PPE, COVID-19 Medical Supplies Targeted by BEC Scams

FBI said that government agencies aiming to buy critical items like ventilators have unknowingly transferred funds to threat actors.

Much has been publicized about the shortage of personal protective equipment (PPE) and other supplies for healthcare facilities in the United States during the COVID-19 pandemic. Now, the FBI is warning that threat actors are taking advantage of efforts to procure PPE and critical equipment such as ventilators with new business email compromise (BEC) and other scams aimed at defrauding those seeking the supplies.

In a warning posted to the FBI website, the law-enforcement agency said it was aware of “multiple incidents” in which state government agencies were duped into sending advance funds to both domestic and foreign fraudulent brokers and sellers of things like N95 masks and gowns.

These so-called “advance-fee schemes” are among several new fraud campaigns the feds have observed, alongside more typical BEC scams. The common theme is that they all use socially engineered emails to try to fool people into sending funds to what they think are legitimate entities, instead directing payments to accounts that bad actors can access.

“In advance-fee schemes related to procurement, a victim pre-pays (partially or in full) a purported seller or a broker for a good or service, and then receives little or nothing in return,” FBI officials explained in the post.

In one case, a purchasing agency believed it was working with someone with whom it already had an existing business relationship, showing the sophistication of the attack, according to the FBI.

“By the time the purchasing agencies became suspicious of the transactions, much of the funds had been transferred outside the reach of U.S. law enforcement and were unrecoverable,” according to the agency.

Indeed, the COVID-19 pandemic has brought threat actors out of the woodwork with a raft of new scams and attacks aimed at the multiple and complex aspects of the crisis.

Many attacks have focused on individuals’ interest in receiving accurate information about the pandemic, and have used email-based attacks to spread malware. One campaign, for example, used socially engineered emails promising access to important information about cases of COVID-19 in the receiver’s local area. Instead of providing this, the fake messages evaded top email-detection software and spread malware that steals the user’s Microsoft log-in credentials.

In another example, a spearphishing campaign used emails claiming to be from the World Health Organization to send an attachment that unleashes the infostealer LokiBot, if downloaded and opened.

The agency also provided some warning signs for those in charge of procuring supplies to look for. These signals include: someone initiating the contact with the buyer, especially from a difficult-to-verify channel such as telephone or personal email; the seller or broker being an entity with which the buyer has not previously done business; or a seller that can’t be verified with the manufacturer of the products the entity aims to distribute.

Another red flag is an unexplained urgency on the part of the seller to transfer funds, or a last-minute change in the wiring instructions that parties previously agreed to, authorities said.

To mitigate these types of attacks, the FBI recommended several steps that procurement agencies can take. These include avoiding prepayment scenarios altogether by routing payments to a domestic escrow account, with funds to be released to the seller upon receipt of the promised items.

Other efforts to shield organizations include having a trusted, independent party ensure that the items for sale are physically present – and verifying that contact information such as email addresses matches the actual sender of the messages, according to the FBI.
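One way a procurement team could automate the sender check described above, shown as an added example that is not code from the FBI or from this article. The vendor-of-record list, the `.example` domains and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the buyer keeps a vendor-of-record list (display name -> domain on file).
VENDORS_ON_FILE = {"Acme Medical Supply": "acmemedical.example"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_findings(raw_message, vendors=VENDORS_ON_FILE):
    """List the ways a message's sender fields disagree with the vendor on file."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    path_dom = domain_of(msg.get("Return-Path"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs")          # replies go somewhere else
    if path_dom and path_dom != from_dom:
        findings.append("return-path-differs")       # envelope sender disagrees
    on_file = vendors.get(display)
    if on_file and from_dom != on_file:
        findings.append("known-name-wrong-domain")   # familiar name, new address
    if from_dom not in vendors.values():
        findings.append("domain-not-on-file")
    return findings

# Constructed sample: a familiar vendor name on a look-alike domain.
SUSPECT = "\n".join([
    'From: "Acme Medical Supply" <sales@acmemedical-orders.example>',
    "Reply-To: payments@freemail.example",
    "Return-Path: <sales@acmemedical-orders.example>",
    "Subject: Updated wiring instructions for N95 order",
    "",
    "Please use the new account details below.",
])

# Constructed sample: the same vendor writing from the domain on file.
LEGIT = "\n".join([
    'From: "Acme Medical Supply" <sales@acmemedical.example>',
    "Return-Path: <bounce@acmemedical.example>",
    "Subject: Shipping confirmation",
    "",
    "Your order has shipped.",
])

if __name__ == "__main__":
    print(sender_findings(SUSPECT))
    print(sender_findings(LEGIT))
```

An empty result is not proof of legitimacy, because the `From` header can be forged outright; any change to payment details still warrants confirmation through a contact channel already on file.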

Scams aimed at healthcare facilities continue to ramp up. Recent research shed light on two recently uncovered malware campaigns: One targeting a Canadian government healthcare organization and a Canadian medical research university, and the other hitting medical organizations and medical research facilities worldwide. The emails sent to these unnamed organizations purported to send COVID-19 medical supply data, critical corporate communications regarding the virus or coronavirus details from the World Health Organization (WHO) – but actually aimed to distribute ransomware, infostealer malware and more.

Anyone who thinks they’ve been the victim of a COVID-19-related fraud scheme can report the incident to the FBI’s Internet Crime Complaint Center at ic3.gov.
