Mask-ed Intentions: Protect yourself from Online scams related to COVID-19

Sentinel Protocol Team
Sentinel Protocol
Feb 17, 2020

By: Donovan Tan, Cybersecurity Researcher

Established in January 2018, Uppsala Security, based in Singapore and South Korea, built the first crowdsourced Threat Intelligence platform known as the Sentinel Protocol, which is powered by blockchain technology. Our mission is to prevent criminal activities from happening, and mitigate the damages when they do happen, through the provision of affordable and effective security solutions.

With the recent outbreak of COVID-19, demand for surgical masks has skyrocketed, which led to a global shortage of surgical masks as the masses scramble to get their hands on them. The situation in Singapore is no different, with masks being hard to come by at most physical shops. Consumers here have headed online in a bid to find masks from any source possible.

The scarcity of masks, along with the uncertainty surrounding this new strain of coronavirus still being researched, has inevitably led to fear-induced panic buying among some. Fear often leads to irrationality, causing people to act based on emotions rather than logic. Cybercriminals are adept at identifying and capitalizing on such situations to carry out cyber-attacks and scams. These attacks that exploit human psychology and emotions are known as social engineering attacks and are commonplace today, encompassing various forms such as phishing and extortion.

An example of such an attack in this scenario would be the setting up of fraudulent online shops touting surgical masks. Cybercriminals accept payment but do not send out any masks to customers, and subsequently abscond with the collected money. Desperation and fear cloud individuals' judgment, increasing their chances of falling victim to scam shops. As reported by the South China Morning Post [1], such incidents are already taking place. As of 13th February, police in Hong Kong had received over 300 reports regarding fraudulent online shops offering masks and had made 12 related arrests. The money involved amounted to a whopping HKD$1.1M (approx. SGD197k). In one particular case, the cybercriminal had scammed more than a thousand people in a short period of 1 week.

Closer to home, potentially similar cases have surfaced too. Over the past few days, various local content sites such as Mothership [2] and Goodyfeed [3] have investigated and released articles discussing the legitimacy of an online mask shop called MedicalLex. Our team at Uppsala Security is aware of MedicalLex, which we first chanced upon through a Facebook advertisement on the 9th of February (Sunday), and we have also carried out our own investigations. Although we are unable to classify MedicalLex as a scam site with certainty, we have found:

1) Discrepancies in their statements,

2) Suspicious domain and company address information, and

3) Evidence of falsified, misleading information on their website.

These are sufficient red flags to classify MedicalLex as suspicious, and we strongly advise any person against dealing with them to get their surgical masks. At the time of posting, MedicalLex has taken down their Facebook page. Their website (www.medicallex[dot]com) is still in operation but they seem to have suspended orders through their e-shop. However, they prompted interested users to contact them directly to make alternate arrangements.

Red Flag 1: Discrepancies in Statements

Firstly, we have noticed discrepancies in the information provided by the now defunct MedicalLex Facebook page.

Screenshots were taken on the 9th of Feb (Sunday) at 6.58 PM.

As seen in the 2 screenshots above, taken at the same time on the 9th of February, we uncovered discrepancies in the claims made by the MedicalLex Facebook page. Both claims were made 15 hours before the screenshot; however, one claims that they own warehouses in 5 different countries, while the other claims they only have warehouses in 2 countries (the US and HK).

Red Flag 2: Suspicious domain and company address information

Secondly, MedicalLex's domain and the company address they provided are suspicious. Their domain, medicallex[dot]com, was registered only a few days ago on the 4th of February 2020 and for a short period of one year. A Google search on the company address they provided, ‘1155 S Power Rd #114, Mesa, AZ 85206, United States’, returns another company, ‘Box-N-Mail.’ New, short-lived domains coupled with false company addresses are common characteristics of scam sites.

Whois Lookup information for MedicalLex’s domain.
Company address provided by MedicalLex returns another company.
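
The registration check from Red Flag 2, as an added example (not code from Uppsala Security or UPPward): it reads the creation and expiry dates from WHOIS text and flags a domain that is newly registered or registered for a short term. The 30-day and 366-day thresholds, the function names and the sample record are assumptions; only the 4 February 2020 registration date and the one-year term come from the article.

```python
from datetime import datetime, timezone

# Constructed sample in the layout of a .com registry WHOIS reply. Only the
# registration date and one-year term come from the article; the times of
# day and the placeholder domain name are made up.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-MASK-SHOP.COM
   Creation Date: 2020-02-04T09:00:00Z
   Registry Expiry Date: 2021-02-04T09:00:00Z
"""

# Assumed thresholds, not values from the article.
MAX_AGE_DAYS = 30    # "registered only a few days ago"
MAX_TERM_DAYS = 366  # "a short period of one year" (leap years included)


def parse_whois_dates(text):
    """Return (created, expires) as UTC datetimes, None where absent or malformed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), value.strip())

    def to_dt(key):
        try:
            parsed = datetime.strptime(fields.get(key, ""), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return None
        return parsed.replace(tzinfo=timezone.utc)

    return to_dt("creation date"), to_dt("registry expiry date")


def registration_red_flags(text, as_of):
    """List the registration red flags for a WHOIS record, evaluated at as_of."""
    created, expires = parse_whois_dates(text)
    if created is None or expires is None:
        # Hidden or unparsable dates cannot be cleared, so report them.
        return ["whois-dates-missing"]
    flags = []
    age_days = (as_of - created).days
    term_days = (expires - created).days
    if 0 <= age_days <= MAX_AGE_DAYS:
        flags.append(f"new-domain:{age_days}d")
    if term_days <= MAX_TERM_DAYS:
        flags.append(f"short-term:{term_days}d")
    return flags
```

Neither flag proves fraud on its own; as in the article, they carry weight when they appear together with other inconsistencies such as a mismatched company address.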

Red Flag 3: Evidence of falsified, misleading information on their website

Lastly, although their website looks professional and legitimate, further investigation revealed falsified and misleading information. As detailed in Mothership’s article, the first sign of falsified information would be MedicalLex’s use of stock images and plagiarised text for customer reviews. These images have since been removed after being called out. However, the plagiarised reviews, which are copied from real reviews of face mask listings on Amazon, are still present on the site.

Original review for a Face Mask listing on Amazon.
Same review on MedicalLex’s website.

Another piece of potentially falsified and misleading information would be MedicalLex’s claim that they have 70,000 satisfied customers. This is hard to believe given that MedicalLex’s domain was registered just approximately 2 weeks ago (4th February), as seen earlier. Moreover, MedicalLex also displayed the Trusted Store mark from Google’s Trusted Store program, which had been discontinued in 2017.

MedicalLex claims to have 70,000 happy customers.
MedicalLex displaying the Google Trusted Store mark, which had been discontinued in 2017.

On MedicalLex’s site, we have noticed their frequent use of words such as ‘very limited’, ‘high demand’ and ‘order quota is running out’ to describe their surgical masks, and that their sales are on a ‘first-come, first-serve basis’. Though possibly a marketing or sales tactic, these could also be seen as a deliberate attempt to further exploit consumers’ fears and psychological state by inducing even more panic in a bid to drive purchases.

Choice of words to exploit victim’s psychological state and induce fear.

With cybercriminals getting more adept at running realistic scams and taking advantage of human emotions in times like this, it becomes increasingly difficult for individuals to discern between real and fake. To protect yourself from potentially suspicious sites such as MedicalLex and future scams, third-party tools provided by trusted security vendors can be utilized. One such tool would be UPPward, a browser extension developed by Uppsala Security. UPPward is powered by crowdsourced threat intelligence verified by our team of security analysts and helps flag any suspicious or blacklisted site visited by users, as seen in the screenshot below.

UPPward blocking a user from visiting medicallex[dot]com.

Just like how it is important for communities to work as one in the fight against COVID-19, we at Uppsala Security believe that cyber threats can be tackled more effectively through collective, crowdsourced threat intelligence. If you come across any site you suspect to be malicious, inclusive of potentially fraudulent mask shops, please report it to us through https://portal.sentinelprotocol.io/create/case.

UPPward is free to use and available on Chrome, Brave and Firefox Browsers.

Chrome & Brave Extension: https://chrome.google.com/webstore/detail/uppward/okchiedmnincflodifnojcnhnncldcbk

Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/uppward-by-sentinel-protocol/

Uppsala Security: https://uppsalasecurity.com/

UPPward: https://uppward.sentinelprotocol.io/

Forum: https://forum.sentinelprotocol.io/

[1] https://www.scmp.com/news/hong-kong/law-and-crime/article/3050449/coronavirus-spreads-scammers-cash-hongkongers

[2] https://www.mothership.sg/2020/02/medicallex-scam/

[3] https://goodyfeed.com/medicallex/


Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud