The COVID-19 pandemic has catalyzed the adoption of new transactional technologies by many businesses, but new technology brings new risk. Since the pandemic began, many companies have turned to cryptocurrency, near-field communication (NFC) and QR code scanning to meet demand; however, many cybercriminal groups have adapted their tactics, techniques and procedures (TTPs), frequently relying on redirection, to profit from the largely untested rollout of these technologies.
This article highlights three transactional technologies that have become prevalent during the pandemic, the risks of using them, and how to avoid falling victim to cyberattacks when doing so.
Cryptocurrency
Cryptocurrency is a digital or virtual currency that uses cryptography to secure and verify transactions and to control the creation of new units. Before the pandemic struck, it had gained popularity among users purchasing goods in non-traditional markets; the COVID-19 pandemic has driven its expansion into traditional retail markets. This increased usage has drawn the attention of cyber threat actors who wish to exploit it for profit.
The Lazarus Group, to which many major financial breaches have been attributed and which has purported ties to North Korea, has begun launching concerted phishing attacks through LinkedIn ads during the pandemic. A notable tactic in this campaign is a tailored version of Mimikatz, the credential-harvesting tool, that looks specifically for credentials tied to cryptocurrency wallets; the attackers harvest those credentials and cash out in cryptocurrency.
Although cryptocurrency transactions are still a smaller market than traditional transactions, malware has made them easier to attack. To adapt, cryptocurrency ledgers should implement risk models similar to those of traditional banks, monitor for anomalous activity at both the institution and customer level, determine the maturity of the cryptocurrency and its ledger, and scrutinize the endpoint devices on which transactions take place.
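The monitoring recommended above is the kind of rule set a custodial ledger or exchange runs over outgoing transfers. The following is an added example, not code from the article or from Redpoint: it scores a constructed list of withdrawals per account against three simple rules (a never-seen destination address, an amount far above the account's historical median, and a burst of withdrawals in a short window), which together describe the wallet-draining pattern a credential-theft campaign like the one above produces. The account names, addresses, amounts and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Withdrawal:
    account: str
    amount: float   # native units of the asset
    dest: str       # destination address (placeholder strings here)
    ts: datetime


# Constructed sample ledger, not real transaction data.
SAMPLE = [
    Withdrawal("acct-1", 0.10, "addr-A", datetime(2020, 9, 1, 9, 0)),
    Withdrawal("acct-1", 0.12, "addr-A", datetime(2020, 9, 3, 9, 0)),
    Withdrawal("acct-1", 0.09, "addr-B", datetime(2020, 9, 5, 9, 0)),
    Withdrawal("acct-1", 0.11, "addr-A", datetime(2020, 9, 8, 9, 0)),
    # Burst to a never-seen address, far above baseline, at an odd hour:
    # the shape of a compromised wallet being emptied.
    Withdrawal("acct-1", 2.50, "addr-Z", datetime(2020, 9, 10, 2, 0)),
    Withdrawal("acct-1", 2.40, "addr-Z", datetime(2020, 9, 10, 2, 4)),
    Withdrawal("acct-1", 2.45, "addr-Z", datetime(2020, 9, 10, 2, 7)),
]


def score_withdrawals(events, amount_multiplier=5.0, window=timedelta(minutes=15),
                      max_in_window=2, min_history=3):
    """Return a list of (withdrawal, reasons) for every event that trips a rule.

    Thresholds are illustrative assumptions; a real risk model would tune them
    per asset and per customer segment.
    """
    events = sorted(events, key=lambda e: e.ts)
    history = defaultdict(list)    # account -> amounts seen so far
    known_dest = defaultdict(set)  # account -> destination addresses seen so far
    recent = defaultdict(deque)    # account -> timestamps inside the sliding window
    alerts = []
    for e in events:
        reasons = []
        past = history[e.account]
        enough_history = len(past) >= min_history
        # Rule 1: first payment to an address this account has never used.
        if enough_history and e.dest not in known_dest[e.account]:
            reasons.append("new-destination")
        # Rule 2: amount far above the account's own historical median.
        if enough_history and e.amount > amount_multiplier * median(past):
            reasons.append("amount-outlier")
        # Rule 3: too many withdrawals inside the sliding window.
        q = recent[e.account]
        while q and e.ts - q[0] > window:
            q.popleft()
        q.append(e.ts)
        if len(q) > max_in_window:
            reasons.append("velocity")
        if reasons:
            alerts.append((e, tuple(reasons)))
        # Update baselines only after scoring, so an event cannot whitelist itself.
        past.append(e.amount)
        known_dest[e.account].add(e.dest)
    return alerts


if __name__ == "__main__":
    for w, why in score_withdrawals(SAMPLE):
        print(f"{w.ts:%Y-%m-%d %H:%M} {w.account} {w.amount:>5} -> {w.dest}: {', '.join(why)}")
```

Note that the baselines are updated only after an event is scored; otherwise the first large transfer to the new address would immediately make that address "known" and the amount part of the median, silencing the rules for the rest of the burst.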
Near Field Communication (NFC)
Another method deployed to reduce physical contact and support transactions during the pandemic is NFC, a short-range radio technology that occupies the same part of the electromagnetic spectrum as Bluetooth and Wi-Fi. Because it operates at very low speeds and over a short range, NFC is well suited to contactless payment and is generally very secure.
Unfortunately, malicious hackers are always researching new exploits to monetize. An attack against contactless payment technology would require an attacker to modify or replace the payment reader and then transfer funds from the victim to an account the attacker controls.
The best way to protect yourself from NFC cyberattacks is to enable multi-factor authentication (MFA) for contactless payments. This mitigates risk by ensuring that the authorized user is the one initiating the contactless payment. Also use contactless payment only with a trusted vendor, and always verify that the payment reader has not been tampered with. User education, in addition to security controls, is pivotal to informing users about the security of an NFC transaction. Users should keep their device fully up to date, verify the payment method, ensure the payment method (Apple Pay, Google Pay, etc.) is properly configured, and confirm that the endpoint device ingesting the transaction data belongs to the vendor with whom they wish to transact. Although there is little visibility into the client endpoint, the risk of data exfiltration deserves the same level of stewardship as a credit card transaction, for instance, so the following precautions are good reminders for Android users:
Both sending and receiving devices must have NFC and Android Beam activated.
Neither of the devices should be asleep or locked.
You’ll get both audio and haptic feedback when the two devices detect each other.
Do not separate your devices until the beaming has started.
You’ll hear audio feedback when the file or content has been successfully beamed.
QR Codes
QR code usage has also skyrocketed in response to the pandemic. QR codes make it easy to present complex data to an end user with a single scan.
However, QR code usage can be risky if you haven’t taken the necessary steps to protect yourself.
Phishing through QR codes (or “QRishing”) occurs when attackers modify a legitimate QR code so that it encodes their own link. This can be done by simply altering the QR code image with a variety of tools. The attackers then create a custom landing page meant to dupe the end user; this can be especially hard for users to recognize because mobile devices often display shortened links and the landing page often closely resembles the intended destination. Once the user arrives on the landing page, credential or other input fields lure the unsuspecting user into entering personal information.
Another misuse of the technology is to distribute malware via a drive-by download attack. As with QRishing, the user is prompted to visit a website and download software onto their device, framed as a routine process. Once there, any user input may result in malware being downloaded onto the device, giving the attacker the potential to access their information, perform reconnaissance, exfiltrate data and even enlist the device in a botnet. A botnet is a group of internet-connected devices – workstations, mobile devices or even home assistant devices – that, once compromised, can be controlled as a cluster, unbeknownst to their owners, and used for malicious purposes.
Individuals are not the only targets of QR code attacks; they can also be carried out at a much larger scale against industrial QR code users.
Large companies use QR codes as a quick way to manage and track warehouse or shipping inventory and can just as easily fall victim to these attacks. Real-time asset/inventory management is crucial to ensure a malicious QR code is not inserted into the workflow. With cyberattacks on the rise during the pandemic, social engineering has become a quick way to gain access to a company’s secure network: an unscrupulous individual need only hand one person a package with a doctored QR code to get it into asset circulation. Once scanned by a computer, that QR code could be the initial attack vector for a much larger breach and eventually a ransomware campaign.
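A doctored label only becomes an attack vector if the system behind the scanner trusts whatever the code contains. Most warehouse scanners act as a keyboard wedge, typing the decoded payload into the active application, so the inventory software should accept nothing but a well-formed tag that exists in its own asset registry. The following is an added example, not code from the article or from Redpoint; the tag format (`INV-` plus eight digits plus a two-letter site code), the registry contents and the rejection reasons are assumptions for illustration.

```python
import re
import unicodedata

# Hypothetical tag format for this example: INV-<8 digits>-<2-letter site code>.
TAG_RE = re.compile(r"\AINV-(\d{8})-([A-Z]{2})\Z")
# Anything with a URI scheme (https:, mailto:, ...) can never be an asset tag here.
SCHEME_RE = re.compile(r"(?i)\A[a-z][a-z0-9+.-]*:")
MAX_LEN = 64

# Constructed asset registry standing in for the inventory database.
REGISTRY = {
    "INV-00012345-WH": "pallet 17, bay C",
    "INV-00012346-WH": "pallet 18, bay C",
}


def validate_scan(payload, registry=REGISTRY):
    """Return (accepted, reason) for one scanned payload.

    Only a tag that matches the expected format exactly and is already known to
    the registry is accepted; everything else is rejected with a reason that the
    caller can log and alert on.
    """
    if not isinstance(payload, str):
        return False, "not-text"
    # A keyboard-wedge scanner types whatever the code contains. Control characters
    # (an embedded Enter that submits a form, escape sequences, tabs that move focus)
    # must never reach the application, so reject them before anything else.
    if any(unicodedata.category(ch).startswith("C") for ch in payload):
        return False, "control-characters"
    if len(payload) > MAX_LEN:
        return False, "too-long"
    if SCHEME_RE.match(payload):
        return False, "looks-like-uri"
    if not TAG_RE.match(payload):
        return False, "bad-format"
    if payload not in registry:
        return False, "unknown-asset"
    return True, "ok"


def process_scans(payloads, registry=REGISTRY):
    """Split a batch of scans into accepted tags and rejected (payload, reason) pairs."""
    accepted, rejected = [], []
    for p in payloads:
        ok, reason = validate_scan(p, registry)
        (accepted if ok else rejected).append(p if ok else (p, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed batch: one good tag, one tag carrying an injected newline,
    # one label that encodes a web link, one tag nobody registered.
    batch = ["INV-00012345-WH", "INV-00012346-WH\n",
             "https://updates.example.invalid/firmware", "INV-99999999-WH"]
    good, bad = process_scans(batch)
    print("accepted:", good)
    for payload, reason in bad:
        print(f"rejected {payload!r}: {reason}")
```

The check deliberately does not strip or normalise the payload before matching: trimming a trailing newline would hide exactly the kind of injected control character a doctored label relies on, and the rejection reason is what the asset-management team needs to see in a log.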
To defend against QR code attacks, make sure to take the following steps:
Scrutinize the landing page. Verify the URL to which you are being redirected and ensure the website uses proper encryption (TLS/HTTPS).
Dissemination Control. Do not provide more information than you were originally expecting to give.
Privacy. Ensure all requested personal and financial data is part of the service you are prompted to use with the QR code.
Integrity. Check with the specific, reliable vendor to ensure that the landing page and the data it requests are correct.
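The first step, scrutinizing the URL a QR code points to before opening it, can be made mechanical. The following is an added example, not code from the article or from Redpoint: it takes the text decoded from a QR code and reports the properties a user or a corporate scanning app should treat as red flags, covering the HTTPS check named above plus the shortened-link problem mentioned earlier (a public shortener hides the real destination) and a few URL tricks that make a link look like the expected vendor when it is not. The expected vendor host and the sample links are constructed; the shortener domains are real public services.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the vendor host the user expects this QR code to lead to.
EXPECTED_HOSTS = {"menu.example-cafe.test"}
# Well-known public link shorteners; a shortened link hides the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}


def host_matches(host, allowed):
    """True if host is one of the allowed names or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def scrutinize_qr_url(payload, expected_hosts=EXPECTED_HOSTS):
    """Return the list of red flags for a decoded QR payload; an empty list means
    the link is HTTPS, points at the expected vendor and uses none of the usual
    look-alike tricks."""
    findings = []
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no-host")
        return findings
    # user:password@host syntax lets the part of the link a user reads first
    # differ from the host the browser actually connects to.
    if parts.username is not None or parts.password is not None:
        findings.append("credentials-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")  # legitimate vendors use names, not raw IPs
    except ValueError:
        pass
    # Internationalised labels can render as look-alikes of the expected name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")
    if host_matches(host, SHORTENERS):
        findings.append("link-shortener")
    try:
        port = parts.port
    except ValueError:          # malformed port string
        port = -1
    if port not in (None, 443):
        findings.append("nonstandard-port")
    if not host_matches(host, expected_hosts):
        findings.append("unexpected-host")
    return findings


if __name__ == "__main__":
    # Constructed payloads: the vendor's own link, a shortened http link, and a
    # link whose leading text mimics the vendor but resolves to a raw IP address.
    for link in ["https://menu.example-cafe.test/table/12",
                 "http://bit.ly/3abcdef",
                 "https://menu.example-cafe.test@192.0.2.10/pay"]:
        flags = scrutinize_qr_url(link)
        print(f"{link}: {'OK' if not flags else ', '.join(flags)}")
```

The allowlist is the part that does the real work: every other check only explains why a link that fails it looks plausible. A corporate scanning app would populate it from the vendors the business actually deals with, which is also what the Integrity step above amounts to when done by hand.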
Unscrupulous cyber actors are consistently attempting to circumvent legitimate processes, especially during this pandemic. Technology, while useful in facilitating public health guidelines, can also be a means by which cybercrime syndicates or state-sponsored actors may exploit human nature for profit. The pandemic has disrupted life beyond anyone’s imagination. However, the risks posed by the new technologies can be reduced and new threats can be mitigated.
Find out how Redpoint proactively counters these and other emerging threats for individual users and enterprises with preemptive security controls on both network and end-user devices.
Sergio Orellana is the Director of Breach Response at Redpoint Cyber and an experienced security professional in both commercial and government environments. Connect with him about emerging cyber threats, proactive security, and French Bulldogs on Twitter and LinkedIn.