Cybercriminals are taking advantage of the coronavirus crisis to sell everything from masks and ventilators to a way to take over a political website for the purposes of 'raising panic'

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic
  • Three cybersecurity firms recently released reports showing what virus-related goods are being advertised on the dark web.
  • "Medical equipment is in incredibly high demand," says one researcher, who has documented masks listed for sale by the hundreds or thousands, and at a high premium. 
  • Other listings hawk serums, supposedly virus-infected blood, and anti-malarial drugs.
  • In one of the most unusual finds, researchers found a post claiming to auction off access to a politically themed US website "great for raising panic about the coronavirus."

The global pandemic has sparked a thriving COVID-19 black market on the dark web, the shadowy counterpart to the internet where illegal goods are advertised and sold, researchers say.

Medical masks and other personal protective equipment, ventilators that hospitals badly need, and a bizarre assortment of supposed vaccines and blood-related items line the virtual shelves of underground forums, researchers show in three recent reports.

"This is the digital equivalent of walking down the very dark alley in your city where drugs and guns are sold and other illegal activities occur," says Mark Turnage, CEO of the cybersecurity firm DarkOwl, which searches and analyzes dark web content to help companies and law enforcement. "We are seeing a broad spectrum of criminals, from naïve dark net users to sophisticated attackers who are leveraging the virus in heinous ways." In its report, DarkOwl found listings of supposedly infected blood for sale, with sellers suggesting it could be used to infect the buyer's enemies. 

Sixgill, an Israel-based cybersecurity firm, found nearly 2,000 listings of medical masks for sale in one popular dark web marketplace. "Medical equipment is in incredibly high demand," says Dov Lerner, Sixgill's research lead for their report. The masks are often listed in lots of hundreds or thousands, he said, and at a high premium. 

A panoply of fake vaccines and bizarre products supposedly for sale are often just scams to take the buyer's money, says IntSights, a New York firm that helps companies look for threats on the dark web to stop attacks before they happen. "The limited availability of coronavirus testing – especially in countries like the United States – leads to demand for" test kits and vaccines, IntSights says in its report. IntSights also found templates for ransomware and other crimes on the dark web that invoke the virus to frighten victims.    

Researchers say monitoring the dark web provides important insight into crime with a dangerous impact. DarkOwl, for instance, found that after President Trump suggested anti-malarial drugs may have potential use in fighting COVID-19, scammers have also started offering these drugs for sale on the dark web. An Arizona man died after taking the wrong kind of chloroquine. 

"There are a lot of things that are sold on the darknet," says DarkOwl CEO Turnage. "If you don't monitor it, you can't protect people."

Here are nine examples of dark web items for sale and discussions among criminals related to COVID-19. 

Infected blood advertised

Infected blood for sale
COVID-19 blood for sale from a dark web report by DarkOwl. DarkOwl

While the rest of the world seeks to avoid the virus, there is a demand for it on the dark web.

DarkOwl cites numerous scammers offering samples of the COVID-19 virus via blood samples and saliva. A listing from March 31 "attempted to imbue legitimacy into their listing, stating that they were a 'laboratory doctor in Spanish public health' who successfully obtained '24 blood samples and infected sputum of the new COVID-19'," DarkOwl writes in its new report.

Another ad found by DarkOwl stated the seller's father was infected with COVID-19 and while at the hospital the seller managed to collect blood. DarkOwl says it found a separate listing that pitched the live virus as "great for the coworker you don't like. Or spread it in the ghetto if you're like that or maybe let it loose at the country club."

There is no vaccine yet – except on the black market

Fake coronavirus vaccine
Fake coronavirus vaccine is for sale on the dark web in ads found by the company IntSights. DarkOwl

News of Israel making progress on a COVID-19 vaccine prompted a slew of postings offering supposed cures early, IntSights reports. The most believable vaccine ads are detailed listings citing specific Israeli research labs, the origin of the vaccine, and a price of $115. The most questionable, shown here, offers 10 vials for $10.

In another marketplace, an ad promotes saliva from an infected person that could supposedly help build immunity against the virus.

Meanwhile, IntSights reports ransomware groups targeted HMR, a company helping to develop tests and vaccines for COVID-19. 

Hospital ventilators posted for sale

Hospital ventilators for sale
This screenshot from a recent Sixgill report on the dark web shows a posting of a hospital ventilator for sale. Sixgill

Researchers have found a booming black market of listings of items related to COVID-19 for sale. "Profiteering and scams include hoarding and selling items in high demand. Some, presumably, claim to be selling such items and take the money without providing any goods," Sixgill writes in its recent report. "While we could not locate anyone selling truckloads of toilet paper (we searched), we did find, more insidiously, actors seeking to hoard or sell medical items such as ventilators, masks, and testing kits."

Ventilators have been precious items in the life-and-death fight against the virus in hospitals, especially in New York City. The desperation to find more of the machines has driven dark web scams, researchers say. 

Zoom hackers thank each other for access

Scammers hand out Zoom accounts
Zoom hackers thank each other for access in this screenshot from a dark web forum discovered by the cybersecurity company Sixgill. Sixgill

The cybersecurity company Sixgill found this exchange in a dark web forum in which a hacker was handing out access to real Zoom videoconferencing accounts. Zoom has seen use of its platform skyrocket during the boom of remote work during the virus – but has also seen a spike in security issues.

In a recent report, Sixgill said there has been a boom in scammers posing as other people during the virus, and found dark web mentions of social engineering within the context of coronavirus rose eightfold in March.

Sixgill says monitoring the criminal underground is important: "We must caution that the dark web is a testing ground of malign ideas; if an actor shares a 'success story' of how he made money, many copycat attacks should be expected in the immediate future." 

Desperately needed N95 masks for sale on the dark web

N95 masks for sale
DarkOwl found this listing for N95 masks for sale on the dark web. DarkOwl

Researchers found all types of masks are for sale on the dark web, including the N95 respirator type in high demand. DarkOwl's report found this listing for N95 masks in packs of 10 for €80 ($87).

DarkOwl also found groups selling N95 masks and listing their certified expiration dates, and selling designs for 3D printing protective face shields.

In its report on dark web virus postings, Sixgill found a profiteer who wrote: "I'm looking to order huge quantities: 10 million pieces. It's very hard to find direct supplier cause of large demand."  

Medical professionals have been desperate for masks to protect them while they work throughout the virus outbreak. 

Extortion and fear tactics through ransomware

I could infect your whole family
IntSights found this ruthless ransom note invoking COVID-19 as part of a ransomware scam that locked up computers demanding payment. IntSights

"Threat actors all over the world are exploiting people's fears around COVID-19 in order to make money," the cybersecurity firm IntSights wrote in its report. This ransomware letter tells the victim "I could even infect your whole family with the Coronavirus" if payment wasn't made.

"These types of fear tactics work on a vulnerable population of people during a frightening pandemic," IntSights wrote. "Threat actors use these fear tactics because they work."

IntSights also cited a ransomware attack on HMR, a UK company that has recently taken an active role in developing tests and vaccines for COVID-19. The company was attacked on March 14th, with medical records of over 2,300 patients and employees leaked.

'How do we cut a few slices off' COVID-19 aid?

Dark web listing on COVID-19 Loans: Enough for everyone
Sixgill has observed dark web discussions regarding how to acquire federal business loan money. Sixgill

The economic stimulus package to help businesses and citizens rebound from the virus crisis spells opportunity for fraudsters in the criminal underground, Sixgill found. "In times of crisis, government funding and aid money is readily available, sometimes without the regular procedures and precautions that normally exist to prevent fraud. Malicious actors seek to take advantage of this."

On the dark web, Sixgill has observed several discussions between users regarding how to acquire federal business loan money. Judging by their conversion of dollars to euros, the users don't appear to be in the US.

"The Federal Government provides around half a trillion (that's $500 billion) euros for companies and entrepreneurs financially damaged and at risk. Fast and unbureaucratic. It can be assumed that there will be a real flood of applications. So the question is, how do we cut a few slices off it?" 

Political website for sale – and nation-state propaganda

Political website for sale
In this screengrab from the dark web captured by Sixgill, a hacker tries to auction off access to a top-200 political website. Sixgill

In one of the most unusual finds of recent dark web analysis, researchers from Sixgill found a post in which an actor claims to be auctioning access to the cloud platform of a top-200, politically themed US website. The actor notes that the site would be "great for raising panic about the coronavirus." The auction began at $20,000.

Another company, IntSights, found other forms of political chaos for sale, including the "spread of disinformation by state-sponsored operations to create dissent and disrupt world markets, elections, and authorities. Politicians and militaries alike are employing psychological operations on adversary populations to cause conflict, division, and dissent around this pandemic." Russia, North Korea, China, and Pakistan are the most frequent offenders, IntSights says in its report.

And DarkOwl found one bad actor who spread misinformation, much of it about COVID-19, to 76,000 different web pages. 

An illegal gun dealer laments the inconvenience of the virus

Gun dealer: Coronavirus is affecting everything
An underground arms dealer asks customers to be patient in this screengrab from the dark web from the cybersecurity company Sixgill. Sixgill

Many users on the dark web "discuss stockpiling weapons and ammunition," Sixgill says in its report. This listing from a virtual store purported to be selling "guns, military items, and explosives," implied that there is a backlog on orders because of the coronavirus:

"Please be patient, as the coronavirus is affecting everything," the proprietor says. 

Sixgill noted in its report that many discussions on the dark web "focus on how individuals are preparing for the virus. This includes individuals relating amassing food and other necessities."
