By: Check Point Research (CPR)
Although the COVID-19 pandemic continues to spread and disrupt our lives, societies and economies, there is now light appearing at the end of the tunnel. Several vaccines are being fast-tracked towards mass production in a race to overcome the coronavirus crisis and, in the longer term, to improve our response to future pandemics.
The past year has seen an unprecedented global effort to develop shots that will bring the pandemic to an end, with the eyes of the world watching. Moreover, we are seeing progress. Pfizer Inc. and BioNTech SE’s vaccine has already been approved for use in the UK, with other countries expected to follow suit in the coming weeks after a study showed it was 95% effective, while vaccines from Moderna Inc. and the Russian Sputnik vaccine have achieved similar results, according to trial analyses. AstraZeneca Plc and its partner, the University of Oxford, have also had favourable results for their vaccine.
Unfortunately, while most of us are watching with hope, there are some watching with greed and malice in their minds, intent on capitalising on people’s concerns about COVID-19 and their desire to be protected against the risk of catching it.
The news that coronavirus vaccines are now available and in the process of being administered at scale via national healthcare systems around the world has driven global interest and expectation. Yet for those who have the means and do not want to wait, there are of course vendors on the dark net claiming to have a range of vaccines for sale. Check Point Research (CPR) found a stream of posts on the dark net from sources claiming to have a range of “Coronavirus vaccines” or “Coronavirus remedies” for sale. In fact, Europol, the European Union Agency for Law Enforcement Cooperation, has already issued an early warning notification on vaccine-related crime during the pandemic.
The range of medicines advertised by these vendors is extensive, from “available corona virus vaccine $250” to “Say bye bye to COVID19=CHLOROQUINE PHOSPHATE” to “Buy fast.CORONA-VIRUS VACCINE IS OUT NOW.”, and we have no way of knowing whether these are genuine.
Screenshots of ads from the Darknet about covid-19 “remedies” and vaccines
All of the vendors found accept payment only in bitcoin, minimising the chance of being traced and casting further doubt on the authenticity of the medicines they are selling. When researchers communicated with one vendor, the vendor offered to sell an unspecified COVID-19 vaccine for 0.01 BTC (around US$250), and claimed that 14 doses were required. This advice contradicts official announcements, which state that some coronavirus vaccines require two shots per person, each administered three weeks apart.
Coronavirus vaccine – just for US$250 for 14 doses! (We cannot guarantee the vendor is a medical expert)
In this example, the seller claims to have stock from a leading pharmaceutical company: a newly approved vaccine available for sale and delivery to the UK, U.S. and Spain that is just one WhatsApp or Telegram chat away!
Supposed coronavirus vaccines for sale in the dark net
In the following advert, we see a vendor offering Chloroquine as a regular coronavirus “treatment” for only US$10, with the claim that “Hydroxychloroquine, a medicine for malaria that has been touted as a treatment for coronavirus.” This follows statements from outgoing U.S. President Donald Trump, who touted the use of hydroxychloroquine to ward off coronavirus, in contradiction to the advice from his own public health officials.
Advert for cheap hydroxychloroquine as a treatment for coronavirus
November’s positive news about vaccine trials and imminent availability has also driven a surge in newly registered web domains that relate to COVID-19 or vaccines. Our data shows that since the beginning of November, 1062 new domains containing the word “vaccine” were registered, of which 400 also contain “covid” or “corona”. 6 of these sites were found to be “suspicious”. These figures are equivalent to the previous 3 months (August, September and October) combined.
Besides trying to sell fake COVID-19 medications and vaccines, threat actors are also using vaccine-related news as bait for their phishing campaigns. We have previously reported that cyber criminals are taking advantage of vaccine developments, resulting in malspam campaigns seen in the wild.
These emails delivered malicious .EXE files with the name “Download_Covid 19 New approved vaccines.23.07.2020.exe” which, when clicked on, install an InfoStealer capable of gathering information such as login information, usernames and passwords from the user’s computer, enabling threat actors to take over accounts.
Another recent email campaign detected by Check Point Research contained the subject “pfizer’s Covid vaccine: 11 things you need to know” (in English and Spanish) and a malicious executable file named “Covid-19 vaccine brief summary”, which has been detected as Agent Tesla.
Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, capable of monitoring and collecting a victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
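A mail-triage check for the two lures described above, added here as an example and not taken from Check Point's detection logic. It flags attachments that are executable by extension or by PE header, which covers a file named without any extension, and that carry a vaccine-themed filename or subject. The function names, the extension list, the first sample's subject and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure words come from the subjects and filenames quoted on this page.
LURE = re.compile(r"covid|corona|vaccin|pfizer", re.IGNORECASE)
# Extension list is an assumption; extend it to match local gateway policy.
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def triage(raw: bytes) -> list:
    """Return (filename, reason) for each vaccine-themed executable attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = []
        if body[:2] == b"MZ":  # DOS/PE header: catches files with no extension
            reasons.append("pe-header")
        if name.lower().endswith(EXEC_EXT):
            reasons.append("exec-extension")
        # Executables merit blocking regardless; the theme match tags this lure family.
        if reasons and (LURE.search(name) or LURE.search(subject)):
            hits.append((name, "+".join(reasons)))
    return hits

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.org", subject
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

STUB = b"MZ\x90\x00 constructed stub, not a real executable"
SAMPLES = {  # all constructed; filenames and second subject are quoted from this page
    "exe": build_sample("New approved vaccines",
                        "Download_Covid 19 New approved vaccines.23.07.2020.exe", STUB),
    "no_ext": build_sample("pfizer's Covid vaccine: 11 things you need to know",
                           "Covid-19 vaccine brief summary", STUB),
    "pdf": build_sample("Vaccine clinic schedule", "vaccine-schedule.pdf",
                        b"%PDF-1.4 constructed"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The second sample shows why the header check matters: the filename has no extension, so an extension-only rule would let it through.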
We expect that this vaccine-related campaign is the first of many more that will target both organisations and individuals over the coming months, as the race to deliver vaccines globally approaches the final stages.
Attacks have been attributed to state-backed hackers as well as criminal groups. Microsoft said in a recent report that it has detected attempts by Russian- and North Korean-backed hackers to steal valuable data from leading pharmaceutical companies and vaccine researchers. The company said that most of the attacks in recent months were unsuccessful, but provided no information on how many succeeded or how serious those breaches were. Chinese state-backed hackers have also been targeting vaccine-makers, the U.S. government said in July while announcing criminal charges.
The COVID-19 pandemic has been a true ‘black swan’ – an ultra-rare yet high impact event that has derailed business as usual. Hackers have also sought to take advantage of the pandemic’s disruption: 58% of security professionals have reported an increase in cyber threats since lockdowns started.
In a recent report, we detailed what we expect to see in the cyber landscape over the next 12 months, and COVID-19 related issues were prominent. As Covid-19 will continue to dominate headlines, news of vaccine developments or new national restrictions will continue to be used in phishing campaigns, just as they have been through 2020. The pharma companies developing vaccines will also continue to be targeted by malicious attacks from criminals or nation-states looking to exploit the situation.
To protect yourself and your organisation against stealthy phishing attacks, here are our tips:
The data used in this report was detected by Check Point’s Threat Prevention technologies, and is stored and analysed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research (CPR), the Intelligence & Research Arm of Check Point.