Date: 2021-12-10

While the debate over whether to adopt the so-called “vaccine passport” dominates Brazilian news, criminals are once again exploiting the topic to spread malware. This time the bait is a supposed Single Vaccination Certificate, purportedly issued by the SUS, which of course does not exist.

The message, which contains spelling and punctuation errors, arrives in the name of the Ministry of Health, with official government logos and bold lettering. The recommendation is direct: citizens should download the certificate to avoid inconvenience when traveling or attending events and public places that require proof of immunization. The indicated link, however, leads to a ZIP file that carries the malware.

The criminals also use redirects from legitimate but presumably compromised sites to make the scam look more legitimate and, possibly, to evade security systems. Fortunately, this did not work at all: the samples received by Canaltech were blocked by the NortonLifeLock and Kaspersky platforms, which warned the user that they were accessing a dangerous website. On the other hand, Outlook's spam filters did not stop the email from arriving in the regular inbox.

The bulk email contains a link to download a ZIP file, using proof of vaccination as bait to install malware (Images: Screenshot/Felipe Demartini/Canaltech)

This is another classic case of topics of national debate being used to run scams. While proof of vaccination from specific apps or issued by city halls is indeed being required for access to events, a single national certificate is not sent directly to citizens, least of all by email; it is available in the Conecte SUS app and can be accessed online.

In addition to the mistakes in the Portuguese, a quick look at the domains used to spread the scam exposes the fraud. While the email arrives from the domain “novaccinationsnaodabr.org”, redirects through addresses in different countries are also used in the spam campaign, and the criminals do not even try to make it appear that the user is browsing official Ministry of Health pages.

As such, users are advised to avoid clicking on requests of this type, particularly if they involve downloading documents or applications. Keeping security software active and up to date, along with the operating system as a whole, also helps to identify such scams.