Scam websites tricked over 10,000 people to visit a fake shop selling a book which can actually be downloaded for free
Beware of another attempt by scammers to use the Covid-19 pandemic to their advantage — in this case, by selling you an e-book for $37, which actually is available for download for free.
The title of the book is Pandemic Survival, and it contains a collection of tips and advice allegedly used by the government. The tips include advice on how to quarantine properly (“isolated in a tent outdoors”), and the e-book recommends the use of “BioImmune”, a supplement to “support your body to help fight off harmful germs and viruses”, which the e-book conveniently links to. From April 1 until April 20, we have seen more than 10,000 attempted visits by users in the United States to the shop website, over 900 visits from the United Kingdom, and over 600 from both Canada and Australia. It's important to note that Avast blocks the shop URL and the URLs of fake websites promoting the shop.
The main element of the scam website is a video player designed to mimic YouTube. The purpose of the video is to persuade users to buy the e-book. The checkout process is handled by the website BuyGoods.com, to which the users are redirected if they attempt to buy this book. When the money is transferred, the user will receive a link to download their newly purchased book. This link leads to the site psurvival[.]org.
Host site for the Pandemic Survival e-book
What's interesting is that no security precautions are taken to deliver the e-book, so essentially anybody can download it for free without any verification of purchase. The certificate and Whois domain information do not look like they belong to a serious business.
Whois record of pssurvival[.]org
The phone number listed in the Whois record has received negative reviews from users, as shown below.
Our data shows that there is a decent amount of activity around this scam campaign. A reason for this may be that the campaign spreads not only via email, as confirmed by the cybersecurity blog OSINT Fans, but also via malvertising, meaning the cybercriminals purchase ad space from an ad network to display malicious advertisements promoting the campaign on scam websites.
We took a closer look at the scam website healthylifeupdate[.]com, and noticed that the threat actors take advantage of popular media brands to create a sense of trust among readers. So if users visit healthylifeupdate[.]com, they'll encounter a website with the logo, look, and feel of top news publications' websites, including CNN, CNBC, and People.
The websites healthylifeupdate[.]com and usmagazine-trending-news[.]com both contain redirecting links to the scam shop, PandemicSecrets[.]org.
Both of the following scam websites contain redirects, which take users anywhere that attackers want.
healthylifeupdate[.]com comes with subpages boasting different popular U.S. media brands, including CNN, People, and CNBC, tricking the user into thinking they are on a trusted news site
We can confirm that the main infection vector was through email. The final redirect sends the user to the landing page pandemicsecrets[.]com and always ends on the IP address 50.23.130[.]135 which belongs to the infrastructure of MaxWeb, an Affiliate Network.
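The redirect chains described above are what a defender would walk and record when triaging such a campaign. The following added example (not Avast's tooling) follows a chain of HTTP redirects hop by hop, with the HTTP layer and DNS lookups replaced by constructed, offline stand-ins so it runs without network access; the stand-in chain reuses the indicators named on this page (healthylifeupdate[.]com, usmagazine-trending-news[.]com, pandemicsecrets[.]com and the IP 50.23.130[.]135), but the paths, query strings and the loop example are constructed. It caps the hop count, detects redirect loops, and flags chains that terminate on a watched IP or cross several unrelated domains.

```python
from urllib.parse import urlparse

# Constructed stand-in for the HTTP layer: url -> (status, Location header or None).
CONSTRUCTED_RESPONSES = {
    "http://healthylifeupdate.com/cnn": (302, "http://usmagazine-trending-news.com/go?id=1"),
    "http://usmagazine-trending-news.com/go?id=1": (302, "http://pandemicsecrets.com/"),
    "http://pandemicsecrets.com/": (200, None),
    # Constructed loop to exercise the loop guard.
    "http://loop-a.example/": (302, "http://loop-b.example/"),
    "http://loop-b.example/": (302, "http://loop-a.example/"),
}

# Constructed stand-in for DNS; the IP is the landing-page address named in the post.
CONSTRUCTED_DNS = {"pandemicsecrets.com": "50.23.130.135"}

# Terminal IPs a defender is watching for; here the one named in the post.
WATCHED_SINK_IPS = {"50.23.130.135"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_chain(start, fetch=None, max_hops=10):
    """Follow redirects from `start`, returning (hops, outcome).

    `fetch(url)` returns (status, location). Outcome is 'terminal' when a
    non-redirect response is reached, 'loop' when a URL repeats, or
    'too_many_hops' when max_hops is exceeded (a common evasion pattern).
    """
    fetch = fetch or (lambda u: CONSTRUCTED_RESPONSES.get(u, (404, None)))
    hops, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return hops, "terminal"
        hops.append(location)
        if location in seen:
            return hops, "loop"
        seen.add(location)
        url = location
    return hops, "too_many_hops"


def assess_chain(start, resolve=CONSTRUCTED_DNS.get):
    """Walk the chain and attach triage flags a defender would act on."""
    hops, outcome = follow_chain(start)
    final_host = urlparse(hops[-1]).hostname
    final_ip = resolve(final_host) if final_host else None
    flags = []
    if final_ip in WATCHED_SINK_IPS:
        flags.append("terminates_on_watched_ip")
    if len({urlparse(h).hostname for h in hops}) > 2:
        flags.append("multi_domain_chain")
    if outcome != "terminal":
        flags.append(outcome)
    return {"hops": hops, "final_host": final_host, "final_ip": final_ip, "flags": flags}


if __name__ == "__main__":
    for start in ("http://healthylifeupdate.com/cnn", "http://loop-a.example/"):
        result = assess_chain(start)
        print(start)
        for i, hop in enumerate(result["hops"]):
            print(f"  {i}: {hop}")
        print("  final:", result["final_host"], result["final_ip"], result["flags"])
```

Replacing the `fetch` stand-in with a real client that does not follow redirects automatically (so each hop is observed individually) is all that is needed to use the same logic on live URLs from a sandboxed analysis host.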
We were able to replay this campaign via many different redirection chains:
Detection hits for April
As mentioned before, Avast protects our users by blocking the web shop and the malvertising sites pointing to the book. In general, users should always pay attention to a website’s URL and whether it matches the content displayed on the site. They should also use common sense when looking for advice on how to best stay healthy and safe in the midst of the Covid-19 pandemic. Official sources like the Johns Hopkins Coronavirus Resource Center, the World Health Organization and the National Institutes of Health are reputable places to seek valuable advice.