COVID-19 Talk in the Dark Web
Unsurprisingly, as the COVID-19 pandemic occupies the world’s attention, hostile actors are preying on the fears and uncertainties of the global population. LookingGlass researchers have observed a noticeable increase in cyber criminals seeking to capitalize on the pandemic, exploiting COVID-19 themes to perpetuate various cyber-enabled crimes. This is not a novel approach. Criminals are attuned to geopolitical events and global crises and frequently launch fraudulent campaigns aimed at profiting from people’s fears and misplaced trust. Some noticeable activity in the cyber crime forums we track include:
- Zoom Accounts. Social distancing and working from home have led organizations to rely online video conferencing platforms to maintain business operations. According to statistics, as of late March 2020, Zoom’s daily active user count increased 378 percent from the previous year, with monthly active users increasing 186 percent. More users represent a larger target area, and cyber criminals have been quick to identify vulnerabilities in video conferencing platforms, including Zoom. On March 30, 2020, the Federal Bureau of Investigation issued an alert warning the public of teleconferencing hijacking (“Zoom-bombing”). During the period of April 12-19, 2020, LookingGlass researchers observed multiple actors selling and sharing compromised Zoom accounts in a variety of underground forums, as well as on Pastebin. Actors are also selling cracking tools used to brute force email and password combo-lists against a specific website or target, advertising these as tools that can be used to exploit Zoom (see Figure 1 for a forum post regarding illegal Zoom content).
- Fraudulent/Counterfeit COVID-19 Healthcare Remedies. The threat of counterfeit pharmaceuticals is a global concern, a theme underscored by a 2011 report issued by the U.S. government. Whether it be via fraudulent websites, email, or other digital mediums, cyber criminals are taking advantage of the current COVID-19 health crisis, using people’s fears as a business opportunity. LookingGlass researchers have observed multiple websites and social media channels advertising vaccines against COVID-19. In addition to pharmaceuticals, other products being sold include test kits (see Figure 2) and face masks. Most sellers require potential customers to pay via cryptocurrency prior to receiving shipping information.
- Patient Data. Personal health information (PHI) has long been purchased, sold, and traded in the cyber crime underground. According to a 2018 Ponemon Institute study, the average cost for PHI was $408/per record, making this information a valuable commodity. Such information can perpetuate a variety of criminal activities, including extortion, identity theft, and medical fraud, among others. LookingGlass researchers have observed actors looking for the PHI of COVID-19 patients. One actor was specifically looking for COVID-19 treatment data from China and Iran. Although the actor did not elaborate on why he was seeking this information, it does reinforce the fact that all information has potential value for criminals, depending on how they want to use and exploit it.
While the Dark Web has been an enabling environment for illegal activity, some criminals have shown compassion during this time of crisis. Although the Maze Ransomware team originally stated that it would not target healthcare organizations only to quickly renege on that promise, one Dark Web market actually prohibited vendors from selling fake vaccines/treatments for COVID-19. It appears that the one thing that can be counted on when it comes to criminals is their unpredictability.
However, such altruism is rarely exhibited; as long as money can be made, cyber criminals will use material that best positions their operations for success. COVID-19-themed content is the topic on the forefront of global media coverage, so it logically follows that cyber criminals, as well as other hostile actors, will make the most of its exposure. Recent reporting reveals that nearly a dozen advanced persistent threat groups were also leveraging COVID-19 themes as lures in their operations, indicating that exploitation of current events is not the purview of any particular threat actor or group. LookingGlass researchers observed one threat actor in a forum selling a coronavirus phishing method that included an interactive map. It is easy to see why such an offering could be valuable to a variety of different actors.
LookingGlass analysts expect COVID-19 content in the Dark Web to continue for the foreseeable future and will continue to monitor and report on notable activities and changes in the underground.