Bengaluru, NFPost: Unscrupulous marketers and cyber-criminals have seized upon concerns over the emergence of the COVID-19 global pandemic as bait for spam, phishing attacks and malware. In recent weeks, the use of “coronavirus” and “COVID-19” in domain names, potentially unwanted email messages, and phishing and malware delivery schemes has skyrocketed.
We’re continuing to work to identify, detect and block these threats. We’re also engaging with the security community to help defend more broadly against the surge in COVID-19 related threats. Joshua Saxe, Sophos’ chief scientist, has launched a Slack channel for open collaboration on taking on pandemic-themed threats. We’re also publishing indicators of compromise we discover for related threats in a public GitHub.
In this report, we’ll examine some of the trends we’re seeing in pandemic-themed spam and scams. The data we present here is just a portion of what we’ve seen so far, and we continue to assess intelligence data as it becomes available.
The surge of spam
The spam we found to be carrying an installer for Trickbot malware earlier this month was just one example of how spammers and criminals are using hunger for information about the pandemic to lure in their targets.
While COVID-19 emerged as a crisis in China in December, references to the virus in spam and phishing emails only really began to emerge in January—and like the virus itself, they grew exponentially. By early March, COVID-19 and Coronavirus already represented a significant percentage of the spam traffic we measured.
Spam campaigns detected by Sophos included:
- A sextortion scheme threatening to infect the target’s family with COVID-19 if they didn’t pay.
- A scam purporting to be a fundraising plea from the World Health Organization, asking for donations in Bitcoin to fund COVID-19 research.
- Messages purportedly from WHO, but carrying documents with dropper malware.
- Marketing for “emergency supplies,” including filter masks.
- A sales pitch for a $37 video download, purporting to offer insider information from a “military source” on how to survive Coronavirus.
Building spamming and phishing infrastructure
COVID-19 has left a huge mark on the Internet’s namespace over the past two months. Certificate transparency log data from the major certificate authorities has shown a significant rise in the number of SSL certificates registered for sites using “corona” or “covid” in their names.
To get a sense of how big that change has been, we looked at log data over the past six months for new certificates issued for hostnames with “corona” or “covid-19” in them. To establish a baseline from before the outbreak became global news, we looked at the same period a year ago (September 2018 to March 2019) for comparison.
Before January, most certificates that contained “corona” referred to a locality, service or legitimate brand name. These accounted for an average of 288 certificates activated per month. References to “covid” did not appear in any certificate registration we could find a record of prior to 2020, and the only domain that really stands out belongs to the Arizona-based A/V accessory manufacturer COVID, which owns the .com domain.
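The comparison described above, counting newly issued certificates whose hostnames contain the keywords month by month and measuring a month against a pre-outbreak baseline, as an added example that is not the report's own tooling. The CT log entries are constructed sample data, and a real run would read entries from a log or a search service such as crt.sh.

```python
# Added example (not from the Sophos report or NFPost): count new certificates
# whose hostnames contain pandemic keywords, month by month, and compare one
# month against a pre-outbreak baseline, as the report describes with CT data.
from collections import Counter
from datetime import date
from statistics import mean

KEYWORDS = ("corona", "covid")

# Constructed CT log entries as (not_before date, hostname); not real data.
SAMPLE_ENTRIES = [
    (date(2018, 10, 3), "corona.example-city.org"),    # baseline: a locality
    (date(2018, 11, 12), "shop.coronabrand.example"),  # baseline: a brand
    (date(2019, 2, 20), "mail.example.net"),
    (date(2020, 1, 15), "coronavirus-update.example"),
    (date(2020, 2, 8), "covid19-map.example"),
    (date(2020, 2, 21), "corona-masks.example"),
    (date(2020, 3, 2), "www.covid-19-relief.example"),
    (date(2020, 3, 4), "COVID-donate.example"),
    (date(2020, 3, 9), "login.example.org"),
]

def matches(hostname, keywords=KEYWORDS):
    """Case-insensitive substring match; note it also hits legitimate names."""
    host = hostname.lower()
    return any(k in host for k in keywords)

def monthly_counts(entries, keywords=KEYWORDS):
    """Return {'YYYY-MM': number of matching certificates issued that month}."""
    counts = Counter()
    for issued, host in entries:
        if matches(host, keywords):
            counts[issued.strftime("%Y-%m")] += 1
    return dict(counts)

def months_between(start, end):
    """Yield 'YYYY-MM' labels from start through end (both 'YYYY-MM')."""
    y, m = (int(p) for p in start.split("-"))
    ey, em = (int(p) for p in end.split("-"))
    while (y, m) <= (ey, em):
        yield f"{y:04d}-{m:02d}"
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)

def surge_ratio(entries, baseline_start, baseline_end, month):
    """Ratio of a month's count to the baseline window's monthly average."""
    counts = monthly_counts(entries)
    # Baseline months with no matching certificates still count as zero.
    baseline = mean(counts.get(mo, 0)
                    for mo in months_between(baseline_start, baseline_end))
    return counts.get(month, 0) / baseline if baseline else float("inf")
```

Because a substring match on “corona” also catches localities and brand names, as the report notes, the ratio against the baseline is more informative than the raw count.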
Attackers are also increasingly impersonating the WHO (World Health Organization), CDC (Centers for Disease Control and Prevention, North America) and the United Nations (UN), as evidenced in scams tracked by SophosLabs. Attached are a few new examples.
Sophos Principal Research Scientist Chester Wisniewski said cybercriminals are wasting no time in shifting their dirty, tried and true attack campaigns toward advantageous lures that prey on mounting virus fears. It’s easy to see, for example, that the attackers behind a new Chloroquine scam (attached) are the same as those behind a recent herbal Viagra scam.
“With global spam volumes estimated to be in the hundreds of billions, for 2-3% of those to be COVID-19 themed is significant. Similar to A/B testing of advertisements and web pages, criminals often dip a toe in the water when there is a new or sensational topic in the news. If the new topic proves a more effective lure than the previous scam bait they begin switching to new lures,” said Sophos Principal Research Scientist Chester Wisniewski.
Wisniewski said that in one of the spam campaigns we tracked this week, there was evidence of exactly that.
“These particular criminals had been using fake shipping and delivery emails to convince unsuspecting victims into opening attachments and infecting their computers with the Kryptik Trojan. Now the main body of the email pretends to come from [email protected] with “health advice” in the attachment, but when we carefully inspect the plain text body, we see it matches a previous spam campaign from this same criminal using a lure pretending to be about invoices and deliveries,” said Wisniewski.
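One way a mail-filtering team can make the link described in the quote above, comparing the plain-text bodies of two messages while ignoring the changed sender and subject lure, as an added example that is not Sophos' own tooling. The three messages are constructed samples; the addresses and text are invented.

```python
# Added example (not from the Sophos report or NFPost): link two spam messages
# to one campaign by their plain-text bodies. All samples below are constructed.
import re
from email import message_from_string

OLD_DELIVERY_SPAM = """From: notice@example-courier.test
Subject: Your parcel could not be delivered
Content-Type: text/plain

Please review the attached document for details.
Open the attachment and confirm your information to proceed.
Regards, Customer Service
"""
NEW_COVID_SPAM = """From: advice@example-who.test
Subject: COVID-19 health advice
Content-Type: text/plain

Please review the attached document for details.
Open the attachment and confirm your information to proceed.
Regards, Customer Service
"""
UNRELATED_MAIL = """From: alice@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free for lunch on Friday? Let me know by Thursday.
"""

def plain_body(raw):
    """Return the decoded text/plain part, or "" if the message has none."""
    msg = message_from_string(raw)
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode(errors="replace")
    return ""

def shingles(text, n=3):
    """Word n-grams over lower-cased text with digits and punctuation removed."""
    words = re.sub(r"[^a-z ]", " ", text.lower()).split()
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def body_similarity(raw_a, raw_b):
    """Jaccard similarity of the two messages' body shingles (0.0 to 1.0)."""
    a, b = shingles(plain_body(raw_a)), shingles(plain_body(raw_b))
    return len(a & b) / len(a | b) if a | b else 0.0

def same_campaign(raw_a, raw_b, threshold=0.8):
    """Treat messages with near-identical bodies as one campaign."""
    return body_similarity(raw_a, raw_b) >= threshold
```

The threshold is an assumed value; a body template shared with a previously seen campaign is a signal to reuse that campaign's verdict and blocking rules even when the headers and subject look new.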
Wisniewski said the increase is likely due to two factors. First, as time passes, more and more criminal groups are joining the party, using all this interest in COVID-19 to steal money from people. Secondly, it takes time.
“Any given criminal group has to handcraft the spams to convince the recipient to take an action. In the research community we call this the call to action. The call to action might be to open the attachment, visit the website or, in the case of the WHO Bitcoin scam (attached), to donate cryptocurrencies to criminal controlled Bitcoin wallets. Crafting these messages takes time, especially for those who are not native English speakers,” said Wisniewski.
Even the most innocuous mention of something by a politician or a celebrity can lend a scam credibility or present a new business opportunity. Two recent examples come to mind. One spam campaign, offering to tell you about the government cover-up and attempting to sell you a COVID-19 survival guide, used celebrity Gwyneth Paltrow as a lure in its subject line. A tipoff that the email is fake is the misspelling of her first name as Gwenith (attached), but this could easily be missed or glossed over.
A few days ago, President Donald Trump mentioned the possible efficacy of a drug called Chloroquine against Coronavirus, immediately leading WordPress blog comment spammers to switch from pitching herbal Viagra to attempting to sell you Chloroquine, which can be quite dangerous when not taken under the supervision of a doctor. And within only two days of the WHO creating a charity called the Solidarity Response Fund, criminals were soliciting Bitcoin donations while pretending to be the charity, even implying that your donation is fully tax deductible in the US or Europe.