Coronavirus: McAfee unearths dark web blood bank

Amid a glut of face masks, hand sanitiser and toilet paper being sold online through both legitimate and illegitimate sources during the Covid-19 coronavirus pandemic, threat researchers at McAfee have uncovered a posting on a dark web forum that appears to offer for sale the blood of an individual who has recovered from the disease.

The scam probably plays on news that has emerged in recent days that Chinese doctors claim to have found limited evidence that some people who are seriously ill with coronavirus have seen an improvement in their condition after receiving transfusions of blood plasma from others who have recovered.

As reported by the UK’s Guardian, patients in two different pilot studies, one in Wuhan and the other in Shenzhen, saw their viral load fall and symptoms improve within days of receiving plasma infusions.

However, no randomised trial has yet been conducted, and it would be foolhardy and potentially lethally dangerous to attempt to self-transfuse blood of unknown provenance, especially if it had been sourced from a dark web marketplace.

McAfee’s lead scientist Christiaan Beek and chief scientist Raj Samani said that while the use of global events to drive cyber crime was by no means a surprise, the coronavirus pandemic was revealing a multitude of unexpected threat vectors.

“We have seen many examples of major events being abused by people whose interest is only financial gain and current global events are no exception,” wrote Beek and Samani in a disclosure blog.

“The use of Covid-19 as a lure does not appear to show any sign of slowing down. Indeed, there are more campaigns being regularly identified using the global concern for selfish gain. Our focus will be to ensure detection remains up to date, and that data points relevant for investigation are shared with authorities.”

Beek and Samani looked into underground markets on Onion and other services using channels on encrypted cloud messaging service Telegram selling face masks, which are in short supply because of unprecedented demand.

One site was selling 3M Aura and Farstar N95 masks at a mark-up of over 10 times the retail price. The seller purported to be a legitimate wholesaler and supplier of medical-grade face masks, and was selling them because “everybody need [sic] a chance to get a mask for protection – not only medical employees”.

Strangely, the seller also claimed to want to protect their identity because they didn’t want their medical sector customers to know they still held stock.

Needless to say, the listing is almost certainly fraudulent, and any goods received will probably be either fake or unfit for purpose, not least because Germany-based Farstar does not actually make N95 masks.

Although there is nothing illegal or even particularly dangerous about the dark web as a concept, users who are accessing it for legitimate purposes should be aware that it also functions as a haven for criminal groups to go about their business in relative privacy. Dark web marketplaces are also used extensively to sell personally identifiable information (PII) stolen in data breaches.

The scams identified by McAfee would therefore be unlikely to be noticed by the average internet user. Nevertheless, said Beek and Samani, it served as an important reminder that the use of coronavirus as a lure shows no signs of slowing down.

“There are more campaigns being regularly identified using the global concern for selfish gain,” they said. “Our focus will be to ensure detection remains up to date, and data points relevant for investigation are shared with authorities.”