Feds Shut Down Fake COVID-19 Vaccine Phishing Website

‘Freevaccinecovax.org’ claimed to be that of a biotech company but instead was stealing info from visitors to use for nefarious purposes.

Federal law enforcement in Maryland has shut down a fraudulent website targeting immigrant communities that claimed to be for a company developing a COVID-19 vaccine. Instead, the site was stealing information from people with the purpose of using it for future cybercriminal activity.

The U.S. Attorney’s Office for the District of Maryland, working with Homeland Security Investigations (HSI) in Baltimore, seized “Freevaccinecovax.org,” “which purported to be the website of an actual biotechnology company developing a vaccine for the COVID-19 virus,” according to a release on the office’s website posted earlier this week.

Instead, the site was collecting personal information from people who visited it “in order to use the information for nefarious purposes, including fraud, phishing attacks, and/or deployment of malware.”

The site used trademarked logos for Pfizer, the World Health Organization (WHO) and the United Nations High Commissioner for Refugees (UNHCR) on its home page to dupe visitors into thinking it was a legitimate site, according to the release. It collected visitor information by using a drop-down menu asking people to select their city and then apply for information by downloading a PDF file to their computers.

The PDF that the site offered to users was written in Cyrillic, suggesting that fraudsters were targeting immigrant communities of people from former Soviet countries of Belarus, Khazakstan, Russia, Turkmenistan and Ukraine, who use Cyrillic script in their native languages. A domain analysis conducted by HSI indicated the domain name was created on April 27, using an IP address located in Strasbourg, France and a registrant country listed as Russia.

“It’s a scary thought but what HSI wants the public to understand is, all a bad guy needs to defraud thousands of Americans in search of COVD-19 information is the ability to create a website combined with malicious intent,” said James Mancuso, special agent in charge for the HSI Baltimore Field Office. “We must make an example of these perpetrators in order to deter others from committing these crimes against an unsuspecting and vulnerable internet user.”

Clicking on the site now greets users with a message that the site has been seized by the federal government and redirects them to another site for additional information. Seizing the site also means that third parties can’t use the name and use it to commit additional crimes, according to the feds.

“The domain itself and the operation associated with it illustrate just how useful the COVID-19 pandemic has been for malicious actors looking to cash in on other people’s misery,” Eric Howes, principal lab researcher at KnowBe4, said via email. “A bogus vaccine website offers bad actors a wide range of potential social-engineering schemes, from offers for free access to vaccine supplies to bogus investment schemes. COVID-19 has been the gift that keeps on giving for fraud artists over the past year.”

COVID-19 Vax Attracts Crooks

Indeed, since news of their development, the various vaccines for COVID-19 of been of great interest to cybercriminals. Before they were available extensively, threat actors focused on stealing research and development (R&D) plans for the vaccines in cyber-espionage campaigns.

More recently, attacks have been aiming to benefit financially from people’s interest in getting the vaccine, something acknowledged by Acting U.S. Attorney Jonathan F. Lenzner, who said the latest domain seizure was the ninth fraudulent website shut down for “seeking to illegally profit from the COVID-19 pandemic.”

Indeed, upon vaccine rollout last December, cybercriminals leveraged various tactics, from simple phishing scams all the way up to sophisticated Zebrocy malware campaigns, to take advantage of the widespread media attention around the distribution of the vaccines.

The latest seizure is but a drop in the bucket, Howes warned: “While authorities are to be lauded for shutting down this domain, one wonders how many more of them pushing similar fraudulent schemes are out there on the internet,” he said. “Dozens? Hundreds? Thousands? Moreover, how long will it be before the parties behind this operation simply set up another domain and continue their operations?”

Lenzner said the federal government will continue to “aggressively prosecute fraudsters” who aim to prey on people’s misunderstanding of how the vaccine is distributed. These misconceptions may especially be present in immigrant communities who don’t have the inherent understanding of the U.S. medical system’s rollout of the vaccine.

“Members of the public should not provide personal information or click on links in unsolicited emails and should remember that the COVID-19 vaccine is not for sale,” he warned in a press statement.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.  



Suggested articles