In his next column for Digital Health, Davey Winder explores what lengths cybercriminals are going to during the Covid-19 pandemic. 

As I write this column, I am awaiting imminent surgery on my cervical spine; surgery that was postponed because of the pandemic. By the time you read this, I will be recovering at home. This is good news and bad news. Good because 18 months of pain and increasing muscle weakness will soon be a thing of the past, bad because it meant I had to cancel my COVID-19 vaccination jab.

I was notified of my vaccination spot by way of an SMS text message from my GP surgery, with the booking itself accessed by way of a link in that message. Others are using email, and even letters through the post. There doesn’t appear to be any single format for such invitations. Given that most people are keen to get vaccinated as soon as possible, it comes as no surprise that scammers and cybercriminals have spotted an opportunity to exploit this confusion.

Spotting the scam

Unless someone close to you had already received a vaccine invitation, the chances are you’d not know what one looked like. Even if you have seen the real thing, an email purporting to come from a government domain, linking to convincing sites that mimic NHS design, could easily fool those eager to get on with the vaccination process. And that’s exactly what security researchers at Mimecast uncovered during February.

According to Carl Wearn, head of e-crime at Mimecast, the campaign “looks to steal both personal and financial information, which can then be used in future attacks or even sold on the dark web.”

This is a cleverly constructed campaign, informing recipients the NHS is now selecting vaccination candidates based on family genetics and medical history, and one which Mimecast attributes to organised crime.

The crime group has apparently increased the volume of phishing emails it usually sends by 350% to take advantage of the vaccine rollout.

“At Mimecast, we have seen a rise in campaigns like this one during the pandemic with many adapting to fit news stories at the time,” Wearn says.

Although calm logic asks who would hand over credit card details to book their free NHS vaccination, pandemic anxiety and an overwhelming desire to move past this stage of our lives can easily override common sense.

Beware of ransomware

As I reported in my first Digital Health column of 2021, ransomware gangs have been specifically targeting hospitals and healthcare providers, knowing they are highly stressed right now. Indeed, these gangs are performing recon missions before executing their payloads so as to ensure the most operations-critical networks are hit. NHS hospitals have proved to be pretty resilient so far, which is great news, but there is no room for complacency.

Especially as it’s not just cyber-fraudsters targeting individuals or ransomware operators that are riding the COVID-19 crimewave: nation-state actors are as well. Sam Curry, chief security officer at Cybereason, warns of a year-long campaign from foreign powers.

No time for complacency 

The pandemic attack surface is massive, and still growing. The vaccine research and distribution supply chain alone opens the doors to both organised cybercrime and hostile nation-states alike.

It’s the perfect opportunity for the latter to disrupt at both an economic and societal level. Be that North Korea reportedly attempting to steal Covid-19 vaccine data from Pfizer or as yet unknown attackers hacking machines used to purify and prepare biochemical samples, including for coronavirus research, at the Oxford University ‘Division of Structural Biology’ labs.

The takeaway is the same in all these incidents: Covid-19 uncertainty is far from over, both domestically and internationally, which means that pandemic predators will continue to up the cyberattack ante while they can.

Healthcare providers, pharma and the public all need to be on their cybersecurity game and remain alert to the very real risk posed by attacks of all varieties. I would say this is not the time for cyber-complacency, but to be honest there’s never such a time.