Re: [Covidimpacts-workshop] Some COVID-19 security stats

Kirsty P <Kirsty.p@ncsc.gov.uk> Fri, 13 November 2020 17:09 UTC

From: Kirsty P <Kirsty.p@ncsc.gov.uk>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "covidimpacts-workshop@iab.org" <covidimpacts-workshop@iab.org>
Date: Fri, 13 Nov 2020 17:09:13 +0000
Message-ID: <LO2P123MB35990AF6E46B75B409B7CCC1D7E60@LO2P123MB3599.GBRP123.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/covidimpacts-workshop/nG0Ut7Pph-3YY25QLibx-pmmzxk>
List-Id: COVID-19 Network Impacts Workshop <covidimpacts-workshop.iab.org>

Here are some figures for takedown comparison, though to repeat what I said today - focusing on numbers alone won't describe the qualitative shift in patterns we've seen since March, from our handling and managing a variety of incidents. It would be painful to go through the variety and volume we've dealt with and count... so I won't.

But I can still say some specifics like - we've seen more attacks (that have been detected) where attackers use VPN vulnerabilities as the access vector; this is likely because of an increase in VPN usage and new rollouts, due to a shift to homeworking. I'd logically conclude this is at least one specific pivot in attacker methods, caused by COVID circumstances. (See also this advisory that was released in response to COVID exploitation by malicious actors, p7: https://www.ncsc.gov.uk/files/Final%20Joint%20Advisory%20COVID-19%20exploited%20by%20malicious%20cyber%20actors%20v3.pdf)

That said, for comparison on figures:

  *   In the 2018-2019 year, the takedown service took down 177,335 phishing URLs (23,311 attacks by group) [p12, https://www.ncsc.gov.uk/annual-review/2019/ncsc/docs/ncsc_2019-annual-review.pdf].
  *   This year (2019-2020), 166,710 phishing URLs in total were taken down, with 15,354 campaigns using coronavirus as the lure since March.
  *   Since the annual review runs 1 September - 31 August, you could draw a flat average across the year, to find rough conclusions about frequency between the two years/expectations for March-August vs. what we saw, if you wanted.

However, obviously there are caveats and questions with all data - this is no different. E.g. we don't know what we haven't found, so phishing URLs that are found and taken down are not necessarily the full set of phishing URLs out there. You'd like to think we're getting better at finding them, but it's hard to quantify what increase that means for a year-on-year comparison of how much is "us getting better" and "more malicious stuff existing". Even a decrease in campaigns could be for reasons like "each campaign is more successful, so fewer are needed" or "the infrastructure underpinning each campaign is harder to detect and take down, so the campaign lasts longer".

Thanks for the discussions on this topic so far and for organising the workshop - it's been great to see COVID's security impact be a cornerstone of discussions.

Kirsty


________________________________
From: Stephen Farrell
Sent: Thursday, November 12, 2020 20:49
To: Kirsty P; covidimpacts-workshop@iab.org
Subject: Re: [Covidimpacts-workshop] Some COVID-19 security stats


Hiya,

On 12/11/2020 11:31, Kirsty P wrote:
> Stephen asked yesterday if malicious campaigns, scams/fraud overall increased, or if the numbers were the same but it was just a change in lure.
>
> I think focusing on numbers alone won't describe the full shift in patterns that we saw, but I'll share some stats from our annual review now it's been published (https://www.ncsc.gov.uk/annual-review/2020/docs/ncsc_2020-annual-review_s.pdf - page 98) below.
>
> It gives an indication of how much effort went to COVID campaigns, the shift in behaviours, and the relative takedown responses:
>   - 166,710 phishing URLs discovered across all campaigns were successfully taken down. 42,576 URLs were associated with UK Government-themed phishing attacks. The UK-hosted global share of visible phishing attacks further reduced to 1.27% (from 2.1% last year).
>   - Since March, the NCSC has taken down 15,354 campaigns which used coronavirus themes in the "lure". These were hosted globally.
>    -- 8,800 were Advance Fee Fraud (419 scams)
>    -- 1,156 were associated with fake shops selling bogus PPE, coronavirus products, test kits (and even vaccines)
>    -- 251 phishing campaigns
>    -- 2,984 mail servers distributing malware

Do you have any info on how that's changed, e.g. vs. 2019?
Reason to ask is I've seen various claims as to how working
from home has affected security but I don't recall any
before/after studies. (That may well be because I've not
looked though, hard to imagine nobody was doing that.)

Ta,
S.


>
> Kirsty
> This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©
>
>