A COVID-19 vaccine is expected to be approved by the FDA this week. While there is plenty to be excited about, there is cause for concern.
Information Technology attack vectors have been known to use big news, fads, and trends to trick users. A COVID-19 vaccine will be the biggest news in over a decade… and since social media became big.
COVID-19 has ensnared the public; economically, physically, and emotionally. It has the hallmarks of a horrifyingly efficient way to trick people out of money and information.
We haven’t seen an attack yet, but your users should know that any messages or posts about the COVID-19 vaccine from any source should be treated with scrutiny.
Even the FTC is issuing warnings: https://www.ftc.gov/news-events/press-releases/2020/12/ftc-issues-consumer-tips-avoiding-covid-19-vaccine-scams
We highly recommend reviewing our article from 2018 about detecting phishing emails. The information within still applies.
For the time being, notify your users that the only information they should trust on COVID-19 vaccines is from their doctor and the national news networks; no one else.
No random posts on Facebook, no text messages claiming to be the COVID Vaccination Program, no emails claiming the same, nothing.
If they still feel the need to go down the rabbit hole on this vaccine they need to use their personal email address and information!
The notice ends here, but in case you need to read one possible way this scam can play out, here it goes:
- Your user sees a Facebook post regarding sign-ups to get the new COVID-19 vaccine. They click the link on a work computer. Luckily the site does not contain malicious code and a virus is not downloaded.
- The user is taken to the sign up form. Because they think the companies spam filtering is better they use their work email to sign up for alerts.
- A day or so later they get an email. This email claims to contain an encrypted message and uses the term Operation: Warp Speed. The email claims the message is encrypted to protect the users health information, and it is from a trusted source. The user opens the link.
- The user is taken to a page that wants them to log in with their work email and password to decrypt the message. After the user logs in, the site crashes. The user may try a couple more times, and then shrugs their shoulders and says they’ll try later it must be busy. From this point, your company is breached.
- Armed with your users username and password from the harvesting site, an attacker is now logged into the users account, downloads all the users emails, current and previous; all the users contacts; the users calendars; the folders the user has access to. Your user has no warning this has happened.
- Over time the attacker monitors the users communications, but does nothing. They just harvest data, for months. The attacker finds intraoffice memo’s and documentation containing information about who is what in the company. The attacker also learns about the companies procedures and policies.
- A Spear-Phishing campaign begins.
- The financial department is targeted and the newest financial employee receives a message claiming to be from the CEO/President. A request is put in to send money somewhere. Because the attacker knows procedure and protocol, the message appears to comply with everything and the new employee obliges the request. Thousands of dollars are lost. There is no recovery possible.
- Know this, at this point there is no reason for the attacker to stop. They could target another user, or multiple users at one time. Statistically, only 40% of companies survive this point; and this includes multinational, multibillion-dollar companies!