A free coronavirus vaccine from the World Health Organization (WHO), for only $4.95 to cover shipping costs?!?

Nah, we didn’t think so, either. On Sunday, the US Department of Justice (DOJ) announced that it shut down what it called a wire fraud scheme being carried out by the operators of a site in order to squeeze profit from the confusion and widespread fear surrounding COVID-19 – by promising to ship coronavirus vaccine kits that don’t actually exist.

Let us state the obvious, or, rather, quote the DOJ’s statement as it states the obvious:

There are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine.

The site – now offline but available as an exhibit attached to the DOJ’s civil complaint – was offering consumers access to WHO vaccine kits in exchange for a shipping charge of $4.95, which consumers would pay by entering their credit card information on the website.

Per DOJ request, US District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the scam site – listed as NameCheap in its Whois Record – immediately take action to block public access to it.

The DOJ says that this is its first enforcement action taken against COVID-19 fraud. Dollars to donuts says it won’t be the last, given that we’ve seen plenty of cyberscum trying to make money off of people’s misery and uncertainty.

Coronavirus-themed cybercrime

We’ve seen:

  • Android malware that uses COVID-19 for a combination of sextortion and ransomware.
  • A phishing scam hiding behind the mask of the WHO to offer coronavirus “safety measures” and to steal your credentials.
  • A disinformation campaign carried out via SMS, email and social media that lied about a national quarantine of the US being imminent. The campaign coincided with a distributed denial of service (DDoS) attack on the place where people in the US go to get their health news: the US Department of Health and Human Services (HHS).

The DOJ says it’s still investigating the site, coronavirusmedicalkit.com. As of Sunday, investigators didn’t know who its operators are. The tech contact for the site is listed on the WhoIs registry as WhoIsGuard Protected, with an address in Panama and an IP address coming out of Lansing, Michigan, though who knows where its server is really hosted. It’s easy to obscure an IP address location through techniques such as using a virtual private network or Tor, for example.

What to do

The DOJ has the following slew of precautionary measures to take in order to keep from getting snared in any of the emerging COVID-19 scams. If they sound exactly like the general tips for staying safe online that we pass out all the time, that’s for a good reason: the crooks are always out there trying to scam us, and the pandemic is the most recent attention grabber that they’re hoping to use to exploit us, catching us when we’re feeling panicky and unsure of what to do.

Do what you normally do to stay safe online, in other words. Just beware that there’s a new angle the crooks are trying to leverage to get your attention, your financial details, your personally identifiable information (PII) and whatever else they can swipe. To say safe, make sure to take these steps:

  • Independently verify the identity of any company, charity, or individual that contacts you regarding COVID-19.
  • Check the websites and email addresses offering information, products, or services related to COVID-19. Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating. For example, they might use “cdc.com” or “cdc.org” instead of “cdc.gov.”
  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes. Legitimate health authorities will not contact the general public this way.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Make sure the anti-malware and anti-virus software on your computer is operating and up to date.
  • Ignore offers for a COVID-19 vaccine, cure or treatment. Remember, if a vaccine becomes available, you won’t hear about it for the first time through an email, online ad, or unsolicited sales pitch.
  • Check online reviews of any company offering COVID-19 products or supplies. Avoid companies whose customers have complained about not receiving items.
  • Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving any donation. Remember, an organization may not be legitimate even if it uses words like “CDC” or “government” in its name or has reputable looking seals or logos on its materials. For online resources on donating wisely, visit the Federal Trade Commission (FTC) website.
  • Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. Don’t send money through any of these channels.
  • Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus. If you decide to invest, carefully research the investment beforehand. For information on how to avoid investment fraud, visit the U.S. Securities and Exchange Commission (SEC) website.

For the most up-to-date information on COVID-19, visit the Australian Department of Health and WHO websites.

The DOJ is urging people in the US to report suspected fraud schemes related to COVID-19 by calling the National Center for Disaster Fraud (NCDF) hotline (1-866-720-5721) or by emailing the NCDF at vog.oelnull@retsasid.

Stay safe, wash your hands for 20 seconds a pop, and good luck avoiding the crooks!


Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner