Abnormal Attack Stories #10: COVID-19 Medication Scam

March 25, 2020

Abnormal Security

Abnormal Security

In this scam, attackers claim that they have a medication that can treat COVID-19 (no treatment currently exists) that can be sent to recipients after payment to a Bitcoin wallet.

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: Between 20,000 and 50,000
  • Email Gateway: Proofpoint
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Payload-less
  • Technique: Cryptocurrency Fraud

What was the attack?

  • Setup: As the number of COVID-19 cases increases worldwide, many are hoping to protect themselves from the virus through some kind of medication or treatment. Although none have been developed yet, many scammers have filled that gap with offers of a treatment themselves.
  • Email Attack: These scammers claim to have a treatment for COVID-19 that was developed by an Israeli medical research institute, which they are happy to offer to recipients for the low price of $3,000 sent to a Bitcoin wallet, after which the bottles of “syrup of covidrug” will be delivered to the recipient (or not).
  • Payload: In the case of this email, the text itself is the payload. There are no links or attachments; the attackers are hoping that recipients won’t scrutinize the email as they might normally under less urgent circumstances.
  • Result: It goes without saying that most of the information in this email is untrue. There is no treatment for COVID-19 currently available, and any payments to this Bitcoin wallet will never be seen again.

Why is this attack effective?

  • Urgency: Most recipients of this email will be nervous about COVID-19 and the increasingly serious impact it is having on populations around the world. Most recipients will also be aware of the critical shortages of supplies to help patients who have developed serious symptoms from coronavirus. The attackers here are hoping that, in this environment, recipients will be less likely to scrutinize this email, or are more willing to take risks if a treatment does indeed exist than they might otherwise.
  • Text payload: Attacks like this one often get through traditional email security solutions because there are no malicious links or attachments. The payload is the message in the email that spurs some kind of action on the part of the recipient.

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

COVID-19-related attack deep dives

Like our article? Share our content