Interview: Mike McLellan, Senior Security Researcher, Secureworks

Despite all of the hype and research claiming that there has been a surge in phishing and spam messages related to COVID-19, one company claimed that from what it has seen, there has not been a noticeable increase in detections across customers’ managed security controls since the beginning of 2020.

In a blog posted at the start of April, researchers from Secureworks said that despite a lack of a spike in cyber-criminal activity, there is clear evidence of well-established cyber-criminal and government-sponsored threat actors leveraging general interest in COVID-19 to entice victims to open malicious links and attachments.

Speaking to Infosecurity, senior security researcher Mike McLellan explained that Secureworks had been watching the situation, but what it saw was not an increase in the threat, but there was an increase in confirmed incidents. “We are seeing more reporting about more domains and all of that, but based on our research, we’re not seeing a high-end threat,” McLellan said.

“What we are seeing is that the threat actors have all pivoted to using COVID-19 as a social engineering ruse, and getting people to click on attachments or give up credentials. So it is the same threat but with a slightly different feel to it.”

This has led attackers to essentially all be working on the same subject as an attack vector, so where usually an event like a sport tournament or a major news event would cause some attackers to use that theme, they are now all using COVID-19 as the subject.

McLellan said this is what many researchers believe to be the cause of a major number of spam messages. “The challenge is, what do people mean when they say ‘more’ of something? If we’re talking more email traffic, there might be, we tend to look at what happens after the email is sent and where it lands and if it does something when the recipient clicks on it,” he said, pointing out that this is where there is not an increase in activity. 

“If there were an increase in successful attacks, that would suggest that, prior to COVID-19, these actors were not as successful as they wanted to be, and COVID-19 allowed them to be much more successful at attacks,” he explained. “From what we are seeing, it is not like organizations were always successful at defending against this stuff prior to COVID-19.”

“It works no matter which country you are targeting as everyone is concerned about it”

McLellan added that attackers are “continuing to be as successful as before” but using a different trend as the initial way to get in. However, he did admit that people are probably more susceptible to the current fears and confusion around COVID-19, as well as fake news, and “there is a chance that people are more susceptible to social engineering.”

Secureworks researchers did see more common malware tools being used to adapt the COVID-19 trend, for example Trickbot was initially targeting Italy when the country was first in lockdown and people were at home more and doing online banking, and researchers observed Italian banks being added to TrickBot web inject configurations, but this was really about attackers following the money.

“The only exception to that is that some nation state actors have started to target global bodies and research institutes, but that has not affected the vast proportion of society,” he said.

Will tactics change with a majority of the workforce now based at home? McLellan said that as long as people open macro-enabled documents, these attacks will continue to work. “We may see an increase in scanning of internet-facing systems and businesses have remote access solutions for business continuity purposes, and that becomes the main way for an organization to communicate with itself and its employees, so some attack surfaces have expanded,” he said. “There is a chance we will see attempts to disrupt that sort of infrastructure like VPNs and video conferencing. We’re not seeing that yet, but if some of these set-ups persist and organizations get used to this way of working, that may likely change how actors go after their targets.”

In terms of nation state actors, McLellan said that Secureworks is seeing threats “playing on a government theme and advice on coronavirus” and that was mostly evident in Asia, while most cybercrime was standard with themes of invoices, but there were also COVID-19-themed phishing emails like “Health Advice from the World Health Organization” or some other body being used as a trick.

“We normally see a spike at certain times of the year; tax is usually a theme in the USA and UK, so we see a spike of tax-themed emails at the time of tax season, “but the thing about coronavirus is that it has been going on for a long time and it is globally applicable, so we are seeing everyone pick the same theme – and it works no matter which country you are targeting as everyone is concerned about it.”

McLellan concluded by saying that is why there is a feeling of “there being a lot of it out there” as everyone is converging on it at the same time.

What’s Hot on Infosecurity Magazine?