Scams Related to the Coronavirus Pandemic

[UPDATED April 11] The Daily Scam first began to see malicious clickbait disguised as email news stories on March 6.  The CDC reported the first confirmed case of Coronavirus in Washington state on January 14 by illness onset. Official news organizations, such as ABC News, give January 21 as the first confirmed/reported case of the virus.  Regardless of which date you choose, we estimate that cybercriminals began a concerted effort to use the COVID-19 pandemic as a topic for malicious/fraudulent purposes about 5 weeks later.  We confirmed our first malicious clickbait, disguised as a news story about Coronavirus, on March 6, 2020. Since March 6, we’ve documented more than a dozen emails and fake websites claiming to offer information about the Coronavirus.  We believe that most are likely clickbait leading to computer infections from malware.  We say this based on patterns and similarities to other malicious websites cybercriminals have produced.  It is also possible that a smaller number of these fraudulent sites are meant to collect people’s credit card information for products that don’t exist or are useless to protect against this virus.

During the month of March, about 35,000 domain names were registered that related to the pandemic, COVID-19 or Coronavirus.  Security services believe that the great majority of these domains will be used for fraudulent activity or malicious clickbait.  See the lists March-week-domain-registrations (just one week of related domain names registered around the world in March) and Suspicious-Covid-Domain-Names-4 hours on April 2 (names registered during a 4-hour window of time on April 2).

We have flagged the following websites as HIGHLY SUSPICIOUS and LIKELY FRAUDULENT.  They are registered with the clear intention to suggest they provide information, services or products related to the COVID-19 pandemic:

SurviveCoronaVirus[.]org (Registered anonymously in Canada on January 27, 2020; Google cannot find this website as of March 29)

FamilyViralProtection[.]com (Registered anonymously on March 11, 2020; blacklisted by McAfee Security Service) — See March 20 scam email below

Immunity911[.]com (Registered anonymously on March 17, 2020; blacklisted by McAfee Security Service) — See April 1-4 scam email below

Below are the many suspicious and malicious emails that have appeared in our honeypot email accounts and purport to be about Coronavirus-related information, services or products, along with the reasons we feel they are fraudulent.

APRIL 5 – 10:
Breathe Easy with a Portable Oxygen Concentrator – 30 Days Risk Free Trial

This email contains content about a real product but has nothing to do with any real service selling it.  The email came from the domain mnenvc[.]rest and all links point back to this odd domain.  It is important to note that the design of this email contains two important “poker tells” that are identical to those in thousands of malicious clickbait emails created by one of the most active cybercriminal gangs in the world:

1. At the top of the email is the sentence “This offer is only for United States, if you can’t see the images please Click Here.” (This sentence, or a slight variation of it, can be found at the start of most of their malicious clickbait.)

2. Look at the link revealed at the bottom of this email when we moused over one of the links.  You’ll find two random words hyphenated together to create a directory name.  In this case, the 2 hyphenated words appear at the end of the link: yourself-articulating.  We believe this gang uses automated software to create their directory structure from randomly combined words.

The domain mnenvc[.]rest was registered just 3 days before this email was sent and it is being hosted on a server in Hamburg, Germany.  Also, a visit to this website will trigger a redirect to another odd domain, atlaswonder[.]com.  We believe that both of these domains are very likely going to drop malware onto your device.

                                         

Drowning in your own bodily fluids

What an awful thought, right?  This malicious clickbait goes right for the jugular when it begins by saying “Hey, Everyone says people die from this virus.”  And it doesn’t get any better.  Fortunately, our security services actually stripped away all links from this clickbait so we don’t even know where it intended to take you.  However, we do know that we found a large paragraph of white text against a white background underneath the visible content of this malicious clickbait.  The text was taken, once again, from a Wikipedia story about the Roman Empire!  It is made invisible and inserted in a tiny size, hoping to keep anti-spam servers from seeing this email as malicious so that it passes into email inboxes. The domain that this clickbait, no doubt, tried to trick people into visiting was proveris[.]us.  This “United States” domain name was registered on February 16 by someone identified as “Sumant Reddy” from Mumbai, India.  Don’t ever think that a “.us” top level domain means that the domain was registered in the U.S. by an American citizen.

    

Once again, criminals are using a real product called “Safe Mask” as the content for their clickbait.  They’ve used this product many times before!  The email came from, and has links pointing to, the domain piacekj[.]rest.  This domain was registered on the very day that the email was sent and is being hosted on a server in Hamburg, Germany again!  If you look carefully at this malicious clickbait, you’ll find the SAME TWO POKER TELLS we described above:

1. At the top of the email is the sentence “This offer is only for United States, if you can’t see the images please Visit Here.”

2. Look at the link revealed at the bottom of this email when we moused over it.  You’ll find two random hyphenated words at the end of the link: created-chanticleer.

This domain, piacekj[.]rest, also contains a redirect that will send you to atlaswonder[.]com.  We have no doubt that malware is waiting for you at Atlas Wonder!
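The two poker tells described for both emails above can be checked mechanically. The following is an added example, not code from The Daily Scam; the host sender.example, the leading path segment and the function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Tell 1: the geo-restriction sentence; tolerant of the "Click Here"/"Visit Here" variants.
GEO_SENTENCE = re.compile(
    r"this\s+offer\s+is\s+only\s+for\s+(?:the\s+)?united\s+states"
    r".{0,40}?can.?t\s+see\s+the\s+images",
    re.IGNORECASE | re.DOTALL,
)
# Tell 2: last path segment is exactly two lowercase words joined by a hyphen.
TWO_WORD_DIR = re.compile(r"^[a-z]{3,}-[a-z]{3,}$")
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def visible_text(body):
    """Drop tags, decode entities and collapse whitespace."""
    return re.sub(r"\s+", " ", html.unescape(re.sub(r"<[^>]+>", " ", body)))

def two_word_links(body):
    """Return hrefs whose final directory name looks like 'word-word'."""
    hits = []
    for url in HREF.findall(body):
        segments = [s for s in urlparse(html.unescape(url)).path.split("/") if s]
        if segments and TWO_WORD_DIR.match(segments[-1]):
            hits.append(url)
    return hits

def poker_tells(body):
    sentence = bool(GEO_SENTENCE.search(visible_text(body)))
    links = two_word_links(body)
    # Tell 2 alone also matches ordinary slugs such as /privacy-policy,
    # so only the combination is treated as a match for this email template.
    return {"geo_sentence": sentence, "two_word_links": links,
            "suspect": sentence and bool(links)}

# Constructed samples; sender.example, shop.example and the "a1" path are placeholders.
SAMPLE = """<p>This offer is only for United States, if you can&rsquo;t see
the images please <a href="http://sender.example/a1/yourself-articulating">Click Here</a>.</p>"""
BENIGN = '<p>Read our <a href="https://shop.example/privacy-policy">policy</a>.</p>'
```

Neither tell is proof on its own; the value is in the combination, which is why the benign sample with a two-word slug is not flagged.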

                                              

Revolutionary Termometer Used By Medical Staff Worldwide…

This email begins with a “WARNING: Due to the recent Coronavirus outbreak…. supplies are limited.”  This is meant to increase your anxiety and get you to click the link quickly without seriously evaluating this malicious clickbait!  Though the product described in this email is legitimate, the domain the email came from, and that its links point to, is malicious!  The email came from NewSupplementSource[.]com and all links point back there.  NewSupplementSource[.]com was registered anonymously on March 30, less than a week before this email was sent.  Quite oddly, once you land on this website you’ll be immediately redirected to a website that has nothing to do with any products related to your health: tinyhousehugeideas[.]com.  None of this feels legitimate or safe!

                                         

APRIL 1 – 4:
Are you at risk of the Coronavirus?

This email is made to look like a newsletter that begins with the question “Are you at risk of the Coronavirus?”  It was sent from the domain “airbatics[.]us” and all links point back to that domain, which is made to sound like it is a United States domain.  This malicious clickbait has a link in which you are led to believe that you can do something to “boost your immune system so you can protect yourself from the Coronavirus.”  That link leads to a malicious website!  To help get this email past the protective eyes of anti-spam servers, the cybercriminals have hidden text in a large space at the bottom of the email.  This BS newsletter was a graphic but the WHITE text set against a WHITE background was taken from a Wikipedia article about the stone age!


“Airbatics[.]us” was registered on the day this email was sent by someone in India; the site has already been blacklisted by the security service McAfee.  Clicking any of the links in the email above will result in a visitor being redirected to a website called immunity911[.]com which was registered on March 17 and is hosted on a server in Holland.

    

Coronavirus: Is Vitamin C the Solution?

Here is more malicious clickbait found in early April and meant to prey upon the fears and concerns people have about staying healthy and avoiding infection.  This next one asks “Coronavirus: Is Vitamin C the Solution?”  The email came from, and links point back to, the domain “Bluestecle[.]world.”  That domain was registered on the very same day the email was sent by someone in India.  Again, the website is already blacklisted by McAfee.

“SafeMask” is a real product but that doesn’t mean this email represents a real company!  This is another example of malicious clickbait.  The links in this email all point to the oddly named website “vascularization[.]me.”  But that’s not where visitors will land!  That bloody website will redirect visitors to another website called “achievementbonus[.]com” that has a well-known and NASTY reputation!  Do not go looking for facemasks via this email!


MARCH 6:

“Coronavirus has reached the US” sent from huristaix[.]us.  All links point to huristaix[.]us.  This domain was registered in Bhopal, India on January 14, 2020 by someone identified as “Shreena Arora” and using a generic gmail address. According to the N.Y. Times timeline, the first death reported in China from COVID-19 wasn’t until January 11 and the spread was not documented and made public until January 20.  How very forward thinking of Shreena Arora to think she needed to register and set up a website about all of this on January 14! (Said dripping with sarcasm.) The bottom of the email contained a large grey box filled with grey text so it was invisible.  This is a typical tactic spammers use to get malicious email past anti-spam servers. When we copied that text and pasted it into a simple ASCII text program and turned the text black, we were surprised to learn that these criminals had taken text from two Wikipedia passages about the Roman Empire and History of the Roman Empire! It must parallel their desire to conquer the world through cybercrimes.

MOST IMPORTANTLY, huristaix[.]us was found by Sucuri.net to contain a redirect to the website mentioned above SurviveCoronaVirus[.]org.
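The invisible filler text described in the April and March 6 emails above (white on white, grey on grey, or set in a tiny size) can be measured from an email's inline styles. This is an added example, not The Daily Scam's own tooling; it assumes styles are inline and tags are properly closed, and the 2px threshold and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "input", "link"}   # tags with no closing tag
ALIASES = {"white": "#ffffff", "#fff": "#ffffff"}      # minimal colour normalisation

def style_of(attrs):
    """Parse an inline style attribute into a {property: value} dict."""
    style = dict(attrs).get("style") or ""
    pairs = (p.split(":", 1) for p in style.split(";") if ":" in p)
    return {k.strip().lower(): ALIASES.get(v.strip().lower(), v.strip().lower())
            for k, v in pairs}

class HiddenTextFinder(HTMLParser):
    """Counts characters whose colour equals the background or whose size is <= 2px."""
    def __init__(self, page_bg="#ffffff"):
        super().__init__()
        self.stack = [(False, page_bg)]          # (hidden?, effective background)
        self.count = {True: 0, False: 0}         # hidden / visible characters

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = style_of(attrs)
        parent_hidden, parent_bg = self.stack[-1]
        bg = style.get("background-color", parent_bg)
        size = re.match(r"(\d+(?:\.\d+)?)(px|pt)", style.get("font-size", ""))
        tiny = bool(size) and float(size.group(1)) <= 2
        same = style.get("color") == bg
        self.stack.append((parent_hidden or same or tiny, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        self.count[self.stack[-1][0]] += len(data.strip())

def hidden_text_ratio(html_body):
    """Fraction of the email's text characters that a reader cannot see."""
    finder = HiddenTextFinder()
    finder.feed(html_body)
    hidden, visible = finder.count[True], finder.count[False]
    return hidden / (hidden + visible) if hidden + visible else 0.0

# Constructed sample: a short visible pitch above white-on-white filler text.
SAMPLE = ('<div><img src="offer.png"><p>Are you at risk?</p></div>'
          '<div style="background-color:#FFFFFF"><span style="color:white">'
          'Filler prose copied from an unrelated encyclopedia article goes here.'
          '</span></div>')
```

A high ratio on an image-only "newsletter" matches the pattern in these emails, where most of the text exists only for the spam filter to read.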

     


MARCH 7:

We received this email that had the “FROM” address completely missing.  The subject line was “Keep Yourself Protected with SafeMask.” While Safemask is a legitimate product made by Medicom.com, this email had no connection to Medicom.  The links pointed to a frequently misused Outlook domain called “safelinks[.]protection[.]outlook[.]com.”  This link, however, contains a built-in redirect to a frequently misused Googleapis server address.  The email most likely uses stolen graphics from the Medicom website.  The links and redirects STRONGLY SUGGEST this email is HIGHLY SUSPICIOUS!

 

MARCH 19:

The subject line of this fraudulent email is “Corona Virus Reusable Protective Mask for Adult and Kids.”  (Notice the incorrect spelling of coronavirus.) This email contains a few grammatical errors. It was sent from the name “florenza Health Organization” via the domain tahseel[.]com.   The links in this clickbait point to a website called royalpanda[.]com but contain a redirect to the website baggb[.]com. The address for “Baggb” is listed at the bottom of this email as 4170 Hammond Street, Mcdermitt PA 18503.  According to Google, no such address exists. In fact, there is no “Mcdermitt, PA!” Norton Safe Web has blacklisted baggb[.]com.

Tahseel[.]com, the source of this email, is a hacked debt collection website hosted in Mumbai, India.

MARCH 20:

This email, received on March 20, carries ALL the hallmarks of fraud!  It claims to be from “FoxNews” but uses a general email address “walter8000smit” from Gmail.  The subject line is gibberish and the contents quote an article that is presumed to be on Fox News but the link points to the misused service at Googleapis.com….

“One Mom has Found a Solution to Fight back against the Corona-virus outbreak” (Notice the capitalization errors and misspelling of coronavirus.)

Here is the very long article (saved as a screenshot) that was linked to this email.  The article title is “While the world is waiting for a vaccine, one mom has found a solution to fight back against the coronavirus outbreak.”

When we Googled most of the headline in this article, we discovered that this “news article” was posted on the website called familyviralprotection[.]com.  In addition, Google showed us two links to the legitimate and valuable website TruthInAdvertizing.org that claimed the remedy on familyviralprotection[.]com was a fake Fox News article and had no merit whatsoever!  This can also help explain why McAfee, the security service, has blacklisted the site.  FamilyViralProtection[.]com was registered anonymously on March 11, 2020.

MARCH 21:

The subject line reads “Exclusive: The truth about the coronavirus” and the email came from a bizarre address “@” smugsolid.net. (This domain was registered in August, 2019 and is hosted on a server in Dusseldorf, Germany.) It goes on to say “Help fight the virus the natural way. Find out more.”  The email offers an “Unsubscribe” link to a business (Ladies Trend Gallery) at an address that does not exist, according to Google. All links in the email point to the misused address for Outlook.com but contain a redirect to the odd domain verybastion[.]com. But you won’t stop there!  Verybastion[.]com will redirect you again to fiendbrood[.]com.  Does any of this sound legitimate to you?  WE DON’T THINK SO!