Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Vaccine for COVID-19 and Other Scams on the Dark Web

Our attempts to investigate the underground and document some of what’s going on in the Dark Web often feels like an adventure from which you return with a lot of notes about various entities and how they see a certain topic and react to real-world events. With the entire world, underground included, looking at the ongoing pandemic we can definitely see diversity in approaches from cybercriminals, reminding us once again that behind these aliases are real people, with their own perspectives, values, fears, and interests. Their reactions range from sympathetic pleas not to capitalize on the pandemic, all the way to ads such as this one:

COVID-19

This blog post will cover some of the more interesting reactions to COVID-19 we’ve encountered on the underground, both good and bad. Read on to learn more (spoiler alert: The coronavirus vaccine is a scam!)

 

Covid-19 in Underground Communities

It’s important to remember that the members of underground communities are representatives of different nations and countries spending time on the same boards and forums, and so many forums try to keep up with coverage of real news sources from around the world:

Regular updates on an underground board in a thread dedicated to COVID-19

Figure 1: Regular updates on an underground board in a thread dedicated to COVID-19

 

In these forums you will see that members that are just as human as we are, expressing and sharing their thoughts and fears.

Members of the underground expressing familiar fearsFigure 2: Members of the underground expressing familiar fears

 

The underground is also concerned with fake news

Figure 3: The underground is also concerned with fake news

 

And some individuals start thinking about Darknet and preventing global disaster.

Member expressing concern for the survival of an underground forumFigure 4: Member expressing concern for the survival of an underground forum

 

But as we’ve also been seeing in the market above ground, some are taking a very pragmatic approach and looking for opportunities to profit in a situation that has affected the demand of particular items in the world:

Conversations on selling covid-19 related supplies at a high markup.Figure 5: Conversations on selling COVID-19 related supplies at a high markup.

 

Nothing personal, just business.

 

Underground Supplies: From Self Protection to Newest Cures

The underground community has reacted to the worldwide demand for medical supplies. Accordingy medical goods like N95, other “corona protection masks” and disinfection solutions have suddenly appeared on the same virtual shelves where drugs and other illegal goods are often up for sale.

Underground markets selling medical goodsFigure 6: Underground markets selling medical goods

 

The vendors ensure customers that these are not fake or stolen items in an attempt to gain the trust of potential buyers, and the prices vary from a couple of dollars to $10 US for one mask. Needless to say, despite these assurances we are not convinced that these masks will ever reach the buyer. To further remind us that this is not a place where anyone’s word can be trusted, some underground sellers propose unlikely stories about a “COVID-19 vaccine” of which they have very limited supply:

Advertisement selling "coronavirus vaccine" at a limited suFigure 7: Advertisement selling "coronavirus vaccine" at a limited supply

 

Others invest more in their stories, pretending to be “in the know” that the public is being lied to about a vaccine becoming available shortly. They claim that the vaccine already exists and you can have access to it now, for a price. These conspiracy theories help play into the fears of desperate buyers and give them just enough to believe that maybe this really is a conspiracy, and just maybe the vaccine offered here would work. To sound even more reliable, the seller is asking “only” for $5,000 US, claiming that they could sell it for more, but they wanted to keep the price “fair”. The same seller also offers a cure for $25,000 US, because “life is not cheap”:

Ad offering “covid-19 vaccines” and “cure”Figure 8: Ad offering “COVID-19 vaccines” and “cure”

 

Impact of the Pandemic on Underground Businesses

COVID-19 already had a lot of influence on supply and delivery systems worldwide. The underground markets and its variety of shops are no exception. They use COVID-19 as an opportunity to advertise the advantages, reliability and customer care in product promotion, but like many legitimate businesses they also warn of some service disruption or slow-down in order to protect their own employees:

Underground service updates regarding covid-19Figure 9: Underground service updates regarding COVID-19

 

Some underground shops have been forced to temporarily suspend their services, and members of the underground seem to express care and concern for the customers, some of whom belong to vulnerable groups due to dependency on various substances:

 

Cannabis store service suspended along with link to harm reduction guidance for substance users.Figure 10: Cannabis store service suspended along with a link to harm reduction guidance for substance users.

 

These sort of changes have been happening in a variety of underground businesses. Same as businesses above ground, underground businesses are having to adapt to this new reality:

Money laundering service adjusting to rapidly changing work conditions on a daily basisFigure 11: Money laundering service adjusting to rapidly changing work conditions on a daily basis

 

Money laundering service significantly worsening their percentage terms due to the epidemicFigure 12: Money laundering service significantly worsening their percentage terms due to the epidemic

 

Various money laundering services suffer from changes on trading platforms and reduction in the circulation of goods worldwide, while others boast that nothing changed in the business. Other than the more obvious change in price increases we also see changes to money payback/withdraw conditions, as some of the standard conditions have become risky. Often this means that the risk goes back to those looking to launder money, and though this implies a positive change and reduction in money laundering overall, those in need will likely accept the worsened conditions and continue to use these services.

Some businesses which offer services directly relevant to the situation are actually offering significant discounts on their services:

Visa document service offering discount on Korean G-1 visas for the duration of the pandemicFigure 13: Visa document service offering a discount on Korean G-1 visas for the duration of the pandemic

 

In another segment of the market, stolen credit card shops seem to be starved for fresh data, with sellers cross-posting the same cards to multiple shops, one user complains about this while pointing out that “this week” is generally chaotic in the underground markets:

Stolen credit card buyer complaining about being sold duplicatesFigure 14: Stolen credit card buyer complaining about being sold duplicates

 

At the same time, due to a reduction in buyer activity, actors who bought fresh dumps got to use them exclusively rather than find themselves competing with other buyers.

The underground communities pay close attention to the global situation and people’s reactions in order to profit as much as possible from it. Members are inventing schemas closely related to ongoing Coronavirus spreading. This actor used a Coronavirus map, which tracks the spread of the virus, in order to mask their malicious payload.

Underground advertising for a malicious coronavirus mapFigure 15: Underground advertising for a malicious coronavirus map

 

The actor is proud of their method and boasts about the schema getting what they consider a positive review in Forbes.

Malicious actors ride the COVID-19 wave and widely used it in phishing, scamming, and malware campaigns (covered more in-depth in our blogs here and here). But sometimes it feels like right now you can put “corona” or “COVID” in the title and your solution will immediately attract attention in underground market, even a very average one that has a detection rate of 6/14 AV engines:

Someone offering a crypter named "covid-19" for no particular reasonFigure 16: Someone offering a crypter named "COVID-19" for no particular reason

 

Actors are using the many ongoing issues, turning them into profit. One example is phishing related to the mass cancellation of vacations, flights, and rentals. The actors exploit customer wishing to get their money back, using the excuse of a “Coronavirus Update” to convince users to log in and give away their credentials:

Airbnb phishing page tailored for covid-19Figure 17: Airbnb phishing page tailored for covid-19

 

Some actors are using their talents not only in online scamming but also for inventing offline, real-life schemes involving people on the street, using and abusing the bad situation various quarantines around the world have put individuals in:

Underground forum user offering a scheme that exploits people in need of income during the quarantineFigure 18: Underground forum user offering a scheme that exploits people in need of income during the quarantine

 

The character shares a scheme that will scam Ukrainian citizens with ground coffee, abusing the population’s needs for alternative income due to being on quarantine. The general idea is telling them they can work remotely sorting coffee beans (so no qualification required) that will be sent to them by post, and they will send the beans back once sorted and get paid. The caveat, of course, is that the person has to temporarily pay for the beans being sent to them to ensure that they don’t simply steal them. Needless to say, once you have paid - no beans, no sorting, no money.

 

Another Look at Operations During Pandemic

To balance some schemes such as the above it’s important to note that many members of the underground community explicitly avoid and implore others to avoid trying to profit from the situation and not making life harder than it is already.

Underground forum members contemplating the ethics of covid-19 profiteeringFigure 19: Underground forum members contemplating the ethics of COVID-19 profiteering

 

Others, like social networks above ground, are helping keep members in a good mood and spend quarantine time to their advantage. Members are sharing multiple sources to free exhibitions, courses, and libraries.

Underground member sharing links to free resources and entertainmentFigure 20: Underground member sharing links to free resources and entertainment


Members of the underground, like most other people, understand the quarantine conditions worldwide. Some use it for good and take some break from everyday operations, while others will adapt and create new schemes, rules, and prices to continue working within these new conditions.

 

Summary

The number of people spending more time at home opens up possibilities for credit card scamming, spreading malware, and attacking online communication channels often used by corporations as a substitute for in-office communication. Since the beginning of February 2020 researchers noticed more than 80,000 newly registered domains that contain words such as CORONA, COVID, Wuhan and quarantine, and while some of them are surely legitimate sites looking to provide information, many, without a doubt, were created for malicious purposes.

Given that we’re already seeing a rise in a variety of malicious campaigns worldwide it’s important for us all to follow not only WHO’s recommendations for our health, but also online hygiene. Beyond the usual advice of paying attention to suspicious emails, attachments, and URLs, it’s important that we remember to look at information posted online with a critical eye: Look for updates provided through official sources, visit websites directly to find what their services are doing in regards to COVID-19, and, as we often repeat: If something seems too good to be true, it probably is.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo