During the coronavirus pandemic, Contact Tracing is being used to slow the spread of the virus. Contact Tracing is the process used to identify, trace, and contact people potentially exposed to a highly infectious virus such as COVID-19 in the recent past. Contact Tracing is a critical capability needed to re-open businesses to avoid a second and potentially more devastating wave of infections. Hi-tech companies such as Apple and Google have released contact tracing apps for their mobile phones, but are not yet formally coordinating with US government entities.
Beside obvious privacy concerns with the data being generated by Apple and Google in their Contact Tracing applications, another insidious risk exists. Hackers have begun to release bogus, malicious contact tracing applications of their own.
How might hackers attack with a bogus contact tracing app?
The first attack method, which has been used since the start of this pandemic, is through contact tracing related phishing attacks. Hackers are sending hospital notifications to unsuspecting email recipients. The email notice states that a friend, colleague, or family member tested positive for COVID-19 and the recipient of the email has been exposed. You are to download and complete a “pre-filled” form to schedule your test and prevent the virus’s spread. Unfortunately, the attachment contains malware that compromises your computer.
A second method of attack is where hackers create a malicious Contact Tracing applications for your mobile device. One study, by Anomali – a threat Research company, claims cyber-criminals have impersonated 12 government contact tracing apps for countries such as Italy, Russia, Singapore, and Columbia to infect unsuspecting users. These bogus apps install trojan malware such as Anubis, or Spynote enabling the app to steal the user’s personal information. While these apps were not found in Google’s Play Store or Apple’s App Store, users trusted the government moniker even to install and infect themselves with the malware.
How to Avoid these Threats
Always be vigilant with the actions you do online, especially when asked to install something on your device.
- Never install apps except from Google’s Play store and Apple’s App stores.
- Install mobile security software to protect your mobile device from viruses. Again, only install this from Google’s Play store or Apple’s App Store.
- Do not click any links in emails you did not expect.
- Watch out for links to potentially fake COVID-19 websites.
- Visit only reputable COVID-19 websites. Safe sites include:
- Avoid phishing emails by watching for these Red Flags in your email:
- Generically addressed emails (Dear Sir, Dear Madam, or Valued Client).
- Receiving an unexpected email urging you to take action.
- Poor spelling, grammar, and punctuation.
- Email containing attachments. Never open attachments you did not request, even from people you know without checking with them first.
Every company benefits from regular employee awareness training on emerging cyber-threats and perennial attack methods such as weak passwords, phishing emails, and social engineering attacks. Therefore,
- train employees on cybersecurity topics and best practices at least monthly.