Threat Advisory: SMS Phishing Cyber Attacks & Telework Exploits

April 8, 2020

Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete threat advisory tracking various threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. The full advisory can be found here.

Recently, there has been an increase in the use of SMS phishing and Telework Infrastructure Exploits to execute cyber attacks.

SMS Phishing

According to CISA’s latest alert, COVID-19 related cyber attacks that use SMS phishing have been found to use the UK government as a “lure to harvest email, address, name, and banking information. These SMS messages—purporting to be from ‘COVID’ and ‘UKGOV’ include a link directly to the phishing site”.

Threat actors have also leveraged WhatsApp and other messaging mobile applications to target unsuspecting individuals. Herjavec Group recommends not to click on any links sent through texts from senders claiming to be a government agency. Always open a new browser tab and type in the government agency’s name to check for updates regarding the COVID-19 outbreak.

Exploiting Teleworking Infrastructure

Given the global pandemic, many organizations have deployed new networks and infrastructure to establish a secure remote workforce.

In order to take advantage of this shift, threat actors are beginning to exploit known vulnerabilities in VPNs and other remote working tools.

For example, CISA and NCSC have noticed a rise in threat actors scanning for known vulnerabilities in Citrix, particularly CVE-2019-19781. 

In addition, as organizations increase their reliance on Microsoft’s Remote Desktop Protocol (RDP), there has also been an increase reported in the number of cyber attacks on unsecured RDP endpoints, such as those exposed to the Internet.

Mitigation Strategies

At this time, Herjavec Group recommends that organizations and cybersecurity professionals continue to follow best practices to avoid telework exploits and mitigate phishing attacks:

  1. Follow vendor best practice advice to mitigate any VPN or technology-specific vulnerabilities. Install appropriate updates as soon as possible and follow vendor mitigation advice. Herjavec Group Managed Security Services customers can rest assured that our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you.
  2. Be aware of the common indicators of phishing attempts, such as:
    1. Suspicious sender’s address: The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters. 
    2. Generic greetings and signature: Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
    3. Spoofed hyperlinks and websites: If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
    4. Spelling and layout: Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
    5. Suspicious attachments: An unsolicited email requesting a user to download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
  3. Ensure your employees follow best practices to mitigate phishing attacks:
    1. Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
    2. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
    3. Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes clicking on any links sent in the email.
    4. Don't send sensitive information over the Internet before checking a website's security.
    5. Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http”.
    6. Look for a closed padlock icon—a sign your information will be encrypted.
    7. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use the contact information provided on a website connected to the request; instead, check previous statements for contact information.
    8. Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
    9. Take advantage of any anti-phishing features offered by your email client and web browser.

Herjavec Group’s complete Threat Advisory on how organizations can mitigate cyber attacks that leverage the Coronavirus pandemic (including a summary of IOCs relating to known malware families, and domains specific to COVID-19) can be reviewed here.

For more information on how Herjavec Group can help your organization with an emergency preparedness plan, or secure remote access solutions, please connect with us.

Herjavec Group circulates US – CERT/CISA advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn