By: Nikhil Mahadeshwar
All of us recently read about the Twitter hacks of the richest men in the world by bitcoin hackers. But what did not make news was the money lost by the common man, Mr. Sharma within India, whose money was more valuable to him during this lockdown than it was to Bill Gates and Elon Musk, both billionaires with little of their wealth to lose. At the same time as the billionaires were facing their minor hacks, India was prey to a disproportionate number of cyber-attacks due to tensions between India and China. According to an advisory circulated by the Maharashtra Cyber Cell last month, citing statistics available in the public domain, more than 40,000 cyber-attacks were attempted on India by China in the last few months. Predominantly, critical IT infrastructure and the banking industry were targeted in these attacks, and most of them originated from Chengdu, China.
With the help of techniques such as ‘threat intelligence technology’, it has become possible to predict future attacks and even stop some of them, if your intelligence is actionable. Threat intelligence technology can also track and provide records of ‘region to region’ cyber-attacks. Indians remain soft targets due to our innate reluctance to pay for security. As a culture, we do not believe in paying for services for prevention; we only pay for a cure or a solution. This will be an expensive habit given this particular threat to data security, as most of the Indian population is unaware of the myriad ways in which they can become victims.
Expanded tactics and targets
Denial-of-service (DoS) and phishing attacks were launched against critical Indian IT and banking infrastructure. In DoS attacks, a huge volume of traffic (gigabytes) is generated which the infrastructure is unable to handle, leading to a service shutdown. In ‘phishing’ attacks, fake links are created either to collect the data of an individual or an organization or to obtain credit or debit card details. This data is then sold on the dark web. Cybersecurity experts and threat intelligence analysts also noticed a recent spike in fake domain names registered during COVID-19 to target victims with phishing attacks. These domains offered fake medicines for COVID-19 treatment and surreptitiously collected money from people who were searching for corona medicines on the web. Some cybercriminals were doing this on the dark web so that they could not be traced by the authorities.
As people increased their usage of streaming apps like Netflix and Amazon Prime in the lockdown, cybercriminals have targeted them too. Fake links promising free or discounted prices are sent to potential victims and made viral. Hapless victims are prompted to enter their credit card credentials on the assurance that the card will not be charged, as the information is needed only for verification. Unsuspecting victims enter their credit and debit card credentials, and this is how all their details are compromised. Plain naiveté and greed for free Netflix and Amazon Prime accounts lead people to fall prey to these phishing attacks and compromise their financial details. Another ingenious method is to give you a fake version of a free video streaming app with a spy application bound to it in stealth mode, which in turn spies on your smartphone. This data is further used for cyber extortion. Fake links were created in the name of the PM Cares Fund and millions of dollars were collected using these fake links.
Work-from-home employees were targeted in this pandemic by fake emails from their superiors at work, soliciting confidential information and leading them to download malicious attachments for ransomware attacks, which result in the encryption of their critical financial and personal data. This type of attack is called an email phishing attack. The data will be decrypted only if you pay a ransom in bitcoins to the attacker. Bitcoin is a non-traceable currency; you cannot trace the attacker either. The healthcare industry was a major target for ransom attacks during this pandemic situation, as hospitals could not afford to keep their data encrypted for a long time. Hospital data may include reports of COVID-19 positive patients and of other patients too, which is sensitive data. If the data is not decrypted, hospitals cannot resume their operations. Hence, they end up paying the ransom to cybercriminals just to get their data decrypted and resume operations.
A country and work culture unprepared
It is human nature to ignore perceived risks until we face some life-changing incident. For example, when the Indian government launched the Aarogya Setu app, hackers all over the globe discovered critical vulnerabilities in the app. Some attackers hacked the data of COVID-positive patients in Karnataka State and tweeted it, hiding a few details. After this attack and a few other similar attacks on the Aarogya Setu app, the Central Government initiated a ‘bug bounty’ program of up to INR 3 lacs for reporting critical vulnerabilities in the Aarogya Setu mobile app. Similarly, most organizations were not prepared for a ‘work from home’ environment, and employees were not trained to identify such attacks. A major amount of critical data that was never allowed to be taken home is now being allowed out due to the lockdown situation. Despite all this, the Government of India has not mobilized any large-scale campaign to educate the masses on how their data is under threat.
Earlier, data security was designed around office network infrastructure and not work-from-home infrastructure, so the data remains vulnerable, as most WFH employees are on open networks. When we receive fraudulent links, we forward them out of habit without even verifying the information. By doing so we help attackers promote such phishing links and put our data at risk. Data that was only allowed to be transmitted on office assets is now being transmitted using the personal phones and laptops of employees working from home. Whether a Government or a private organization, no one was fully prepared to face such cyber-attacks, and the resulting financial loss was unanticipated. You cannot see this invisible threat coming in, but you can see the outcome in terms of data and loss of funds.
Prepare for the next wave
The use of anti-phishing solutions will minimize the risk of being a victim of phishing attacks. Imagine if we could scan any suspicious link before clicking on it. With such solutions, we may save our data from being hacked and avoid becoming victims of phishing attacks. Also, if we verify the email address before responding to any email from a known or unknown person or organization, we may minimize the risk of falling prey to email phishing attacks. Deploying data leakage protection solutions on company assets that are provided to employees for work from home can also minimize threats. Deploying robust monitoring policies for threat intelligence and creating a reporting structure for reporting threats goes a long way towards helping companies secure their critical data.
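The sender verification described above can be partly automated. The following is an added example, not part of the original article: a Python sketch that flags a message "from a superior" when the address does not match the one on record. The domain `example.com`, the directory entry, the similarity threshold and both sample messages are constructed assumptions.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's real mail domain and directory.
TRUSTED_DOMAINS = {"example.com"}
DIRECTORY = {"anita rao": "anita.rao@example.com"}  # display name -> address on record

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_sender(raw_message):
    """Return reasons to distrust the sender; an empty list means no flag was raised."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = domain_of(addr)
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append("external-domain")
        # A near-miss of a trusted domain (examp1e vs example) suggests a lookalike.
        for good in sorted(TRUSTED_DOMAINS):
            if difflib.SequenceMatcher(None, domain, good).ratio() >= 0.85:
                findings.append("lookalike-of:" + good)
        # Punycode labels can render as characters that imitate Latin letters.
        if any(label.startswith("xn--") for label in domain.split(".")):
            findings.append("punycode-domain")
    # A known colleague's name on an address that is not the one on record.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected != addr:
        findings.append("display-name-mismatch")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append("reply-to-differs")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Anita Rao" <anita.rao@examp1e.com>\n'
           "Reply-To: accounts@mailbox.invalid\n"
           "Subject: Urgent: send the payroll sheet\n\nPlease share today.\n")
GENUINE = ('From: "Anita Rao" <anita.rao@example.com>\n'
           "Subject: Weekly review\n\nAgenda attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw))
```

Header checks like these only cover what the sender chose to write in the message; an empty result is not proof that a message is genuine.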
Large organizations may already be conducting these exercises, but in this situation, small and medium-sized businesses and individuals also need to work on the same, as they have more to lose, with limited resources to fight this threat. The risk is higher at organizations where business processes are outsourced, as it is unclear whether the outsourcing partners have any such solution in place or are prepared for a work-from-home infrastructure with adequate security protocols for data protection and cybersecurity threats. In most cases, human error is the biggest loophole in information security.
Individuals at risk as much as organisations
Organizations have deployed some basic data security for business assets, but the same vigilance is required on personal phones and laptops which employees are using to transmit critical data. We take our smartphones everywhere, from the bedroom to the boardroom. Adequate solutions should be deployed on all employees’ personal phones and laptops too as nobody is free of this risk and the Government is not allocating the necessary safeguards or awareness from an institutional standpoint to safeguard citizens from these threats.
Training should be given to employees on a regular basis about how they can identify such attacks and report the same to the concerned authorities, which in this case is the State Police’s Cyber Crimes Cell and nothing more. As an individual or a small business or an organization, using free security apps for securing your data is sometimes more dangerous than not using any. With free solutions, you may get something malicious with spyware bound within the app and you may lose your personal or professional data, without ever knowing it existed.
More than Digital India, the Government should be pushing for a ‘Digitally Secured India’. As we start inculcating a culture where we value data and personal security as a precautionary step and not as a cure, we must constantly prepare ourselves for asymmetric attacks from our neighbors and safeguard our data. As someone so eloquently put it a few years ago, data is the new oil. Indeed, this holds true even for the middle-class common man whose savings are being stolen using his own WhatsApp messages.
Nikhil Mahadeshwar is a Certified Security Analyst, Computer Hacking Forensics Investigator, Certified Threat Intelligence Analyst and ISO 27001: 2013 ISMS Lead Auditor
2014 The Global Indian New Network (TGINN)