Threat Research

Financial scams with a Covid-19 twist

Threat Intelligence Team, 19 May 2020

Scammers are using new tactics to take advantage of those trying to make the best out of a tough situation

Amidst the Covid-19 crisis, where many people are struggling to find work and scrambling to find new ways to make money, scammers are taking advantage of the situation and seeking to make a profit.

Like a fleet of Trojan horses, seemingly non-threatening emails are sent to recipients offering the chance to make some quick income, only to lure them straight into a trap. This has been a particular problem in Europe, especially in Poland, Germany, and Italy.  

The contents of a PDF attached to a malicious email

A quick summary

  • Number of victims: More than 17,000 during May 10-17, 2020

  • Platform: Email with attachment

  • The trap: Tricking people into sharing their personal information via registration

What’s the attack?

  • Setup: The rise of Covid-19 has severely impacted not only stock markets, but most businesses around the world, thereby bringing about hard times for a great many people. This increases people’s susceptibility to offers they would not normally consider, but that seem to present some kind of chance of financial relief.  

  • Email attack: Scammers have prepared convincing emails that outline a simple and alluring guide, with steps leading to a supposedly easy way to make a monthly income. It’s as easy as 1, 2, 3: create a registration, make an initial deposit of $250, and make a profit trading cryptocurrency or stocks. So far, the emails that have surfaced are in English and German, but we have reason to believe that there are more translated variants, depending on the country where the scam is spread. The emails consist only of a subject line and an attachment, with no text other than the text within the attachment itself.

 
A scam email with an attachment

  • Redirection and misdirection: Inside the attachment is a bit.ly link that directs the user to a domain with a blank page. From there, the user is redirected through a series of URL redirectors before finally arriving at the scammers’ landing page on a newly registered domain. Depending on the user’s IP address, the content is automatically generated, producing success stories filled with links that lead to the registration page.

A scammer’s landing page for the UK, Czech Republic and Poland

  • The result: Should the recipient fall for this scam, they are encouraged to register by giving their name, surname, email, and phone number, thereby compromising their personal information.

 A registration form on detector-million[.]t500track12[.]com

Pop-up after filling in the registration form
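
The redirect pattern described under “Redirection and misdirection” can be checked on the defensive side once a mail gateway, proxy or sandbox has recorded the hops behind a link. The following is an added example, not code from the original article: the thresholds, finding names, sample URLs and domain ages are all assumptions, and the .example hosts are constructed placeholders.

```python
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly"}          # entry point named in the article
MAX_AGE_DAYS = 30                # assumption: what counts as "newly registered"
MIN_INTERMEDIATE_DOMAINS = 2     # assumption: blank page plus at least one redirector

def registrable(url):
    """Naive registrable domain (last two labels); use a public-suffix list in production."""
    hostname = (urlsplit(url).hostname or "").lower()
    return ".".join(hostname.split(".")[-2:])

def assess_chain(hops, domain_age_days):
    """hops: URLs in the order they were visited, e.g. from a proxy or sandbox log.
    domain_age_days: registrable domain -> age in days, looked up separately."""
    findings = []
    domains = []
    for url in hops:
        d = registrable(url)
        if d and (not domains or domains[-1] != d):
            domains.append(d)    # collapse consecutive hops on the same domain
    if not domains:
        return findings
    if domains[0] in SHORTENERS:
        findings.append("shortener_entry")
    if len(domains[1:-1]) >= MIN_INTERMEDIATE_DOMAINS:
        findings.append("multi_domain_redirect")
    age = domain_age_days.get(domains[-1])
    if age is not None and age <= MAX_AGE_DAYS:
        findings.append("new_final_domain")
    return findings

# Constructed sample chain; hosts under .example are placeholders, not real indicators.
SAMPLE_CHAIN = [
    "https://bit.ly/EXAMPLE",
    "http://blank-page.example/",
    "http://r1.redirector-a.example/go?id=1",
    "http://r2.redirector-a.example/go?id=1",
    "http://redirector-b.example/out",
    "https://offer.fresh-landing.example/register",
]
SAMPLE_AGES = {"blank-page.example": 400, "redirector-a.example": 900,
               "redirector-b.example": 700, "fresh-landing.example": 6}

if __name__ == "__main__":
    print(assess_chain(SAMPLE_CHAIN, SAMPLE_AGES))
```

A link that produces all three findings matches the chain shape described above; any single finding on its own is common in legitimate mail and is better used as a scoring input than as a block rule.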

Why is this attack effective?

  • A convincing email and landing page: The attachment links to a convincing landing page bolstered with fake Facebook comments offering positive feedback and success stories. Together with its attractive and seemingly reliable design, this could be enough to persuade many users.

Fabricated stories used to corroborate the scam 

  • Timing: Given the current situation, people may become more willing, even eager, to try new ways of making an income — making it easy for them to fall victim to this kind of trap set on a shady site offering easy money.

Number of links detected by country

Scammers are trying to turn as many heads as possible at a time when people’s heads are already spinning with the crisis. Even a simple website without any sophisticated source code could do the trick if the scammers create an offer convincing enough, and if the trap is set at just the right time.