Scam websites have tricked over 10,000 people in the U.S. to visit a fake shop selling a book for $37 which can actually be downloaded for free
Beware of another attempt by scammers to use the coronavirus pandemic to their advantage, in this case by selling you an e-book for $37, which actually is available for download for free. The title of the book is Pandemic Survival and it contains a collection of tips and advice allegedly used by the government. The tips include advice on how to quarantine properly, “isolated in a tent outdoors”, and recommends the use of “BioImmune”, a supplement to “support your body to help fight off harmful germs and viruses”, which the e-book conveniently links to. From April 1 until April 20, we have seen more than 10,000 attempted visits by U.S. users to the shop website, over 900 visits from the UK, and over 600 from Canada and Australia each. Avast blocks the shop URL and the URLs of fake websites promoting the shop.
The main element of the scam website is a video player designed to mimic YouTube. The purpose of the video is to persuade users to buy the e-book. The checkout process is handled by the website BuyGoods.com where the users are redirected if they attempt to buy this book. When the money is transferred, the user will receive a link to download his newly purchased book. This link leads to the site psurvival[.]org.
Host site for Pandemic Survival ebook.
The interesting part is that no security precautions are taken to deliver the e-book. So anybody can download this ebook for free without any verification. The certificate and “whois” information does not look like they belong to a serious business.
Whois record of pssurvival.org
The phone number listed in the whois record has some negative reviews left by users.
Reviews left by users
Our data shows that there is a decent amount of activity around this scam campaign. A reason for this may be that this campaign not only spreads via email, as confirmed by cybersecurity blog OSINT Fans, but also via malvertising, which means cybercriminals purchase ad space from an ad network to display malvertising, malicious advertisements promoting the campaign, on scam websites.
Image credit: OSINT Fans; The spam email advertising PandemicSecrets[.]org.
We took a closer look at the scam website healthylifeupdate [.]com, and noticed that the threat actors take advantage of popular media brands to create a sense of trust among readers. So if users visit healthylifeupdate [.]com, they will encounter a website with the logo, look, and feel of CNN’s, CNBC’s, and People’s websites, stealing their brands.
The websites healthylifeupdate [.]com and usmagazine-trending-news[.]com both contain redirecting links to the scam shop, PandemicSecrets[.]org.
Both of the following scam websites contain redirects, which take users anywhere attackers want.
Both healthylifeupdate [.]com and usmagazine-trending-news[.]com contains redirects to PandemicSecrets[.]org.
healthylifeupdate [.]com comes with subpages boasting different popular U.S. media brands, including CNN, People, and CNBC, tricking the user into thinking they are on a trusted news site
What about those redirects? We can confirm that the main infection vector was through email. The final redirect sends the user to the landing page pandemicsecrets[.]com and always ends on the IP address 50.23.130[.]135 which belongs to the infrastructure of MaxWeb, an Affiliate Network.
We were able to replay this campaign via many different redirection chains: