Coronavirus scam is stealing passwords: What to do

The long-running Folding@home project, which has used the CPU and GPU cycles of millions of volunteers' home and work computers to solve biomedical problems since 2000, recently took on another worthy cause: finding a cure for the coronavirus.

Sadly, the publicity surrounding this noble endeavor has attracted the worst kind of attention. Online criminals are using the Folding@home coronavirus campaign to dupe victims into installing information-stealing malware, according to researchers at security firm Proofpoint.

The malware, which has the filename "foldingathomeapp.exe", is actually a Trojan called RedLine Stealer. It will strip-mine your browsers for any saved passwords, credit-card numbers and login-session cookies. 

RedLine Stealer also rifles through your computer to figure out your username, hardware setup, location and what kind of antivirus software you have. A new feature steals any cryptocurrency you might have stored on your machine.

How to avoid infection by the fake Folding@home software

To avoid falling victim to this scam, resist any suggestions to download the Folding@home software via a link in an email or social-media posting. Instead, go straight to the official Folding@home download page. (There, you'll see that the real Windows installation software is named "fah-installer_7.5.1_x86.exe".)

You'll want to make sure you're running one of the best antivirus products to block this kind of malware. And don't let your browser save credit-card numbers and passwords for important accounts, such as email, social media or anything having to do with banking, shopping or financial transactions of any kind. 

Instead, install and use one of the best password managers to handle those passwords and credit card numbers for you. They're much safer than your browser at saving important information.

Anatomy of a scam

The scam begins with an innocent-seeming email asking you to help combat the coronavirus contagion by downloading and installing the Folding@home client software.

In the version Proofpoint saw, the email's subject line was "Please help us with Fighting corona-virus" and the email seemed to come from someone at LiteGait, an Arizona company that makes physical-therapy and medical rehabilitation equipment. The text of the email even referenced the company's other name, Mobility Research Inc.

There's no reason to believe that this company is knowingly involved in this scam. Rather, it seems like their domain name has been spoofed or hijacked. 

We clicked on the LiteGait site and got scareware alerts and pop-ups to install Adobe Flash Player, which indicated the site had been hacked. But a few minutes later it all looked fine, so criminals may have only briefly hijacked the site's DNS listing.

By the time you read this, the scammers will probably be spoofing a different email domain and possibly be using a new subject line. But they'll still be trying to get you to install a Folding@home client to help fight the coronavirus. Don't do it.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.