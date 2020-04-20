KUCHING: Social engineering attack is the easiest and fastest way to exploit an individual or organisation in Malaysia amidst the current Coronavirus Disease 2019 (Covid-19) pandemic fears, warned a global leader in broad, integrated and automated cybersecurity solutions.

In a statement, Fortinet pointed out that as the world is fixated on the global health emergency, cybercriminals are taking advantage of the fear and uncertainty to deploy social engineering scams and attacks on unsuspecting targets.

It noted that during the current pandemic, cybercriminals would typically try to manipulate those who attempt to provide financial support by creating fake charity websites in order to get donors to transfer money to help the victims, and with so many major events being cancelled, cybercriminals may also try to take advantage of this situation by luring them with phishing scams on refunds and fake news to get victims to reveal their credit card information.

Fortinet Malaysia country manager Alex Loh advised users to keep a ‘cyber distance’ by staying wary of suspicious requests, unknown attempts at contact, and unsolicited information.

“Malaysians have been practicing social distancing over the last few weeks to protect against viruses and illness. Likewise, we should consider cyber social distancing ourselves from attackers. Be the protector of your information, your networks, and your health.

“Social engineering constantly preys on humans, the only vulnerability that cannot be patched. Nobody is safe from these efforts – from administrative employees, contractors, and even business partners can be targets to obtain access to their networks and sensitive information, and for those who are connecting to the office through home networks, even children are potential targets. It is a perpetual bombardment, every day, every minute of the day,” he said.

There are six ways attackers are exploiting the Covid-19 Crisis for financial gain. Four ways via digital attacks are phishing or spearphishing, social media deception, pretexting, and waterholing, while two are phone-based: smishing and vishing.

Phishing or spearphishing are defined as email-based attacks that target everyone or a specific person or role within an organisation in order to entice individuals to click on malicious links or enter credentials or other personal information.

Through social media deception, adversaries create fake profiles to befriend victims while posing as a current or former co-worker, job recruiter, or someone with a shared interest on social media, especially LinkedIn. Their goal is to trick the victim into providing sensitive information or downloading malware to their device.

In pretexting, attackers focus on creating a good pretext, or a false but believable fabricated story, so that they can use it to pretend to need certain information from their target in order to confirm their identity.

WaterHoling is an attack strategy where attackers gather information about a targeted group of individuals within a certain organisation, industry, or region as to what legitimate websites they often visit. Attackers look for vulnerabilities in these sites in order to infect them with malware. Eventually individuals in the targeted group will visit those sites and then become infected.

Smishing is a text-based message attack that impersonates a legitimate source in order to lure a victim into downloading viruses and malware onto their mobile device.

Vishing, also known as voice phishing is a phone-based attack in which adversaries call a mobile phone pretending to be from a legitimate source, such as a bank, as a means to try and convince the target into divulging sensitive information such as credit card information or social security numbers. Tactics used by these scammers often rely on “caller ID spoofing”. ID spoofing allows them to generate phone calls that appear to be from a legitimate or local sources.

To protect one’s personal and proprietary information, Fortinet advocates the practice of five simple steps.

Firstly, be suspicious of any email or text message requesting sensitive information or financial transactions, especially third-party sources spreading information about Covid-19.

Secondly, hover over and review all hyperlinks prior to clicking to confirm they are from legitimate sources.

Thirdly, use multi-factor authentication for gaining secure access to sensitive systems and databases.

The fourth step is to ensure all browsers, mobile devices, and computer systems are updated with the most recent protections.

Last but not least, never re-use passwords across multiple accounts and devices. Password uniqueness and complexity are paramount to safeguarding against additional risk to networks.