
The cybersecurity industry is in an 'arms race' to use AI and stop a huge surge in hackers trying to exploit the coronavirus crisis to steal passwords

Online scams are proliferating at an unprecedented rate during the coronavirus crisis, researchers say. Jens Büttner/Getty Images

  • Cybersecurity researchers are citing a historic high in the number of business email scams exploiting the coronavirus to try to steal information.

  • The volume of emails is particularly dangerous because it is coupled with convincing counterfeit branding that disguises the ploys as official messaging.
  • This phishing epidemic is made possible by kits bought and sold on the dark web that enable untrained criminals to send sophisticated scam emails.
  • Cybersecurity companies are using AI to find and weed out scam emails by finding counterfeit branding marks – but users also need to scrutinize emails closely. 

A historic surge in "phishing" email attacks exploiting the coronavirus is using sophisticated techniques to pump out highly convincing fakes of legitimate emails. Cybersecurity pros are using AI to weed out the scams in an "arms race" being waged in the business email inboxes of remote workers around the world.

Researchers at the cybersecurity firm Proofpoint are citing "the greatest collection of attack types united by a single theme that our team has seen in years, if not ever."

The Silicon Valley cybersecurity company, which focuses on email, social media, and mobile security, says it has observed new highs in the number of phishing attempts — business email scams that try to lure recipients into clicking on attachments and links that allow criminals to steal credentials; specifically, the email addresses and passwords you use to sign into accounts. 

"Criminals have sent waves of emails that have ranged from a dozen to over 200,000 at a time, and the number of campaigns is trending upwards," says Sherrod DeGrippo, the company's senior director of threat research and detection. The company says it is tracking three or four new campaigns a day in English, French, Italian, Japanese, Turkish, and more languages.

More than 189,000 people have been infected with coronavirus in the current global outbreak and nearly 7,500 have died. The US has reported 94 deaths. As a result, an unprecedented amount of the global workforce is working from home, triggering significant cybersecurity issues as employees and their computers are often left undefended by firewalls and other security measures.

Volume coupled with a new sophistication

The number of these attacks is coupled with a new level of sophistication, researchers say. Proofpoint cites "highly-advanced social engineering lures offering coronavirus information."

Some of these emails are convincingly disguised as branded emails from senders like the worker's employer, Microsoft, or health agencies. 

A crafty tactic to watch for is a real, secure link such as https://www.cdc.gov/ spelled out fully in an email, which actually sends the recipient to a fake site without the "https" prefix. No links in virus emails should be automatically trusted, experts say.

A scam email exploiting the coronavirus purports to be from the World Health Organization. Courtesy Proofpoint

Due to the spike in remote workers, Proofpoint "fears a shift in attacks with lures around cloud storage and fake corporate intranet sites, and attempts to access unsecured home WiFi networks."

"Employees working from home are at greater risk in some cases because they're no longer behind company-controlled network protections like firewalls," DeGrippo says. "Those who have switched to working from home should pay close attention to the advice and guidance from their information security and IT departments."

Crafty disguises cranked out in automated programs

Dave Baggett, CEO of the corporate email security firm INKY, says the quality of the branded phishing emails is what sets the latest coronavirus email attacks apart.

"They are believable, up-to-date, and responsive to something people are worried about," Baggett says. 

Criminals are selling kits on the dark web that allow untrained scammers to send sophisticated branded emails with links that appear to be from official health agencies, but actually go to replica websites that steal your information, Baggett says. Ordinarily such kits appear periodically on the dark web. In the past two weeks perhaps a dozen different kits like this have appeared, he says. "They are completely automated, and the rapidity of their appearance is striking."  

Baggett's company fights that automated volume of fake emails with artificial intelligence that has been trained to look for fake brands by checking that fonts and colors are accurate. If they are not, the AI moves those emails to a spam filter, or adds a text alert to the top of the email. When users mark more emails they receive as fake, the AI algorithms continue to learn. 

Microsoft Outlook and Google's Gmail also use AI to weed out counterfeit emails in their enterprise products. 

'An arms race' in your inbox

If the surge in scams is an irresistible force, the new AI tools are an immovable object. "It's an arms race," Baggett says.   

Criminals are following the virus to vulnerable communities, according to a report from Recorded Future, a cybersecurity research firm, hitting Italy, Iran, and the US with emails that purport to be from the US Centers for Disease Control and Prevention and the World Health Organization. One email disguised as a WHO alert is estimated to have reached 10% of Italian businesses. 

As a result, the US Federal Trade Commission has suggested people visit the known WHO and CDC websites directly rather than clicking on any link in an email that seems to go to those organizations.  

New research from the San Francisco email security firm Abnormal Security has found that students as well as businesses are being targeted. A new phishing campaign is sending emails that appear to be from universities announcing campus virus news. But links in the emails that spell out a legitimate web address lead instead to a malicious link. 
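The mismatch described here and in the CDC example earlier, where a link's visible text spells out a legitimate address but the link goes somewhere else or drops the "https" prefix, can be checked mechanically in an HTML email body. The Python below is an added example, not code from any of the firms quoted; the sample HTML, its example.test host, and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself written as a web address.
URL_TEXT = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _parts(url):
    # Bare "www.cdc.gov" has no scheme; prefix "//" so urlsplit finds the host.
    split = urlsplit(url if "://" in url else "//" + url)
    return split.scheme.lower(), (split.hostname or "").lower()

def find_mismatched_links(html_body):
    """Flag links whose displayed address differs from where they really go."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not URL_TEXT.match(text):
            continue  # text such as "Read more" makes no claim about the target
        (shown_scheme, shown_host), (real_scheme, real_host) = _parts(text), _parts(href)
        if shown_host != real_host:
            findings.append((text, href, "host mismatch"))
        elif shown_scheme == "https" and real_scheme != "https":
            findings.append((text, href, "https downgraded"))
    return findings

# Constructed sample body; the example.test host is a placeholder.
SAMPLE = """
<p>Guidance: <a href="http://cdc-updates.example.test/login">https://www.cdc.gov/</a></p>
<p><a href="http://www.cdc.gov/">https://www.cdc.gov/</a></p>
<p><a href="https://www.cdc.gov/">https://www.cdc.gov/</a> <a href="https://www.who.int/">Read more</a></p>
"""
```

Calling `find_mismatched_links(SAMPLE)` returns two findings: the first link points at a different host than it displays, and the second displays "https" but loads over plain "http".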

Experts give this advice in fighting virus-themed phishing: 

  • Do not click on any link in an email about coronavirus unless you are sure you know the sender. 
  • Do not click on any attachments to emails about the coronavirus unless you double check with a sender you know. 
  • Go directly to an official website with a secured https web address if you want virus news. Do not click on a link in an email or social media post. 
  • If you receive a branded message, scrutinize logos, fonts, and language. Do not assume that a branded email is actually from a business or organization. 
  • If you click on a link or attachment you suspect is malicious, contact your company's IT or security staff.  