Image: Pinyo

Cybercriminals have been busy this year capitalizing on every facet of the coronavirus pandemic. And now that vaccines for the virus are on the horizon, bad actors have yet another area to exploit. A report released Friday by cyber threat intelligence provider Check Point examines how the desire for the vaccine is fueling a new round of malicious campaigns and sales.

Phishing campaigns

Previously, phishing attacks had been using vaccine developments as bait to trick people. Now, they’re using news about the upcoming vaccines as an even more enticing hook.

In one campaign, the emails contain executable files with the name “Download Covid 19 New approved vaccines.23.07.2020.exe.” Clicking on the attached file installs an InfoStealer malware capable of gathering usernames, passwords, and other account details.

In another campaign, the email touts the subject line of “pfizer’s Covid vaccine: 11 things you need to know” (in English and Spanish) and includes an executable file named “Covid-19 vaccine brief summary.” Clicking on this file triggers the nasty malware called Agent Tesla, a Remote Access Trojan that acts as a keylogger and infostealer. Once employed, Agent Tesla can monitor and steal input from the keyboard and clipboard, take screenshots, and capture credentials from such programs as Google Chrome, Firefox, and Microsoft Outlook.

SEE: Identity theft protection policy (TechRepublic Premium)

These attacks have been attributed to state-backed hackers as well as criminal groups. Hackers backed by Russia and North Korea have been trying to steal data from pharmaceutical companies and vaccine researchers, Microsoft said recently. China-backed attackers have also been targeting vaccine makers, with two such individuals charged by the U.S. government in July.

Targeting both individuals and organizations, these vaccine-related campaigns will likely ramp up as the approval and distribution plans for different vaccines reach their final stages, according to Check Point.

Vaccine-related domains

News about the vaccine trials and upcoming availability prompted a jump in new domains related to COVID-19 and vaccines. Since the start of November, 1,062 new domains containing the word “vaccine” were registered, with 400 also containing the word “covid” or “corona.” Of these, six were found to be suspicious.

Vaccines from the Dark Web

As people anxiously await for the new vaccines to become available, cybercriminals are taking advantage of the intense interest and expectations. Some people may be so eager to get the vaccine that they aren’t willing to wait for official channels, which means they could be susceptible to fake promises and phony sales.

Ads from the Dark Web about COVID-19 “remedies” and vaccines.
Image: Check Point

Check Point discovered an array of posts on Dark Web forums from people claiming to have “Coronavirus vaccines” and “Coronavirus remedies” for sale. The advertisements range from “available corona virus vaccine $250” to “Say bye bye to COVID19=CHLOROQUINE PHOSPHATE” to “Buy fast.CORONA-VIRUS VACCINE IS OUT NOW.”

The vendors all insist on being paid in bitcoin (which minimizes their chances of being traced). In one post, the seller was offering an unspecified COVID-19 vaccine for 0.01 BTC (around $300) and claimed that 14 doses were required. This contradicts official information stating that some COVID vaccines require two shots given three weeks apart.

In another post, the seller claims to have supply of a newly approved vaccine from a leading vaccine maker for sale and delivery from the UK, US, and Spain.

In yet another advertisement, the vendor is promoting Chloroquine as a regular coronavirus “treatment,” for only $10 with the line: “Hydroxychloroquine, a medicine for malaria that has been touted as a treatment for coronavirus.” This preys on gullible people who believed outgoing president Donald Trump when he pushed hydroxychloroquine as a COVID-19 cure, contradicting his own public health officials.


To help protect your organization against phishing attacks and other malicious activities, Check Point offers the following tips:

  • Check the full email address on any message you receive and be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Verify that you’re using a URL from an authentic website. Don’t click on links in emails. Instead click on the link from the Google results page after searching for it.
  • Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
  • Protect mobile and endpoint browsing with advanced cybersecurity solutions that prevent browsing to malicious phishing web sites, whether known or unknown.
  • Use two-factor authentication to verify any changes to account information or wire instructions.
  • Never supply login credentials or personal information in response to a text or email.
  • Regularly monitor financial accounts.
  • Keep all software and apps up to date.
  • Always note the language in an email. Social engineering techniques are designed to take advantage of human nature. Criminals know that people are more likely to make mistakes when they’re in a hurry and are inclined to follow the orders of those in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.