Bogus HIV test results are the latest lures used by cybercrooks

That stream of health-related phishing means at least some of it is working.
(Flickr/Wheeler Cowperthwaite)

It’s open season for hackers who prey on public health fears to try to dupe people into installing malware.

As phishing attempts related to the novel coronavirus surged in late January, another health-related scam was kicking off. Crooks were sending people fake HIV test results that were laced with malicious code. To make the ruse more believable, the emails purported to come from Vanderbilt University’s prestigious medical center.

“The psychology behind that is: Whether or not you recently did an HIV test, it is very possible that you would still be interested to see HIV test results,” said Sherrod DeGrippo, who heads the threat research and detection team at Proofpoint, the cybersecurity company that discovered the phishing campaign.

“And so it goes from a fear-based emotion to a secondary emotional reaction, which is curiosity,” DeGrippo told CyberScoop.


Health-related phishing lures are nothing new, but DeGrippo says they appear to have grown more popular with criminals since the emergence in December of the novel coronavirus, which has infected over 100,000 people globally.

Different sets of hackers are behind the coronavirus and HIV-themed campaigns, but they are drawing from the same playbook.

“We often see these actors tracking each other and watching what other lures are out there,” DeGrippo said.

High-profile targets

A group of Russian-speaking, financially motivated hackers appears to be behind the HIV-related phishing, DeGrippo said. They sent out roughly 200 emails to employees of big pharmaceutical, health care, and insurance companies in North America and elsewhere in an effort to install malware known as a remote access trojan (RAT) on the target computers. The Koadic RAT, which is publicly available, lets hackers track keystrokes and upload their own code to a victim’s computer.


As she pored over the attack data, DeGrippo posited that the hackers had bought a list of corporate emails from the black market and whittled it down to corporate employees, like someone in a management role, who are worth targeting.

Proofpoint says it blocked all of the attempted attacks on its own clients. However, a company only sees the networks it is protecting, meaning there could be victims of the campaign who aren’t clients.

The broader flood of health-related phishing activity shows no signs of stopping. The Department of Homeland Security’s cybersecurity wing and the Federal Trade Commission have warned of coronavirus-related scams, and cybersecurity companies are telling clients to be on their guard.

The Health Information Sharing and Analysis Center (H-ISAC), a cyberthreat sharing hub for health care organizations, recently alerted members to the risk of hackers exploiting coronavirus and told them to patch their systems.

Because of its global reach, the coronavirus disease, COVID-19, is a bigger opportunity for cybercriminals to exploit than other health issues, said Errol Weiss, H-ISAC’s chief security officer.


“Cybercriminals are using phishing lures with the coronavirus theme for everything from credential stealing to business email compromise to ransomware attacks across all sectors, and they have billions of people across the globe to target,” Weiss told CyberScoop in an email.

That stream of health-related phishing tells DeGrippo that at least some of it is working.

“These are not groups of people that waste their time,” DeGrippo said of organized cybercriminals. “They do things that work. If it doesn’t work, they stop and change.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.