Dark web: Underground forums remain a hotbed of COVID-19 scams

From fake coronavirus 'cures' to counterfeit travel documents and scam calling services, COVID-19 continues to offer plenty of monetization opportunities for cyber criminals, say researchers from Trustwave.

[Image: Your valuable data could be at risk. Credit: Getty Images/iStockphoto]

Fake COVID-19 cures, counterfeit travel documents and scam call services are amongst the services being traded on the dark web, as cyber criminals continue to look for ways of exploiting the 2020 health crisis.

Cybercrime has been a persistent issue throughout 2020 as uncertainties around the coronavirus pandemic and the subsequent shift to remote working have opened up new ways for crooks to cash in on the situation.


In closed forums on the dark web, criminals are trading vast databases of consumer information gathered via data breaches and phishing attacks, but also through readily-available government databases.

Cybersecurity firm Trustwave has been monitoring activity related to COVID-19 on the dark web since February, shortly before the crisis unfolded into a global pandemic.

Already a marketplace for drugs, weapons, stolen bank details and leaked website databases, the dark web has now become a thriving underground community where individuals discuss and trade techniques for capitalizing on COVID-19.

"When the COVID-19 situation started we were amazed how quickly they started looking for ways to monetize the situation," Ziv Mador, vice president of security research at Trustwave SpiderLabs, told TechRepublic.

"We even captured some communication on the dark web forums early on where they were discussing new opportunities in the COVID-19 situation. 'Let's monetize them' – they actually used that language."

The methods used by criminals have been persistent and numerous, from taking advantage of relief systems put in place to protect furloughed workers and those who have been made redundant, to capitalizing on weaknesses in corporate IT setups as a result of home working.

Cyber criminals have registered thousands of fake domains in 2020 designed to lure people through heavy use of coronavirus-related keywords.

As previously reported by ZDNet, the majority of these are being used to launch malware or other forms of cyberattacks, or otherwise trick users into paying for fraudulent products or services.

"At one point we saw more than 70,000 domains being registered," says Mador.

Government sites have also been spoofed to fool people into giving up sensitive credentials and even bank information with the promise of relief funds or new sources of income, Mador says. Meanwhile, off-guard home workers can be easily fooled by emails claiming to be from the HR department carrying the subject line: 'New remote-working policy – click to accept'.

"It looks very logical and professional, so people give up their corporate credentials," Mador explains.


The methods typically used are hardly sophisticated, but at a time when everybody is looking for straightforward solutions to new, complex problems, it's hardly surprising that we've become more susceptible to scams.

In the course of its research, Trustwave has found bogus COVID-19 'cures' available on the dark web for as little as $20. Very often, these are purchased by individuals who then go out and sell them to other people seeking treatment for themselves or someone they know. "Who knows what these 'vaccines' include," says Mador.

Counterfeit documents are also being openly sold, targeting countries where quarantine restrictions require individuals to carry certificates stating they are allowed to travel. In some cases, criminals are offering to turn these around in as little as 24 hours. Trustwave also found advertisements seeking native English speakers to staff scam call services used to commit identity fraud.

Offers for the sale of leaked medical records from a clinic in San Jose in the United States were also uncovered by Trustwave. Cyber criminals claim to hold 30 million medical records, some of which are records of children. "It's not rare, unfortunately," says Mador.

"That's another thing that's quite amazing – the trading of stolen data and hacked databases on the dark web."

One of the databases uncovered by Trustwave claimed to hold 400 data points on 245 million US consumers – representing just under three-quarters of the US population.

Not all of these data points were populated, Mador explains, though samples obtained by Trustwave's researchers painted a worrying picture of how vulnerable people's personal information is to crooks.


"We got sample files with one million records," says Mador.

"The data there looks very reliable. Every time we checked data using Facebook, LinkedIn, the White Pages, Zillow…the data was consistently accurate."

This contained everything from individuals' interest areas – like gardening, DIY, and political discussions – to personal information disclosing people's full names, age, address, email address, names of family members and even people's mortgage lenders.

"A lot of other personal information was very troublesome," Mador adds.

One of the key takeaways from Trustwave's research is just how much data cyber criminals are able to glean from public records alone, which can be easily correlated with other stolen data to identify and target individuals via social-engineering attacks. Oftentimes, this information is readily available and doesn't even need to be stolen.

"The databases we've found are a concern because the amount of data they collected about citizens is just scary. It's shocking," says Mador.

"That's probably a call for action for authorities, governments, and so on to really think what data they include in public records. Corporations have to follow very strict rules around privacy – such as GDPR – but when governments publish public records that include people's names, and political affiliations – that information can be used to target people."
