Brazilians Are Tricked by Coronavirus-Themed Phishing Scam

• A pretty large scamming campaign is targeting Brazilian internet users and has claimed 850k victims already.
• The victim starts with a quiz, then is redirected to a phishing page, and is finally convinced to install malware.
• The campaign is ongoing, albeit at lesser rates, and is dynamically evolving by changing its constituting elements.

Akamai researchers have identified a new phishing campaign that is targeting Brazilians, using the COVID-19 pandemic as a theme. Until now, more than 850,000 internet users have been successfully tricked, sharing their sensitive personal information with the actors and even installing malware on their systems. The campaign is in Portuguese, and the actors are spoofing the Brazilian government, presenting a fake promise of providing financial aid to low-income families. In addition to this, they are also promoting a free “prevention kit,” which includes gloves, masks, and disinfectants.

Source: Akamai

The victims receive an email, which leads to a landing page where the visitor is urged to take a quiz. The three questions concern the age of the visitor, their willingness to share the “government” campaign with others, and their righteousness to benefit from the program. No matter what answers are given, everyone is deemed eligible for the prevention kit and also an aid of 500 Brazilian Real, which is approximately $95. The URLs of the landing page generally contain the “covid19” part, and the campaigners are promoting them on Facebook too. There, fake social media profiles post praising comments about the quizzes, trying to increase the legitimacy and also the reach of the scamming campaign.

As to what happens to those who answer the first questions and click the bait, they are getting more questions to answer, but this time, the questions revolve around their personal information. Upon another redirection, they are even prompted to download a Flash plug-in that is nothing else that a malware. The particular strain that is used is capable of conducting adware click-fraud, collect personal information from the infected system, and install additional payloads.

Source: Akamai

The peak of the campaign was between March 21 and 22, but it is still active to this day. While 99% of the victims are in Brazil, the emails and social media posts have reached 8,500 victims from 37 other countries as well. As for the platform, the actors have implemented a Javascript code that ensures only Android users are accepted. The reason for this discrimination is unknown, but it may have to do with a generic approach to increase the campaign’s success rate. The Android platform is the most accessible out there, so they increase their chances to reach people who are in financial trouble.

Finally, Akamai researchers point out that the phishing actors are changing the questions, images, and also the landing page URLs of their campaign, trying to maintain a detection-avoiding diversity. It means that you should remain vigilant as the signs of danger are continually changing. No matter what you receive, think with composure before you act, and look for things that don’t make sense. In this case, why would the government ask you to share their campaign with more people?