Skip to content
Naked Security Naked Security

Feds shut down bogus COVID-19 vaccine site

A vaccine for $4.95!? Nah, we didn't think so, either. Shuttering the alleged rip-off site is the DOJ's 1st takedown of COVID-19 flimflam.

A free coronavirus vaccine from the World Health Organization (WHO), for only $4.95 to cover shipping costs?!?
Nah, we didn’t think so, either. On Sunday, the US Department of Justice (DOJ) announced that it shut down what it called a wire fraud scheme being carried out by the operators of a site in order to squeeze profit from the confusion and widespread fear surrounding COVID-19 – by promising to ship coronavirus vaccine kits that don’t actually exist.
Let us state the obvious, or, rather, quote the DOJ’s statement as it states the obvious:

There are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine.

The site – now offline but available as an exhibit attached to the DOJ’s civil complaint – was offering consumers access to WHO vaccine kits in exchange for a shipping charge of $4.95, which consumers would pay by entering their credit card information on the website.
Per DOJ request, US District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the scam site – listed as NameCheap in its Whois Record – immediately take action to block public access to it.
The DOJ says that this is its first enforcement action taken against COVID-19 fraud. Dollars to donuts says it won’t be the last, given that we’ve seen plenty of cyberscum trying to make money off of people’s misery and uncertainty.

Coronavirus-themed cybercrime

We’ve seen:

  • Android malware that uses COVID-19 for a combination of sextortion and ransomware.
  • A phishing scam hiding behind the mask of the WHO to offer coronavirus “safety measures” and to steal your credentials.
  • A disinformation campaign carried out via SMS, email and social media that lied about a national quarantine of the US being imminent. The campaign coincided with a distributed denial of service (DDoS) attack on the place where people in the US go to get their health news: the US Department of Health and Human Services (HHS).

The DOJ says it’s still investigating the site, As of Sunday, investigators didn’t know who its operators are. The tech contact for the site is listed on the WhoIs registry as WhoIsGuard Protected, with an address in Panama and an IP address coming out of Lansing, Michigan, though who knows where its server is really hosted. It’s easy to obscure an IP address location through techniques such as using a virtual private network or Tor, for example.

What to do

The DOJ has the following slew of precautionary measures to take in order to keep from getting snared in any of the emerging COVID-19 scams. If they sound exactly like the general tips for staying safe online that we pass out all the time, that’s for a good reason: the crooks are always out there trying to scam us, and the pandemic is the most recent attention grabber that they’re hoping to use to exploit us, catching us when we’re feeling panicky and unsure of what to do.
Do what you normally do to stay safe online, in other words. Just beware that there’s a new angle the crooks are trying to leverage to get your attention, your financial details, your personally identifiable information (PII) and whatever else they can swipe. To say safe, make sure to take these steps:

  • Independently verify the identity of any company, charity, or individual that contacts you regarding COVID-19.
  • Check the websites and email addresses offering information, products, or services related to COVID-19. Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating. For example, they might use “” or “” instead of “”
  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes. Legitimate health authorities will not contact the general public this way.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Make sure the anti-malware and anti-virus software on your computer is operating and up to date.
  • Ignore offers for a COVID-19 vaccine, cure or treatment. Remember, if a vaccine becomes available, you won’t hear about it for the first time through an email, online ad, or unsolicited sales pitch.
  • Check online reviews of any company offering COVID-19 products or supplies. Avoid companies whose customers have complained about not receiving items.
  • Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving any donation. Remember, an organization may not be legitimate even if it uses words like “CDC” or “government” in its name or has reputable looking seals or logos on its materials. For online resources on donating wisely, visit the Federal Trade Commission (FTC) website.
  • Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. Don’t send money through any of these channels.
  • Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus. If you decide to invest, carefully research the investment beforehand. For information on how to avoid investment fraud, visit the U.S. Securities and Exchange Commission (SEC) website.

For the most up-to-date information on COVID-19, visit the Centers for Disease Control and Prevention (CDC) and WHO websites.
The DOJ is urging people in the US to report suspected fraud schemes related to COVID-19 by calling the National Center for Disaster Fraud (NCDF) hotline (1-866-720-5721) or by emailing the NCDF at
In the UK, contact Action Fraud. Also, bear in mind that the UK has seen a motley collection of pandemic-related scams, including sales of hand sanitizer containing an ingredient banned for human use years ago. They were being sold for £5 a bottle, according to trading standards officers in Birmingham.
Stay safe, wash your hands for 20 seconds a pop, and good luck avoiding the crooks!

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


In less frenetic times it would be easier to notice: a test kit would likely cost (even in bulk) significantly more than $4.95, so the ostensibly free kit with the stipulation of shipping would be unlikely, even in a legitimate hey-we’re-giving-these-out-for-free situation. I’ll totally give someone benefit of doubt for falling for this in a moment of panic and desperation.


Rather than tracing IP addresses through various VPNs, hacked computers, etc., wouldn’t it be simpler for the Feds to just place an order (just before shutting the site down) with a throwaway credit card then find out who it was paid to? In addition, both NameCheap and WhoisGuard per their policies will (actually must) honor valid subpoenas for all the information they have on the individual or company.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!