ScamNation: Monetizing the Pandemic Through Partisan Content Farms and Subscription Traps

During major global events, threat actors take advantage of charged political environments and a prevailing overload of information to help lend credence to the delivery mechanisms they use to carry out malicious activity. This tactic has proven especially effective during the COVID-19 pandemic as scams purporting to contain information, news, and remedies related to the virus—many with a political lean—have saturated the internet. 

In "ScamNation," RiskIQ's latest research report, RiskIQ researchers leveraged our internet-wide visibility and unique data sets to identify and explicitly define scam ecosystems exploiting the pandemic for monetary gain through the spread of false information and the sale of fraudulent products online. The report identifies a network of "content farm" websites publishing misleading, highly partisan articles that have lately focused on COVID-19. Scammers use these sites to promote ads that lure users into "subscription traps," which, through misleading messaging and hidden language in the fine print, trap buyers into making monthly payments that are difficult, if not impossible, to escape.

Through RiskIQ data made available in PassiveTotal, researchers connected the dots across the web to draw distinct connections between the fake news sites, affiliate advertising networks, and subscription trap companies. They ultimately found that sales of many questionable goods were carried out through several LLCs that were actively obscuring the connections between the products and the companies that produce them. 

This investigation would not have been possible without RiskIQ's massive data collection, accumulated over ten years of crawling the internet and intelligently correlated to link infrastructure across the web in our Internet Intelligence Graph. By pivoting across this data, researchers and analysts can link seemingly disparate elements together to create broad context and a larger, tighter narrative.

RiskIQ collection keeps the full HTML of a web page, saving any dependent file used in its loading process—document object model (DOM), links, console messages, cookies, headers, independent requests, JavaScript, and other files. Because web pages are made up of many of these remote resources that get assembled to form a cohesive user experience, RiskIQ can link infrastructure showing the interconnectivity of various entities across the web, identifying dependencies and pathways of each web asset.

Following the traffic and linking seemingly disparate data points along the way, the researchers could pull back the curtain to show how this particular traffic funnel—from fake news sites to subscription traps—works, and expose the organizations that trade in misinformation and false COVID-19 cures.

Read the report to find out how these scam ecosystems make their operatives a lucrative living at the expense of unwitting internet users, and how RiskIQ's internet-wide visibility can expose these shadowy operations. 

To pivot across the indicators mentioned in this report, be sure to visit the ScamNation Threat Intelligence Card in RiskIQ Community Edition today. You can sign up for free with a corporate email address. 

Also, be sure to sign up for RiskIQ's Threat Hunting Summer Camp to attend our August 19th session, where co-authors Jordan Herman and Ryan Foote will discuss the ScamNation research and investigation firsthand. 
