COVID-19 Scam Roundup – April 27, 2020 | Tripwire

COVID-19 Scam Roundup – April 27, 2020

Posted on April 27, 2020
COVID-19 Scam Roundup – April 27, 2020
The coronavirus 2019 (COVID-19) scam onslaught continues. Per Threatpost, digital attackers ramped up their activity over Q1 2020 to the extent that they were sending approximately 1.5 million coronavirus-themed attack emails by the middle of April. How can we then be surprised by ZDNet's reporting that the number of digital crime reports received by the FBI had quadrupled in number, with many of these disclosed attacks featuring COVID-19 as a theme? The above-mentioned statics demonstrate how important it is to stay on top of the latest COVID-19 scam attempts. We at the State of Security couldn't agree more. With that said, let's look at some of the latest ruses that have made headlines.

The Annoying Mess that is CoronaLocker

In the middle of April, security researcher Max Kersten learned that his friend had suffered an infection at the hands of a program called "wifihacker.exe." The researcher took a look and found that the malware extracted VBS files and a batch file once installed. It then used these resources to create an annoying screenlocker that informed victims that they had suffered a coronavirus infection.
Screen-Shot-2020-04-24-at-11.19.04.png
The CoronaLocker screenlocker at work. (Source: Bleeping Computer) Bleeping Computer found that users could type in "vb" into the screenlocker prompt to regain access to their desktop. The only problem is that this "CoronaLocker" malware already created several Registry keys to hide the Desktop icons, disable the Start menu and prevent other tools from working properly. The exact means of distribution wasn't known at the time of writing, but the computer self-help site named malicious YouTube videos or Discord as likely culprits.

Give It a Rest, Trickbot!

Like all other security research teams, Microsoft's Security Intelligence has been analyzing the growing number of digital attacks that are exploiting the ongoing pandemic to target users. They found something interesting in the process. Specifically, they observed that Trickbot features as the most common malware payload in these attack campaigns. https://twitter.com/MsftSecIntel/status/1251181180281450498 Microsoft's Security Intelligence went on to share a recent Trickbot campaign in which attackers had targeted users with hundreds of macro-laden documents. Those files came attached to attack emails that claimed to originated from a non-profit organization offering free COVID-19 tests.

Hoax Health Site Harboring Fake COVID-19 Harmful Links

Digital fraudsters are attempting to capitalize on people's search for information regarding the coronavirus pandemic. In that spirit, malicious actors created a fake website designed to impersonate the official site for the United Kingdom's National Health Service (NHS). A screenshot of this website is visible below.
27565066-0-image-a-17_1587662466102.jpg
A screenshot of the fake NHS website. (Source: Daily Mail) As reported by Daily Mail, Kaspersky found that the website contained numerous links that claimed to offer updates about COVID-19. But clicking on the links yielded no such information. Instead, they all summoned a pop-up box that prompted the visitor to save the file "COVID19.exe." Those who consented to this prompt inadvertently infected their machines with information-stealing malware.

Dark Web Ploys: From Ventilators to..."Pure Frequency"?

Malicious actors are flooding underground web marketplaces with all kinds of scams these days. A few of the more interesting ploys recently attracted the attention of Bleeping Computer. In one of those schemes, a scammer placed a promotion for a type of ventilator commonly used in hospitals on a dark web forum. Another offered an Israel-created "vaccine" that sold for $99. Perhaps the most bizarre of these scams came in the form of a posting offering a "pure frequency." The post informed users that they simply needed to listen to the same .MP3 file 3-6 times a day in order to eliminate the coronavirus from their home and their surroundings.
Screen-Shot-2020-04-24-at-17.13.54.png
An ad pushing an MP3 file that supposedly kills the coronavirus. (Source: Bleeping Computer) It's unclear from Bleeping Computer's reporting what this link did when clicked. More than likely, it secretly loaded a malicious file that sought to steal a victim's information.

An Investigation into a Multi-Million Euro Face Mask Scam

And now for some good news! According to BBC News, Gardaí (Irish police) collaborated with banking authorities to freeze a €1.5 million payment that a German company had deposited into a bank account operated by an Irish firm based in County Roscommon. The company was under the impression that it was making a down payment on 10 million marks valued at €15 million. As it turns out, the company made the purchase on a fake Dutch website created by scammers. After learning of this money laundering attempt, local authorities brought in an Irish citizen for questioning. They did not arrest the individual, however.

Over 2,000 COVID-19 Scams Taken Down by NCSC

BBC News also shared the success of the United Kingdom's National Cyber Security Centre (NCSC) in its fight against coronavirus-themed scams. In March 2020 alone, NCSC took down over 2,000 COVID-19 ploys. Those ruses included 471 fake online shops that claimed to sell coronavirus-themed items such as those discovered by Bleeping Computer. NCSC's efforts were also integral in the dismantling of numerous phishing websites, malware landing pages and nearly 900 advance-fee fraud schemes. Have you seen a coronavirus-themed scam? If so, let us know by reaching out on Twitter.

Check out our other COVID-19 scam roundups below!

Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!