SpiderLabs Blog

Vaccine for COVID-19 and Other Scams on the Dark Web

Our attempts to investigate the underground and document what is going on in the Dark Web often feel like an adventure from which you return with a lot of notes about various entities, how they see a certain topic, and how they react to real-world events. With the entire world, underground included, watching the ongoing pandemic, we can definitely see diversity in the approaches taken by cybercriminals, reminding us once again that behind these aliases are real people with their own perspectives, values, fears, and interests. Their reactions range from sympathetic pleas not to capitalize on the pandemic all the way to ads such as this one:

COVID-19

This blog post will cover some of the more interesting reactions to COVID-19 we’ve encountered on the underground, both good and bad. Read on to learn more (spoiler alert: the "coronavirus vaccine" on sale there is a scam!)

 

Covid-19 in Underground Communities

It’s important to remember that the members of underground communities come from many different nations and countries but spend time on the same boards and forums, and so many forums try to keep up with coverage from real news sources around the world:

Figure 1: Regular updates on an underground board in a thread dedicated to COVID-19

 

In these forums you will see members who are just as human as we are, expressing and sharing their thoughts and fears.

Figure 2: Members of the underground expressing familiar fears

 

Figure 3: The underground is also concerned with fake news

 

And some individuals start thinking about the darknet itself and whether their forums would survive a global disaster.

Figure 4: Member expressing concern for the survival of an underground forum

 

But as we’ve also been seeing in the market above ground, some are taking a very pragmatic approach and looking for opportunities to profit from a situation that has changed the demand for particular items around the world:

Figure 5: Conversations on selling COVID-19 related supplies at a high markup.

 

Nothing personal, just business.

 

Underground Supplies: From Self Protection to Newest Cures

The underground community has reacted to the worldwide demand for medical supplies. Accordingly, medical goods like N95 and other “corona protection masks” and disinfection solutions have suddenly appeared on the same virtual shelves where drugs and other illegal goods are often up for sale.

Figure 6: Underground markets selling medical goods

 

The vendors assure customers that these are not fake or stolen items in an attempt to gain the trust of potential buyers, and the prices vary from a couple of dollars to $10 US for one mask. Needless to say, despite these assurances we are not convinced that these masks will ever reach the buyer. As a further reminder that this is not a place where anyone’s word can be trusted, some underground sellers offer unlikely stories about a “COVID-19 vaccine” of which they have a very limited supply:

Figure 7: Advertisement selling a "coronavirus vaccine" in limited supply

 

Others invest more in their stories, pretending to be “in the know” that the public is being lied to about a vaccine becoming available shortly. They claim that the vaccine already exists and that you can have access to it now, for a price. These conspiracy theories play into the fears of desperate buyers and give them just enough to believe that maybe this really is a conspiracy, and just maybe the vaccine offered here would work. To sound even more credible, the seller asks for “only” $5,000 US, claiming that they could sell it for more but wanted to keep the price “fair”. The same seller also offers a cure for $25,000 US, because “life is not cheap”:

Figure 8: Ad offering “COVID-19 vaccines” and a “cure”

 

Impact of the Pandemic on Underground Businesses

COVID-19 has already had a lot of influence on supply and delivery systems worldwide, and underground markets and their shops are no exception. Shops use COVID-19 as an opportunity to advertise their advantages, reliability and customer care in product promotions, but, like many legitimate businesses, they also warn of service disruptions or slowdowns in order to protect their own employees:

Figure 9: Underground service updates regarding COVID-19

 

Some underground shops have been forced to temporarily suspend their services, and members of the underground seem to express care and concern for the customers, some of whom belong to vulnerable groups due to dependency on various substances:

 

Figure 10: Cannabis store service suspended along with a link to harm reduction guidance for substance users.

 

These sorts of changes have been happening across a variety of underground businesses. Like businesses above ground, underground businesses are having to adapt to this new reality:

Figure 11: Money laundering service adjusting to rapidly changing work conditions on a daily basis

 

Figure 12: Money laundering service significantly worsening their percentage terms due to the epidemic

 

Various money laundering services suffer from changes on trading platforms and the reduced circulation of goods worldwide, while others boast that nothing has changed in their business. Beyond the obvious price increases, we also see changes to payout and withdrawal conditions, as some of the standard conditions have become risky. Often this pushes the risk back onto those looking to launder money. While that implies a positive change and a reduction in money laundering overall, those who need the service will likely accept the worsened conditions and continue to use it.

Some businesses which offer services directly relevant to the situation are actually offering significant discounts on their services:

Figure 13: Visa document service offering a discount on Korean G-1 visas for the duration of the pandemic

 

In another segment of the market, stolen credit card shops seem to be starved for fresh data, with sellers cross-posting the same cards to multiple shops. One user complains about this while pointing out that “this week” is generally chaotic in the underground markets:

Figure 14: Stolen credit card buyer complaining about being sold duplicates

 

At the same time, due to a reduction in buyer activity, actors who bought fresh dumps got to use them exclusively rather than find themselves competing with other buyers.

Underground communities pay close attention to the global situation and people’s reactions to it in order to profit as much as possible. Members are inventing schemes tied directly to the ongoing spread of the coronavirus. One actor used a coronavirus map, which tracks the spread of the virus, to mask their malicious payload:

Figure 15: Underground advertising for a malicious coronavirus map

 

The actor is proud of their method and boasts about the scheme getting what they consider a positive review in Forbes.

Malicious actors are riding the COVID-19 wave and using it widely in phishing, scamming, and malware campaigns (covered more in depth in our blogs here and here). But sometimes it feels like right now you can put “corona” or “COVID” in the title and your tool will immediately attract attention on the underground market, even a very average one that is flagged by 6 of 14 AV engines:

Figure 16: Someone offering a crypter named "COVID-19" for no particular reason

 

Actors are turning the many ongoing disruptions into profit. One example is phishing related to the mass cancellation of vacations, flights, and rentals. The actors exploit customers wishing to get their money back, using the excuse of a “Coronavirus Update” to convince users to log in and give away their credentials:

Figure 17: Airbnb phishing page tailored for COVID-19

 

Some actors are using their talents not only for online scamming but also for inventing offline, real-life schemes involving people on the street, abusing the bad situation that the various quarantines around the world have put individuals in:

Figure 18: Underground forum user offering a scheme that exploits people in need of income during the quarantine

 

The poster shares a scheme to scam Ukrainian citizens with ground coffee, abusing the population’s need for alternative income while on quarantine. The general idea is to tell victims they can work remotely sorting coffee beans (so no qualification is required) which will be sent to them by post; they send the beans back once sorted and get paid. The catch, of course, is that the victim has to temporarily pay for the beans being sent to them, supposedly to ensure they don’t simply steal them. Needless to say, once you have paid there are no beans, no sorting, and no money.

 

Another Look at Operations During Pandemic

To balance schemes such as the above, it’s important to note that many members of the underground community explicitly avoid profiting from the situation and implore others to do the same, so as not to make life harder than it already is.

Figure 19: Underground forum members contemplating the ethics of COVID-19 profiteering

 

Others, like social networks above ground, are helping to keep members in a good mood and to spend quarantine time to their advantage. Members are sharing links to free exhibitions, courses, and libraries.

Figure 20: Underground member sharing links to free resources and entertainment


Members of the underground, like most other people, understand the quarantine conditions worldwide. Some use the time for good and take a break from everyday operations, while others adapt and create new schemes, rules, and prices to continue working under these new conditions.

 

Summary

The number of people spending more time at home opens up possibilities for credit card scamming, spreading malware, and attacking the online communication channels corporations are now using as a substitute for in-office communication. Since the beginning of February 2020, researchers have noticed more than 80,000 newly registered domains containing words such as CORONA, COVID, Wuhan and quarantine. While some of them are surely legitimate sites looking to provide information, many were created for malicious purposes.
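As an added example, not part of the original post, here is the kind of keyword triage a defender can run over a feed of newly registered domains to surface the registrations described above. The four keywords are the post's own; the leetspeak table, the lure-word list, the allowlist of official sources and the sample feed are constructed assumptions for illustration, not real registrations.

```python
import re
from typing import Dict, Iterable, List

# The four terms the post reports in newly registered domains.
PANDEMIC_KEYWORDS = ("corona", "covid", "wuhan", "quarantine")

# Words that typically accompany a pandemic keyword in a phishing lure
# (assumption: illustrative list, echoing the "update", "cure", "vaccine",
# mask and refund themes seen in the post).
LURE_WORDS = ("update", "cure", "vaccine", "relief", "refund", "mask", "test", "login")

# Undo common digit-for-letter substitutions so "c0vid" and "wuh4n" still match
# (assumption: illustrative table, not exhaustive).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# Official sources that legitimately use these words (assumption: example allowlist).
DEFAULT_ALLOWLIST = ("who.int", "cdc.gov")


def normalize(domain: str) -> str:
    """Return the registrable part of a domain as one lower-case run of
    characters: TLD dropped, separators removed, simple leetspeak undone,
    so that split or obfuscated keywords are still visible to a substring check."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    registrable = ".".join(labels[:-1]) if len(labels) > 1 else d  # drop the TLD
    registrable = re.sub(r"[-_.]", "", registrable)                 # join split words
    return registrable.translate(_LEET)


def matched_keywords(domain: str) -> List[str]:
    norm = normalize(domain)
    return [k for k in PANDEMIC_KEYWORDS if k in norm]


def matched_lures(domain: str) -> List[str]:
    norm = normalize(domain)
    return [w for w in LURE_WORDS if w in norm]


def is_allowlisted(domain: str, allowlist: Iterable[str]) -> bool:
    """Exact or subdomain match against the allowlist (covid19.who.int -> who.int)."""
    d = domain.strip().lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowlist)


def triage(domains: Iterable[str],
           allowlist: Iterable[str] = DEFAULT_ALLOWLIST) -> List[Dict[str, object]]:
    """Classify each domain as 'allowlisted', 'high' (keyword plus lure word),
    'review' (keyword only) or 'clear'."""
    allowlist = tuple(allowlist)
    results: List[Dict[str, object]] = []
    for domain in domains:
        keywords = matched_keywords(domain)
        lures = matched_lures(domain)
        if is_allowlisted(domain, allowlist):
            verdict = "allowlisted"
        elif keywords and lures:
            verdict = "high"
        elif keywords:
            verdict = "review"
        else:
            verdict = "clear"
        results.append({"domain": domain, "keywords": keywords,
                        "lures": lures, "verdict": verdict})
    return results


# Constructed sample feed (not real registrations) exercising every branch.
SAMPLE_FEED = [
    "coronavirus-update-relief.com",
    "c0vid-19-cure.net",
    "wuhan.virus.info.xyz",
    "quarantine-jobs-online.top",
    "example-bakery.com",
    "covid19.who.int",
]


def run_sample() -> List[Dict[str, object]]:
    return triage(SAMPLE_FEED)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['verdict']:<11} {r['domain']:<32} keywords={r['keywords']} lures={r['lures']}")
```

The normalization step is what makes this worth more than a grep: hyphenated, dotted and leetspeak variants of the same lure all collapse to the same string before matching. In practice you would feed it a certificate-transparency or zone-file diff and hand the "high" bucket to the analyst queue first.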

Given that we’re already seeing a rise in a variety of malicious campaigns worldwide, it’s important for all of us to follow not only the WHO’s recommendations for our health but also good online hygiene. Beyond the usual advice of paying attention to suspicious emails, attachments, and URLs, remember to look at information posted online with a critical eye: look for updates from official sources, visit websites directly to find out what a service is doing in regard to COVID-19, and, as we often repeat: if something seems too good to be true, it probably is.
