The NHS’ contact-tracing app will cause a spike in phishing attacks in the UK, cybersecurity experts have warned today. The app is being rolled out by the NHS’ digital arm, NHSX, as part of the UK’s effort to relax its coronavirus lockdown. However, cybersecurity analysts claim that the uncertainty surrounding the app and its rollout is likely to be exploited by cybercriminals.
Phishing attacks have already risen dramatically in the UK and elsewhere since the beginning of the coronavirus pandemic. In April, security firm KnowBe4 reported that phishing emails rose by over 600% worldwide in the first quarter of the year, while Google said it was blocking around 18 million phishing emails related to Covid-19 a day.
Now, the confused deployment of the much-anticipated NHS contact-tracing app risks exacerbating this picture in the UK. At the same time, other contact-tracing apps risk doing much the same elsewhere in the world.
Jonathan Martin, the EMEA partner director with cybersecurity firm Anomali, warns that the NHS contact-tracing app will invite numerous dangers. The biggest of these will be phishing and smishing attacks, both of which the app’s rollout will increase.
As he tells me, “No-one knows where to get the app from, so consumers can expect floods of emails with bogus links (to convincing looking domains) to download the app from.”
Martin predicts that the links in such phishing emails will “simply be a web page that will ask people for more personal information than the genuine app, and will then not even have an app to download. The information will be used in future attacks against the individual.”
Jonathan Miles, the Head of Strategic Intelligence & Security Research at Mimecast, likewise expects that the NHS contact-tracing app will create more opportunities for fraudsters and cybercriminals.
He told me that with “the rollout of an app of such importance, malicious actors will seek to exploit the continued uncertainty and confusion of these unprecedented times to exploit the vulnerable.”
As with Jonathan Martin, Jonathan Miles warns that cybercriminal activity related to the NHS contact-tracing app is likely to “be in the form of emails seeking to steal credentials or trying to encourage potential victims to download the latest version of the app. There is further potential for smishing techniques, again preying on vulnerabilities and the public’s need for information on the new app.”
In fact, smishing scams, which involve sending fraudulent text messages, could be more dangerous than their email equivalent.
“Due to the smaller screen real-estate, people will be less able to check the veracity of the link so will be more trusting and will click it,” Jonathan Martin suggests.
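The bogus links the analysts describe above are caught, in part, by checking where a link actually points before trusting it, which is exactly the check a small screen makes hard to do by eye. The following Python script is an added example, not code from the article or from any of the firms quoted: it extracts links from a message, matches the host against an allow-list of genuine domains on a label boundary (so "nhs.uk.evil.net" does not pass), strips user-info tricks such as "nhs.uk@other-host", and folds common digit and hyphen substitutions before looking for the NHS name in non-allow-listed hosts. The allow-list, the campaign terms and the sample messages (including the 203.0.113.5 documentation address) are constructed for the example; the real app's download domain is not stated in the article.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allow-list for this example: domains a genuine NHS message may link to.
# nhs.uk and gov.uk are real public-sector domains, but the app's actual
# distribution domain is an assumption here, not something the article states.
GENUINE_DOMAINS = {"nhs.uk", "gov.uk"}

# Campaign terms a lookalike domain would borrow to look convincing (assumed list).
CAMPAIGN_TERMS = ("nhs", "covid", "coronavirus", "tracing")

# Single-character substitutions often used to imitate a brand name; hyphens and
# underscores are dropped so "nhs-app" and "nhsapp" fold to the same string.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": None, "_": None})

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def is_genuine_host(host: str) -> bool:
    """Suffix match on a label boundary: www.nhs.uk passes; nhs.uk.evil.net and fakenhs.uk do not."""
    return any(host == d or host.endswith("." + d) for d in GENUINE_DOMAINS)


def fold_lookalikes(host: str) -> str:
    """Normalise digit/letter swaps and two-letter imitations (rn -> m, vv -> w)."""
    return host.lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for one link: genuine, lookalike, unrelated or invalid."""
    parsed = urlparse(url.strip())
    host = parsed.hostname  # lower-cased, with user-info and port already removed
    if parsed.scheme.lower() not in ("http", "https") or not host:
        return "invalid", "not an http(s) URL"
    if parsed.username is not None:
        # "http://nhs.uk@203.0.113.5/" shows nhs.uk but connects to 203.0.113.5
        return "lookalike", f"user-info before the host hides the real host {host!r}"
    if is_genuine_host(host):
        return "genuine", f"{host} is under an allow-listed domain"
    folded = fold_lookalikes(host)
    for term in CAMPAIGN_TERMS:
        if term in folded:
            return "lookalike", f"{host} imitates the term {term!r} but is not allow-listed"
    return "unrelated", f"{host} is not allow-listed and carries no campaign term"


def scan_message(text: str) -> list[tuple[str, str, str]]:
    """Classify every http(s) link found in a message body."""
    return [(url, *classify_url(url)) for url in URL_RE.findall(text)]


# Higher number = more suspicious; used to pick the worst verdict for a message.
SEVERITY = {"lookalike": 3, "unrelated": 2, "invalid": 1, "genuine": 0}


def verdict_for_message(text: str) -> str:
    """Worst verdict across all links, or 'no-links' when the message has none."""
    results = scan_message(text)
    if not results:
        return "no-links"
    return max((verdict for _, verdict, _ in results), key=SEVERITY.__getitem__)


# Constructed sample messages: one genuine, three lookalike patterns, one unrelated.
SAMPLE_MESSAGES = [
    "NHS: the contact-tracing app is now available. Read more at https://www.nhs.uk/",
    "URGENT: new cases near you. Install the tracing app now: http://nhs-app-download.com/install",
    "Confirm your details to keep the app active: https://nhs.uk.secure-login.net/verify",
    "Latest version of the app: http://nhs.uk@203.0.113.5/app",
    "Reminder: your dentist appointment is on Monday. https://example.org/booking",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for url, verdict, reason in scan_message(message):
            print(f"{verdict:9} {url}  ({reason})")
```

The allow-list check deliberately uses a label-boundary suffix match rather than a substring test: a plain `"nhs.uk" in host` would accept `nhs.uk.secure-login.net`, which is the shape of domain the quoted analysts expect. For a real deployment the allow-list would come from the organisation's published domains and the folding table would be extended with a proper confusable-character list.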
In the case of the NHS contact-tracing app, the phishing risk is likely to be higher than for the contact-tracing apps being developed and rolled out in other nations, because the deployment of the app is currently in disarray.
On the one hand, the UK government is currently trialling the app on the Isle of Wight; a majority of the British population supports using it, and people are asking where they can obtain it. On the other hand, after the app in its current form was criticised by parliament, there are growing reports that the NHS is building an alternative.
The status of the NHS contact-tracing app is therefore in limbo, which will only add to, and prolong, the confusion that cybercriminals will exploit.
However, while phishing and smishing are likely to be the biggest dangers, the app’s rollout will also give rise to others.
For one, Jonathan Martin warns of so-called ‘drive-by attacks.’ In his own words, these are cases where rogue actors “develop apps that beacon out pretending to be an infected person. For example, the attacker walks down a street so that near-by phones will receive the alert and inform the owner that they have to self-isolate and test.”
Basically, such an attack enables criminals and bad actors “to force large numbers of people off the streets.” According to Martin, this is potentially destabilising on a political and social level, since the “apparent swift increase in numbers of infected people (for example caused by the drive-by attacks) [might cause] unrest in the population which leads to the PM/Health Secretary/etc. resigning.”
This is perhaps a worst-case scenario, but the NHS contact-tracing app will likely create other worrying risks.
Most notably, Jonathan Miles warns that NHSX have so far failed to provide sufficient detail and transparency “on how the collected data (including their PII and movements)” will be used, and on what options people have for “preventing processing or onward dissemination where applicable.”
Miles also worries about the use of Bluetooth, which isn’t an entirely secure method of data transfer. He says, “the use of the short-range Bluetooth signal for data transfers is concerning as ‘man-in-the-middle’ attacks (data in transit attacks) are on the increase.”
Taken together, such risks are disturbing, particularly when trust will be vital to ensure the necessary level of take-up for the NHS contact-tracing app, as well as other apps elsewhere in the world.
But it’s the raised danger of phishing that will perhaps be the most disturbing for many members of the public, since phishing often affects them more directly than misuse of their data. For example, anything from 50% to 75% of organisations have been hit with phishing attacks in the past couple of years, while as many as 7% of people reply to phishing mail.
It’s therefore concerning that the NHS’ app and other contact-tracing apps could add to such figures. More worryingly, heightened anxiety over the coronavirus may make people more willing than usual to click on links of uncertain origin.