Coronavirus 'cure' emails are spreading malware, stealing passwords

Hey, there's a secret cure for the Wuhan coronavirus, but the government won't let you use it! Click here for more!

If you fell for that, then you might fall for similar phishing emails that promise details of this supposed plot against humanity and/or offer to provide tips on how to prevent becoming infected by the disease. 

The catch is that in order to read any of that crucial information, you'll have to provide credentials to your personal or workplace email accounts, or open a document that will infect your PC with some particularly nasty malware that can steal your passwords or fully take over your computer.

So say the researchers at Proofpoint, who posted examples of these criminal scams in a blog post yesterday (Feb. 13). 

"These latest examples serve as a reminder that users should be watchful and exercise caution where Coronavirus-themed emails and websites are concerned," wrote Proofpoint's Sherrod DeGrippo.

The best antivirus software should stop the malware, but it won't always stop the phishing attacks, which rely on human, not digital, weakness. To stop those, ask yourself why a random site wants account credentials, and check the URL of each page to make sure you're actually where you should be.

What's in the coronavirus scam email

"The world has been struggling to contain this deadly virus developed and sprayed by wicked scientists to reduce the population of the world so the government will have control over you," reads one email that Proofpoint cited. "Our secret medical scientist team has developed the cure ... For those interested to secure their lives kindly reply and get more information about shipping and delivery to you."

The email presents a link to a "free health guideline" that leads to a website asking for the victim's DocuSign username and password. DocuSign is used by corporations, PayPal and the U.S. Internal Revenue Service to authenticate documents, so those credentials would be immensely valuable to thieves.

A few other emails dial down the conspiracy theories, but nonetheless pretend to come from some authority — the World Health Organization (WHO), a (fake) Australian government agency, a company president — and offer to give you safety tips in an attached document or included web link.

Phishing, keylogging and total control of your PC

The company president's email contains a Microsoft Word file that links to a phishing site asking for your corporate network credentials. The WHO email has a "CoronaVirus Safety" attachment that is actually a keylogger, capturing everything you type and sending it to the attacker. The Australian email takes you to another phishing site that asks for your Adobe Creative Cloud account credentials.

Proofpoint's last example is worst of all. It also pretends to come from corporate leadership and offer coronavirus safety tips, but it doesn't just try to steal your account credentials. Instead, an attached file opens up to install the NanoCore RAT, a remote-access Trojan that gives a far-off attacker total control over your PC.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.