Abnormal Attack Stories #8: COVID-19 Vaccine Donation Scam

March 25, 2020

Abnormal Security


In this attack, scammers claim to have access to a COVID-19 vaccine and ask for donations to produce and distribute it.

Quick Summary:

  • Platform: Office 365
  • # Mailboxes: Between 20,000 and 50,000
  • Email Gateway: IronPort
  • Email Security: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation

What was the attack?

  • Setup: As the number of COVID-19 cases increases worldwide, many are hoping for a vaccine to contain the pandemic. Scammers are leveraging this in order to trick victims into donating money to “doctors” developing vaccines.
  • Email Attack: These scammers have sent an email with an elaborate story about how a vaccine already exists, and the supposed doctor needs financial assistance to ramp up production and distribute the vaccine.
  • Payload: This email attack relies on engagement from the recipient. The email contains a link to join a Telegram group, where attackers will likely send instructions for making donations.
  • Result: It goes without saying that most of the information in this email is untrue. There is no vaccine for COVID-19 (yet), and any money sent to these attackers will not go towards aiding the development or distribution of a vaccine.
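The payload pattern described above, a donation lure paired with a link to join a Telegram group, can be checked for during mail triage. The following is an added example, not Abnormal Security's detection logic; the sample message, the theme keywords and the `triage` function are constructed assumptions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample message (not the email from the original report).
SAMPLE = """\
From: "Dr. Example" <doctor@example.test>
To: employee@example.test
Subject: Help distribute the COVID-19 vaccine

A vaccine already exists. We need donations to ramp up production.
Join our group: https://t.me/joinchat/AAAAAExampleInvite
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TELEGRAM_HOSTS = {"t.me", "telegram.me"}
# Assumed keyword sets for the lure themes named in the write-up.
LURE_THEMES = {
    "pandemic": re.compile(r"covid|coronavirus", re.I),
    "vaccine": re.compile(r"vaccin", re.I),
    "money": re.compile(r"donat|\bfund|financial (?:assistance|support)", re.I),
}

def message_text(msg):
    """Return the subject plus every text/* part, decoded to str."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)

def telegram_links(text):
    """Return URLs whose host is a Telegram link domain."""
    links = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        if (urlsplit(url).hostname or "").lower() in TELEGRAM_HOSTS:
            links.append(url)
    return links

def triage(raw):
    """Flag mail that moves a donation request onto Telegram."""
    msg = message_from_string(raw, policy=policy.default)
    text = message_text(msg)
    themes = sorted(n for n, rx in LURE_THEMES.items() if rx.search(text))
    links = telegram_links(text)
    # Require the link AND a money ask AND one more lure theme.
    flag = bool(links) and "money" in themes and len(themes) >= 2
    return {"flag": flag, "themes": themes, "telegram_links": links}
```

Requiring the link and the money ask together keeps ordinary Telegram invitations and legitimate fundraising mail from being flagged on their own.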

Why is this attack effective?

  • Urgency: Most recipients of this email will be nervous about COVID-19 and likely happy to mitigate its effects or help in some way to bring the pandemic to an end. The topic of this email, the distribution of a vaccine, is therefore likely to be treated with some urgency right now, so victims may not scrutinize the contents of the email as closely as they would outside of this crisis.
  • Playing into existing biases: This email also plays into some of the more conspiratorial thinking that exists around COVID-19: namely, that this particular strain of coronavirus was a biological weapon, that a vaccine already exists, and that nation-states are hiding the existence of this vaccine so that the virus will cause the most damage possible. Anyone who is already predisposed to thinking in these ways may be more likely to engage with this email because it confirms these beliefs.
  • Promise: Even those who do not buy into the conspiratorial tone of the email might be more likely to engage simply because the email promises a solution, now, for the current crisis.

About

Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Targeted Email Attack


Payload


Techniques to Detect
