The NYPD is on alert over a sick COVID-19 blackmail scheme where unsuspecting people are targeted online by scammers who threaten to infect their families with the coronavirus if they refuse to pay the fraudsters money or cryptocurrency.
According to a sensitive law enforcement document reviewed by The Daily Beast—headlined ‘Scams and Fraud Campaigns Exploiting COVID 19 Likely to Continue,’ and dated April 20—“the pandemic has created an environment ripe for fraudulent activity with threat actors leveraging fears of the virus to perpetrate a variety of malicious and criminal exploitation.”
The confidential NYPD briefing document goes on to state that “threat actors around the world have flooded the internet with COVID-19 themed phishing scams in attempts to capitalize on fears of the virus for financial gain.”
The NYPD’s deputy commissioner of Intelligence and Counterterrorism, John Miller, told The Daily Beast in a statement, “The commercial scams, trying to defraud institutions out of hundreds of thousands of dollars, are complex and layered. These are of great concern because of the amounts of money involved and the fact that the person who pays needs these supplies to protect patients or customers.”
Those commercial scams have involved people selling fake personal protective equipment (PPE) to hospitals, health-care unions and even government agencies. The demand for testing equipment and the need for new testing measures have also presented a vulnerability that fraudsters have been keen to take advantage of, according to the intelligence document.
“The blackmail scam has been less successful because... it is a little more far-fetched but it’s playing on people’s fears,” Miller added. “The bad guys buy the names and passwords in bulk from the dark web, so if you send out 300,000 of these emails you only need a few people to fall for it to make a nice profit for very little investment.”
The COVID-19 scam that has concerned police is based on an earlier “porn-extortion” fraud that came to prominence a year ago, according to an NYPD Intelligence Bureau official.
In that scam—which law enforcement sources say was very successful—potential victims were sent an email with their username and password. The sender would write, “now that I have your attention I need to tell you I have access to all your accounts and your passwords, as well as the kind of material you’ve been looking at.”
“The email goes on to imply that the target has been caught looking at all kinds of porn sites and other disgusting material and that the writer of the email has been able to access the user’s WebCam and record video from the camera as well as screen and now has split screen recordings of the material,” the NYPD official told The Daily Beast.
As it turns out, it’s all a bluff: the fraudsters never have access to the victim’s WebCam or computer. The scam succeeds because the victim has no way of knowing for sure that they have not been compromised, and the fact that the conman has their email and password gives the scammer credibility in the mind of the victim.
The COVID-19 fraud the NYPD now has on its radar is a new twist on the “porn-extortion” scam and the intelligence document states, “based on the researched dataset, this type of fraud has had limited success.” It’s unclear how the criminals would be able to carry out their callous threats.
“The reason to talk about it is so that people will recognize it if they get one of these,” Miller said, referring to emails from scam artists. “They also need to know this person has not hacked their computer, hasn’t had access to all their information, and that the fraud depends on people believing that those claims are true.”
Scammers typically obtain a person’s email and password from websites that have been hacked, such as in the Capital One data breach, and whose user credentials were then posted on the Internet. Criminals, legitimate security researchers, and others can access those password dumps on hacking forums, illicit dark web markets, or file-sharing sites.
Jeremy Kennelly, manager of analysis at Mandiant Threat Intelligence, warned that “anyone can be a victim” but described this COVID scam as “low art.”
“It’s not completely unexpected. A lot of these financially-motivated cybercriminals will alter their campaigns to have themes consistent with whatever the issue of the day is. It’s effectively the same pattern and it may even be the same people,” Kennelly told The Daily Beast.
“There are people who might take seriously the idea of paying but I would say the narrative of the porn scam is more immediate to people as it speaks to something more personal but the COVID themes you would suspect the concept that someone is going to infect you and your family with if you don’t pay X amount of bitcoin is a little ridiculous. But it doesn’t mean that with the latent anxiety around COVID there aren’t certain people that could fall prey to it.”
While the NYPD appears to be on the front foot in addressing the threat that cybercriminals pose while the world deals with the pandemic, U.S. authorities seem to be lagging behind other countries like Australia where officials have gone on the offense.
“We are hitting back through the Australian Signals Directorate, who have already successfully disrupted activities from foreign criminals by disabling their infrastructure and blocking their access to stolen information,” Australia’s Minister for Defense Linda Reynolds said.
Kennelly, who has worked at the frontlines of fighting cybercriminals for a decade, said both the private and public sectors are redoubling efforts to go after people exploiting the virus.
“These campaigns only add to the environment of fear but unless things progress in a less different way that has been predicated, retaliatory actions can operate only on a slow timeline when it comes to cyber activities and the outcome of response is only likely to be seen as the world recovers from the virus.”
As far as this COVID-19 blackmail scam goes, Kennelly has some simple advice for anyone who is targeted.
“The only correct thing to do is delete it. There’s no value in interacting with the sender. You should delete it and reset your passwords.”