Although the Covid-19 pandemic continues to spread and disrupt our lives, societies and economies, there is now light appearing at the end of the tunnel. Several vaccines are being fast-tracked towards mass production in a race to overcome the Covid crisis and, in the longer term, to improve our response to future pandemics.
Unfortunately, while most of us are watching with hope, there are some watching with greed and malice in their minds, with the intent of capitalizing on our concerns about Covid-19 and our desire to be protected against the risk of catching it.
Coronavirus ‘medicines’ and vaccines available on the Darknet – at a price
The news that Covid vaccines are now available and being administered at scale has driven global interest and expectation. Of course, many people don’t want to wait to get protection via their country’s official healthcare channels, and there are always vendors on the Darknet who claim to be able to serve these people’s needs. Check Point Research found a stream of posts on the Darknet from sources claiming to have a range of “Coronavirus vaccines” or “Coronavirus remedies” for sale. In fact, Europol, the European Union Agency for Law Enforcement Cooperation, has already issued an early warning notification on vaccine-related crime during the pandemic.
The range of medicines advertised by these vendors is extensive, from “available corona virus vaccine $250” to “Say bye bye to COVID19=CHLOROQUINE PHOSPHATE” to “Buy fast.CORONA-VIRUS VACCINE IS OUT NOW.” Of course, we have only the vendors’ word for whether what they are selling is genuine.
All of the vendors we found insist on payment in bitcoin, as it minimizes the chance of their being traced, which casts further doubt on the authenticity of the medicines they are selling. In communications with one vendor, they offered to sell an unspecified Covid-19 vaccine for 0.01 BTC (around US$300) and claimed that 14 doses were required. This contradicts official announcements, which state that some Covid vaccines require two shots per person, given 3 weeks apart.
Sharp rise in Covid-19 vaccine related domains in November
November’s positive news about vaccine trials and imminent availability has also driven a surge in registrations of new web domains relating to Covid-19 or vaccines. Our data shows that since the beginning of November, 1062 new domains containing the word “vaccine” have been registered, of which 400 also contain “covid” or “corona”. 6 of these sites were found to be “suspicious”. These figures are equivalent to the previous 3 months (August, September and October) combined.
New vaccine-related phishing email campaigns
Besides trying to sell fake Covid-19 medications and vaccines, threat actors are also using vaccine-related news as bait for their phishing campaigns. We’ve previously reported that cyber criminals are taking advantage of vaccine developments, resulting in malspam campaigns seen in the wild.
These emails delivered malicious .EXE files named “Download_Covid 19 New approved vaccines.23.07.2020.exe” which, when run, install an InfoStealer capable of gathering information such as login details, usernames and passwords from the user’s computer, enabling threat actors to take over accounts.
Another recent email campaign detected by Check Point Research used the subject “pfizer’s Covid vaccine: 11 things you need to know” (in English and Spanish) and carried a malicious executable file named “Covid-19 vaccine brief summary”, which has been detected as Agent Tesla.
Agent Tesla is an advanced RAT that functions as a keylogger and information stealer, capable of monitoring and collecting a victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
We expect that this vaccine-related campaign is the first of many more that will target both organizations and individuals over the coming months, as the race to deliver vaccines globally approaches the final stages.
Attacks have been attributed to state-backed hackers as well as criminal groups. Microsoft said in a recent report that it has detected attempts by Russian- and North Korean-backed hackers to steal valuable data from leading pharmaceutical companies and vaccine researchers. The company said that most of the attacks in recent months were unsuccessful, but provided no information on how many succeeded or how serious those breaches were. Chinese state-backed hackers have also been targeting vaccine-makers, the U.S. government said in July while announcing criminal charges.
Pandemic-related developments will feature in 2021’s cyber threats
The Covid pandemic has been a true ‘black swan’ – an ultra-rare yet high impact event that has derailed business as usual. Hackers have also sought to take advantage of the pandemic’s disruption: 58% of security professionals have reported an increase in cyber threats since lockdowns started.
In a recent report, we detailed what we expect to see in the cyber landscape over the next 12 months, and Covid-19 related issues were prominent. As Covid-19 will continue to dominate headlines, news of vaccine developments or new national restrictions will continue to be used in phishing campaigns, just as they have been through 2020. The pharma companies developing vaccines will also continue to be targeted by malicious attacks from criminals or nation-states looking to exploit the situation.
To protect your organization against stealthy phishing attacks, here are our tips:
- Check the full email address on any message you receive and be alert to hyperlinks that may contain misspellings of the actual domain name.
- Verify you are using a URL from an authentic website: One way to do this is not to click on links in emails, and instead click on the link from the Google results page after searching for it.
- Beware of lookalike domains: spelling errors in emails or websites, and unfamiliar email senders.
- Protect mobile and endpoint browsing with advanced cyber security solutions, which prevent browsing to malicious phishing web sites, whether known or unknown.
- Use two-factor authentication to verify any change to account information or wire instructions.
- Never supply login credentials or personal information in response to a text or email.
- Regularly monitor financial accounts.
- Keep all software and apps up to date.
- Always note the language in the email: Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they are in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
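The first three tips above (check the full sender address, watch for lookalike domains, be wary of executable attachments dressed up as documents) can be turned into a simple mail-triage check. The following Python is an added example written for this page, not Check Point’s tooling; the trusted-domain list and the two sample messages are constructed assumptions, and the lookalike check goes beyond the tips by folding common digit-for-letter substitutions before comparing domain labels to known brands.

```python
import re
from email.utils import parseaddr

# Assumed list of sender domains the organization trusts (constructed for this example).
TRUSTED_DOMAINS = ["pfizer.com", "who.int"]
EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|js|vbs|msi)$", re.I)
LURE = re.compile(r"vaccine|covid|corona", re.I)

def normalize(domain: str) -> str:
    """Fold look-alike characters (0->o, 1->l, 3->e, 5->s, rn->m) before comparing."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("0135", "oles"))

def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; small enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Use the real address, not the display name, which is what the tip means by 'full email address'."""
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()

def classify_domain(domain: str) -> str:
    """Return 'trusted' (exact or subdomain), 'lookalike' (brand label within 1 edit), or 'unknown'."""
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    labels = re.split(r"[.-]", normalize(domain))
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        tolerance = 1 if len(brand) >= 5 else 0  # short brands need an exact label hit
        if any(levenshtein(lab, brand) <= tolerance for lab in labels):
            return "lookalike"
    return "unknown"

def triage(msg: dict) -> list:
    """Collect findings for one message: lookalike sender, vaccine-themed subject, executable attachment."""
    findings = []
    domain = sender_domain(msg["from"])
    if classify_domain(domain) == "lookalike":
        findings.append(f"lookalike sender domain: {domain}")
    if LURE.search(msg.get("subject", "")):
        findings.append("vaccine-themed lure in subject")
    findings += [f"executable attachment: {n}" for n in msg.get("attachments", []) if EXEC_EXT.search(n.strip())]
    return findings

# Constructed sample messages: one modelled on the campaign described above, one benign.
SAMPLE_MESSAGES = [
    {"from": "Pfizer News <update@pf1zer-vaccine.com>", "subject": "pfizer's Covid vaccine: 11 things you need to know",
     "attachments": ["Covid-19 vaccine brief summary.exe"]},
    {"from": "Clinic <appointments@news.pfizer.com>", "subject": "Your second dose appointment", "attachments": ["appointment.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", triage(m) or ["no findings"])
```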
The data used in this report were detected by Check Point’s Threat Prevention technologies and stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the Intelligence & Research Arm of Check Point.