Malicious COVID-19 Domains
I. Targeted Industries
- Financial Services
- Health Care Industry
- General Public
Attackers have used the COVID-19 pandemic to their advantage by deceiving people with fake, malicious domains. Since January 2020 there has been a spike in the registration of COVID-19 related domains, and coronavirus-themed domains are 50% more likely to be malicious than other domains registered in the same period (1, 6). Attackers lure victims with the promise of up-to-date pandemic information and then infect their systems with malware. Many of these domains are used in phishing scams that impersonate important organizations such as the World Health Organization (WHO) and the United States Department of Health and Human Services (HHS) (2). Domains are a crucial component of a malicious campaign because they open multiple vectors of attack, from phishing to malware delivery.
III. Background Information
On March 11, 2020, Recorded Future reported an increased number of COVID-19 related domains created alongside COVID-19 phishing lures (3). These domains are believed to distribute malware ranging from BabyShark to banking trojans and keyloggers (4). Terms such as Coronavirus, COVID-19, pandemic, virus, or vaccine frequently appear in the domain name (5). Many of these domains have been registered through low-cost registrars such as GoDaddy and Namecheap (6). Registrars have since placed restrictions on COVID-19 related registrations and removed fraudulent domains (7). “On March 20, the peak day, people registered 3,011 new domains that contained the text ‘COVID’ or ‘Corona,’ in the four largest top-level domains…” with 42,578 observed since February 8 (8). New malicious COVID-19 domains continue to be registered daily.
Incorporate the known malicious domains listed in the IOCs below into IDS/IPS signatures and DNS blocklists so that lookups of and connections to them are detected and blocked.
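The following is an added example, not part of the original brief, showing how the two points above fit together: the keyword pattern described in the background section (domain names containing terms such as covid, coronavirus, pandemic, virus or vaccine) used as a review-only heuristic, and the IOC list turned into exact-match detections in DNS logs and Suricata rules. The IOC domains, the allowlist of impersonated organizations, the log format and the log lines are all constructed for illustration and are not the IOCs distributed with this brief.

```python
"""Flag COVID-19-themed DNS lookups and emit Suricata rules for known IOC domains.

Added example for this brief. IOC_DOMAINS, ALLOWLIST, the log format and
SAMPLE_DNS_LOG are constructed; replace them with the real IOC download and
your resolver's log format.
"""

# Constructed IOC list (hypothetical; not the brief's IOC file).
IOC_DOMAINS = {
    "covid19-relief-update.example",
    "who-corona-alerts.example",
}

# Constructed allowlist: organizations attackers impersonate. Lookups to
# these are legitimate and must not be flagged by the keyword heuristic.
ALLOWLIST = {"who.int", "cdc.gov", "hhs.gov"}

# Terms the brief reports as common in malicious COVID-19 domain names.
# Keyword hits are noisy (e.g. "antivirus" contains "virus"), so they are
# surfaced for analyst review rather than blocked automatically.
KEYWORDS = ("coronavirus", "covid", "pandemic", "virus", "vaccine")


def normalize(domain):
    """Lower-case and strip the trailing dot that resolvers often log."""
    return domain.strip().lower().rstrip(".")


def in_set(domain, domains):
    """True if the domain or any parent domain is in the set, so an IOC of
    example.test also matches cdn.example.test."""
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify(domain):
    """Return 'allow', 'ioc', 'keyword' or 'clean'. Allowlist is checked
    first so a legitimate covid19.who.int page is never flagged."""
    if in_set(domain, ALLOWLIST):
        return "allow"
    if in_set(domain, IOC_DOMAINS):
        return "ioc"
    name = normalize(domain)
    if any(k in name for k in KEYWORDS):
        return "keyword"
    return "clean"


# Constructed resolver log: "<timestamp> <client> <qtype> <qname>" per line.
SAMPLE_DNS_LOG = """\
2020-03-20T09:58:11Z 10.0.0.5 A www.who.int
2020-03-20T09:58:40Z 10.0.0.5 A Covid19-Relief-Update.example.
2020-03-20T10:01:02Z 10.0.0.7 A cdn.who-corona-alerts.example
2020-03-20T10:02:19Z 10.0.0.9 A free-vaccine-tracker.example
2020-03-20T10:03:44Z 10.0.0.9 A news.example
"""


def scan_dns_log(text):
    """Return (client, domain, verdict) for every lookup that is an IOC hit
    or a keyword hit; allowlisted and clean lookups are dropped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines rather than crash
            continue
        _ts, client, _qtype, qname = parts
        verdict = classify(qname)
        if verdict in ("ioc", "keyword"):
            hits.append((client, normalize(qname), verdict))
    return hits


def suricata_rules(domains, base_sid=9000001):
    """One DNS-query rule per IOC domain. dns.query is Suricata's sticky
    buffer for the queried name; content is a substring match, so
    subdomains of an IOC are caught as well. SIDs start at base_sid
    (hypothetical value; pick one from your local range)."""
    rules = []
    for i, d in enumerate(sorted(domains)):
        rules.append(
            "alert dns $HOME_NET any -> any any "
            f'(msg:"COVID-19 IOC domain lookup {d}"; dns.query; '
            f'content:"{d}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for client, domain, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{verdict:8} {client:12} {domain}")
    print("\n".join(suricata_rules(IOC_DOMAINS)))
```

Running it flags the two IOC lookups (including the subdomain of an IOC) and the one keyword-only domain, and leaves www.who.int and news.example alone. In production the parent-domain walk should use the Public Suffix List rather than raw labels, and the generated rules should be loaded alongside a DNS sinkhole or resolver blocklist so the IOC is blocked as well as alerted on.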
- Be Informed
Users should be informed that large numbers of new malicious COVID-19 domains are registered daily and should treat unfamiliar pandemic-themed sites and links with suspicion.
- Trusted Websites Only
Users should visit only trusted websites and avoid unknown sites to mitigate risk.
- Phishing Awareness Training
Users should be educated on current and past phishing attempts to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Safe Browsing Techniques
Users should be educated on safe browsing techniques to identify malicious content. Recommended link: https://www.us-cert.gov/ncas/tips/ST07-001
V. Indicators of Compromise (IOCs)
Some email systems block file attachments, so the identified IOCs can be downloaded from the link below. https://usf.box.com/s/vmoicfez44pjvmk27z0do7xiwdzkurhe
(1) Cimpanu, Catalin. “Thousands of COVID-19 scam and malware sites are being created on a daily basis.” ZDNet, March 31, 2020. https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis/
(2) Coble, Sarah. “Domain Registrars Take Action Against Fraudulent COVID-19 Websites.” Infosecurity Magazine, March 31, 2020. https://www.infosecurity-magazine.com/news/domain-registrars-combat-covid-19/
(3) Gallagher, Sean, and Brandt, Andrew. “Facing down the myriad threats tied to COVID-19.” Sophos, March 31, 2020. https://news.sophos.com/en-us/2020/03/24/covid-malware/
(4) Insikt Group. “Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide.” Recorded Future, March 31, 2020. https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf
(5) “Recorded Future.” Recorded Future Support, April 3, 2020. https://support.recordedfuture.com/hc/en-us/sections/115000618887?flash_digest=83d1083cd2063a22e0c9f42bb301e1b3b97fb35d
(6) “Update: Coronavirus-Themed Domains 50% More Likely to Be Malicious than Other Domains.” Check Point Software, March 31, 2020. https://blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/