Dark Net Flooding with Fake COVID “Vaccine” Offerings
December 2020 by Check Point
Security researchers at CPR are sharing four examples of coronavirus vaccine scams they found on the dark net, following the recent warnings of vaccine scams from the FBI and Europol. In one example, CPR found vendors advertising the ‘opportunity’ to purchase the approved Pfizer vaccine on the dark net for as low as $250. Below, a vendor claims to have stocks of Pfizer’s newly-approved vaccine available to buy and ship from the UK, U.S. and Spain.
Other advertisements found by Check Point researchers tout headlines such as “available corona virus vaccine $250”, “Say bye bye to COVID19=CHLOROQUINE PHOSPHATE”, or “Buy fast. CORONA-VIRUS VACCINE IS OUT NOW”. All vendors discovered insist on payments in the form of Bitcoin, which researchers speculate is a way to minimize the chances of a vendor being traced.
In one particular instance, Check Point researchers began a dialogue with one of the vendors, by asking the question: where can I buy it? The vendor responded with an offer to sell an unspecified Covid-19 vaccine for 0.01 BTC (around $300), claiming that 14 doses were required for remediation.
In another example, a vendor offered Chloroquine as a regular coronavirus "treatment" for only $10.
Sharp rise in Covid-19 vaccine related domains in November
Check Point data shows that 1062 new domains containing the word “vaccine” have been registered since the beginning of November. Of these, 400 also contain “covid” or “corona”. The figure of 1062 is equivalent to the previous 3 months (August, September and October) combined.
Researchers find new vaccine-related phishing email campaigns
Threat actors are using vaccine-related news as bait for their phishing campaigns. Hackers are sending emails delivering malicious .EXE files with the name “Download Covid 19 New approved vaccines.23.07.2020.exe” that, when clicked on, install an InfoStealer capable of gathering information such as login information, usernames and passwords from the user’s computer, enabling threat actors to take over accounts.
Another recent email campaign detected by Check Point Research used the subject “pfizer’s Covid vaccine: 11 things you need to know” (in English and Spanish) and contained a malicious executable file named “Covid-19 vaccine brief summary”, which has been detected as Agent Tesla. Agent Tesla is an advanced RAT functioning as a keylogger and information stealer capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine, including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client.
Oded Vanunu, Head of Products Vulnerabilities Research for Check Point said: “As the vaccine gets rolled out, I think it’s logical to assume that people will seek a variety of different ways to get hold of the vaccine first. One of those ways is via the dark net. We are already seeing a number of vendors advertising the opportunity to buy the coronavirus vaccine on the dark net. It’s too soon to tell if these vendors are legitimate or if they are traps, but it’s unlikely they are legitimate. What is clear to us is that hackers are going all-in on exploiting the coronavirus topic, as seen by the surges in COVID-19 themed email phishing campaigns and overall domain registrations numbers we have just published.”
How to stay protected from COVID-19 themed email phishing campaigns
• Check the full email address on any message and be alert to hyperlinks that may contain misspellings of the actual domain name.
• Verify you are using a URL from an authentic website: One way to do this is not to click on links in emails, and instead click on the link from the Google results page after searching for it.
• Beware of lookalike domains: spelling errors in emails or websites, and unfamiliar email senders.
• Protect mobile and endpoint browsing with advanced cyber security solutions, which prevent browsing to malicious phishing web sites, whether known or unknown.
• Use two-factor authentication to verify any change to account information or wire instructions.
• Never supply login credentials or personal information in response to a text or email.
• Regularly monitor your financial accounts.
• Keep all software and apps up to date.
• Always note the language in the email: Social engineering techniques are designed to take advantage of human nature.
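
The sender and hyperlink checks in the list above can be automated at a mail gateway or in a triage script. The following is an added example, not code from Check Point: the `TRUSTED` allowlist, the function names and the sample inputs are constructed assumptions, and the themed keywords are the ones used in the domain counts reported earlier.

```python
import re
from urllib.parse import urlsplit

# Assumption: constructed allowlist of domains the reader genuinely deals with.
TRUSTED = {"pfizer.com", "who.int", "cdc.gov"}
# Keywords from the domain counts reported above.
LURE = re.compile(r"vaccine|covid|corona")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Host of a URL, or the domain part of an e-mail address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def assess(value):
    """Return 'trusted', 'lookalike', 'themed' or 'unknown' for a link or sender."""
    host = host_of(value)
    # Naive registrable domain (last two labels); production code should use
    # the Public Suffix List instead.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED:
        return "trusted"
    tokens = set(re.split(r"[.-]", host))
    for good in TRUSTED:
        # A trusted name buried in someone else's domain, or one or two typos away.
        if good.split(".")[0] in tokens or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "themed" if LURE.search(host) else "unknown"

if __name__ == "__main__":
    # Constructed samples, not indicators from the report.
    for sample in ("news@pflzer.com",
                   "http://pfizer.com.vaccine-orders.example/login",
                   "https://www.cdc.gov/coronavirus",
                   "https://covid-vaccine-shop.example/buy",
                   "billing@example.org"):
        print(f"{assess(sample):10} {sample}")
```

A "themed" result only means the name matches the keywords seen in the registration surge; it is a reason to look closer, not proof of malice.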
* The data used in this report was detected by Check Point’s Threat Prevention technologies and is stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point.