Cheating injection: COVID-19 vaccines in scam campaigns

The COVID-19 pandemic has brought millions of people online. The need to reduce physical contact has shifted much of life to the internet, increasing humanity’s dependence on online platforms. Large-scale fraud campaigns have flourished on this growing trust in online platforms, and vaccines have become one of their most popular news hooks. In this post, we cover malware, spam, phishing schemes, and sites related to COVID-19 vaccines.

Spam campaigns

We recorded spam campaigns using the COVID vaccine theme as early as Q1 2020, even before the global lockdown. The first to move were the operators of the Emotet, Fareit, Agent Tesla and Remcos malware.

Emotet

The spam campaign spreading this malware began just after the New Year and targeted the healthcare, manufacturing, banking and transportation industries in the United States, Italy and Canada. More than 80 different variants of malicious documents attached to emails were used to spread the Trojan. Their names contained the word “COVID” as the main attention-grabber:

  • Daily COVID reporting.doc

  • DAILY COVID-19 Information.doc

  • NQ29526013I_COVID-19_SARS-CoV-2.doc

  • GJ-5679 Medical report Covid-19.doc

Here are some of the subject lines that potential victims have received:

  • COVID-19 Vaccine Survey;

  • RE: RE: COVID-19 Vaccine Clinic with Walgreens To Do Now;

  • Re: #TuOficinaSegura. Pfizer anuncia Vacuna contra el Covid. Novedades Oficinas YA! 10 de Noviembre de 2020.

More than 100 command-and-control servers located in 33 countries were used for this campaign. After cybersecurity experts conducted an operation to take over control of these servers, the campaign died down.

Fareit

This malware steals personal information and credentials stored in browsers, email clients and FTP clients. It was also distributed through a spam campaign, which used subject lines related to COVID vaccines:

  • Corona-virus (COVID-19), Common vaccine;

  • Corona-Virus Disease (COVID-19) Pandemic Vaccine Released;

  • Latest vaccine release for Corona-virus (COVID-19).

The names of the email attachments also contained references to the COVID vaccine:

  • Corona-virus vaccine.arj

  • COVID-19 VACCINE SAMPLES.arj

  • COVID-19 Vaccine.arj

  • vaccine release for Corona-virus (COVID-19) _pdf.rar

An example of one of the malicious emails sent by Fareit operators. Source (hereinafter): Trend Micro

The attackers used the names of WHO representatives and doctors as sender addresses. Germany, the USA, Italy, China, Spain and Israel were hit hardest by Fareit.

Other malware

The topic of coronavirus vaccines was also actively exploited by operators of other malware, for example Lokibot, Agent Tesla, Formbook, Remcos and Nanocore.

In November 2020, Zebrocy ransomware operators sent out malware while posing as the pharmaceutical company Sinopharm, which produces COVID-19 vaccines. To distribute the code, the attackers used a virtual hard disk (VHD) file containing two files: a PDF with Sinopharm’s presentation and a Microsoft Word document with malicious macros.
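A mail-gateway triage rule built from the lure patterns listed in this section, as an added example that is not code from the original report: it scores a message higher when its subject or attachment name uses a COVID/vaccine lure and the attachment is one of the file types named above. The record format, the weights, the threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Lure words seen in the subjects and file names quoted in this section.
LURE = re.compile(r"covid|corona[\s-]?virus|vaccin|vacuna|sars-cov", re.I)
# Attachment types the campaigns used: macro documents, archives, disk images.
# The weights are illustrative assumptions, not measured values.
RISKY_EXT = {".doc": 2, ".arj": 3, ".rar": 3, ".vhd": 3}
# A document type spelled inside the name of another file type, e.g. "_pdf.rar".
DISGUISE = re.compile(r"[\s_.-](pdf|docx?|xlsx?)$", re.I)

def score_message(subject, attachments):
    """Return (score, reasons) for one message; higher means more suspicious."""
    score, reasons = 0, []
    if LURE.search(subject):
        score += 1
        reasons.append("lure subject")
    for name in attachments:
        path = PurePosixPath(name.strip())
        ext = path.suffix.lower()
        weight = RISKY_EXT.get(ext, 0)
        if weight and LURE.search(path.stem):
            score += weight
            reasons.append(f"lure-named {ext} attachment")
        if weight and DISGUISE.search(path.stem.strip()):
            score += 2
            reasons.append("document type hidden in file name")
    return score, reasons

def triage(messages, threshold=3):
    """Return ids of messages at or above the quarantine threshold."""
    return [m["id"] for m in messages
            if score_message(m["subject"], m["attachments"])[0] >= threshold]

# Constructed sample records; subjects and file names reuse strings quoted above.
SAMPLE = [
    {"id": 1, "subject": "COVID-19 Vaccine Survey",
     "attachments": ["Daily COVID reporting.doc"]},
    {"id": 2, "subject": "Latest vaccine release for Corona-virus (COVID-19).",
     "attachments": ["vaccine release for Corona-virus (COVID-19) _pdf.rar"]},
    {"id": 3, "subject": "Quarterly budget review", "attachments": ["budget.doc"]},
    {"id": 4, "subject": "COVID-19 office reopening schedule", "attachments": []},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["id"], *score_message(m["subject"], m["attachments"]))
```

A lure subject alone stays below the threshold, so ordinary pandemic-related mail without a risky attachment is not quarantined.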

Phishing

The shortage of vaccines in Europe and the United States led people frightened by the disease to look for ways to get a life-saving shot faster. The scammers were quick to take advantage of the demand. One such campaign was carried out in the name of the UK’s National Health Service (NHS). The phishing email invited the user to get vaccinated and asked them to confirm their consent.

Phishing email from NHS inviting vaccinations

Regardless of whether the user clicked on the “accept” or “decline” link, they were taken to a landing page with a form that prompted them to enter their full name, date of birth, address, and mobile phone number. We found this campaign in the UK, Germany, USA and the Netherlands.

Another campaign targeting Mexican citizens masqueraded as the actual Chopo medical laboratory. The phishing site was outwardly identical to the real one.

Phishing site of “Chopo medical laboratory”

Victims were asked to provide their name, age, address, gender, mobile phone number and email address. After “registration” they were to receive a digital certificate of the National Vaccination Card, after which they were asked to wait for the card to be activated. Through the same site, users were allegedly able to sign up for vaccinations; to confirm the appointment, they had to pay 2,700 Mexican pesos (about $130). The page even had fake contacts: email addresses, a Facebook page, and a WhatsApp consultation number.

Another phishing campaign, discovered in September 2020, involved equipment for the safe and reliable transportation of vaccines: scammers sent out emails disguised as a commercial offer; the attachment was an HTML file containing a phishing page.

A phishing email with a “sales pitch” for vaccine transport equipment

This is not an exhaustive list of the vaccine-themed phishing campaigns we have encountered during the pandemic. The imagination of scammers knows practically no bounds. They offer to sell vaccination certificates, a place in the vaccination queue and the vaccines themselves for individual use. A fake vaccination certificate in the United States costs $20, and there is a discount for a “small wholesale” order of four fakes: they cost only $60.

Some scammers probe for victims by SMS, impersonating a pharmaceutical company. The message states that the recipient is eligible for vaccination, but must register by calling a contact number. Those who called the number were told that there was a charge to register for vaccination and were asked to pay a small amount.

Fraud

In 2020, DomainTools began providing a free curated list of potentially harmful domains associated with COVID-19. Using this list of domains and data from the Trend Micro Smart Protection Network, we have compiled a list of 75,000 domains that can be used to spread malware, phishing, and fraud.

In 2021, we saw an increase in the number of malicious domains with the keyword “vaccine”. According to the DomainTools report, this surge began in November 2020. At the same time, since June 2020, the number of domains with the word “covid” has been decreasing. Our analysis identified about 1000 malicious domains with the keyword “vaccine”. For example, in November 2020, 100 domains were registered that mimic the names of trademarks of various coronavirus vaccines:

  • Gam-COVID-Vac

  • BioNTech’s BNT162 vaccine (COVID-19 mRNA vaccine)

  • EPI – VAK – KORONA

  • PiCoVacc

  • Sputnik V

Decoy sites are hosted on such domains, for example a fraudulent site disguised as the site of a medical university. On this site, visitors were invited to buy vaccines and pay for them with cryptocurrency. There was no guarantee that the vaccine was genuine or that buyers would receive anything at all after payment.

Fraudulent vaccine website
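One way to screen a feed of newly registered domains for the pattern described above, as an added example that is not code from the original report: it matches the keyword “vaccine” and the vaccine names listed above after stripping separators, and also catches near-miss spellings. The token list, the similarity cutoff, the allowlist parameter and the `.example` domains are assumptions constructed for illustration.

```python
import difflib
import re

# Keyword and vaccine names from the list above, reduced to letters and digits.
BRANDS = ["vaccine", "gamcovidvac", "bnt162", "epivakkorona", "picovacc", "sputnikv"]

def labels_of(domain):
    """Lower-case the name and return every label left of the TLD."""
    return domain.lower().rstrip(".").split(".")[:-1]

def match_domain(domain, cutoff=0.85):
    """Return the keyword or vaccine name a domain imitates, or None."""
    for label in labels_of(domain):
        squashed = re.sub(r"[^a-z0-9]", "", label)   # "sputnik-v" -> "sputnikv"
        for brand in BRANDS:
            if brand in squashed:
                return brand
        # Near misses (a dropped or doubled letter), checked per hyphen-separated token.
        for token in label.split("-") + [squashed]:
            close = difflib.get_close_matches(token, BRANDS, n=1, cutoff=cutoff)
            if close:
                return close[0]
    return None

def screen(domains, allow=frozenset()):
    """Map each suspicious domain to what it imitates, skipping allowlisted names."""
    hits = {}
    for domain in domains:
        if domain.lower() in allow:
            continue  # e.g. a health authority's own vaccine portal
        brand = match_domain(domain)
        if brand:
            hits[domain] = brand
    return hits

# Constructed sample feed; none of these are real observed domains.
SAMPLE_DOMAINS = [
    "buy-sputnik-v.example",
    "covid-vacine-order.example",
    "picovacc-shop.example",
    "vaccine.health-authority.example",
    "clinic-news.example",
]

if __name__ == "__main__":
    print(screen(SAMPLE_DOMAINS, allow={"vaccine.health-authority.example"}))
```

A keyword hit only marks a domain for review; registration date, hosting and page content still decide whether it is fraudulent.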

The darknet’s anonymity made it the perfect place for cybercriminals to trade illegal vaccines. A recent report mentions a site whose operators claimed to have developed a vaccine that is not only ready-to-buy, but also available to ship worldwide.

On another similar site, vaccine buyers had to first send their personal data and even information about coronavirus infection and other diseases by e-mail. Payment was also accepted in bitcoins.

Discussion of the coronavirus vaccine on one of the Darknet sites

The spread of vaccine scams via Facebook and Telegram has become a new trend. One fraudulent Telegram channel has more than 4,000 subscribers and offers vaccines from well-known brands.

Telegram channel offering to buy any vaccines with delivery

The channel redirected gullible buyers to a fraudulent resource disguised as the website of the Delta Express delivery service.

Recommendations

A consequence of the ongoing health crisis in Europe and the United States is that people are looking for ways to buy the vaccine. However, they should be careful, as this trend is exploited by scammers. More importantly, fake vaccines can be harmful to health if the scammers actually deliver something after receiving payment.

And although in Russia there are neither months-long queues for vaccinations nor a shortage of vaccines, people there can also become victims of fraudsters when trying, for example, to buy the “proven” Pfizer vaccine instead of the Russian “Sputnik-V”.

Coronavirus vaccine fraud has become so widespread that it is necessary to be vigilant about the information circulating online. Here are some tips for detecting misinformation:

  • get information about vaccines from trusted sources, such as local health authorities and medical institutions;

  • think before clicking on an enticing link, and do not forward COVID-19-related emails or messages until they have been verified against reputable search engines and news sites, so as to contain the spread of fraudulent and misleading information;

  • look for signs of fake or malicious emails and websites: typos, grammatical errors, and incorrect names and logos of well-known institutions can be signs of forgery. This method does not always work, as some scammers use high-quality copies of legitimate emails, websites and platforms used by official organizations, so it is best to double-check the information on official websites and social networks;

  • attend cybersecurity training: raising awareness of online fraud and other forms of misinformation can help identify these patterns.

A free, multi-platform tool, Trend Micro Check, can be used to detect misinformation, fraud, and similar online threats. It is based on artificial intelligence and provides fraud link detection; email, text, visual and audio security checks for misinformation; and validation of news reports. Since its launch, it has already identified more than 2 million cases of fraud and 3 million cases of disinformation.
