioned, during COVID-19, malicious actors are leveraging emotional baits specifically related to the crisis, such as:
requests of meetings from HR;
missed notifications from collaboration apps, such as Microsoft Teams and Zoom;
requests to reset the password for a cloud service in use by the organisation such as Microsoft Office 365;
documents from institutions such as the World Health Organization containing guidelines to face the pandemic;
eligibility to apply for a fund related to the economic stimulus packages.
In all these cases, whether they are generic or related to the pandemic, it’s extremely important, before taking action, to ask yourself if you have an account with the potentially impersonated service. If the answer is ‘no’, inspect the message carefully. If the answer is ‘yes’, contact the sender organisation (via the website or a contact number) and confirm that the message has been really sent by them.
The most common email applications allow an inspection of the original message (for example this is the ‘view source’ option in Microsoft Outlook or the ‘show original’ option in the Gmail web interface). More skilled users can use this feature to check the headers and identify if the message was sent by the real organization, or if the sender was spoofed.
Whenever possible, protect every account with multi-factor authentication (MFA), consisting of something you have (like an authenticator app) and something you are (for example, mobile authenticator apps allow the use of a fingerprint to unlock the app itself) or something you know (such as a PIN). Similar policies are usually enforced by the organization to access the corporate services, however, it’s necessary to adopt MFA even for any personal accounts if this feature is available. Motivated attackers will look for every entry point, including personal services.
If possible, avoid using SMS-based or call-based authentication since SIM-Swapping attacks are increasingly common. Maybe you are not a primary target (or you don’t believe you are) but a little bit of additional precaution won’t hurt.
Always consider the corporate device as an extension of the office workplace. Working from home and spending more time with the family doesn’t necessarily mean that you can share your corporate laptop or phone with others for their personal stuff. If they are compromised, your organization is potentially compromised as well. In the same way, your organization would never let someone external enter your office and sit at your desk beside you, so you shouldn’t let anyone else use your corporate device for their business.
Applying these simple steps will reduce the risk of being compromised. The mantra is ‘better safe than sorry’, so if you spot an anomaly in a message, or simply have the feeling that something is not right, do not hesitate to pick up the phone and call your IT department (in general make sure you acquaint yourself with the security incident procedure – every organization should have one). This is the first thing to do if you think you clicked on a malicious link or downloaded malware – and don’t forget to delete the message once it has been verified as malicious.