
How do Covid-19 scams happen?

Threat Intelligence Team, 14 April 2020

Taking advantage of people’s emotions, attackers aim to deceive victims into sending money and sharing personal information

Covid-19 scams are spreading through some familiar techniques. A growing number of people are vulnerable, as many of us actively try to stay up to date on pandemic-related information.

These Covid-related scams may be hiding in plain sight, sitting in your inbox or even on your social networks. They can also target you in the form of text messages that include a link. Their message may promise important information, offer protective products or ask for a donation to help charitable causes.

From what we can see, fake shops are the most common scam variant, selling discounted medical equipment, like face masks or sanitizer. Some even claim to sell treatments or Covid-19 self-tests. Anyone, including scammers, can set up a shop online under almost any name. Some online sellers falsely claim to have in-demand products, like cleaning, household, and health and medical supplies. But, as you might guess, you never receive the goods after placing an order.

Beware of suspicious offers on unknown online stores

Always research the seller by searching online for the person’s or company’s name, phone number and email address, together with words like “review,” “complaint” or “scam.” If no red flags appear in your research, you should still be cautious and pay using a credit card or PayPal. Always keep a record of your transaction.

The following example shows a simple web design used for many different scams, which were essentially the same shop with different product portfolios. A critical red flag is that none of these sites include any contact information to reach the alleged sellers.


An almost empty Whois domain lookup shows that the domain name is only eight days old. By discovering the site’s IP address, we found more than two thousand domains, many of them with the same purpose.
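
The three red flags described above (a very young domain, an almost empty Whois record, and a shop page with no contact information) can be checked together. The following is an added example, not the research team's tooling: the Whois text, the HTML, the placeholder domain, the function names and the 30-day age threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed samples for a placeholder domain; not data from the article.
SAMPLE_WHOIS = """\
Domain Name: MASK-SHOP.EXAMPLE
Creation Date: 2020-04-06T09:12:44Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Email:
Registrant Phone:
"""
SAMPLE_HTML = "<html><body><h1>Face masks -70%</h1><a href='/cart'>Buy now</a></body></html>"
CONTACT_FIELDS = ("Registrant Name", "Registrant Organization",
                  "Registrant Email", "Registrant Phone")
EMPTY_VALUES = {"", "redacted for privacy", "not disclosed"}
MIN_AGE_DAYS = 30  # assumed threshold; tune to your own tolerance

def parse_whois(text):
    """Return {field: value} for 'Key: value' lines; first occurrence wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip(), value.strip())
    return fields

def domain_age_days(fields, now):
    """Whole days since 'Creation Date' (treated as UTC), or None if missing."""
    created = fields.get("Creation Date")
    if not created:
        return None
    ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return (now - ts.replace(tzinfo=timezone.utc)).days

def has_contact_info(html):
    """True if the page shows an email, a mailto:/tel: link or a phone-like number."""
    text = re.sub(r"<[^>]+>", " ", html)  # strip tags before looking for phone digits
    return bool(re.search(r"[\w.+-]+@[\w-]+\.\w+|href=['\"](?:mailto|tel):", html, re.I)
                or re.search(r"\+?\d[\d\s().-]{7,}\d", text))

def red_flags(whois_text, html, now):
    """List the red flags that apply to one shop."""
    fields = parse_whois(whois_text)
    age = domain_age_days(fields, now)
    hidden = all(fields.get(f, "").lower() in EMPTY_VALUES for f in CONTACT_FIELDS)
    checks = [(age is None or age < MIN_AGE_DAYS, f"domain age: {age} days"),
              (hidden, "no registrant contact in WHOIS"),
              (not has_contact_info(html), "no contact information on site")]
    return [label for hit, label in checks if hit]
```

Real Whois output varies by registry, so the field names here may need adjusting for other top-level domains.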


Fake products

If you or someone you know has been infected with Covid-19, you’ll likely try to find as much information as possible regarding potential treatments. Unfortunately, this may lead you to run into another pile of exploitative scams. Websites often offer medical supplies that supposedly prevent people from getting sick or miraculously help an infected person to recover. These "cures" can take the form of pills, drinks, powders, and more.


World Health Organization’s name exploited

Scammers are also including “World Health Organization (WHO)” in their fraudulent schemes. Most scams including references to WHO are circulating as emails, but there are also rogue websites, as well as text messages. Many of these scams request detailed information and/or money from individuals, businesses, or non-profit organizations with the promise that they will receive funds or other benefits in return.

Others ask for donations to support the treatment of sick patients or registration fees for conferences allegedly sponsored by WHO. Another type of scam proposes employment opportunities with WHO. These scams try to be more convincing by including the WHO logo, and originate from or refer to email addresses made to look like the message came from WHO or the United Nations.

Many different types of emails are being reported on social networking sites. See the screenshots below.


Not just emails, but text messages, too

Scammers are also targeting victims by sending out text messages (SMS) appearing to be sent from a legitimate company. These messages typically include a link taking the potential victim to a site that may look real, but in reality is just a simple web page designed to gather personal information like credit card details, login credentials, and even home addresses.

If you receive an unexpected message that includes a link, typically in the form of a URL shortener (such as bit.ly or similar), don’t open it. If you do click on it, don't click on anything on the website and simply close the page. The following example shows an attacker trying to get people to click on a link included in a fraudulent message:


By analyzing the IP address of the links sent in these messages, we discovered more suspicious domain names that can give us insight into the size of the entire campaign.


Suspicious links in scam text messages will bring you to, you guessed it, a suspicious web page. In the case illustrated below, we are seeing a web page that looks like a brand new page relating to the coronavirus. However, analysis reveals this page was getting web traffic back in summer 2019. This clearly shows how cybercriminals are trying to exploit the current coronavirus public health scare by reworking older scam sites.


Final thoughts

In times of health pandemics, it's critical to remain well informed about current health and government guidelines. However, it is vital that you always remain vigilant to potential fraudulent information and messages, whether they come from websites, emails, text messages, social media or any other digital platform. Stay informed and stay safe.