Skip to main content
banner image
venafi logo

COVID-19 Related Scams Are on the Rise [Stay Safe]

COVID-19 Related Scams Are on the Rise [Stay Safe]

an elderly woman sitting at the kitchen, talking on the phone with a worried look on her face
March 26, 2020 | Anastasios Arampatzis

These days, when the world is focused on getting a handle on the COVID-19 crisis, cybercriminals are weaponizing our fears and our desire for information to leverage their malicious goals; to cause as more harm and disruption as possible. As a result, we witness all kinds of attacks leveraging the Coronavirus or COVID-19 name.



INTERPOL and FBI Warnings

The situation is so inhumane and disturbing that it forced both FBI and Interpol to issue security warnings. INTERPOL warned “the public to exercise caution when buying medical supplies online” because criminals are taking advantage of the public health emergency to “run a range of financial scams.” Instead of receiving the promised masks and supplies, unsuspecting victims have seen their money disappear into the hands of the criminals involved. According to INTERPOL, the scams include telephone frauds and phishing emails “claiming to be from national or global health authorities, with the aim of tricking victims to provide personal credentials or payment details, or to open an attachment containing malware.”

At the same time, the FBI has issued another warning of increased COVID-19-related frauds. The announcement urges people to be alert to phony messages claiming to be from the Centers for Disease Control (CDC) “claiming to offer information on the virus”, phishing emails asking people “to verify [their] personal information in order to receive an economic stimulus check from the government,” and offers of phony COVID-19 treatment “that claim to prevent, treat, diagnose, or cure COVID-19.”

“Coronavirus” Malware

Some of these malicious actors really have a twisted sense of humor. Researchers from CyberArk discovered a new type of ransomware named “CoronaVirus”. This malware spreads through a phishing website, WiseCleaner[.]best. The website is supposed to resemble, which provides free system utilities for Windows to improve the computer’s performance. The ransomware is distributed alongside an infostealer named KPot, also known as Khalesi, which is an infostealer popular in the underground community.

The ransomware is delivered through a user visiting the fake website and downloading the malicious file “WSHSetup.exe.” WSHSetup.exe is a downloader, which is the first stage of infection. The malicious file from the fake website downloads the KPot stealer—an information stealer that focuses on exfiltrating account information from web browsers, instant messengers, email, VPN, RDP, FTP, cryptocurrency and gaming software—and the CoronaVirus ransomware.

A screenshot of a cell phone

Description automatically generated

Figure 1: CoronaVirus ransomware. Image courtesy of CyberArk

Fake WHO Advice Delivers HawkEye Infostealer

On March 19, 2020, IBM X-Force detected a campaign that emitted several waves of phishing emails purporting to originate from the World Health Organization (WHO) as a whole or from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO.

A screenshot of a social media post

Description automatically generated

Figure 2: Spoofed WHO email. Source:IBM X-Force

The emails instructed recipients to open an attachment for the purpose of receiving updated instructions on how to fight the coronavirus. This attachment was an archive that, when opened, revealed “Coronavirus Disease (Covid-19) CURE.exe.” When run, this executable loaded HawkEye, a keylogger which is capable of intercepting keystrokes, stealing credentials, taking screenshots, and exfiltrating its stolen data.

Targeting Remote Workers

Meanwhile, the security firm AppRiver found cybercriminals targeting at-home employees with messages that notify workers of a positive COVID-19 test within their organization. The messages contain malicious attachments disguised as protocols that the company is undertaking as well as a "flyer" that recipients are asked to open, read and print out, according to AppRiver.

In another instance, the same security firm discovered a phishing campaign that poses as an alert from the CDC and appears to have wider distribution. The email, which is made to appear from the Centers for Disease Control and Prevention, claims to provide a list of Novel Corona cases “around your city” and advise that the recipient go through the cases to avoid exposure to the virus. However, the links in the message lead to a phony OWA login page designed to harvest email credentials.

A screenshot of a social media post

Description automatically generated

Figure 3: CDC scam message. Source: AppRiver

Fake Coronavirus ‘Vaccine’ Website Busted

The website, “,” was purporting to give away free vaccine kits that it claimed were manufactured by the World Health Organization (WHO), according to Department of Justice court documents. In reality, website operators were engaging in a wire fraud scheme. They first asked buyers to input their payment card information on the website in order to pay a shipping charge of $4.95. Then, they would steal that credit card and personal information in order to carry out fraudulent purchases and identity theft.


Stay Safe, Stay Cyber Safe

It is very important these days to follow the experts’ advice to remain safe. While following basic hygiene rules and staying at home are the cornerstones for containing the virus and flattening the curve, it is of equal importance to remain vigilant and follow the basic cyber hygiene rules. As INTERPOL and the FBI have reminded us:

  • Do not open attachments or click links within emails from senders you don't recognize.
  • Do not provide your username, password, date of birth, social security number, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in a ".gov" ends in .com" instead).

In addition, it is crucial to safeguard the certificates and the encryption keys protecting our machines and assets. Should these valuable assets fall in the hands of criminals, they will turn into weapons against us. These actors can use the compromised machine identities to create phony websites or encrypt their movements within our organization escaping detection.

If you spot a coronavirus scam, you can let us know by reaching out in Twitter.


Related posts

Like this blog? We think you will love this.
Featured Blog

Researchers Find 3,200 Apps Exposing Twitter API Keys, Cite ‘BOT Army’ Threat

Key Findings:

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more