Cybercriminals Set up a Fake NHS Website to Spread Malware That Can Steal Passwords
The fact that the coronavirus has sparked a global crisis and has killed thousands of people won't stop the crooks from putting it in the middle of their social engineering tricks. COVID-19 is, actually, something of a blessing for online scammers. It's a new disease that we know next to nothing about, and it's causing widespread panic. People are looking for information related to the virus, and they are more likely to be too distracted to see what they're clicking on. It's the perfect setup for spreading malware.
The World Health Organization declared the coronavirus a global pandemic on March 11, but it was helping cybercriminals distribute their malware long before that. Since then, the crooks have organized countless cybercrime campaigns centered around it, and yesterday, the UK's Daily Mail wrote about the latest one.
A fake NHS website spreads malware
The discovery was made by researchers from Kaspersky, who shared their findings with the British newspaper. For reasons that are not entirely clear, the security researchers decided not to publish a report of their own, which unfortunately means that technical details are practically non-existent. Still, the Mail's coverage can give us an idea of what users can do to protect themselves from the crooks' latest scam.
There is a malicious page that is designed to look like the COVID-19 section on the website of the UK's National Health Service (NHS). Unfortunately, the Daily Mail's report doesn't say how people are led to that page, but the screenshot that was included does show that the crooks have done a relatively convincing job of copying the design. The malicious web page has far fewer links, and, as you might have guessed already, some of them deliver malware to unsuspecting victims.
The name of the malware family that is distributed remains unclear. What we do know is that when users click on any of the links on the page, they are asked to download and launch a file called "COVID19.exe," which triggers the infection. Once installed, the trojan apparently has a variety of information-stealing capabilities. Scraping passwords and credit card data stored in the users' browsers seems to be at the center of the malicious operation, though the Mail's report also says that the malware can exfiltrate text documents from the desktop and receive additional commands from the crooks. Because we don't know whether we're talking about a new strain of malware or an established name, it's difficult to estimate just how big the threat is. The way the whole infection chain is set up does suggest, however, that the crooks are trying to maximize the number of victims.
Why the NHS?
The National Health Service is the UK's publicly-funded healthcare system, and it's fair to say that it's been really popular with the British population. Every Thursday, people all over the country stand in front of their homes and applaud the NHS employees who are on the front line in the battle against the terrible disease. Thanks in no small part to the politicians, the NHS is widely regarded as the only institution that can get the people through this nightmare, and its logo is perceived as a sign of trustworthiness. You should now be able to see how clever the hackers were when they decided to impersonate this particular organization.
This attack once again highlights the dangers associated with seemingly simple tasks like trying to find information about a global event like the coronavirus pandemic. Even if the website you landed on looks legitimate, always double-check the URL and make sure it is the one you expect before you click any links. A bit of vigilance can go a long way when it comes to cybersecurity.
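The URL check recommended above can also be automated, for example in a mail gateway or a link-preview tool. The following is an added example, not code from Kaspersky or the Daily Mail's report; it assumes nhs.uk is the genuine NHS domain, and every URL in it is constructed because the fake site's address was not published.

```python
from urllib.parse import urlsplit

# Assumption: nhs.uk is the genuine NHS domain. The article does not
# give the fake site's address, so every URL below is constructed.
TRUSTED_DOMAIN = "nhs.uk"

def url_warnings(url, trusted=TRUSTED_DOMAIN):
    """Return a list of warning codes; an empty list means no red flags."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased

    if parts.scheme != "https":
        warnings.append("not-https")
    # "https://www.nhs.uk@host/" puts the trusted name in the userinfo part;
    # the browser actually connects to whatever follows the "@".
    if parts.username is not None:
        warnings.append("userinfo-in-url")
    # Non-ASCII or punycode labels can render as look-alike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("idn-host")
    # Match on a label boundary: "nhs.uk.example" and "fakenhs.uk" must fail.
    if not (host == trusted or host.endswith("." + trusted)):
        warnings.append("untrusted-host")
    # The fake page asked visitors to download and run COVID19.exe.
    if parts.path.lower().endswith(".exe"):
        warnings.append("executable-download")
    return warnings

# Constructed sample links (example/documentation hosts only).
SAMPLES = [
    "https://www.nhs.uk/conditions/",
    "https://nhs.uk.covid-advice.example/COVID19.exe",
    "https://www.nhs.uk@203.0.113.7/advice",
    "http://fakenhs.uk/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", url_warnings(sample) or "ok")
```

A page that copies the NHS design still cannot copy the hostname, which is why the check compares the host on a label boundary instead of searching the URL for the string "nhs".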