Cybercriminals have always used a crisis as an opportunity to scam people. Many in the tech industry have noticed new scams and campaigns aimed at taking advantage of people's uncertainty around the coronavirus/COVID-19 pandemic, especially after it was declared a health emergency. The United States Computer Emergency Readiness Team (US-CERT) recently warned of scams tricking people into revealing sensitive information or donating to fraudulent charities or causes related to the coronavirus. The Federal Trade Commission has also warned about similar scams.
Multiple security vendors have reported that threat actors have used this scareware tactic to spread malware, including Emotet, LokiBot, RemcosRAT, TrickBot, and FormBook. The Zscaler ThreatLabZ team has been actively monitoring scams and threat campaigns around the coronavirus health emergency and the Summer Olympics. Here are some of our findings.
Recently, there has been a lot of discussion about the impact of the coronavirus on several global events, including the 2020 Summer Olympics. While many of these events have been postponed or canceled, people are waiting to see if the Olympic Games will be held as scheduled, postponed or canceled. We observed newly registered domains (NRDs) trying to exploit this curiosity. One such domain is coronalympics2020[.]com, registered on March 7, 2020.
Figure 1: This shows a "well-known" hidden directory for a coronavirus-related newly registered domain.
We have previously seen the Shade/Troldesh ransomware campaign abusing hidden "well-known" directories in HTTPS sites and reported about it here.
Some of the other domains we have seen based on the Olympics theme are CoronavirusOlympics[.]com, registered on February 26, 2020, and CoronaOlympics[.]com, registered on March 5, 2020.
Exploiting a crisis for profit is not new for threat actors, and the COVID-19 pandemic is no different. We have come across quite a few websites that promise a miracle cure or absurd treatments for COVID-19. Below is a site that claims to protect you from COVID-19. A closer look reveals this site to be fake.
Figure 2: A fake site promoting a "Corona Antivirus" solution.
This site claims to have a "special AI" mobile app developed by Harvard researchers that can protect you from COVID-19.
Figure 3: A mobile app claiming to "protect" users against COVID-19.
It also provides a subscription service for the app. Notice the gibberish under “No credit card required.” This site appears to have been taken down.
Figure 4: The subscription model for this fake coronavirus protection app.
While the Centers for Disease Control (CDC) has been scrambling to provide COVID-19 test kits, fake vendors have already started accepting pre-orders for a "Corona Virus Home Test". It turns out this is another scam to exploit users. We urge users to follow only credible sources, such as the CDC and the World Health Organization (WHO), for any information regarding COVID-19.
Figure 5: A site claiming to sell home tests for the coronavirus.
We have also come across cases where threat actors are using "corona" or "covid" keywords as part of their phishing URLs. This is an attempt to target users who are anxious about the virus.
Figure 6: An Outlook phishing page using the "corona" keyword in the URL.
In this particular case, no matter what user credentials are provided (or not provided), the user is directed to a cdc.gov URL. The page is used as a credential harvester.
Figure 7: The redirected CDC article, which is a known credential harvester.
Newly Registered Domains
Since the coronavirus/COVID-19 has been declared a health emergency by the WHO, there has been a lot of misinformation about a possible cure, vaccines, and the use of masks for protection. We noticed that threat actors are taking advantage of this panic by registering domains during the past couple of weeks.
Figure 8: Number of Coronavirus/COVID-19 NRDs during the past couple of weeks.
We looked at the type of content served by these NRDs, and a snapshot of it can be seen below. We noticed that the majority of the NRDs are currently parked (i.e., registered and held for later use).
Figure 9: The type of content served by coronavirus/COVID-related NRDs.
We have also been monitoring our Zscaler cloud for traffic related to “Corona/COVID-19” newly registered domains and, during the past couple of weeks, we have seen around 30,000 hits.
Figure 10: Traffic observed in Zscaler Cloud related to Corona/COVID during the past couple of weeks.
A popular keyword that we have observed in these NRDs is masks. During the past two weeks, there have been more than 200 newly registered domains just for masks. Here is a snapshot of some of the interesting domains:
Figure 11: Fake NRDs related to coronavirus “masks”.
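One way a defender can triage a feed of newly registered domains for the crisis keywords discussed above (corona, covid, masks, Olympics), as an added example that is not ThreatLabZ code: the three Olympics-themed domains and their dates are the ones reported in this post, while the keyword list, the 14-day NRD window, the observation date and the two extra sample records are constructed assumptions to be tuned to a real registrar or WHOIS feed.

```python
from dataclasses import dataclass
from datetime import date

# Keyword stems the post reports seeing in crisis-themed NRDs (assumed list).
CRISIS_KEYWORDS = ("corona", "covid", "mask", "olympic")
# Observation date assumed for the sample feed (the post's timeframe).
TODAY = date(2020, 3, 12)

@dataclass
class NrdRecord:
    domain: str       # may be defanged with "[.]" as in threat reports
    registered: date  # registration date from the registrar/WHOIS feed

def refang(domain: str) -> str:
    """Turn a defanged 'Example[.]com' back into lower-case 'example.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()

def matched_keywords(domain: str) -> list:
    """Crisis keywords found in the registrable label; the TLD is ignored."""
    label = refang(domain).split(".")[0]
    return [k for k in CRISIS_KEYWORDS if k in label]

def triage_nrds(records, today, max_age_days=14):
    """Return (domain, age_days, keywords) for domains registered within the
    NRD window whose label carries a crisis keyword, newest first."""
    hits = []
    for rec in records:
        age = (today - rec.registered).days
        if age < 0 or age > max_age_days:
            continue  # outside the NRD window (or a bad future date)
        keywords = matched_keywords(rec.domain)
        if keywords:
            hits.append((refang(rec.domain), age, keywords))
    hits.sort(key=lambda hit: hit[1])
    return hits

# Constructed sample feed: the three domains and dates from the post plus
# two made-up records (one themed, one benign) to show the filtering.
SAMPLE_RECORDS = [
    NrdRecord("coronalympics2020[.]com", date(2020, 3, 7)),
    NrdRecord("CoronavirusOlympics[.]com", date(2020, 2, 26)),
    NrdRecord("CoronaOlympics[.]com", date(2020, 3, 5)),
    NrdRecord("covid-masks-shop[.]com", date(2020, 3, 10)),  # constructed
    NrdRecord("springgardening[.]com", date(2020, 3, 9)),    # constructed
]

if __name__ == "__main__":
    for domain, age, keywords in triage_nrds(SAMPLE_RECORDS, TODAY):
        print(f"{domain:28s} registered {age:2d} days ago  {keywords}")
```

With the assumed observation date, CoronavirusOlympics[.]com falls just outside the 14-day window and is dropped; widening `max_age_days` brings it back, which is the knob to tune against the false-positive rate of a real feed.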
We have also noticed the use of “corona/covid” keywords in the attachments or filenames in threat campaigns. Here is an instance where a SpyGate Backdoor campaign was flagged in our Zscaler Cloud Sandbox utilizing “covid.exe”.
Figure 12: The Zscaler Cloud Sandbox detection for the SpyGate Backdoor using the “covid.exe” filename.
As people search for live information about coronavirus cases, attackers are standing up malware-laced websites that embed a map from Johns Hopkins University. The AZORult InfoStealer was seen being delivered in this manner.
Now that the coronavirus/COVID-19 has been declared a pandemic by the WHO, threat actors will continue to prey on misinformation and fear to trick unwitting users into clicking links or opening attachments that claim to offer information about the virus or a cure for it. We encourage users to exercise caution when doing searches, clicking on links, or opening email attachments with a coronavirus/COVID-19-related subject line.
The WHO has also issued an alert to be on the lookout for criminals trying to impersonate this organization. The WHO has stated that it will never ask you to log in, open attachments, or ask for money.
The Zscaler ThreatLabZ team is continuously monitoring online activity to ensure that Zscaler customers are protected from these and other threats.