TELEWORKER’S GUIDE TO GOOD CYBER PRACTICES


Post on 30-May-2020


Page 1: TELEWORKER’S GUIDE TO GOOD CYBER PRACTICES

Zoombombing

Malicious Office Documents

Bad Google Drive links

TELEWORKER’S GUIDE TO GOOD CYBER PRACTICES

Commercial Internet Home Providers

e.g., Verizon, Comcast

Use APPROVED Telework-Enabling Technologies

milSuite

CiscoWebex

milDrive

Office 365

MobiKey

ZoomGov

Virtual Private Network

Cyber Attacks

Unsolicited or Suspicious Emails

Typing Errors

Website Switcheroo

User name / password loss

zoom.us/signin

zooom.us/signin

https://coronavirus.jhu.edu/map.html Corona-Virus-Map[.]com

click

DCS

DoD Mobility

EAC

CVR

APAN

DoD SAFE

GVS

Jabber

CfSC

DEPS

meetMe

Outlook Web App

Some examples of capabilities provided below

Page 2

COVID-19: Cyber Actor(s) Methods

UNCLASSIFIED

Adversary Tactics and Techniques

Phishing / Spear phishing

Typosquatting / URL Hijacking

Social Engineering

DNS Hijacking

Ransomware / Malicious Apps

Open Redirect

Targeting Remote / Telework Enabling Capabilities

Targeting Remote / Telework Enabling Capabilities

Spoofing collaboration platforms (i.e. ZoomGov) - Making a malicious website look like a legitimate website

Credential harvesting campaigns - Stealing a User Name and Password

Target teleworkers using RDP (Remote Desktop Protocol) or VPN (Virtual Private Network) by exploiting known vulnerabilities

Targeting of home routers to redirect users to malicious websites

Unsolicited technical support scams targeting remote / telework users

• Malicious Cyber Actors (MCA) are capitalizing on the global scale of the pandemic

• Since mid to late JAN, a variety of MCAs have taken advantage of the COVID-19 crisis to conduct activities to further their objectives

• Majority of activity is assessed to be largely criminal in nature

• Malicious global cyber activity increased 35-40% since crisis began

Reported Adversary Activity:

Criminals, Hacktivists, Foreign Government Hackers

Page 3

Phishing / Spear phishing

• Purpose: Steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons

• Method: Targets are contacted by email, telephone or text message by someone posing as a legitimate institution
    • Fake text alerts in Florida asking you to claim COVID-19 stimulus payment
    • Live Coronavirus Map used to spread malware
    • Criminals impersonate WHO / CDC representatives

• Prevention:
    • Never enter personal information in pop-up windows
    • When conducting online transactions, look for a sign that the site is secure (HTTPS or "lock icon")
    • Never click on hyperlinks in emails
    • Do not copy web addresses into your browser from pop-ups - use bookmarks or trusted sites to access
    • Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software

[Figure: numbered steps 1-4 in which a click leads to a fake website (www.badsite.com); www.google.com shown beside the misspelled www.gooogle.com]

Typosquatting / URL Hijacking

• Purpose: Stealing credentials or personal information or deploying malware

• Method: The user is led to an alternative website owned by a perpetrator
    • Zoom-bombing
    • Fake Johns Hopkins COVID-19 website(s) require users to download software or launch a fake map, which opens malware
    • Corona-virus-map[.]net posing as COVID-19 map
    • CovidLock malicious mobile ransomware for Android

• Prevention:
    • If possible, access sites via bookmarks you have saved, or access them from trusted sites
    • If you type the URL, inspect it for errors before you hit enter
    • Do not click on links sent to you in emails, especially from unknown senders
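The "inspect it for errors before you hit enter" advice can be automated for a short list of sites you actually use. The sketch below is an added example, not part of the original guide; the allowlist `TRUSTED_HOSTS`, the function names and the distance threshold are assumptions chosen for illustration, and the sample URLs are the ones shown on the slides.

```python
from urllib.parse import urlsplit

# Assumption: a small allowlist of hosts the user really intends to visit.
TRUSTED_HOSTS = {"zoom.us", "google.com", "coronavirus.jhu.edu"}

def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def normalize_host(url):
    """Lower-case host from a URL or bare 'host/path'; undoes [.] defanging."""
    url = url.strip().replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return ('trusted', host), ('lookalike', imitated_host) or ('unknown', None)."""
    host = normalize_host(url)
    if host in trusted:
        return ("trusted", host)
    for good in sorted(trusted):
        # A near miss of a trusted name is the typosquatting signature.
        if 0 < edit_distance(host, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for sample in ("zoom.us/signin", "zooom.us/signin", "www.gooogle.com",
                   "https://coronavirus.jhu.edu/map.html", "Corona-Virus-Map[.]com"):
        print(sample, "->", classify(sample))
```

Corona-Virus-Map[.]com comes back as "unknown" rather than "lookalike": a themed fake is not a misspelling, so a distance check complements bookmarks and trusted links rather than replacing them.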

Page 4

DNS Hijacking

• Purpose: Criminals display unwanted ads or conduct phishing, where fake versions of sites are displayed for users to access and criminals steal data or credentials

• Method: Diverts the user from their intended domain to an alternate domain with the intent of delivering undesired content or malware.
    • Fake WHO alert – victims observed their web browsers opening up by themselves and displaying a phony message that instructs them to download a COVID-19 information app called “COVID-19 Inform App.”

• Prevention:
    • Avoid using public Wi-Fi networks; they are almost always unencrypted
    • Avoid clicking on suspicious links in emails or on social media

[Figure: DNS hijacking diagram with labels www.google.com, DNS Server, Desired Website, Malicious Website, 8.8.8.8 and 18.18.18.18]


[Figure: social engineering example. Info gathering from Facebook, Instagram and public websites. Eve: "Hi Bob, I hear you like spelunking. ~Eve". Bob: "Absolutely! Bob". Eve: "Sweet, check this out <link>". Click, then ransomware.]

Social Engineering

• Purpose: Profiting off of the COVID-19 pandemic by manipulating people into performing actions or divulging confidential information

• Method: Online scams in the form of charity, financial gain, online shopping, romance or extortion.

    • Fraudulent sales of hard-to-obtain products
        • Medical Center in New Jersey received batch of fake masks
    • Fake COVID-19 Medicine / Treatments
        • Prayer + Peroxide treatment kits lead to arrest (California)

• Prevention:
    • Be suspicious of unsolicited contact from individuals seeking internal organizational data or personal information.
    • Do not provide personal information or passwords over email or on the phone
    • Do not provide information about your organization.

Page 5

[Figure: FreeVirusScan.com pop-up, "You Have Malware"; Trojan Horse]

Ransomware / Malicious Apps

• Purpose: Target organizations critical to fighting the pandemic, and request those organizations to pay a ransom to resume critical medical / healthcare functions. Threaten to release an organization's data, acquired by the attack, as an additional incentive to compel organizations to pay the ransom

• Method: Targets primarily via emails – falsely claiming information from the government, which encourages recipient to click on infected link or attachment

• Medical administrators and health employees locked out of site, limiting ability to disseminate accurate/updated COVID-19 information

    • Champaign-Urbana Public Health District's Website (U.S.)
    • Hammersmith Medicines Research (London)

• Prevention:
    • Frequently back-up computer files
    • Store back-ups on a separate device that is not connected to a network


Open Redirect

• Purpose: Steal sensitive information such as account credentials or financial information from a victim (i.e. email credentials, credit card details, cryptocurrency wallets, browser data, and system information)

• Method: Redirects a victim to a fake website after they enter their credentials on a legitimate page
    • U.S. Department of Health and Human Services (HHS) users redirected to deliver the Raccoon Stealer malware

• Prevention:
    • When available, adjust your Internet Browser's security settings from allowing automatic redirection to requiring action from you
    • Inspect links sent to you - do not click links such as: https://example(.)com/redirect.php?go=http://attacker(.)com/phish/, that include "redirect"

[Figure: open redirect diagram with labels Trusted Website, Desired Website, Malicious Website]
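The link inspection described above can be done mechanically, and it does not depend on the word "redirect" appearing in the link. The following is an added example, not part of the original guide: the function names are assumptions, and apart from the guide's own example link the sample links are constructed. It flags any query parameter that carries a URL for a host other than the one the link names.

```python
from urllib.parse import urlsplit, parse_qsl

def refang(text):
    """Undo the defanging used in write-ups: example(.)com, example[.]com."""
    return text.replace("(.)", ".").replace("[.]", ".")

def redirect_targets(link):
    """Return [(parameter, target_host)] for query parameters whose value is a
    URL pointing at a different host than the link itself."""
    parts = urlsplit(refang(link.strip()))
    own_host = parts.hostname or ""
    findings = []
    # parse_qsl percent-decodes values, so an encoded target is also seen.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = value.strip()
        if candidate.startswith("//"):       # scheme-relative form also leaves the site
            candidate = "http:" + candidate
        try:
            target = urlsplit(candidate)
        except ValueError:                   # malformed value: not a usable URL
            continue
        if target.scheme in ("http", "https") and target.hostname:
            if target.hostname != own_host:
                findings.append((name, target.hostname))
    return findings

# Constructed sample links; the first is the example from the guide.
SAMPLE_LINKS = [
    "https://example(.)com/redirect.php?go=http://attacker(.)com/phish/",
    "https://example.com/login?next=https%3A%2F%2Fattacker.com%2Fphish",
    "https://example.com/redirect.php?go=https://example.com/home",
    "https://example.com/login?next=/dashboard",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        hits = redirect_targets(link)
        print("SUSPICIOUS" if hits else "ok        ", link, hits)
```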