The Latest COVID-19 Scam Lures: Stay-at-Home Pay & Vaccine Test Results

Threat Alert
David Bisson | Wed, 05/06/2020 - 16:24
covid numbers

Malicious actors didn’t waste any time in exploiting people’s fears surrounding coronavirus 2019 (COVID-19). Troy Gill, manager of security research at Zix | AppRiver, couldn’t agree more:

"In mid-March, we began seeing a large spike in spyware and banking trojans attempting to be delivered under the guise of Covid-19 updates. The most prevalent malware threats leveraging the pandemic has been Agent Tesla and Adwind/jRat."

These digital threats have abused a variety of distribution vectors to prey upon users. Email has been one of their favorites. Indeed, digital attackers have integrated a variety of creative lures into their email campaigns in order to exploit human weakness. Let’s look at a couple of these email attack attempts below.

Someone Got Their Wires Crossed…

This first scam is a doozy. Arriving with the subject line “Fw: COVID 19 STAY AT HOME COMPENSATION,” the email pretends to originate from a staff member for Mark Meadows, an American politician and the current White House Chief of Staff to President Trump. It goes on to offer $20,000 as stay-at-home compensation in its email…via the use of absolutely deplorable grammar. Let this sentence sink in:

“We issue compensation relating to COVID 19 Pandemic which is affecting your jobs, freedom, relations and happiness and even loosing our love one’s and family members.”

The interesting thing is that this email doesn’t make sense from a policy standpoint. In the first sentence, the staff member states that they’re authorized to make this offer of compensation under EC Regulation 261/2004. Had they done the research, the scammers might have realized that this regulation serves residents in the European Union by helping them to apply for and receive compensation for canceled flights. It therefore doesn’t make sense that the White House would be prosecuting an EU regulation and giving people “stay-at-home” money for missing their flights…especially to the tune of $20,000!

Perhaps out of ignorance or a belief that the recipient wouldn’t notice, those behind the scam informed the user that they could apply for the compensation by opening an attached .ZIP archive. That file contained an executable that dropped malware on their computer.

A Clever Vaccine Test Results Scam

The second scam that Zix | AppRiver came across claimed to offer results from a human vaccine test conducted by the World Health Organization (WHO). To pull off this ruse, the email’s sender address spoofed the WHO by appearing as “healthcaresuppot@who[.]int.” The email went a step further by including WHO’s logo, and it even named Tarik Jasarevic, an actual media relations professional at the organization, as the sender.

But like the first email, there are several logical inconsistencies with this email. Jasarevic works in WHO’s media office, which can be reached at mediainquiries@who.int. (He has his own email address, as well.) In an ironic twist, the attack email also claims to include an embedded link to a “Myth-busters” page. The legitimate WHO website does have such a page; the first item included on the resource is a notice that “there are currently no drugs licensed for the treatment or prevention of COVID-19.” That would include the “vaccine” mentioned by this scam email.

It’s therefore not surprising that the sender email address is actually not “healthcaresuppot@who[.]int” but “healthcaresupport=who.int@mg.prozor-rama.org.” (Prozor-Rama is a municipality in the federation of Bosnia and Herzegovinia.) Nor is it astounding that the attached .ISO file contained something other than vaccine test results.

How to Defend Against Scammers’ Ongoing Abuse of the Coronavirus

Gill said that digital attackers will likely continue to exploit COVID-19 as a lure in their email campaigns for the foreseeable future.

"The current Pandemic to them is a great opportunity. As soon as the topic began to gain media traction, attackers were quick to start tailoring their attacks to exploit the situation. In many ways, this scenario is a dream come true for them. One of the most prevalent social engineering tactics that attackers rely on is creating a sense of urgency and whenever possible fear or panic, as well. They do this to garner a more 'emotional' response from their intended targets. When successful, the result is more people who would otherwise know better start clicking a link, responding to an email or opening an attachment that they wouldn’t under normal circumstances."

Acknowledging this, organizations need to supplement their human security awareness training with strong technical controls that can analyze incoming email messages on multiple levels while still allowing the flow of legitimate correspondence. Learn how Zix | AppRiver can help.