{"id":16185,"date":"2020-03-24T07:54:23","date_gmt":"2020-03-24T11:54:23","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/ginp-trojan-coronavirus-finder\/16185\/"},"modified":"2021-10-04T20:25:36","modified_gmt":"2021-10-04T16:25:36","slug":"ginp-trojan-coronavirus-finder","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ginp-trojan-coronavirus-finder\/16185\/","title":{"rendered":"People infected with coronavirus are all around you, says Ginp Trojan"},"content":{"rendered":"

As people all around the world started working from home<\/a> and practicing social distancing, the latter in some cases may evolve into paranoia. Should I avoid contacting everyone, because, who knows, maybe this person has contracted the coronavirus. Or maybe that one? People became somewhat afraid of all other people. And cybercriminals decided to make use of that.<\/p>\n

The Coronavirus Finder (that doesn\u2019t work)<\/h2>\n

Cybercriminals behind Ginp, a banking Trojan that we have covered recently (here\u2019s a post about Ginp on Kaspersky Daily<\/a>), are up to a new campaign related to COVID-19. After Ginp receives a special command, it opens a web-page called Coronavirus Finder. It has a simple interface that shows the number of people infected with the coronavirus near you and urges you to pay a small sum to see the location of those people.<\/p>\n

\"The<\/a><\/p>\n

Oh, what a relief for some people would it be to know whom to avoid! For some people, the message looks more than convincing, so they proceed to pay the fee. The amount seems to be quite small, so it\u2019s easy to spare. The web-page then offers you to input your card data to make the transaction.<\/p>\n

As you may remember, Ginp is a very capable banking Trojan that relies on a lot of different lures to make users input their credit card data into forms, so that it can steal it. If you guessed this web-page is just another form aimed at stealing data \u2014 you\u2019ve guessed it right!<\/p>\n

Once you fill in your credit card data, it goes directly to the criminals\u2026 and nothing else happens. They don\u2019t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?). And of course, they don\u2019t show you any information about people infected with coronavirus near you, because they don\u2019t have any.<\/p>\n

\"Once<\/a><\/p>\n

Given the speed at which the virus spreads, no one has such information, even the governments. So don\u2019t fall for this lure. What\u2019s more, to see such a web-page pop up on your device, you need to have Ginp on it first. As long as you\u2019re protected and don\u2019t have a Trojan Horse on your phone, you won\u2019t be seeing such notifications.<\/p>\n

According to data from Kaspersky Security Network, most users who have faced Ginp, are located in Spain, just as before. However, this is a new version of Ginp that is tagged \u201cflash-2\u201d, while previous versions were tagged \u201cflash-es12\u201d. Maybe the lack of \u201ces\u201d in the tag of the newer version means that cybercriminals plan to expand the campaign beyond Spain.<\/p>\n

That\u2019s not the first time we\u2019ve seen cybercriminals exploit the coronavirus topic. They\u2019ve already used it as bait in phishing messages<\/a> and created coronavirus-themed malware.<\/p>\n\n

Staying safe from Ginp banking Trojan<\/h2>\n

Our advice on how to stay safe from Ginp Banking Trojan remains the same:<\/p>\n