Fake COVID notification apps and websites aim to steal money and personal data
Thousands of fake Canadian government websites, emails and apps that take advantage of the pandemic to try to mine personal data or steal money have been taken down in the last few months, according to the Canadian Centre for Cyber Security.
The centre leads the federal government’s response to cyber-security events, defends Ottawa’s cyber assets and provides advice to Canadian industries, businesses and citizens about how to protect themselves online.
Evan Koronewski, a spokesperson for the centre, said in an email the fraudulent websites are impersonating the government of Canada to “deliver fake COVID-19 exposure notification applications, designed to install malware on users’ devices.”
Koronewski said those programs were created to steal personal information or money.
Since March 15, the centre has helped remove more than 4,000 such fraudulent sites or email addresses, he said. In some cases the sites were pretending to be the Public Health Agency of Canada or the Canada Revenue Agency.
“This work continues each and every day as we identify and remove more of these fraudulent domains,” said Koronewski.
He couldn’t say how many Canadians have been taken in by these particular scams.
But the Canadian Anti-Fraud Centre, a separate federal organization, said between March 6, 2020, and Jan. 10, 2021, there were 8,583 Canadian victims of a wide range of COVID-19 fraud.
Those included everything from people buying fake vaccines and COVID test kits, to identity theft and ransomware attacks. In total, COVID-19 fraud has cost Canadians $7 million, according to the anti-fraud centre’s website.
The government of Canada’s actual COVID Alert app started to be rolled out in July in Ontario, and went online in Newfoundland and Labrador, Saskatchewan and New Brunswick later in the summer. Nova Scotia, P.E.I. and Quebec signed on in the fall. Alberta and British Columbia are the only provinces that haven’t adopted the app.
In Nova Scotia, for instance, the app allows users who test positive for COVID-19 to enter a code supplied by the Nova Scotia Health Authority. It then sends an alert to any phone with the app that has been in close contact with the person who tested positive.
But no matter how fast the government works, scammers continue to pump out fake, malicious websites and COVID-19 apps.
At the beginning of the pandemic, many app stores contained these fake apps, said Florian Kerschbaum, an associate professor in the school of computer science and director of the University of Waterloo’s cybersecurity and privacy institute.
App store administrators like Apple and Google were quick to crack down and remove the offending apps.
“Still, there are a lot of COVID apps which make false promises and basically just try to abuse your information and do strange things,” said Kerschbaum.
The scammers who make the apps are looking to steal people’s personal information and then sell it on the dark web, according to Arash Habibi Lashkari, an assistant professor and research co-ordinator at the University of New Brunswick’s Canadian Institute for Cybersecurity.
Information such as a person’s credit card number, full name and home address is a valuable commodity, he said. That information could be used for a range of purposes including being sold to adware producers. It could also be used to steal someone’s identity or put ransomware on their phone, encrypting it until the scammer is paid off.
Lashkari said people need to carefully review the terms and conditions of an app before they install it. People should avoid the app if the terms seem odd.
And people should consider which systems on their phone or computer an app wants permission to access, and determine if that matches up with what the app is supposed to do. If you download photo editing software, for instance, and it wants access to your telephone contact list, that should raise some red flags, he said.
Even if people are vigilant, installing an app from a questionable publisher comes with risks.
“There are, I don’t know, thousands [of] methods that they can hide their abnormal activity from the user,” said Lashkari.
Anyone looking to download the government of Canada’s COVID Alert app should only do it from trusted app stores, said Kerschbaum and Koronewski. Kerschbaum also said if people don’t recognize the publisher of a COVID app then they shouldn’t download it.
Any Canadians who believe they may have received a fraudulent message via email or text are encouraged to report the activity to the Canadian Anti-Fraud Centre, said Koronewski.
“Rely again on the recommendations by the app store and by the government and you will be safe. But don’t install … every COVID app that’s out there,” said Kerschbaum.