In times of crisis there are always opportunists who try to take advantage of the situation. This is no different with the current Coronavirus COVID19 pandemic, as the experts from Hornetsecurity can observe more and more campaigns developing quite often. Currently, the percentage of malicious emails containing links to Corona is skyrocketing.

In the following, we will therefore describe how the current crisis situation is increasingly serving hackers as a hook for fraudulent attempts, as well as for the spread of spam and malware.



Compared to the total amount of emails classified as malicious by Hornetsecurity, the amount of emails with the topic Coronavirus is still small, but increasing.

To give readers an insight into how cyber-criminals are exploiting the Coronavirus COVID19 crisis with various activities, the Security Lab would like to present some of their daily observations.



We will take a look at three activities:

– Scams
– Spam
– Malware


Sextortion Blackmailers Pivot to COVID19 Scams

First, we look at scams. A long running evergreen is the sextortion scam. In these sextortion scams, a victim receives an email claiming their computer has been compromised and a video was recorded while they were browsing a pornographic website. In order to prevent this video from being shared with the victim’s friends and family the victim should transfer the cryptocurrency (usually Bitcoin) to a specific Bitcoin Address.
Obviously, the victim’s computer has not been compromised and no video was taken.

One activity group that the Security Lab has previously observed being involved in such sextortion scams,
has pivoted to impersonating the WHO and asking the victims for donations because of the coronavirus.

These scam emails can be seen below:



Another such activity has recent straight up started asking for Bitcoins simply for being infected and staying at home and thus protecting the victim’s home by not spreading the virus:



In the following timeline the increase in activity can be seen – the WHO scam uses the Bitcoin Addresses 16gmYrbqMr4SZeA7SqNVmirhnhDG3maYPK and 13Rfk6FXkqswaYnqMys5BkiDvJbwVdL8TD (colors blue and red) while the scam straight up asking for BTC uses 18P3S6DuNUpW2WLozsrrW6rRd6xh24Rc7N (colored in green):



Other activity groups, however, have not yet jumped onto the coronavirus bandwagon. Hence why the classic sextortion scams are also still in use.


Spam for N95/FFP3 Masks

Next, we take a look at the spammers. These groups usually try to sell the recipient products or services, or try to generate traffic for websites (illicit SEO) or spike interest in stock (market manipulation).

Here it is clear which products related to the corona crisis spammers are likely to spam – masks. Lots of them:

The timeline of these activities shows that not only the diversity in different masks being advertised, but also the overall volume of these spam emails, is increasing:



Malware mass distribution

Last but not least, activities distributing malware have also been observed pivoting to corona related lure emails. To this end, we present insights into one threat activity group that has been observed distributing Formbook [1], Loki Bot [2], Agent Tesla [3] and AZORult [4] malware inside of various archives (ZIP, RAR, ACE, ISO, GZ, …) attached to emails.

While the Security Lab has continuously tracked this activity, on 17 March 2020 some emails belonging to this activity group started using either “corona” or “Covid-19” in either the subject or attachment names. This trend keeps on increasing, as can be seen from the following timeline, which displays emails by this activity group without a corona theme in green and emails with a corona theme in red:



Conclusion and Remediation

In general, the risk to the economy from these threat activities is the same as before the crisis. Cyber-criminals continue to use the same schemes and mechanisms.

However, it is highly probable that potential victims are more likely to fall for the fraudulent practices in view of the current events. Another aspect that should not be neglected is that emails that address sensitive topics in times of crisis also address the psyche of the recipients and may even put a strain on them.

A good email filtering system should prevent these emails from reaching end users’ mailboxes – regardless of whether they contain a reference to Corona or not.

Hornetsecurity’s Spam and Malware Protection offers the highest detection rates on the market with a guaranteed 99.9% spam detection and 99.99% virus detection. This means that even opportunists who want to exploit the Corona crisis have no chance of sneaking into end users’ mailboxes and causing damage.