When the COVID-19 pandemic hit, measures taken by several African countries to curb the spread of the virus mirrored those effected globally: border closures, nationwide curfews and lockdowns. These measures have resulted in an economic downturn that has substantially harmed many people’s livelihoods the world over. To alleviate this, some governments announced stimulus packages in attempts to help manage the living conditions of low-income earners and unemployed citizens during the ongoing pandemic.
The Kenyan government, for instance, has been providing a weekly stipend of Kshs 1,000 to vulnerable households. Dr Karanja Kibicho, Interior Ministry Principal Secretary, reportedly said that the government had identified 108,000 households in Nairobi, Mombasa, Kwale and Kilifi counties. Each household received Kshs 2,000 in the first disbursement, an amount expected to feed them for a two-week period.
Scammers have taken advantage of the pandemic to conduct malicious activities targeting unsuspecting citizens of different countries across Africa. Their angle of attack has shifted from the traditional voucher-based scams to the use of COVID-19 relief package narratives to dupe citizens into sharing personal and banking information, which can be used in malicious ways to the detriment of the victims.
Facebook-owned WhatsApp is one of the most popular instant messaging apps globally, with over 1.5 billion monthly active users. It is widely used across Asia, Africa, Latin America, and Europe. However, WhatsApp has increasingly been documented as a leading factor in the propagation of disinformation, misinformation and political propaganda. But because it is an end-to-end encrypted platform, WhatsApp cannot access or see content being shared by users, making it extremely difficult to detect false or malicious information.
Investigations revealed a case where perpetrators targeted users from African countries such as Kenya, South Africa, Uganda, Nigeria, Egypt and Ghana with a digital campaign intended to harvest their banking information. The campaign falsely presented a COVID-19 “relief package” from the government. It enticed WhatsApp users not only to share the campaign with several of their WhatsApp contacts but also to willingly share their banking information, which could be used for further social engineering attacks and financial crime.
The attack being run from different countries demonstrates coordinated inauthentic behaviour by the perpetrators to deceive citizens in other countries. This is categorised as disinformation.
How users in African countries are scammed into sharing personal & banking information
In previous investigations, perpetrators created and registered personal websites used to run such scams. Unique to this investigation, the perpetrators used fake profiles and web pages on Blogger, a blog-publishing service bought by Google in 2003.
Analysis of the source code of the associated blog sites revealed links to three blog profiles. The blog profiles had no personally identifiable information, and a reverse image search for one of the profiles’ pictures showed it was a fake ID that had been used prolifically across social media, blogs and review platforms.
The main perpetrator created the blog profile in April 2020, a month after many governments in Africa imposed curfews and lockdowns in their respective countries. The campaign used the WhatsApp chain-messaging strategy to propagate the intended scam targeting multiple African countries. Blogs customised to Kenya, South Africa, Nigeria, Ghana, Egypt and Uganda were used to deceive users into sharing their banking information with the threat actors.
Independent fact-checkers have debunked a number of claims related to the network of blogs used in the campaign under investigation and found them to be FALSE. Facebook has also flagged posts using URLs pointing to the blog pages as false information. Social media platforms, civic watchdog organisations and media houses need to increase their efforts in fighting such practices.