Coronavirus: Online Threats Going Viral - Part 5: Social Media

by David Barnett and Alexandra Midgley

For our final blog in this series looking at the online risks associated with COVID-19, we focus on social media.

The popularity of social media channels means that they are extremely susceptible to exploitation by cyber criminals and other infringers, particularly during the coronavirus crisis. In an earlier post in this series, we discussed the use of social media for the distribution of phishing-related content, but CSC has also noted marked activity relating to the creation of fake accounts relating to COVID-19, and the distribution of incorrect or misleading information.

Many social media pages referencing the coronavirus are simply personal blogs, or feeds providing general information on health and well-being. However, others offer news, tracking, or other updates relating to the spread of COVID-19, in many cases with no affiliation to officially verified sources or channels.

Figure 1: Examples of coronavirus-related profiles on: (top) Instagram (referencing the official website of the World Health Organization); (middle) Facebook; (bottom) Twitter

In our study, we found a range of different content that could potentially be associated with scams, including profiles linking to:

• A site soliciting donations, purportedly for the purchase of supplies for a local hospital
• Sites offering healthcare products for sale
• Sites offering coronavirus tracking services

Figure 2: Examples of sites linked from coronavirus-related social media profiles: (i) a donations page; (ii) an e-commerce site selling face masks; (iii) a site offering a coronavirus tracking service

Numerous cases of the spread of fake, coronavirus-related news across social media have also been reported. This creates significant concern in a climate where the availability of accurate information is crucial, not only to avoid scams, but also to combat the spread of the disease. Some of the most prolific areas of content include anti-vaccination groups, claims that the virus has been bio-engineered by government^[1], and content linking COVID-19 to the spread of 5G technology.

Although some social media platforms are becoming more proactive in combating fake or harmful content, some content will invariably make it through. In these cases, brand owners may wish to consider directly requesting content removal.

CSC has experience in combating this. Most recently, a technology service provider brought an urgent case to our attention, where two videos had been posted falsely stating that one of the company's 5G technology products had caused the coronavirus outbreak, and that it was attempting to cover it up. CSC approached the social media platform and requested removal of the content on multiple grounds, including breaches of trademark and site policy, resulting in a removal of the content within three hours.

What can brand owners do?

CSC's social media monitoring services are able to identify relevant content within profiles and usernames, or individual posts, using a combination of direct site monitoring, information from search engines, and comprehensive data feeds drawn directly from social media sites. We generally advise brand owners to incorporate an element of social media monitoring into any holistic brand-protection service. Many social media sites operate intellectual property protection programmes where brands or their brand protection provider can request the removal of infringing content, although the exact criteria and requirements for enforcement vary from site to site.

If you see social media posts incorporating branded promotional content in conjunction with undesirable material, you should consider contacting your marketing service providers to control the context and placement of your content.

Finally, there will be some harmful content that is not associated with any particular brand, and individual users can contact the sites directly, using public online tools covering all matters outside of intellectual property issues. Due to the nature of scams in general, we normally expect social media sites to be compliant with requests for the removal of such content.

Reference

[1] https://www.bbc.co.uk/news/technology-51646309

This article was first published on 23 April 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-5/

Also published at:
http://www.circleid.com/posts/20200427-coronavirus-online-threats-going-viral-part-5-social-media/

Coronavirus: Online Threats Going Viral - Part 4: Phishing

In part four of this series of posts looking at emerging Internet content relating to coronavirus, we explore phishing.

In times of crisis, cybercriminals invariably take advantage of the growing concerns of the public. In the case of the coronavirus, they have done so by sending phishing e-mails that play on the fears surrounding the spread of the illness.

A number of reports have emerged of e-mails purporting to provide advice or assistance relating to COVID-19, but which are actually 'hooks' to spread malicious content, or to drive people to websites intended to harvest personal details. Many of the phishing e-mails use the names of trusted organisations such as the World Health Organization (WHO) or the U.S. Centers for Disease Control and Prevention (CDC) to add credibility to their content. A report published on March 20, 2020 stated that victims of online scams had lost £960,000 in coronavirus-linked cases since the start of February^[1].

Some e-mails encourage the user to open an attachment that may contain malware. Identified cases include examples where attackers run code on a user's computer or track their movements, steal information through keylogging, or lock files on the user's device and demand a ransom for their reinstatement. Other instances have been reported of malicious files being distributed through copies of healthcare company or government agency websites^[2,3].

Figure 1: Examples of identified coronavirus-related scam e-mails: (i) mail containing potentially-malicious attachments; (ii) mail offering the sale of a 'vaccine' but actually likely to be associated with an advance-fee fraud

Some types of phishing e-mails drive users to lookalike websites intended to harvest log-in details; others directly solicit for payments. One particular case asked for Bitcoin donations, allegedly to aid the CDC in the search for a vaccine^[4].

References to coronavirus have also been used in more familiar types of phishing campaign, such as those targeting financial-services brands. In one example, we identified phishing sites targeting numerous different banks, all hosted on a mortgage-related domain name in a sub-directory named 'COVID-19'. Additionally, a banking client was subjected to a phishing attack using a site hosted on the domain name [brand]covid-19.com.

Fraudulent coronavirus communications may purport to provide benefits. One reported SMS-based scam offered free iPhones to encourage recipients to click a link to a fake site. Other reported scams include e-mails offering payday loans, tax rebates, insurance schemes or trading advice in response to the crisis, or offering products billed as coronavirus cures^[5,6].

Figure 2: Example of a fake government website hosted on a coronavirus-specific domain name, associated with a phishing scam using an SMS message offering a tax refund

As the crisis has progressed, there has been a rise in phishing activity over social media, typically involving fake accounts. Given the speed with which content can spread across social media - particularly in the current climate of fear - such scams have the potential to reach large numbers of people in a short time^[2].

How to keep your customers safe

It is important to keep your customers, as well as your own employees, safe by making them aware of how to spot a phishing e-mail. Tips for spotting phishing emails are generally the same as for most fraudulent campaigns. It may be a good idea to educate your customers as to what to expect from your company, and what a phishing scam may look like. Here are our tips for spotting a phishing e-mail:

1. Pay attention to the originating e-mail address and the host domain of any embedded links; fraudsters may attempt to pass off their messages as being from a legitimate organisation (say, company.com) by using variants of the official domain name, such as company.org, or company-safety.com, in order to construct a convincing sender address. Even if an e-mail appears to use the official domain name, it is possible this information may have been spoofed.


2. Hover over links without clicking them. Many fraudulent e-mails may show the legitimate domain in the visible link text while actually directing elsewhere. Bear in mind that even an e-mail linking to an official site may incorporate a malicious attachment.


3. Look out for anomalies in the e-mail text. A phishing e-mail could have:

• A generic rather than personalised greeting
• Spelling or grammatical mistakes
• Messaging that conveys a sense of urgency or has a deadline by when to act
• Other requests for personal information^[7]

How CSC can help brand owners

CSC’s Anti-Phishing service can aid brand owners in detecting fraudulent e-mails and associated websites that may incorporate their branding illegally to add credibility. Our technology makes use of a combination of honeypot e-mail accounts and other mail sources (i.e. customer abuse mailboxes, and feeds from anti-fraud and security providers) to attract as large a cross-section of general spam traffic as possible to detect phishing e-mails. E-mails are analysed, and embedded links crawled, to identify potentially fraudulent sites. We then use customer-specific rules to look for brand references and other associated keywords, in addition to comparing the fingerprint of the site against other known cases of fake content. When fraudulent content is detected - generally considered a contravention of terms and conditions by a number of internet service providers - we have a number of enforcement options to ensure the swift removal of the website.

References

[1] https://www.bbc.co.uk/news/uk-51964507
[2] https://www.mayerbrown.com/en/perspectives-events/publications/2020/03/dont-panic-stay-calm-legal-strategies-for-addressing-coronavirus-phishing-scams-in-hong-kong
[3] https://www.worldtrademarkreview.com/anti-counterfeiting/covid-19-phishing-warning-uspto-responds-wipo-election-microsoft-sued-news
[4] https://www.recordedfuture.com/coronavirus-panic-exploit/
[5] https://www.forbes.com/sites/mattperez/2020/03/16/coronavirus-scams-watch-out-for-these-efforts-to-exploit-the-pandemic/#443d4eaa6103
[6] https://news.sky.com/story/coronavirus-criminals-exploiting-covid-19-pandemic-with-email-scams-11959433
[7] https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html

This article was first published on 16 April 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-4/

Also published at:
http://www.circleid.com/posts/20200423-coronavirus-online-threats-going-viral-part-4-phishing/

Coronavirus: Online Threats Going Viral - Part 3: Mobile Apps

In part three of this series of posts looking at emerging Internet content relating to coronavirus, we turn our attention to mobile apps - another digital content channel that can be used by criminals to take advantage of people's fears about the health emergency for their own gain.

One of the most common attack vectors we have found in our analysis is the use of apps purporting to track the global progression of COVID-19, or provide other information, but which instead incorporate malicious content. In mid-March, CovidLock ransomware was reported. It was distributed through a coronavirus-specific domain name, and threatened to leak users' social-media information and delete smartphone file storage unless a Bitcoin ransom was paid^[1,2]. Prior to this, reports emerged of a number of online resources masquerading as legitimate coronavirus trackers, but which actually distribute malware. In one example, a website directed users to open an applet that could infect their device with AZORult, a piece of malware used to steal log-in credentials and banking information^[3]. An Android app named Corona Live 1.1 also purports to be an official coronavirus tracker that incorporates information from the (legitimate) Johns Hopkins tracker, but actually features malware, allowing attackers to record the victim's location, and access photos, videos and the camera on their device^[4].

In general, mobile apps can be downloaded from two main sources. The first of these is the group of main app stores such as Google Play, iTunes, Amazon Appstore, and Microsoft Store, but there are also a huge number of standalone app download sites. These are often called APK download sites, in reference to Android package file-format used for the distribution of Android mobile apps. Content on the main app stores tends to undergo a much more rigorous verification process for quality and legitimacy, while the APK sites can be less trustworthy, and may feature app versions that are non-legitimate, associated with malicious content, or are out-of-date (therefore lacking the most recent security patches). This said, even the main app stores are not immune to dangerous content. It was reported that the Iranian government distributed a piece of spyware in the guise of an Android app purporting to monitor for COVID-19 symptoms; this app was initially made available on the Google Play store, before being removed due to a violation of the marketplace's terms and conditions^[5,6].

Currently, a relatively small number of coronavirus-related apps are on offer across the main app marketplaces, comprising a mixture of information apps, health checkers, and infection trackers. Across the ecosystem of APK sites, however, a much larger range of mostly tracker apps is on offer. A simple search engine look-up for 'coronavirus' plus 'APK download' returns a significant number of listings. While some of the apps thus identified may be legitimate, they raise the potential for risk, for any of the reasons outlined above.

Figure 1: Examples of listings for coronavirus-related mobile apps on standalone APK-download sites

How can you mitigate these risks?

Mobile app monitoring across all marketplaces and APK sites should form part of any comprehensive brand protection service. CSC's monitoring system can search for brand terms in the name or description of mobile apps, or in the developer or seller names. Third-party apps incorporating branded content are of concern if any of the following apply:

1. The subject matter or app content is non-legitimate or malicious
2. Branding is illegitimately used, either as a means of claiming affiliation to add credibility, or to improve the look-and-feel of the app
3. Branding is incorporated into downloadable imagery or streamed content to increase the app's appeal

For infringing apps, it is often possible to take enforcement action to have the listing removed. Enforcement usually involves completing a webform or submitting an e-mail, detailing the infringement criteria the app meets. As for many areas of brand protection, the likelihood of success is dependent on the level of IP protection held by the brand owner, and specifically on whether trademarks are held in the appropriate classes.

References

[1] https://www.businessinsider.com/coronavirus-fake-app-ransomware-malware-bitcoin-android-demands-ransom-domaintools-2020-3
[2] https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware
[3] https://www.businessinsider.com/hackers-are-using-fake-coronavirus-maps-to-give-people-malware-2020-3
[4] https://www.cnet.com/news/fake-coronavirus-tracking-apps-are-really-malware-that-stalks-its-users/
[5] https://www.recordedfuture.com/coronavirus-panic-exploit/
[6] https://blog.avast.com/iranian-coronavirus-app-collecting-sensitive-information-avast

This article was first published on 9 April 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-3/

Also published at:
http://www.circleid.com/posts/20200419-coronavirus-online-threats-going-viral-part-3-mobile-apps/

A Cautionary Tale of Reputational Damage: Striking the Right Balance with Brand Protection

by David Barnett, Lan Huang and Alexandra Midgley
with thanks also to Ernriel Bell and Agnes Czolnowska

In early March 2020, a well-known European fashion brand found themselves on the receiving end of a protest campaign on social media. The background to the case was the fact that, in 2019, the brand had launched a cease-and-desist (C&D) action against a small, UK-based company in response to their use of similar product names and sale of associated clothing merchandise. This resulted in significant legal and rebranding costs for the company and is just one of several cases where the brand had targeted other small organisations.

Many observers have viewed these actions as heavy handed, and the subsequent online commentary has generated a significant amount of negative press for the brand. The case "shine(s) a light on the potential negative PR implications when undertaking a brand enforcement programme," an intellectual property expert commented. "Even where a brand is legitimately enforced, brand owners must be alive to where issues may arise in relation to smaller businesses or individual use."

This is not the only organisation to take an (over-)enthusiastic approach to their brand protection efforts. In 2015, the Millennium and Copthorne Hotels group sent a notice to the Village Association for Copthorne - a small village in the UK, and the company's founding location - protesting against their infringing use of the Copthorne name in the association's web address. The hotel group eventually backed down, stating the letter was sent in error^[1].

In another case, Scottish brewery BrewDog issued a C&D against the owners of a pub planning to name it the 'Lone Wolf' - one of BrewDog's product names. BrewDog also eventually withdrew the action, following a campaign accusing the company of behaving like a 'multinational corporate machine.' A branding commentator at the time indicated that the backtracking by BrewDog could ultimately work in their favour, stating, "We've now got a business owner calling off his lawyers and favouring the underdog. That feels right for a challenger brand. Perhaps there's still a win available for them^[2]."

So how should brand owners address the issue of protecting their IP? Here are our top tips for getting it right.

1. Register your brand terms

As a minimum, CSC suggests that brands register all active brand terms in all relevant classes (i.e. product areas) and geographic jurisdictions. If a brand is able to achieve well-known trademark status, this can also open up further avenues for enforcement, making it possible to defend IP rights even in product classes where trademarks have not yet been registered.

2. Have a clear set of goals for your IP protection programme

Just because you can launch an action in a particular case, it doesn’t mean you should. In cases involving, for example, small companies operating in unrelated areas, with minimal risk of confusion, it may be advisable not to enforce. As with the case reported here, the risk is that an enforcement action can cause a large corporation to gain a reputation as a brand bully, and it is important to consider the risks of exacerbating an already inflamed situation. A brand owner should always be clear on the goals of their IP protection programme, and be willing to answer the question - in cases where an action results in backlash - was it worth it?

3. Look at potential infringements case-by-case

At CSC, we advise against sending automated C&D notices; every case is different, and it is important to consider whether a notice is necessary and, if so, what the appropriate style of wording is. C&D language can be overly severe and may not be concise, leaving room for dispute. In cases where notices should not have been sent, there is the risk of counter-claims for groundless threat - in these instances, the brand owner could then be liable for any damage and costs arising from the claim.

Before taking any action on a potential infringement, it is advisable to assess the case against the following questions:

1. Is there prominent and unauthorised use of the trademark?
2. Is there a likelihood of confusion, i.e. is the disputed use likely to mislead a general consumer into believing that the products and services are offered by the brand owner who owns the trademark?
3. Does the use of the trademarked name constitute bad faith or piggybacking on the brand owner's established brands and goodwill (i.e. unfair use for commercial gain)?
4. Does the use of the trademark cause harm or damage to the brand?

If the answer is 'yes' to these four questions, it may be appropriate for a brand owner to take action.

4. Personalise your C&Ds

If a potential infringement is identified, but bad faith cannot be definitively established, it may be best to contact the concerned parties using a personalised C&D. This should include:

• Education on the importance of the intellectual property
• Why and how there is a conflict of interest and how they have infringed; specifically which aspects of the brand use are most concerning
• How this can be mitigated without invoking costly legal battles

It is often the case that legitimate businesses are more likely to comply with infringement notifications, whereas those clearly using a trademark in bad faith are less likely to co-operate.

The general principle should be to treat the most serious cases more aggressively, escalating to a legal route if necessary. Only consider legal action when the infringer refuses to comply without sufficient reason, or if there is a clear case of malicious intent to monetise the trademark. Less egregious offenders can be sent a softer C&D, incorporating educational information. A C&D done well can even positively boost a brand owner's image and public relations.

References

[1] https://www.dailymail.co.uk/news/article-3059658/Village-fights-use-Residents-association-Copthorne-threatened-legal-action-multinational-hotel-chain.html
[2] https://www.theguardian.com/lifeandstyle/2017/mar/27/brewdog-backs-down-lone-wolf-pub-trademark-dispute

This article was first published on 7 April 2020 at:
https://www.cscdigitalbrand.services/blog/brand-protection-balance/

Also published at:
http://www.circleid.com/posts/20200514-reputation-damage-striking-the-right-balance-with-brand-protection/

Coronavirus: Online Threats Going Viral - Part 2: Marketplaces

In this second article about the online risks of coronavirus, we take a look at online marketplaces.

In the midst of the coronavirus crisis and the partial or total quarantines happening around the world, more people are turning to e-commerce for their purchases. This, combined with the increased demand for healthcare and healthcare-related products, is causing surges of activity on online marketplaces.

Perhaps least surprising is the growth in the number of listings for cleaning and hygiene products (e.g. hand sanitiser), as well as face masks, to the point that Amazon.com has reportedly banned new listings of certain classes of product to cope with demand^[1]. Many of the identified listings explicitly reference 'coronavirus' or 'COVID-19' in product titles or descriptions to attract web traffic.

Marketplace sales always carry inherent risks: items may not be as described, may be low quality or ineffectual, or in cases where the offers of sale purport to be for branded products, counterfeit. Therefore, it is important for consumers to carefully consider the sources they use, bearing in mind factors like seller identity and location, item price, product images, buyer reviews, and so on. Similarly, brand owners must implement programs to track activity on e-commerce marketplaces to identify branded listings that may offer counterfeits, use established brand names to drive traffic to third-party products, or sell legitimate items sourced through unauthorised routes in the supply chain.

Of particular concern during the current climate are listings offering coronavirus tests or cures. While tests for the virus do exist, there is no guarantee that those sold on marketplaces are either legitimate or effective and, given the medical nature of such products, counterfeits could have significant negative health implications. Listings for cures are perhaps more concerning still, particularly in view of the fact that (at the time of writing) no cure currently exists, and medical treatments simply aim to relieve the symptoms while giving the body an opportunity to fight the illness^[2]. In one case reported on March 21, a man was charged with manufacturing fake treatment kits containing harmful chemicals^[3]. Fake cures also raise the dangerous possibility of making consumers believe that they are in recovery, making them abandon the efforts to isolate to prevent the spread of the disease.

Figure 1: Example of a marketplace listing for a coronavirus test kit, stating a minimum order of 100,000 pieces with customised packaging options, making it likely to be associated with the supply chain for counterfeit tests

Figure 2: Example of a marketplace listing for an 'anti-coronavirus' essential oil product

As with coronavirus-related phishing attacks (discussed in detail later in this blog series), some listings may also refer to trusted organisations such as the Centers for Disease Control and Prevention or the World Health Organization in an attempt to claim endorsement or provide the appearance of legitimacy. This is not only an IP infringement but, more importantly, could be a danger to consumers.

How can CSC help?

CSC's technology for monitoring known marketplaces uses the sites' own built-in search functions to identify listings containing brand terms or relevant keywords. It then uses scraping and information drawn from APIs to pull information from the listing, such as the seller name, quantity of items, price, etc. Brand owners can make use of CSC's marketplace monitoring services to identify listings in which their brand terms are used. We can also aggregate the information obtained to calculate the total number of items offered by a particular seller, the total value of goods offered, and so on, to identify top sites and sellers.

When infringing listings have been identified, we make use of the various IP-protection programmes operated by marketplaces to have them removed - provided the brand owner has sufficient IP protection, e.g. registered trademarks. Infringing sellers can be suspended from the marketplace altogether or, following a successful takedown, brands can request a seller's contact details for further investigation.

References

[1] https://markets.businessinsider.com/news/stocks/amazon-marketplace-tips-for-sellers-following-coronavirus-uncertainty-2020-3-1029014647
[2] https://www.nhs.uk/conditions/coronavirus-covid-19/#treatments-summary
[3] https://www.bbc.co.uk/news/uk-england-london-51991245

This article was first published on 2 April 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-2/

Also published at:
http://www.circleid.com/posts/20200416-coronavirus-online-threats-going-viral-part-2-marketplaces/