The coronavirus pandemic has changed the world and our way of life. We’re restricted from dining at restaurants, working out at the gym and visiting loved ones. For cyber criminals, however, the pandemic has opened up new opportunities for coronavirus scams on a global scale.
Malwarebytes, an antivirus provider of the computer kind, found numerous email scams that exploit our fears, anxieties and confusion about the coronavirus of the human kind. With Australia enforcing social distancing and near-total lockdown measures, and with a vaccine months away, these cybercriminals are promising the key to overcoming it. They are flooding us with promises of a known cure, health tips and protective diets.
In addition, the emails are accompanied by fraudulent e-books, information packs and missed invoices that hide a series of keyloggers, ransomware and data stealers.
What’s been happening?
These coronavirus scams go further than the standard phishing scams.
By mid-March, Twitter user @dustyfresh had published a web tracker that found a staggering 3,600 COVID-19 hostnames that had popped up in just 24 hours.
Just a few days later, RiskIQ reported that they had tracked more than 13,000 suspect coronavirus scam-related domains, and then another 22,000 the very next day.
Now that we know there are scams surrounding the coronavirus, what are they, and how do they work?
Coronavirus Scams: Impersonating the World Health Organisation
The World Health Organisation (WHO) is being widely impersonated by cybercriminals for coronavirus scams. Preying on public concern and taking advantage of the crisis, these criminals promise the latest on coronavirus using a fake e-book called “My- Health”. The book claims it “includes complete research/origin on the global pandemic, as well as guidance on how to protect children and businesses”.
Once you click on the e-book, it delivers malicious code for a downloader called GuLoader.
GuLoader is then used to load an information-stealing trojan called Form. Form is a popular info stealer among cybercriminals.
Coronavirus Scams: Impersonating the WHO (cont.)
Another coronavirus scam email campaign impersonating the WHO uses the email subject: “Covid19 Latest Tips to Stay Immune to the Virus!!”
The email claims to have a PDF file, signed by a Dr Sarah Hopkins at the WHO, called “various diets and tips to keep us safe from being effected with the virus.” (A quick online search finds no media relations representative called Sarah Hopkins.)
The victim unintentionally downloads an invasive keylogger called Agent Tesla, that’s able to steal a wide selection of sensitive data.
Researchers at LastLine, a cybersecurity firm, note: “Acting as a fully-functional information stealer, [Agent Tesla] is capable of extracting credentials from different browsers, mail, and FTP clients. It logs keys and clipboards data, captures screen and video, and performs form-grabbing (Instagram, Twitter, Gmail, Facebook, etc.) attacks.”
Coronavirus Scams: Impersonating the WHO (cont.)
Another coronavirus scam email campaign impersonating the WHO has the subject “World Health Organisation/Let’s fight Corona Virus Together”. This scam tries to dupe the victim into downloading a malicious information pack; the file is titled “COVID-19 WHO RECOMMENDED V.gz”. Whilst it looks legitimate, victims are again infected with Agent Tesla, which is able to steal a wide selection of sensitive data.
In addition, there is another coronavirus scam email campaign, this time with the subject “SAFETY COVID-19 (Coronavirus Virus) AWARENESS – Safety Measures.” Sent under the name of Dr Stella Chungong of the WHO, it tricks people into installing the NetWire Remote Access Trojan (RAT).
RATs allow hackers to remotely access your computer with devastating effects:
If a machine is infected, assume that any personal information on it has been compromised. Importantly, you need to immediately update all your usernames and passwords from a virus-free computer and notify your systems administrator of the potential threat. Secondly, monitor credit reports and bank statements carefully over the next few months to find any dubious activity.
Other Coronavirus scams
MalSpam coronavirus scam campaigns
Coronavirus scams generally seen online are examples of malspam (malicious spam email).
The first email has the subject “RE: Due to outbreak of Coronavirus,”. The sender is “Marketing,” and the email is signed by “Rafhana Khan”, the Admin Executive from the United Arab Emirates. The TRN in the email is a questionable type of number, possibly alluding to the taxation department. We know that the taxation department would never include your taxation number in an email.
If you download the attached invoice, you once again receive GuLoader.
The second email has the subject line “CORONA VIRUS CURE FOR CHINA, ITALY”. The sender is a “DR JINS (CORONA VIRUS)”, who lists their place of work as a non-existent location and asks the victim to kindly read. Once it is read, HawkEye (a keylogger) is downloaded, which allows the attacker to monitor systems and exfiltrate information.
Another campaign targets victims in the UK, promising updated stats on the coronavirus cases within the UK.
The sender is “PHE”, with the email address of [email protected], and the subject is “UK coronavirus cases: find out how many are in your area”. Again, the malicious code GuLoader is installed.
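The campaigns above share a few checkable traits: a health body named in the sender or subject, a sender domain that is not that body's, a pandemic-themed subject and an archive attachment. The following triage sketch is an added example, not code from the article or from any vendor it cites; the function name `triage`, the real-sender domains in `BRANDS`, the extension list and the sample sender address are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains each impersonated body really sends from.
BRANDS = {
    re.compile(r"\bWHO\b|(?i:world health organi[sz]ation)"): "who.int",
    re.compile(r"\bPHE\b|(?i:public health england)"): "gov.uk",
}
LURE = re.compile(r"covid|corona\s?virus", re.I)
RISKY_EXT = (".gz", ".zip", ".rar", ".iso", ".img", ".exe", ".scr", ".js")

def triage(raw):
    """Return the reasons a raw RFC 5322 message looks like these lures."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    reasons = []
    for pattern, real in BRANDS.items():
        claimed = pattern.search(f"{display} {subject}")
        if claimed and domain != real and not domain.endswith("." + real):
            reasons.append(f"claims to be {real} but sent from {domain}")
    if LURE.search(subject):
        reasons.append("pandemic-themed subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"archive or executable attachment: {name}")
    return reasons

# Constructed sample; subject and file name are the ones quoted in the article.
SAMPLE_LURE = """\
From: "WHO" <alerts@mail.example>
Subject: World Health Organisation/Let's fight Corona Virus Together
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached pack.
--b1
Content-Type: application/gzip
Content-Disposition: attachment; filename="COVID-19 WHO RECOMMENDED V.gz"

AAAA
--b1--
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE_LURE):
        print("-", reason)
```

The From domain can itself be forged, so a mail gateway would combine these reasons with its SPF, DKIM and DMARC results rather than rely on them alone.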
Coronavirus scams conclusion
In a crisis, especially one like COVID-19 where cyber criminals can prey on our humanity, it’s important to take care.
If you are suspicious of an email, please don’t click on the link, attachment or PDF, or download the e-book.
Ask yourself: why would the WHO send me a personal email?
All the information about COVID-19 is available on state and federal government health websites such as https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert