Threat Intel Digest

June 2020

Scammers and COVID-19

Every holiday and major event brings its own wave of phishing emails, and COVID-19 is not a regular event but a global pandemic. Yes, the World Health Organization has officially declared COVID-19 a pandemic.

COVID-19 has set off a domino effect, shaking the global economy, global politics, and almost every aspect of daily life. On the digital security side, bad actors are exploiting it to add to that pain, running phishing campaigns against users who are already under stress. The attackers send emails that appear to come from HR with travel and health guidance, emails that appear to come from vendors selling masks and hand sanitizer, and emails on other COVID-19 topics. Some carry a malicious document that opens a back door on the user's computer, or a malicious Microsoft Word document that downloads and installs malware on the unsuspecting user's machine. Many of the phishing emails seen in the wild instead carry a suspicious link that leads users to further threats.


A Lateral Move

Attackers who already hold a valid password or access code can walk straight into a system. Brute-forcing credentials takes far longer to gain control of a computer, so bad actors usually take the easier path: stealing credentials that are already there.

One of the most common techniques for getting those credentials is credential dumping. Every operating system stores credentials somewhere, in one form or another, and protects them in a variety of ways; Windows, for example, keeps password hashes in the SAM database on disk and in the memory of the LSASS process. So the attacker first identifies the operating system they are dealing with, then uses the appropriate tools to collect and dump whatever credential material the machine holds. Dumped password hashes are often taken offline to be cracked, after which the attacker returns to the same computer (or others) and logs in with the recovered passwords. A faster route is Pass-the-Hash: because NTLM authentication proves possession of the password hash rather than the password itself, the attacker can authenticate with the stolen hash directly and skip cracking altogether. This is one reason to do day-to-day work as a regular user and reserve admin-level credentials for when they are needed: an administrator who logs in to a compromised workstation leaves a password-equivalent hash behind for the taking.