As you might expect, the bad guys are trying to use the global Covid-19 pandemic for malicious purposes.  The hunger for information, plus the disruption from half the world going into lock-down, perhaps combined with increased receptiveness to community support, all make the pandemic a rich, and morally decrepit, online hunting ground.

The purpose of this post is not to add fear or reduce receptiveness to (online) community support.  But we do think it is important to know what sorts of things are going on, and to be on the look-out for them, particularly in this early period where everything is changing quickly.

What should you do (or not do)?

We’ve put this at the top, because the defence here is both simple and consistent, across time and across exploits.  We recommend you treat these as general maxims that you use at all times when you are online or processing email and text messages.  These can be found in wiki pages at:

Here’s a quick summary of those points:

    1. Don’t download any application that you didn’t go looking for
    2. In particular, don’t click on web links in unexpected SMS text messages
    3. Don’t click on web links in unsolicited or unexpected emails
    4. Think carefully about who an email appears to be from, and what they’re asking you to do
    5. Carefully check any link (hover, but don’t click on it)
    6. Manually copy-paste the links into a web browser tab
    7. Then scrutinise the domain that the link is pointing at
    8. Do not enter any usernames, passwords or private information into any such page you end up visiting
    9. If you think you have spotted some phishing, or something else questionable, report it
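
Steps 5 to 7 can also be scripted for triaging reported messages. The following is an added example, not part of the original post: it takes a copied link, works out which host a browser would really contact, and lists reasons for suspicion. The function names, finding labels and sample links are constructed for illustration (reserved `.example` domains and a documentation IP range).

```python
import ipaddress
from urllib.parse import urlsplit


def real_host(url):
    """Host the browser would actually contact (login info and port stripped)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def scrutinise_link(href, display_text="", expected_domain=None):
    """Return reasons to distrust a link; an empty list means none were found."""
    parts = urlsplit(href)
    host = real_host(href)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Text before '@' is login info, not the site: https://who.int@x.example/
        findings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass  # a name, not a raw IP address
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("internationalised-host")  # possible look-alike letters
    # Step 5: the text shown for a link can name a different site than the link.
    shown = display_text.strip()
    if shown and " " not in shown and "." in shown:
        shown_host = real_host(shown if "://" in shown else "https://" + shown)
        if shown_host.removeprefix("www.") != host.removeprefix("www."):
            findings.append("display-text-mismatch")
    # Step 7: the organisation's domain must be the right-hand end of the host,
    # so who.int.covid-map.example belongs to covid-map.example, not who.int.
    if expected_domain and host != expected_domain \
            and not host.endswith("." + expected_domain):
        findings.append("not-expected-domain")
    return findings


if __name__ == "__main__":
    # Constructed sample: a link displayed as "who.int" that goes elsewhere.
    link = "https://who.int@covid-fund.example/donate"
    print(real_host(link), scrutinise_link(link, "who.int", "who.int"))
```

An empty result only means none of these particular warning signs were present; the remaining steps in the list still apply.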

What are we seeing?

In terms of active exploits relating to Covid-19, we and others in the industry are seeing things like:

  • Text message scams

    • These are SMS text messages containing links which try to download software onto your device (bad!)
    • Text messages that try to entice you to click on links are called “smishing” (SMS phishing)!  Kinda fun to say, and you heard it here first (probably, maybe)…
    • This is happening mostly in Australia, but is likely to happen in New Zealand also.
  • Email phishing

    • There is one particular email relating to the World Health Organisation (WHO) purporting to collect for a Response Fund (which doesn’t exist of course).  Remember, charitable donations and the like are not a significant part of the world’s response to Covid-19.
    • There are others purporting to give information on Covid-19 and pandemic survival.  These contain links which you should of course not click on.
  • Fake Coronavirus maps

    • Graphical information is so useful at simplifying and demonstrating large, rapidly changing global events, and there have been some wonderful maps and infographics relating to Covid-19.
    • All of the legitimate maps are online, accessible via your browser.  You should go and search for those in a secure browser like Chrome or Firefox, and if you receive a link to one you should take a defensive stance and apply normal scrutiny as above.
    • None of these legitimate maps need to be downloaded to your PC or device, so refer to the general advice above about downloading apps you weren’t otherwise trying to install.


Regulatory/Governmental updates

  • Here’s the official and regularly-updated advice from CERT NZ.
  • Here’s a detailed update from the ACSC on the malicious cyber activity they are seeing around Covid-19.