Not-so-novel coronavirus scams targeting victims worldwide

It was never going to take long for malicious actors to start spreading fake information concerning the novel coronavirus. The World Health Organisation (WHO) recently declared the outbreak a public health emergency of international concern, mainstream media outlets in countries around the world carry stories finely tuned to convey the severity of the situation, and social media is alight with warnings of this virulent disease spreading across the globe. All this despite what many claim is a significantly lower infection rate than that of the SARS virus (with which the new coronavirus shares roughly 80% of its genetic code), a comparable global health crisis which originated in China in 2003. But is this the case?

Figures have been debated since the beginning of the outbreak, with conspiracy theory difficult to distinguish from reality. Many people on social media and beyond believe that the Chinese regime has intentionally suppressed the real numbers of both infections and deaths from coronavirus. While the Chinese state may wish to give the impression that it has the outbreak under control, minimising both the economic impact and the potential for public unrest, it remains the case that the whole world is aware of the outbreak, travel bans were swiftly put in place for several countries – with flights unable to leave Wuhan and many other Chinese cities – and quarantine procedures were rigorously enforced at airports and ports receiving travellers from China.

Nonetheless, the idea that the Chinese state has something to hide persists and appeared to have been proven right recently when reports circulated about ‘real’ infection and mortality figures being published accidentally on Tencent, China’s biggest online news site. The world’s media were quick to pick up on the alleged leak: the UK’s Daily Mail, Times of India, and Taiwan News, among others, all ran a figure that suggested “coronavirus is more fatal than SARS.”

The origin of the story was Tencent’s ‘Epidemic Situation Tracker’ briefly listing total coronavirus infections at 154,023 and the number of deaths as 24,589 – 80 times higher than the official figures. In under 24 hours, however, the numbers presented by Tencent had been dramatically reduced – to 14,446 infections and 304 deaths – more closely mirroring the official totals reported by the Chinese Communist Party.

As is often the case in online discourse, there are two vehemently opposed and equally strongly argued sides, despite the evidence being remarkably thin. Many claimed the Tencent ‘leak’ – believed to have come from journalists looking to defy Beijing’s position – showed that the Chinese government is engaged in a cover-up in an attempt to save face internationally; others argued that the images could have been doctored, shared, and gone viral. Crucially, however, the authenticity of the screengrabs of the elevated figures on Tencent’s site has not been independently verified.

While social media users should be familiar by now with panic-inducing, fearmongering posts, threat actors looking to take advantage of situations such as these generally leverage more subtle techniques. One instance of this was the distribution of emails purporting to deliver notices regarding coronavirus infection-prevention measures in Japan. These were being circulated by the controllers of the Emotet botnet, malware described by some in the cybersecurity community as the “most dangerous malware in the world” because of its adaptability and global reach.

The malicious actors behind this campaign specifically targeted those areas of the globe – predominantly East Asia – that have been most heavily impacted by the coronavirus. As well as being written in convincing Japanese, the emails showed an extra display of cunning: their subject lines contained the current date and the Japanese word for “notification,” making it even more likely that an already scared recipient would open the attachment and infect their device with malware.
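The lure traits described above (a subject line carrying the current date and the word for “notification,” a coronavirus theme, and an attachment) can be turned into a simple mail-gateway triage heuristic. The following is an added example written for this page, not code from the article or from any vendor it cites. It assumes the Japanese word in question is 通知, assumes the attachment is a macro-capable Office document, and scores constructed sample messages rather than real campaign mail.

```python
"""Heuristic triage for coronavirus-themed lure emails (added example).

Scores RFC 822 messages on the traits described in the article: a subject
carrying today's date plus the Japanese word for "notification" (assumed to
be 通知), a coronavirus topic keyword, and a macro-capable Office attachment.
All sample messages are constructed; none come from a real campaign.
"""
import datetime as dt
import email
from email import policy
from email.message import EmailMessage

NOTIFICATION_JA = "通知"                      # assumption: the word the article refers to
TOPIC_TERMS = ("コロナ", "corona", "coronavirus")
RISKY_ATTACHMENT_EXT = (".doc", ".docm", ".xls", ".xlsm")  # assumption: macro-capable Office files


def date_patterns(today):
    """Render a date in the formats a lure subject is likely to use."""
    return (
        today.strftime("%Y年%m月%d日"),   # Japanese long form
        today.strftime("%m月%d日"),
        today.strftime("%Y/%m/%d"),
        today.strftime("%Y-%m-%d"),
    )


def score_message(raw_bytes, today=None):
    """Return (score, reasons) for one raw message; higher is more suspicious."""
    today = today or dt.date.today()
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["subject"] or "")
    reasons = []

    if any(p in subject for p in date_patterns(today)):
        reasons.append("subject carries today's date")
    if NOTIFICATION_JA in subject:
        reasons.append("subject contains " + NOTIFICATION_JA)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = (subject + " " + (body.get_content() if body else "")).lower()
    if any(t.lower() in text for t in TOPIC_TERMS):
        reasons.append("coronavirus topic keyword")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXT):
            reasons.append("macro-capable attachment " + name)

    return len(reasons), reasons


def is_suspicious(raw_bytes, today=None, threshold=3):
    """Quarantine decision: three or more lure traits in one message."""
    score, _ = score_message(raw_bytes, today)
    return score >= threshold


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message (test data only, not real campaign mail)."""
    m = EmailMessage()
    m["From"] = "info@example.test"
    m["To"] = "staff@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"stub-not-a-real-document", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_bytes()


FIXED_TODAY = dt.date(2020, 1, 29)   # fixed so the scoring is reproducible

SAMPLES = {
    "lure": build_sample("2020年01月29日 コロナウイルス 通知",
                         "添付の感染対策をご確認ください。", "corona_notice.doc"),
    "benign": build_sample("Weekly team meeting", "Agenda to follow."),
    "advisory": build_sample("Coronavirus travel advice",
                             "Please read the advice on the intranet."),
}


def triage(samples=SAMPLES, today=FIXED_TODAY):
    """Score every sample and report which would be quarantined."""
    return {name: (score_message(raw, today)[0], is_suspicious(raw, today))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (score, flagged) in triage().items():
        print(f"{name:<9} score={score} quarantine={flagged}")
```

A legitimate advisory that merely mentions the virus scores low; only the combination of date, notification wording, topic and a macro-capable attachment crosses the threshold, which is the point of scoring traits rather than blocking on the keyword alone.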

Elsewhere, multiple phishing campaigns have been observed using the coronavirus outbreak as a lure to target victims in the US and UK. In these email distributions, messages impersonating the US Centers for Disease Control and Prevention (CDC) and virologists warn users about ‘infections’ in the area and claim to provide safety information. If victims are tricked into visiting the sites linked in these phishing emails, they are asked to enter information about themselves ranging from name and address to date of birth, credit card number, and passwords.

Over the Chinese New Year, researchers detected a clever campaign leveraging the fact that one Chinese business had asked its employees to work from home while the virus was still spreading. The company has not been named, and it is highly unlikely that it is the only one to have enforced this policy. The attackers distributed a malicious spreadsheet to over 200 departments in the company. Because all employees were operating on their personal computers – unprotected by corporate detection systems or, in some cases, by any antivirus solution whatsoever – the likelihood of infection increased sharply. In this case, victims were infected with XRed, information-stealing malware designed to capture and export login credentials and other sensitive data from an infected device.

Most recently, both Mimecast and Kaspersky have warned of coronavirus-themed malicious campaigns spreading malware to unsuspecting victims. Mimecast reported malspam being distributed with documents entitled “Singapore Specialist: Corona Virus Safety measures”: clicking the link in the email leads to a covert malware download, with the victim unaware that a malicious program has been installed on their device. On the same day, Kaspersky also warned that it had detected malicious PDF, mp4, and .docx files claiming to contain information on the coronavirus. As with the malspam distribution reported by Mimecast, these files are thought to serve as the delivery stage for a malware payload.

Threat actors and cybercriminals will always use these times of heightened public concern to target attacks and prey on people looking for help. As demonstrated above, much of the preparatory work is often done by conspiracy theorists online, spreading misinformation about the issue and making it harder to discern fact from fiction. Many malicious campaigns targeting victims’ data or looking to take control of a device are run by skilled threat actors and are likely to trick numerous unsuspecting people into downloading malware or revealing their data. More campaigns like the ones described above are bound to emerge in the coming days and weeks.
