Soon after Hurricane Michael slammed into the coast of the Florida panhandle in October, cybercriminals moved in with phishing campaigns aimed at stealing the email credentials of people who wanted to help in the aftermath of the storm, according to researchers with cybersecurity vendor Proofpoint. The fact that bad actors saw an opportunity in the chaos wrought by the monstrous hurricane--the storm made landfall with 155 mph winds--was not surprising, the researchers said. High-profile events that attract a lot of people and money tend to draw the attention of attackers who see a chance to steal a lot of money and personal information in a short amount of time. Hurricane Michael fit that bill.
“This is extremely common,” Chris Dawson, threat intelligence lead at Proofpoint, told ITPro Today. “Everything from the Olympics to tax season to the holidays, as well as natural disasters, always turn up in spam, phishing and malware lures. Natural disasters, political campaigns and other events that inspire people to donate money are all prime targets for stealing funds directly or phishing payment information. However, any event that has wide recognition and can create a sense of urgency is a likely candidate for a lure.”
Cybersecurity solution vendors, federal and state government agencies, and organizations from AARP to banks continue to warn people about the threat of online scams in the wake of natural disasters. After Hurricane Florence ravaged the Carolinas in September, the U.S. Computer Emergency Readiness Team (US-CERT) issued a warning about such scams, urging people to “remain vigilant for malicious cyber activity seeking to exploit interest in Hurricane Florence. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a subject line, attachments, or hyperlinks related to the hurricane, even if it appears to originate from a trusted source. … Users should also be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the hurricane.”
AARP similarly has a website for members outlining the different ways bad actors try to take advantage of people eager to donate or help in other ways following a natural disaster, whether it’s a hurricane, tornado, flood or other event.
“Some of the bogus websites seek your credit card number to collect supposed donations, possibly also using that information later for identity theft,” the organization warned. “Others infect your computer with malware that can ferret out sensitive information, such as your account numbers or passwords.”
There are myriad examples of such scams, including those perpetrated during high-profile sporting events. The Olympic Games earlier this year in South Korea were a target for multiple attackers, including some nation-state groups suspected of being linked to the governments of North Korea and Russia. And organizations routinely put out warnings about fraudulent ticket websites that crop up around such events as the Super Bowl and World Series. This summer, for example, security firms including Kaspersky Lab, Radware and Check Point issued warnings about phishing and other scams surrounding the 2018 FIFA World Cup in Russia. The threats ranged from ticket schemes and data theft to nation-state-sponsored cyberattacks.
Politics also is an easy target for scammers. A group of anti-malware researchers known as the Malware Hunter Team in September said it had detected a campaign named for former President Barack Obama that included both ransomware and malware used to mine the Monero cryptocurrency. The group also talked about similar campaigns leveraging the names of President Donald Trump and German Chancellor Angela Merkel.
This summer, researchers with Cisco Talos said bad actors who were likely part of the group of North Korean hackers called Group123 launched a spear-phishing campaign that took advantage of the summit between Trump and North Korean leader Kim Jong Un.
So, given all of this, it should not have been surprising that phishing campaigns cropped up during Hurricane Michael. What was unusual, according to Proofpoint analysts, was that, rather than trying to steal credit card numbers through fake donation websites or money through fraudulent donations, many of these campaigns sought to steal credentials--in some cases leveraging the Microsoft Azure cloud to host phishing templates.
“The phishing schemes stand out because the threat actors are directing recipients to credential theft pages for both corporate and personal email rather than credit card or financial theft,” the researchers wrote in a blog post. “This is consistent with dramatic increases we have observed recently in corporate credential phishing. However, this should also serve as a warning for recipients who are accustomed to entering email credentials to log into multiple services. Threat actors are capitalizing on both this desensitization and our desire to do good. While none of these are new tactics on their own, the combination is of interest to defenders and potential victims.”
Proofpoint’s Dawson said anyone looking to donate to a charitable organization or seeking help “should go directly to websites associated with known disaster relief organizations and should never enter webmail or social media credentials to enable donations.”
In addition, people should be wary of unsolicited emails about major events and avoid clicking on links or opening attachments from unknown senders even if they appear to relate to events of interest, he said. Organizations should use layered defenses at the email gateway, network edge and endpoint to protect against malicious content, links and other threats.