“There must be loads of cybercrime going on during this pandemic!”
This was a message from a former colleague of mine. I was thinking the same thing. However, like many people I’ve been struggling psychologically with the impact of the pandemic, so it took me a while to start digging into it.
The headlines are indeed worrying: “Criminals prey on coronavirus fears to steal £2m” being the latest from BBC News (more on that article later…)
In reality, the picture isn’t so clear. Of course, the first thing is to establish what we mean by “cybercrime”. Setting up a website to sell phony virus testing kits might be considered part of it, for example. But to keep things manageable for this article I’m going to focus on one key strand: the sending of spam email to spread viruses and steal money.
So there are three key questions: is more spam email being sent? Are more virus infections occurring? Are the cyber criminals making more money?
Is more spam email being sent?
Certainly, the criminals seem to be gearing up for a coronavirus campaign: the UK’s National Cyber Security Centre (NCSC) teamed up with the US Department of Homeland Security to release an advisory on COVID-19 exploitation by cyber criminals. It included a list of 2,500 scam websites created to cash in on the pandemic (coronavirusmap, covid19govt, etc).
And in the BBC report above, the editor of a privacy website claimed more than 62,000 had been registered in March alone.
But the registering of new scam websites has not, it appears, led to a boom in the number of dodgy emails being sent. Microsoft scans millions of inboxes daily and found around 60,000 COVID-19 related malicious attachments or URLs, which as they point out is less than 2% of the daily total. As they conclude: “the overall volume of threats is not increasing”.
That matches the assessment of the NCSC: “the overall levels of cybercrime have not increased”. Instead, the cyber criminals have simply switched tactics. Whereas before they might have sent out spam warning of an overdue tax payment, now it’ll be “urgent” coronavirus advice.
Question is: is the change of tactics proving effective? Are they getting more hits as a result?
Are more virus infections occurring?
The main virus mentioned by NCSC is Trickbot, which along with Emotet forms a pair of long-in-the-tooth hacking tools that allow criminals multiple options for exploiting an infected machine.
As far as I know there’s no official source for figures on these viruses. Secureworks, a subsidiary of Dell which counts some very large organisations among its 4,000-or-so customers, told me they’ve seen no significant rise in infections from either type of malware during the coronavirus pandemic.
Then there’s ransomware, the cyber criminals’ cash cow of choice over the last few years and a symptom that often results from a Trickbot or Emotet infection. Again, there’s no reliable, central repository of information about ransomware infection rates, but according to some sources, there’s actually been a decline. Cryptocurrency researchers Chainalysis state: “ransomware attacks — or, at least, ransomware payments — have decreased significantly since the Covid-19 crisis intensified”. The middle bit of that sentence is key – Chainalysis don’t look at infection rates themselves, but rather the ransom amounts being paid via currencies like Bitcoin – which brings us to the third question.
Are the cybercriminals making more money?
According to Chainalysis data on ransomware, no. They reckon ransoms paid in March ($500,000) were a third of their February figure. True, the amounts always vary massively month-to-month and February was unusually profitable – but if coronavirus was proving such a boon to ransomware peddlers, you wouldn’t expect to see March’s amounts drop off so heavily.
Part of the reason is the decline during the pandemic in the value of Bitcoin – still the leading ransomware currency. HODLers have seen its value almost halve in five days last month. And because most ransomware strains demand payment in a fixed cryptocurrency amount (a tenth of a Bitcoin, for example), rather than in dollars or pounds, the drop in value has hit them hard.
Of course, ransomware infections are not the only way to make money from spam. Trickbot and Emotet can hijack online banking sessions, so we may see a future jump in such thefts. But even without using viruses, you can use spam email to trick people into visiting a dodgy website and ask them for their credit card details, which is the kind of crime it seems was being referenced in that BBC article mentioned above. Let’s go back to it now.
It’s based on figures from Action Fraud, the UK police hub, which show £2m lost to coronavirus-related fraud this year. You’ll notice the figure is an absolute number rather than a proportion. There’s a good reason – the proportionate figure would make a far less dramatic headline, because according to Action Fraud UK victims lose about £17m every three months to cyber crime. Even that may be an underestimate: a few months before the coronavirus pandemic I was sent information from a contact which showed that in just one ward in London (population: 12,000) residents had lost £1m to cybercrime in a single month.
Of course, any losses from cyber crime are unacceptable, and having interviewed many fraud victims I deeply sympathise with those who lost money to scammers. But the evidence shows they’re not part of a coronavirus-related boom.
Is it all a myth?
In terms of general tech security risks, no. The sudden, unplanned shift to home working has created big headaches for IT managers who are furiously racing to secure their organisations. There will be breaches. Zoom chats that should have been private will be leaked.
In addition, some industries appear to be being disproportionately targeted by cybercriminals. Tech security firm Carbon Black, part of VMware, found a rise in financial institutions being hit (although that may be due to an uptick in activity by those behind the Kryptik virus).
Government hackers, too, have used coronavirus-themed emails as part of their everyday attempts to break into rival countries’ organisations.
But in terms of the bread and butter of cybercrime, the sending of spam email to infect machines and make cash, COVID-19 has apparently not created a bonanza.
So it’s a non-story? Not quite: the failure of such a boom to materialise might be a story in itself.
Given the potential for spammers to capitalise on coronavirus, their failure to do so raises an intriguing question: are they already operating at maximum capacity?
We tend to think of cybercrime as a computer-controlled business, but as Don Smith, director of Secureworks’ Counter Threat Unit, points out, for all its automation cybercrime is still ultimately run by humans.
Once you’ve used a virus like Emotet to wheedle money from someone’s computer, you have to transfer it to a bank account and, ultimately, extract the cash so you can spend it. All of that requires people (right down to the money mules who visit the ATMs and withdraw the banknotes). To increase turnover you have to recruit more people, and during the middle of a pandemic that’s not so easy.
It could well be coronavirus is hurting cybercrime as much as it’s helping it.