Millions of people are working from home around the world as the coronavirus pandemic spreads and authorities plead for people to stay at home to slow the rate of contagion.
Though people staying and working from home helps stop the spread of the virus, it increases the likelihood of companies getting hacked through weaknesses in employees’ home networks and misuse of VPN.
“The cats are away so the mice are playing,” said Karim Hijazi, CEO of Prevailion, a company that monitors cyber threats and tracks infected businesses. “The mice being malware,” he added.
Chris Drake, CTO of Iconectiv, a network and operations management company owned by Ericsson, told Yahoo Finance that individuals and companies should expect “omnichannel” attacks: robocalls, texts, email phishing scams, and compromised apps from the App Store and Google Play.
Because people are working from home, they’re also more likely to answer their phone when an unknown number calls, or be more susceptible to calls faked to look like their own phone numbers. They might think a co-worker is calling or their defenses might be down with kids at home and a general heightened level of stress.
“[Threat actors] see people in a state of worry, and that heightened emotion is perfect as an ingredient for being scammed,” said Drake.
VPN seems like a solution, but it can be a problem
The mass work-from-home scenario might weaponize something that people view as safe: the virtual private network or VPN, which provides an encrypted connection from a computer to a network.
Hijazi describes a VPN as “just a safe tunnel through the ‘bad neighborhoods’ of the internet.” A VPN can’t make your computer secure; it only secures the connection between you and your office.
This means that if a hacker compromises your computer, whether by phishing or by exploiting a poorly secured home Wi-Fi network, the VPN can essentially become a direct channel into the organization’s network, one the company may implicitly trust because the traffic arrives over a secure connection.
“If someone’s Xbox is compromised and it uses this trusted [VPN] channel, [a hacker] can get into the organization,” Hijazi said. “I don’t know if people understand that.”
Already, Hijazi has seen an uptick in compromises correlated with the rise in people working from home. In Italy, for example, the firm saw “huge” spikes of malware infestations in corporate environments. Key targets included large automotive companies and industrial groups: essentially any large network with many people working from home.
“Companies have been in a rush to get VPNs set up for remote users,” said Hijazi. “Even with seasoned security pros, that doesn’t work well — even the savvy ones.”
The massive influx of people VPN-ing in amounts to a large number of new vectors for malware that could compromise a system. In normal times, when an employee is on the road and VPN-ing in from a hotel or coffee shop, a company usually knows about it and can deal with it by monitoring the connection for malware or attackers.
“Now, companies are going to have to do that at scale,” said Hijazi. “Are they going to have the teams there ready and willing to receive the deluge of connections and monitor?”
The answer is probably not.
A tough decision
“Companies have to think long and hard about whether to open up the [VPN] tunneling aspect to home users,” Hijazi said. “The risk for corporations is, unless you’re going to deliver everything to you, you run the risk of a shared environment.”
The parallel between a computer malware virus and the coronavirus is not lost on Hijazi, who says it’s actually helpful for people to understand. When you have a shared environment, computer or otherwise, you need to practice good cyber hygiene and even good cyber social distancing.
That means keeping devices that aren’t as vetted off the Wi-Fi, partitioning the Wi-Fi, or even choosing not to use VPN. Just as many companies give workers temporary devices with less access to the corporate network when they travel to certain countries, companies could advise workers only to log in when they need a critical system that requires VPN.
This wouldn’t solve the problem if someone’s computer was compromised, but it would slow down the speed of contagion from a home network to a company’s, said Hijazi.
What to do
One thing everyone can do is check their home Wi-Fi to make sure they’re following some best practices: using a long, fresh password, disabling features like remote access and WPS (Wi-Fi Protected Setup), and choosing “WPA2” encryption in your router’s settings panel for more security.
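The checklist above can be turned into a simple audit. The script below is an added example, not from the article or from either company quoted in it; the key=value settings format, the sample configurations and the 16-character threshold for “long” are assumptions, and WPA3 is accepted alongside WPA2 because it is the newer standard.

```python
# Audit a home-router configuration against the article's checklist:
# long passphrase, WPS off, remote administration off, WPA2 (or WPA3).
# The key=value format below is an assumed, constructed format, not a vendor's.

# Constructed sample: a weak, default-style configuration.
WEAK_ROUTER_CONFIG = """\
ssid=HomeNet
encryption=WPA
passphrase=password
wps_enabled=1
remote_admin=1
"""

# Constructed sample: the same router after applying the checklist.
HARDENED_ROUTER_CONFIG = """\
ssid=HomeNet
encryption=WPA2-PSK
passphrase=river-kettle-onyx-47-lantern
wps_enabled=0
remote_admin=0
"""

MIN_PASSPHRASE_LEN = 16                  # assumed threshold for "long"
ACCEPTED_ENCRYPTION = ("WPA2", "WPA3")   # WPA2 per the article; WPA3 is newer
TRUTHY = {"1", "true", "on", "yes", "enabled"}

def parse_config(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings

def audit_router(text):
    """Return a list of findings; an empty list means the checklist passes."""
    cfg = parse_config(text)
    findings = []
    enc = cfg.get("encryption", "").upper()
    # Mixed modes such as "WPA/WPA2" still allow the weaker side, so every
    # listed mode must be WPA2 or WPA3.
    modes = [m.strip() for m in enc.split("/") if m.strip()]
    if not modes or not all(m.startswith(ACCEPTED_ENCRYPTION) for m in modes):
        findings.append(f"encryption: {enc or 'none'} (use WPA2 or WPA3 only)")
    if len(cfg.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase: too short (use at least {MIN_PASSPHRASE_LEN} chars)")
    if cfg.get("wps_enabled", "0").lower() in TRUTHY:
        findings.append("wps_enabled: on (disable WPS)")
    if cfg.get("remote_admin", "0").lower() in TRUTHY:
        findings.append("remote_admin: on (disable remote administration)")
    return findings
```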
Both Hijazi and Drake pointed to phishing as a potential vector for malware. If you’re not sure whether a message is legit or not, verify and double check with trusted sources. For example, if a hospital calls and tells you that you can “pre-pay for your place in Covid-19 tests,” you should hang up, call the hospital back, and verify that they really just called you.
According to Drake, that “pre-pay” scam is something that a lot of people will see — and they’ll typically ask for people to pay via Amazon gift cards.
“Taking Amazon gift cards as payment — that’s always a red flag,” he said.
The same goes for phishing. If you get an email from your “CEO” asking you to log in via a link, follow up with your company’s IT department.