Coronavirus scams exploit fears with phishing and malware attacks

Edward G. | March 19, 2020

With a global crisis, comes a number of cybercriminals attempting to take advantage of emergencies to propagate scams. The pandemic over the Covid-19 coronavirus is no different. Bad actors didn’t take long to catch onto the pandemic panic and hit the internet with the wave of 2,500 coronavirus-associated infections in one single day. Also, over 4,000 coronavirus-related domains have been registered since the beginning of 2020, with 50% of them considered as malicious.

Email scams to cash in on your fear

On a single Monday (March 16th), between 10 am and 5 pm (CET), hackers spread a total of 2,500 malware infections, according to ESET’s security researcher Jiri Kropac. In the coronavirus-themed emails, criminals inserted a malicious file, which, if opened, spreads the malware all over the device. Before that, the number of attacks was counted only in tens.

According to Jiri Kropac, cybercriminals are split up into two different groups. The first one spreads the virus to get access to the victim’s computer so they could install more malicious software. The other half instantly steals personal data from the infected device. Both groups, for now, target Windows machines solely. Spain, Portugal, Malaysia, Germany, and the Czech Republic remain the most hit as of yet. Another security firm Proofpoint noticed that criminals not only target individuals, but whole industries at once, as well. The U.S. healthcare, manufacturing, and pharmaceutical firms.

Some scammers impersonate representatives of the World Health Organization, while others masquerade as health-related organizations. The emails attempt to trick a victim into opening an attachment by promising Covid-19 safety measures or information on vaccines. If a person clicks on one of the files promising the safety guidance towards the coronavirus, it downloads either “Trickbot” or “Fareit” malware package. The “Trickbot” typically tries to steal the user's banking information while the “Fareit” logs keystrokes, which hijacks all login credentials.

Coronavirus phishing email

Fake Covid-19 websites

In addition to the widespread targeted coronavirus-related phishing campaigns, a cybersecurity company Check Point announced another dangerous scam. Snoops are rapidly registering vast numbers of potentially malicious coronavirus-themed websites. Since January 2020, there are over 4,000 new sites containing words like “corona” or “covid.” As a comparison, only 3 percent globally registered non-corona-related websites found to be malicious, with an additional 5 percent considered suspicious. Coronavirus-themed domains are 50 percent likely to be dangerous compared with other websites registered in the same period.

Coronavirus malware rise

The following domains show signs of malicious behavior and are most likely dangerous:

  • coronavirusstatus[.]space
  • coronavirus-map[.]com
  • canalcero[.]digital
  • coronavirus[.]zone
  • coronavirus-realtime[.]com
  • coronavirus[.]app
  • coronavirusaware[.]xyz
  • coronavirusaware[.]xyz
  • corona-virus[.]healthcare
  • survivecoronavirus[.]org
  • vaccine-coronavirus[.]com
  • coronavirus[.]cc
  • bestcoronavirusprotect[.]tk
  • coronavirusupdate[.]tk

The National Cyber Security Center (NCSC) assures it already took measures to uncover and remove malicious websites run by criminals. As of now, the domains are not linked to criminal activity, as there are no confirmed cases yet. But the agency warns that as the coronavirus outbreak intensifies, they expect the volume of scamming incidents to rise in the upcoming weeks.

How to avoid falling victim

Remember - scams target your fears. At the most vulnerable times, you should pay close attention to avoid any criminal to take advantage of you and the coronavirus situation. Don’t let them!

First, if you received an email from someone claiming to be an associate of the World Health Organization, but it does not come up from an address ending with “,” it’s most certainly a scam. For instance, you can receive fake phishing emails from CDC (Centers for Disease Control and Prevention) with the address ending “” instead of the correct “”

Even a legitimate email address is not a guarantee of safety. Scammers can spoof authorized addresses or even hack the email accounts. In such a scenario, you should note what the letter is asking you to do. An email asking you to provide an account password, banking information, or Social Security number, is a massive red flag. No one should ever ask you to provide such details over an email. WHO released a separate report encouraging people to beware of cybercriminals and provided points on how to authenticate a legitimate WHO representative.

Don’t open any links and odd-looking attachments put on the email. Make sure where that link intends to take you before you click on it. An easy way to check the destination is to hover your mouse cursor over a link for a few seconds until the URL pops up. Before you click on it, make sure that it’s leading you to a website you recognize. If not, close the email and delete it to avoid any further risk. Hence, beware of spelling errors in emails or websites, lookalike domains, and unfamiliar email senders. Only by taking extra precautions and paying close attention to details will help you avoid becoming a victim.

Edward G.

Edward G.

Cybersecurity Researcher and Publisher at Atlas VPN. My mission is to scan the ever-evolving cybercrime landscape to inform the public about the latest threats.



© 2023 Atlas VPN. All rights reserved.