A surge in phishing campaigns exploiting the advent of vaccines for Covid-19 is being observed across the security community, with researchers at Check Point and KnowBe4 both issuing new warnings and details of some of the observed campaigns.
Check Point’s threat intelligence teams found multiple examples of emails incorporating vaccine lures into their subject lines spreading malicious .exe files that installed malware, and others spreading the Agent Tesla keylogger remote access trojan (Rat), in both instances seeking to exfiltrate their victim’s data and credentials, and take over accounts.
KnowBe4, which recently added eight new simulated phishing templates to its security awareness training platform, found examples exploiting recent reports in the Washington Post that the Pfizer/BioNTech vaccine may not reach the US in large volumes until the spring of 2021. Links in the emails directed users instead to a credential phishing website.
Eric Howes, principal lab researcher at KnowBe4, said: “The social engineering scheme exploits some of the basic questions and concerns users and employees will have about the several vaccines currently on the cusp of widespread distribution: How soon will a vaccine be available? Will it be safe? How can I get it? When can I get it? How much will it cost? Should I get it? Put very simply, this is pretty much what we expected.”
Oded Vanunu, head of products vulnerabilities research at Check Point, shared a number of tips for users to protect themselves from vaccine-themed phishing campaigns.
These include to check email addresses on incoming messages and be alert to hyperlinks that contain misspelled domain names; be aware of highly emotive language designed to manipulate you; verify URLs are authentic by not clicking on them, but instead searching for them on Google and visiting from there; be alert to lookalike domains containing spelling errors; use two-factor authentication to verify changes to account information or wire instructions; do not supply login credentials or personal information in response to an email; monitor key financial accounts regularly; keep software and apps updated; and if possible install mobile and endpoint browsing protection services.
Howes at KnowBe4 said: “Malicious actors had a field day back in March and April, as the coronavirus washed over countries around the world. It was and still is the perfect tool for social engineering scared, confused, and even downright paranoid users into opening the door to your organisation’s network. Nine months later, as an entirely predictable round of vaccine-themed phishing emails begins to land in your employees’ inboxes, it is high time to get your users up to speed.”
Vaccine “vendors”
Check Point’s team also found evidence of a number of vaccine “vendors” plying their wares on dark web marketplaces, in one example advertising the opportunity to buy the approved Pfizer/BioNTech vaccine for $250 in Bitcoin, shipping from Spain, the UK or the US.
Its researchers entered into a dialogue with some of these suppliers, one of whom offered an unspecified Covid-19 vaccine for 0.01 Bitcoin (about $300 or €243/£223), and claimed 14 doses were required for remediation. A second supplier offered chloroquine – trialled earlier in the pandemic as a potential treatment for Covid-19 – for $10.
The Check Point research also documented a sharp rise in potentially malicious domains related to vaccines in November, with over 1,062 registered last month, exceeding the number of vaccine-related domain name registrations in the previous three months put together. Out of these, 400 also contained the term “Covid” or “corona”.
“As the vaccine gets rolled out, I think it’s logical to assume that people will seek a variety of different ways to get hold of the vaccine first,” said Check Point’s Vanunu. “One of those ways is via the dark net. We are already seeing a number of vendors advertising the opportunity to buy the coronavirus vaccine on the dark net.”
“It’s too soon to tell if these vendors are legitimate or if they are traps, but it’s unlikely they are legitimate. What is clear to us is that hackers are going all-in on exploiting the coronavirus topic, as seen by the surges in Covid-themed email phishing campaigns and the overall domain registration numbers we have just published.”
Covid-19 vaccine scams are not limited to the online sphere: other criminal groups have taken to telephone phishing, with warnings issued that elderly people in the UK are being targeted by automated voice messages (vishing) offering people access to the vaccine.
Ray Walsh, digital privacy expert at ProPrivacy, said: “Reports of scam phone calls targeting elderly citizens waiting for a Covid-19 vaccine are extremely concerning. Out of all the scams we see targeting the elderly and vulnerable, this is by far one of the cruellest.
“Those at risk and urgently waiting for a coronavirus vaccine are urged to remember they will not receive calls from the NHS asking them to press a number on their keypad to make an appointment,” said Walsh.
“Unfortunately, anyone who receives a call that asks them to press a key to be forwarded to make an appointment for a vaccine will likely instead receive a large charge on their phone bill.”
Consumers can report such scams to Action Fraud on 0300 123 2040 or at actionfraud.police.uk.