Researchers at Akamai have identified a new phishing campaign targeting users in Brazil who are worried about their finances during the COVID-19 epidemic. Over two weeks, we identified that the three-question quiz campaign successfully targeted more than 850,000 victims, scamming them out of personal information, and in some cases, convincing them to install Adware on their computer.
The scam runs on Portuguese-language websites that offer fake government benefits. In this case, the offer was R$500 Brazilian Real ($96 USD) to low-income families impacted by COVID-19.
The landing page for the scam, seen in Figure 1, tells victims that "the government is distributing R$ 500,000 free of charge to help the population to protect themselves from the virus (sic)"
The page opens with a pop-up asking the victim if they'd like to win "a government prevention kit" free of charge, and goes on to prompt them to answer a questionnaire in order to receive their benefits.
Figure 1: Criminals leverage COVID-19 as part of a three-question quiz scam
As soon as the victim opens the invite, they're prompted to answer a series of questions within five minutes. The questions are simple, and include:
Are you of legal age?
Are you +30 or -30 years old?
Would you share this government campaign with others?
Regardless of the answers provided, the victims are later informed they're eligible for the promised government benefit, but only if they share the campaign with ten friends, or five groups, via WhatsApp, a popular social media platform. An example of this requirement is shown in Figure 2. This arrangement has enabled the scam to propagate with alarming speed, and spread to hundreds of thousands of people within days.
Figure 2: A screenshot shows the COVID-19 scam requiring victims to share the 3-question-quiz in order to receive their alleged government payments
Gaining Victim Trust
Criminals behind the three-question-quiz scams leverage COVID-19 in one of two ways. First, they leverage it directly via domains using some variant of the name coronavirus or covid19 in their URL. Second, they'll reference the pandemic on the landing page. No matter how the pandemic is leveraged, the criminals are banking on the victim's anxiety, insecurity, and fears surrounding the epidemic in order to thrive.
People are worried about finances, their health, and their loved ones, so a promise regarding financial support - or actual testing supplies - will have an impact on the victim's natural gut reaction concerning scams and gain immediate attention. It's basic social engineering and human psychology.
Layering the social engineering element further, the scammers have started including fake Facebook posts commenting about the three-question quizzes in their pages. The posts are generated by a plug-in that creates the comments, names, and profile images displayed. These false posts are used in order to make the scam seem legitimate and ease any lingering concerns or doubts. The comments, seen in Figure 3, even include spelling and grammar errors to boost their legitimacy profile.
However, the same plug-in was used across several of the three-question quiz domains, which made them stand out as fake. In many instances, the same username would appear, but with a different profile image, which is where the generation aspect of the plug-in came to light.
Figure 3: Criminals leverage fake posts on Facebook in order to help spread the three-question quiz scam
Victims who share the scam with friends and contacts were either asked to answer more questions and share personal information, or redirected to a different webpage that prompts them to download a Flash plug-in (figure 4), which is detected as Adware by 15 different anti-virus platforms.
This Adware is where the criminals achieve their financial goals for the campaign, and versions of it were delivered to victims in order to match the operating system they were using at the time. Adware can be leveraged to collect personal information, conduct click fraud, or install third-party software on systems under its control.
Figure 4: Victims are prompted to install a fake Flash update after sharing the three-question quiz
Campaign in the Wild
Examining the statistics, Akamai observed that 99 percent of the victims were located in Brazil, proving the country was the primary focus of the campaign. However, as seen in Figure 5, the total pool of more than 850,000 victims included people from 37 different countries.
Figure 5: Global distribution for the COVID-19 three-question quiz
Figure 7: The overwhelming majority of victims were on mobile and running Android
Based on data collected by Akamai, the COVID-19 three-question quiz scam has been operating for a while, but quickly peaked due to rapid propagation on March 21 and March 22. However, as shown in Figure 8, the campaign started to slow on March 23, and the downward trend continued until the end of the month due to some of the domains involved with the scam going offline.
Figure 8: The COVID-19 three-question quiz scam hit its peak on March 21 and March 22, 2020
Over time, after examining the websites running the COVID-19 scam, there were a few slight changes to images and questions asked, but the essence of the scam itself remained the same - harnessing the fear surrounding COVID-19 in order to propagate and infect people at scale. Based on the numbers observed by Akamai, the criminal's goal was unfortunately met.
Criminals have no scruples when it comes to targeting the vulnerable and engaging them. They design their scam pages and phishing kits to target people and their fears, and in recent years have adapted their tricks to focus on platforms and popularity, such as developing kits that only target mobile users, since nearly everyone is on a mobile device these days. But the added element of social propagation is where many of these scams gain traction, which is a hard process to combat, as people are social creatures.
While this one campaign was clearly geo-targeted to Brazil, the bigger picture shows that the three-question quiz toolkit was used extensively over the last year, across the globe. Some of the scams were seasonal, others targeted specific brands, and others combined the two; but the goal is the same, exploit the victim and compromise their sensitive information and other assets.
Given everything that's going on, vigilance towards these types of operations is needed, and the realization that criminals will leverage events like COVID-19 to target the most vulnerable without a second thought is paramount.
Therefore, when it comes to protecting our friends and loved ones who are practicing social distancing, but remaining engaged on social media, the best defense is a reminder of a golden rule: If it sounds too good to be true, then it is.