COVID-19 phishing scams have skyrocketed over the past weeks, as hackers exploit anxiety and faltering vigilance in this strange new working world.
But our analyst Diego Valero Marco is fighting back with his DROPi tool, enabling CISOs to give remote teams the power to detect and avoid malicious COVID-19 domains.
New tool to protect against COVID-19 phishing scams
Interviewer: Diego, you’re an experienced cyber security Managed Detection and Response (MDR) specialist – can you give us a brief sense of why this positions you strongly to develop a tool that protects remote workers from COVID-19-themed phishing scams?
Diego: Well, it was more of a natural thing I would say; the MDR team decided to start monitoring phishing domains for our customers, so I just had the idea of transforming that thought into a proactive initiative. Instead of waiting for clients to click on links and generate a ticket after the event, we could just omit that ticket and directly help them through their browser.
Interviewer: But remote working isn’t new – so tell us why a phenomenon like COVID-19 potentially means CISOs face a far greater remote working risk than they did before.
Diego: This is down to a couple of things. Firstly, it has to do with the reasons individuals open phishing mails and type their details in – the goal of an attacker is always to take people out of the head space where they are thinking carefully about every decision, and into a situation where they are reacting without thinking. A global pandemic causes individuals to be afraid and distracted, and this makes people more likely to click.
Secondly, end users need to be supported by security controls, and those controls need to be tested and evidenced. These controls are most often layered through the traditional perimeter, meaning that, in the current situation, both the users and the security defenders are in fact remote from their defences. Users need more help and support when they are on their own, not less!
Interviewer: How were you able to spot the malicious activity gathering around COVID-19? What kind of monitoring and intelligence do you have in place to see, track and understand these trends as they emerge?
Diego: We are currently content matching against a number of different sources. These include a bot to crawl new domain name registrations containing key words like ‘COVID’ and ‘coronavirus’, and checking with urlscan afterwards for potentially suspicious domains, and a number of other data sources, together with looking at domain registration data to find the latest domains.
Interviewer: Your response to the rising threat you spotted was to build a unique tool – DROPi – that helps keep workers safe from hackers’ attempts to capitalise on people’s fear and anxiety around the pandemic. Can you explain briefly how the tool works, what it does, and why remote workers in particular can benefit from using it?
Diego: Using it is easy: you just need to install it on your browser and it will silently check domains visited (in real time) against the database we maintain, and will generate an alarm if we spot something suspicious in the user’s browser. It is meant to alert the user as they visit the suspicious domain, but we will not block or interfere with the user’s action at any time; hopefully the alert will cause the user to be extra cautious of that domain.
This is also helpful for remote users as many people right now may be using their personal laptops as work laptops, meaning if that endpoint is not logged properly, and they did already have some malware in their systems, DROPi could flag suspicious connections to the domains we have mentioned, alerting the end user that something untoward was happening, despite the device not being defended by the corporate security estate.
Interviewer: You created the tool very rapidly, from scratch – how do you and your team manage to be so technically agile?
Diego: I would like to use this question to properly thank my co-developers Andrea and Lukasz. To be completely honest, at first we started with a totally different project and changed the idea to DROPi after the first day and a half of a Hackathon we were participating in. I would say communication is key – we spent a lot of hours on Discord talking and planning what we needed to build everything.
Interviewer: How many instances of malicious activity has DROPi successfully managed to flag and/or block? How many remote workers do you estimate it has kept protected in this way?
Diego: We have in our database more than 200k domains flagged as suspicious, but that said, the app is not collecting any kind of information from the user to remove any privacy concerns and make it easy for all customers to adopt it. We’ve had great feedback and thank-yous from a number of customers.
Interviewer: Can DROPi potentially be adapted – either by you or by organisations you choose to partner with – to tackle phishing activity around other high-profile social phenomena too?
Diego: We are already working on a version 2 for DROPi with a new idea (watch this space!). The good thing about this tool is that it can be adapted to track anything we want – it’s a browser extension with a MySQL database on the back-end, and that simplicity enables us to modify it however it’s needed to track any other campaigns or social phenomena if we want to.
Interviewer: And finally, where does a remote worker go to start using the tool?
Diego: If they are using Firefox or Chrome as their main browsers I would recommend watching this 3-minute video to see how to install it – it should be pretty easy for all kinds of users.
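As an added illustration (not DROPi’s own code, which the interview does not show), the two steps Diego describes above, keyword screening of newly registered domains and a non-blocking check of visited hostnames against the flagged set, sketched as plain JavaScript functions. The registration feed is constructed, and the browser-extension wiring (listening for navigations, showing the warning) is assumed and left out.

```javascript
// Added example in the spirit of the tool described above; not DROPi's code.
// Keywords the interview mentions as registration-crawl triggers.
const KEYWORDS = ["covid", "coronavirus"];

// Lower-case the host and drop a leading "www." so matching is consistent.
function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Stage 1 helper: flag a domain whose labels contain a keyword once dots and
// hyphens are squashed, so "cov-id-tracker" still matches "covid".
function matchesKeyword(domain) {
  const squashed = normaliseHost(domain).replace(/[-.]/g, "");
  return KEYWORDS.some((k) => squashed.includes(k));
}

// Stage 1: from a feed of newly registered domains keep the candidates worth
// a closer look (the interview then checks these with urlscan; not done here).
function screenRegistrations(domains) {
  return domains.filter(matchesKeyword);
}

// Stage 2: the client-side check. Given the flagged set and a URL the user has
// just navigated to, return an alert decision. Nothing is blocked; the caller
// only uses the result to show a warning. Subdomains of a flagged domain alert
// too, because the walk tries each parent domain down to the registrable one.
function checkVisit(flaggedSet, urlString) {
  let host;
  try {
    host = normaliseHost(new URL(urlString).hostname);
  } catch (e) {
    return { alert: false, reason: "unparseable URL" };
  }
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (flaggedSet.has(candidate)) return { alert: true, matched: candidate };
  }
  return { alert: false };
}

// Constructed sample feed (illustrative names, not real registrations).
const NEW_REGISTRATIONS = [
  "covid19-relief-login.example",
  "corona-virus-update.example",
  "weather-today.example",
  "www.cov-id-tracker.example",
];
const FLAGGED = new Set(screenRegistrations(NEW_REGISTRATIONS).map(normaliseHost));
```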
So there it is: protection from COVID-19 scams, at the click of a mouse, wherever and however your remote teams and colleagues are working – and it’s all down to always-on security awareness from Diego and his collaborators.
CISOs – spread the news!