Dark web scammers exploit Covid-19 fear and doubt
“They’re exploiting the fear, uncertainty and doubt people are experiencing during the pandemic, and using the anxiety and desperation to get people to buy things or click on things they wouldn’t have otherwise,” says Morgan Wright, a former senior adviser to the US Department of State anti-terrorism assistance programme.
He’s talking about the scammers and criminals that inhabit the “dark web” who have found a new angle – anxiety over Covid-19.
Mr Wright, who is now chief security adviser at security software company SentinelOne, used to teach behavioural analysts at the US National Security Agency (NSA) about the exploitation of human behaviour.
He is now seeing some of those techniques being used on the dark web, an encrypted part of the internet that can be accessed using popular networks such as Tor.
The Tor browser is privacy-focused, meaning it can obscure who is using it and what data is being accessed. It offers bad actors a way to operate with a degree of impunity, as law enforcement find it much more difficult to track down criminals that use it.
What is Tor?
Tor is a way to access the internet that requires software, known as the Tor browser, to use it.
The name is an acronym for The Onion Router. Just as there are many layers to the vegetable, there are many layers of encryption on the network.
It was originally designed by the US Naval Research Laboratory, and continues to receive funding from the US State Department.
It attempts to hide a person’s location and identity by sending data across the internet via a very circuitous route involving several “nodes” – which, in this context, means using volunteers’ PCs and computer servers as connection points.
Encryption applied at each hop along this route makes it very hard to connect a person to any particular activity.
To the website that ultimately receives the request, it appears as if the data traffic comes from the last computer in the chain – known as an “exit node” – rather than the person responsible.
Since the beginning of the global pandemic, marketplaces on the dark web have seen a rise in Covid-19 related products and services. Sought-after N95 masks, gowns, gloves and the drug chloroquine have all been listed on these marketplaces. Last month, security software firm IntSights found blood allegedly belonging to recovered coronavirus patients was even being offered for sale.
Criminals hope a heightened sense of fear will make people rush to buy these products, and as a result these items are not cheap; an Australian Institute of Criminology report found the average fake vaccine was being sold for about $370 (£300), while one supposedly sourced from China was selling for between $10-15,000 (£8-12,000).
One of the reasons for the rise in such sales may be because many fraudsters are having to turn from their normal methods of making money on the dark web – such as selling fake flights booked using stolen airmiles – because these industries are currently dormant.
Many criminals also see an opportunity – as the majority of people are working from home, there is a greater chance of lax cyber security in place.
“There was suddenly a huge shift [on the dark web] of talking about vulnerabilities in collaboration software when they realised people were going to be working from home,” says IntSights chief security officer Etay Maor.
Phishing scams have also been on the rise. These are where fraudsters pretend to be a different organisation or person by email, hoping the person will provide some login details or personal data, which can then be used to steal money or someone’s identity.
“The phishing attacks started with those pretending to be from the NHS, and then extended to secondary organisations that are related to Covid-19 like banks or HMRC emailing about funding, grants or being furloughed,” says Javvad Malik, security advocate at training company KnowBe4.
“Now there are Covid-19 related phishing templates making their way into all of the phishing kits that are available on the dark web – meaning people can imitate Apple or LinkedIn with a set of standard templates,” he adds.
In addition, many services and products, including phishing kits are being offered at discount in “coronavirus sales”.
“There are people who have been specialising in phishing pages, shady VPNs or spamming services for a number of years, who are now offering discounts because they believe it’s the best time to make money and spread these kits,” says Liv Rowley, threat intelligence analyst at Blueliv, a computer and network security firm.
The dark web was designed by the US Naval Research Laboratory, with the idea of enabling human rights activists and people within the military to talk and collaborate in a secure, anonymous way.
While the introduction of bitcoin enabled criminals to make money on the dark web, there remains a huge number of users that opt to use it for its initial purpose – speaking to others anonymously on forums.
According to Mr Malik, these forums have often been used to fuel conspiracy theories around the virus.
“Conspiracies about 5G being the vehicle of this virus, or bioweaponry or that Bill Gates is the man behind it tend to crop up on the dark web,” he says.
As social media companies and other news outlets crack down on misinformation, many others may be pushed onto the dark web. These forums often act as a gateway to marketplaces, for people to plug their products or services to a targeted audience. This could be a way for fraudsters to make further money in the months to come.
The flipside to this is that many journalists, activists and citizens may be using the dark web to communicate in countries where there is a lot of censorship. Tor versions of many news outlets, including the BBC and New York Times, may be used if the original sites are blocked by governments or states, for instance.
Netblocks, a digital rights advocacy group says that many countries have cut access to the web in different ways, as they seek to control the flow of information about the coronavirus outbreak.
Two ransomware groups had said they would not attack any hospitals or healthcare organisations during the pandemic, but as Foreign Secretary Dominic Raab outlined in a recent press briefing, there is evidence that criminal gangs are actively targeting national and international organisations that are responding to the pandemic – including hospitals.
“These organisations are targeted because of how vulnerable they are at this time and because of the likelihood that a ransom would be paid,” says Charity Wright, cyber threat intelligence adviser at IntSights.
The co-ordination and orchestration of many of these attacks often begin on the dark web.
“We are seeing more offerings on the dark web specifically for healthcare-related information and for targeting healthcare facilities and doctors. There’s even a database someone has created on the dark web with all kinds of information about medical staff,” says Etay Maor from IntSights.
At its core, the dark web may still be being used for the same reasons it was intended to be used for – from a privacy and security perspective. But criminals are using this to try to exploit a global crisis for financial gain.
“That’s the double-edged sword that as a society we haven’t quite worked out: how do we safeguard freedom of speech and ensure privacy, but at the same time track down and stop people abusing those freedoms?” says Javvad Malik.