CoronaScam.org

Coronascam Financial scams with a COVID-19 twist

Financial scams with a COVID-19 twist

Scammers are using new tactics for manipulation, taking advantage of people trying to make the best out of a bad situation. 

Scammers are using new tactics for manipulation, taking advantage of people trying to make the best out of a bad situation. 

Amidst the COVID-19 crisis, where many people are struggling to find work and scrambling to find new ways to make money, scammers are taking advantage of the situation and seeking to make a profit. Like a fleet of Trojan horses, seemingly non-threatening emails are sent to recipients offering the chance to make some quick income, only to lure them straight into a trap. This has been a particular problem in Europe, especially in Poland, Germany, and Italy.  

image4-1Content of attached PDF

Quick summary


  • Number of victims: more than 17k (10th -17th of May)
  • Platform: email with attachment
  • The trap: tricking people into sharing their personal information via registration

What’s the attack?

  • Setup: The rise of COVID-19 has severely impacted not only stock markets, but most businesses around the world, thereby bringing about hard times for a great many people. This increases people’s susceptibility to offers they would not normally consider, but that seem to present some kind of chance of financial relief.
  • Email attack: Scammers have prepared convincing emails that outline a simple and alluring guide with steps leading to an easy way to supposedly make a monthly income. It’s as easy as 1, 2, 3. Create a registration, make an initial deposit of $250, and make a profit trading cryptocurrency or stocks. So far, the emails that have surfaced are in English and German. But we have reason to believe that there are more translated variants based on the country it’s spread in. The emails have simply a subject line and attachment, containing no additional text other than the text within the attachment itself.

image5-2Scam email with attachment

  • Redirection and misdirection: Inside the attachment resides a bit.ly link that will direct the user to a domain with a blank page. Then, they are redirected through a series of URL redirectors, until finally landing on the scammers landing page on a newly registered domain. Depending on the user’s IP address, the content is automatically generated to produce text of success stories that are filled with links that direct them to the registration page.  

image2-3Scammer’s landing page for GB, CZ, PL

  • Result: Should the recipient fall victim to this scam, the user is motivated to register giving their name, surname, email, and phone number, thereby compromising their personal information. 

image6-1Registration form on detector-million[.]t500track12[.]com

image1-9Pop-up after filling in the registration form

Why is this attack effective?

  • A convincing email and landing page: The attachment linked to a convincing landing page, bolstered with fake Facebook comments with positive feedback and success stories, along with its attractive, and seemingly reliable design, could be enough to persuade many users.

image7-1Fabricated stories used to corroborate the scam 

  • The timing: Given the current situation, people may become more willing, even eager, to try new ways of making an income — making it easy for them to fall victim to this kind of trap set on a shady site offering easy money.

image3-1Number of links detected by country

Scammers are trying to turn as many heads as possible at a time where people’s heads are already spinning with the crisis. Even a simple website without any sophisticated source code could do the trick if they create an offer convincing enough, and if the trap is set at just the right time.