Beware of scams in connection with COVID-19

April 3, 2020

UPDATED APRIL 8TH

Scammers have devised numerous ways of defrauding people in connection with COVID-19. Scams linked to COVID-19 include treatment, testing, medical supply, insurance, charity, work-from-home, investment, student loan, and disinformation scams.

The SonicWall Capture Labs Threat Research team has come across the scams below this week in connection with COVID-19.

IRS economic impact payment scam:

The Internal Revenue Service (IRS) will begin to distribute COVID-19 Economic Impact Payments in a matter of weeks. For most Americans, this will be a direct deposit into their bank account. The unbanked, the elderly and other groups that have traditionally received tax refunds by paper check will receive their economic impact payments the same way.

The malicious campaign below involves government relief payments. It claims to come from the IRS and asks the user to verify the account number in the attachment. The attachment, “Attached doc.iso”, is actually a malicious ISO file that drops a remote access trojan onto the user’s machine.

IOC:

149d4bcdfd591de6eebbe9726ffbdaf6c02cc08b97dc7cd3bed4cf8a64d54cff
60a2f5ca4a5447436756e3496408b8256c37712d4af6186b1f7be1cbc5fb4f47

Bank payment relief notice scam:

The phishing campaign below targets customers of Absa, an Africa-based financial services group. It claims to be a notice of a payment relief plan for COVID-19, but the attached document is an HTML file which, when launched, takes the user to a phishing page imitating Absa’s internet banking site.

Medical supply scam:

The campaign below targets medical supply businesses. It asks the supplier to provide the products specified in the attachment, but the attached document is not a PDF file. It is a malicious executable from the Agensla malware family, which steals credentials from the victim’s browser, FTP and email clients.
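The three attachment tricks described above (an ISO image, an HTML file, and an executable presented as a PDF) can be caught by checking what a file is rather than what it is called. The following Python example is added here and is not SonicWall's detection logic; the rules, reason strings and sample bytes are constructed assumptions, and only the file name “Attached doc.iso” comes from the campaign above.

```python
import re

def sniff(data: bytes) -> str:
    """Infer the file type from content signatures, ignoring the file name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew field
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe-executable"
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 volume descriptor id
        return "iso-image"
    if b"%PDF-" in data[:1024]:
        return "pdf"
    if re.search(rb"<\s*(!doctype\s+html|html|form)\b", data[:4096], re.I):
        return "html"
    return "unknown"

# Assumed heuristic: markup that collects a password or redirects the browser.
HTML_LURE = re.compile(
    rb"type\s*=\s*[\"']?password|http-equiv\s*=\s*[\"']?refresh|location\.(href|replace)",
    re.I)

def triage(filename: str, data: bytes) -> list:
    """Return the reasons to quarantine an attachment (empty list: none)."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if kind == "pe-executable":
        reasons.append("Windows executable sent as an attachment")
    if kind == "iso-image":
        reasons.append("disk image attachment; inspect its contents in a sandbox")
    if kind == "html" and HTML_LURE.search(data):
        reasons.append("HTML attachment that collects a password or redirects")
    if ext in ("pdf", "doc", "docx") and kind not in (ext, "unknown"):
        reasons.append(f"named .{ext} but content is {kind}")
    return reasons

# Constructed sample inputs: minimal headers only, no real campaign content.
SAMPLE_PE = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
SAMPLE_ISO = bytes(0x8000) + b"\x01CD001\x01\x00"
SAMPLE_HTML = (b'<html><meta http-equiv="refresh" '
               b'content="0;url=https://bank.example.invalid/"></html>')
SAMPLE_PDF = b"%PDF-1.4\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("Attached doc.iso", SAMPLE_ISO), ("order.pdf", SAMPLE_PE),
                       ("notice.html", SAMPLE_HTML), ("report.pdf", SAMPLE_PDF)]:
        print(name, "->", triage(name, blob) or "no findings")
```

A mail gateway or triage script would call triage() on each decoded attachment and quarantine any message for which it returns a non-empty list.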

Phishing Scam:

The phishing campaign below claims to come from the CDC, stating that it is closely monitoring the intellectual property landscape while responding to the COVID-19 outbreak across the Asia-Pacific region. The link to COVID-19 updates in the email leads to a phishing page pretending to be Spruson & Ferguson’s COVID-19 website. This phishing scam is not affiliated with Spruson & Ferguson, and they are in no way responsible for cybercriminals purporting to be them.

Find the legitimate page of Spruson & Ferguson for COVID-19 updates here

Phishing emails look like legitimate company emails and are designed to steal your information. They usually contain a link to a website that will ask for your login credentials, personal information or financial details. These websites are cleverly designed to take your information and pass it back to the cybercrooks behind the scam.

  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Check the websites and email addresses offering information, products, or services related to COVID-19.
  • Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating.
  • For the most up-to-date information on COVID-19, visit the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) websites.

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: Casur.A_9 ( Trojan )
GAV: Adload.A_220 ( Trojan )
GAV: MalAgent.H_16053 ( Trojan )