I know I just touched on COVID-19 scams last week, but given some of the articles I’ve read since then, I felt compelled to discuss this particular topic in more depth.
Never let a good crisis go to waste. While normally applied to politics (and that still applies here), it’s also the motto of opportunistic cyber criminals. With the world transfixed by and anxious about COVID-19, bad guys are seizing on our fears to make a quick buck.
Tricking people into giving up passwords, credit card numbers and other exploitable information is not new. But the bad guys have learned how to capitalize on fear and anxiety to make these phishing campaigns more effective. Phishing scams have taken the form of fake university emails relating to class closings, or very realistic World Health Organization (WHO) and US Centers for Disease Control and Prevention (CDC) emails claiming to offer virus protection advice.
The telltale sign of a phishing email is that it tries to get you to log in to some other site or to enter personal information. In the above cases, the emails invite you to log in to a fake Microsoft or Google site to access documents, at which point the attackers capture those credentials. Others might ask you to enter personal information like social security or credit card numbers.
The other popular attack is to directly extort you for money – usually in the form of Bitcoin, which is difficult for law enforcement to track. In one case, an Android app that purports to give you real-time virus tracking information will end up locking your phone until you pay a $100 ransom. (Note that DomainTools has cracked this malware and plans to provide decryption keys to those who were infected.) As always, if you’re ever infected by ransomware, be sure to check the No More Ransom site for possible fixes.
But this next one is truly abhorrent. The email starts by addressing you by name (or at least by email ID) and contains a password that you may have used in the past to “prove” that they have completely compromised your security. It goes on to threaten to reveal your “dirty little secrets” and even to infect you and your family with COVID-19. You have to read it to understand just how evil this is. (They used Greek letters that look like English characters, presumably to throw off spam blockers.)
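The Greek-letter trick mentioned above is a homoglyph substitution: letters from another script that render like Latin ones, so a keyword filter looking for “COVID” or “password” never matches. The following is an added example, not code from the original post, showing two cheap defensive checks a mail filter can run: flag any word whose letters come from more than one script, and fold a small, hand-picked set of Greek and Cyrillic look-alikes back to Latin before keyword matching. The sample message and the CONFUSABLES table are constructed for this example and are not a complete confusables list.

```python
import re
import unicodedata

# Hand-picked subset of Greek and Cyrillic letters that render like Latin ones
# (constructed for this example; the full Unicode confusables table is much larger).
CONFUSABLES = {
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0396": "Z", "\u0397": "H",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X",
    "\u03b1": "a", "\u03b5": "e", "\u03bd": "v", "\u03bf": "o", "\u03c1": "p", "\u03c4": "t",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",
}


def script_of(ch):
    """Coarse script label for a letter (LATIN, GREEK, CYRILLIC, OTHER); None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "GREEK", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """Return the words whose letters are drawn from more than one script.

    A legitimate message is almost always single-script per word, so a word such as
    'Y<omicron>ur' (Latin Y, Greek omicron, Latin u r) is a strong spam/phishing signal.
    """
    flagged = []
    for word in re.findall(r"\S+", text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def fold_confusables(text):
    """Replace known look-alike letters with their Latin counterparts so keyword rules match."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


# Constructed sample: the 'o' in "Your" and the 'O' in "COVID" are Greek omicrons.
SAMPLE_MESSAGE = "Y\u03bfur C\u039fVID test results are ready"

if __name__ == "__main__":
    print(mixed_script_words(SAMPLE_MESSAGE))   # two words flagged
    print(fold_confusables(SAMPLE_MESSAGE))     # plain Latin text for the keyword filter
```

Run the script-mixing check first and the fold second: the first catches the substitution itself, the second makes sure an existing “COVID” keyword rule still fires on the folded text.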
Don’t Be Scared (and Don’t Pay)
In the past, this technique has been used by claiming to have compromising pictures from your computer or mobile phone, or intimate knowledge of your online porn habits. In all cases, the crooks take a previously leaked password from an old data breach and show it to you as proof that they know everything. But this information is widely available on the dark web. (You can find out if your passwords are among them by using the wonderful haveibeenpwned web tool.) It’s the equivalent of a parlor trick.
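The haveibeenpwned password check is worth understanding because it lets you test a password without ever sending it anywhere. The Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 hash (`https://api.pwnedpasswords.com/range/<prefix>`) and returns every hash suffix in that range with a breach count, so the match is done on your own machine. The code below is an added example, not the post’s or the service’s own code; it performs no network call and instead matches against a constructed sample response, so it runs offline.

```python
import hashlib


def hash_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the API
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Number of times the password appeared in known breaches (0 if absent).

    `range_body` is the response for this password's own 5-char prefix; in real
    use you would fetch it with a GET to the range URL named in the lead-in.
    """
    _, suffix = hash_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample response: built here from a throwaway password so the example
# is self-contained. A real response holds hundreds of suffixes for the same prefix;
# the two neighbouring suffixes below are made up.
_SAMPLE_PREFIX, _SAMPLE_SUFFIX = hash_prefix_suffix("password123")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_SAMPLE_SUFFIX}:12345",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])

if __name__ == "__main__":
    print(breach_count("password123", SAMPLE_RESPONSE))                # 12345
    print(breach_count("correct horse battery staple", SAMPLE_RESPONSE))  # 0
```

The design point is k-anonymity: the server only ever learns the 5-character prefix, which is shared by a large bucket of unrelated hashes, so neither the password nor its full hash is disclosed.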
What do you do? Sophos has great advice, which I’ll copy here:
Don’t send any money. It’s all a pack of lies.
Don’t be scared. In scams like these, the crooks don’t have any data on you, let alone details about all your family members and where they live.
Don’t think of replying. It’s tempting to contact the crooks, just in case, but they have nothing to sell; you have nothing to buy; and by contacting them you are just giving them another chance to scare you into making a mistake.
Let people know about this scam. Make sure others don’t fall for this horrible scam either. Let’s face it, we already have enough to worry about at the moment.
That last one is very important. Forewarned is forearmed. Share this information with your friends and family so that they can recognize these scams. Fear is a very powerful motivator – reasonable people will do unreasonable things when fearing for their lives.
And again, please don’t forward information without verifying it first. Snopes.com is a great place to debunk hoaxes and misinformation. But for COVID-19 information, stick to reliable sources like the CDC and WHO.