COVID-19 Vaccine Spear-Phishing Attacks Jump 26 Percent

As Moderna, Pfizer and Johnson & Johnson roll out COVID-19 vaccines cybercriminals are preying on the those hungry to get in line for immunization.

Between October and January the average number of COVID-19 vaccine-related spear-phishing attacks grew 26 percent, said Barracuda Networks researchers. At the same time, researchers with Check Point say they have found at least 294 potentially dangerous vaccine-related domains over the last four months.

The types of cybercriminal activity varies, from sending malicious emails that purport to be from the Centers for Disease Control and Prevention (CDC), to posting advertisements on underground forums touting vaccine doses for sale. But with the vaccines being rolled out on a widespread basis, these new reports show attackers ramping up their activity on all fronts.

The intense emotions spurred by the pandemic – including mass hysteria and anxiety – create a perfect environment for cybercriminals to thrive, said researchers with Barracuda Networks on Thursday: “Capitalizing on fear and uncertainty, the attacks using urgency, social engineering, and other common tactics to lure victims,” they said.

Email-Based Attacks: CDC Scam Hunting Microsoft Credentials

Researchers pointed to brand impersonation tactics – including many attackers pretending to be the CDC in an attempt to convince email recipients to either click on a malicious attachment or hand over their credentials.

Credit: Barracuda Networks

“Vaccine-related phishing emails impersonated a well-known brand or organization and included a link to a phishing website advertising early access to vaccines, offering vaccinations in exchange for a payment, or even impersonating health care professionals requesting personal information to check eligibility for a vaccine,” said Barracuda Networks researchers.

Barracuda Networks researchers, for instance, found malicious emails being distributed as part of an ongoing campaign with the subject “Phase 2 Vaccinations Approved,” using the CDC’s logo. The email tells recipients: “We are happy to announce that phase 2 vaccinations have been approved. Your local health and human services department has determined how and when phase 2 vaccinations are distributed. Click here to learn more about plans for your state/territory.”

The ensuing link then takes victims to an attacker-controlled domain, where they are either asked to enter their credentials, or where malware is downloaded onto their systems, researchers told Threatpost.

Example of a vaccine phishing email. Credit: Barracuda Networks

Separately, Check Point researchers discovered a malicious website impersonating the CDC that asks for victims’ Microsoft credentials. The website pretends to be a Microsoft Office 365 login page, using Microsoft’s logo and asking for the victim’s email, phone or Skype name connected with their account and their password.

The main domain (infection-alerts[.]com) was created in April 2020 – but Check Point researchers said they believe the website’s sub-domains were only created recently.

“Browsing to this malicious website was first spotted in late January 2021, and a few weeks before, there was another similar subdomain used by hackers – covid19\.vaccine\.infection-alerts\.com, which is now inactive,” they said.

Credit: Check Point Research

Another email-based attack spotted by Barracuda researchers has a different objective: Business email compromise, with the aim of convincing victims to send over funds to attacker-controlled accounts.

Researchers said they saw attacks from employee accounts who say they need an “urgent favor” while they step out to get a vaccine, or emails from the accounts of human resources specialists who advise that the organizations has secured vaccinations for the company. These lures, typically from compromised email accounts within a victim’s organization, start an initial dialogue between the email recipient and the attacker – which eventually leads to the victim being convinced to transfer money over.

COVID-19 Vaccines For Sale on Underground Forums

Cybercriminals are also trying to make a quick buck by selling COVID-19 vaccines, purporting to be from Pfizer/BioNTech, AstraZeneca, and Moderna (as well as unverified vaccines), on underground forums.

Kaspersky researchers who found advertisements for the vaccines across 15 underground marketplaces on Thursday warned that there’s no indication that these vaccine doses are legitimate. Regardless, the sales appear to be working, with many sellers conducting between 100 to 500 transactions.

Advertisement for a Moderna vaccine dose at $500. Credit: Kaspersky

“Of course, when you go digging for products being sold illegally, you always run the risk of wasting your money on a product that will never materialize, and vaccine doses on the dark web are no exception to the rule,” according to Kaspersky researchers. “However, just how many vaccine sellers are distributing real medicine is unclear.”

The prices per dose range from $250 to $1,200 – and average around $500, said researchers. Typically payments are requested in Bitcoin, allowing the sellers to protect their identity and making payments more difficult to track.

“Further analysis showed that pricing had increased significantly following publication of Moderna’s and Pfizer’s effectiveness, as did the number of advertisements,” said Kaspersky researchers. “Sellers primarily come from France, Germany, the UK, and the USA, and communications use encrypted messaging apps such as Wickr and Telegram.”

In December, European Union law-enforcement agency Europol issued an alert about such Dark Web activity, warning consumers against looking for vaccine alternatives online.

Protecting Against COVID-19 Vaccines

While activity has ramped up since mass-rollout of the vaccines, cybercriminals have been leveraging the vaccinations as a lure – for sophisticated Zebrocy malware campaigns, for instance – since last year.

Phishing attacks and other malicious activity relating to the pandemic in general has been ongoing since COVID-19 took hold across many countries last year – including attacks that take advantages of lifting coronavirus lockdowns as well as financial relief scams.

Researchers offered up various best practice tips to avoid becoming victim to such scams, including:

• Staying suspicious of vaccine-related emails: Watch for classic phishing red flags in these emails, such as misspellings in the email body, or sketchy domains.
• Keeping away from ‘buy vaccines online’ offers: Avoid purchasing vaccines from online marketplaces.
• Deploying account-takeover protection: Ensure business email compromise type attacks don’t occur by adding protections to recognize when internal emails have been compromised.
• Educating employees: Keep company employees up to date on the latest types of scams, and how train them to protect against these types of attacks.