Cyber Criminals Target Indian Users with a Fake COVID Subsidy of INR 50,000

Have you by any chance received a message claiming that people are eligible for a COVID-19 put you at subsidy? Beware, it might put you at risk. The Research Wing of CyberPeace Foundation and Autobot Infosec Pvt. Ltd. initiated a study to check whether these websites are legitimate or an online fraud. 

Warning Signs:

• The campaign is not hosted on the official website of the respective foundation.

• Multiple redirections have been noticed between the links.

• No reputed site would ask its users to share the campaign on WhatsApp.

• The prizes are kept really attractive to lure the laymen.

• Grammatical mistakes have been noticed.

The Research Wing of CyberPeace Foundation had received WhatsApp messages containing a link claiming people can earn INR 50000 as COVID-19 subsidy. The message read:

“Get your new Coronavirus subsidy 50,000 INR. Click to receive amtb8.77esport.com.”

On the landing page a congratulations message appears with the offer details which promises to give a subsidiary of 50000 INR to 100000 INR in the name of the Coronavirus foundation.

Upon scrolling further down, it asks the user to answer a few questions like gender, age or if the recipient or their family members were affected by COVID. Once the user finishes the survey, a congratulatory message is displayed with a ‘Click to Claim’ tab. Following the message it prompts the user to send the message to five other contacts over WhatsApp.

After an in-depth study of the messages, the URLs it used, the research team found that:

1. The campaign is pretended to be an offer from “Coronavirus Foundation”, if the foundation really exists, the campaign should have been hosted on the official website of the respective foundation instead of any third party domain which makes it more suspicious.

2. The research team found multiple redirections between the links.

3. The prizes are kept really attractive to lure the laymen.

4. All the domain names associated with the campaign have the registrant country as China.

5. During the phase of analysis especially focused on the background behaviour of the site, the Research Team noticed a simultaneous connection was being established to a domain listentome.oss-ap-southeast-1[.]aliyuncs.com. Which again belongs to China.

Based on the study, CyberPeace Foundation suggests the following:

• CyberPeace Foundation recommends that people avoid opening such messages sent via social platforms.

• Falling for this trap could lead to whole system compromisation (access to microphone, Camera, Text Messages, Contacts, Pictures, Videos, Banking Applications etc.) as well as financial loss for the users. One must always think before clicking on such links, or downloading any attachments from unauthorized sources.

• Do not share confidential details like login credentials, banking information with such a type of scam.

• Never share or forward fake messages containing links with any social platform without proper verification.