OTTAWA—Cyber criminals are “pivoting” their operations to scam Canadians out of emergency COVID-19 benefits using imitations of government websites and phishing campaigns, according to a previously unreleased threat assessment from Canada’s cyber defence agency.
In an April 27 memo, the Canadian Centre for Cyber Security warned it had identified more than 1,000 “malicious imitations” of federal government websites, mostly mimicking the Canada Revenue Agency or the Canadian Emergency Response Benefit (CERB).
While the cyber defence agency turned over information to try and have those sites taken down, they warned more than 120,000 new COVID-19-themed domains had been registered, “a large proportion of which was considered malicious or related to fraudulent activity.”
“Cyber threat actors know that affected populations are anxious about the future and less likely to act prudently when presented with emails, SMS messages, or advertisements involving COVID-19 that would otherwise seem suspicious,” the threat assessment, obtained by the Star, reads.
“Recent COVID-19 lures have pivoted to take advantage of the emergency benefits and economic stimulus packages being stood up by governments across North America and Europe.”
Canadians were an early target for cyber criminals and state-backed hackers, according to the documents.
As early as March 10, Canadians were being targeted with phishing emails impersonating the Public Health Agency of Canada, which included malware disguised as “an important COVID-19 update.”
A couple of weeks later, a SMS campaign claiming to be from the Canadian government directed people to go to a “Canada-alert-COVID19” website that prompted them to download more malware.
Another phishing campaign preyed on Canadians trying to access the CERB, an emergency benefit aimed at keeping people afloat while the economy remains shut down. The operations included a link where victims could “access their benefits, but only once they divulged personal financial details.”
“I’m a little bit surprised we haven’t heard more about (this) from Canada and the Canadian government,” said Brent Arnold, a partner with Gowling who specializes in cyber security law.
Arnold noted that the U.S. government has been warning for a month that cyber actors are trying to leech off economic stimulus meant to soften COVID-19’s economic blow.
“They’re taking advantage on the benefits piece … (from) average consumers with an average awareness of what cyber threats even look like. And they’re more afraid than they ever were before,” Arnold said.
While the Communications Security Establishment, Canada’s cyber intelligence agency, has said that the majority of malicious activity related to COVID-19 has been criminal in nature, the threat assessment makes clear that state-sponsored hackers and intelligence agencies are also in the mix.
Countries’ intelligence agencies are already trying to identify targets who work in sensitive or strategic industries, but are working from home due to pandemic-related lockdowns.
“Many Canadians, including federal and provincial government employees across the country, are accessing sensitive data through virtual private networks (VPNs) and cloud computing solutions for the first time, and many are using their personal devices and home Wi-Fi networks that are poorly secured in comparison to corporate IT infrastructure,” the threat assessment reads.
Since January, Canadian and allied intelligence agencies have “observed multiple cyber threat actors” exploiting popular VPNs “to establish persistent access to networks in Canada and other countries.”
That’s a problem that is likely to stay with Canadian businesses for a long time. Shopify CEO Tobi Lutke announced earlier this month that the e-commerce giant — and Canada’s most valuable company — will ditch its trendy offices for a permanent work-from-home model. Other companies, seeing an opportunity to cut down on expenses, may follow suit.
Get more from the Peterborough Examiner in your inbox
Never miss the latest news from the Peterborough Examiner. Sign up for our email newsletters to get the day’s top stories, your favourite columnists, and much more in your inbox.
Sign Up Now
But Arnold noted while company executives may be quite familiar with security measures for remote work, that’s not true of every employee.
“Most of them aren’t as sophisticated or savvy about where is it safe to do this, what do I need to worry about it, because they were never working with sensitive stuff outside the office,” Arnold said.
“So in a lot of cases they have had minimal or no training, because this isn’t something anyone thought they’d have to be prepared for.”