Blog – Criminals using Covid-19 Pandemic as cover

Criminals using Covid-19 Pandemic as cover. IT & Cybersecurity “essential”

03-23-2020

Malicious actors always seek to take advantage of world affairs or popular subjects. With the world grinding to halt over fears and restrictions due to the COVID-19 pandemic, malicious actors are clearly making moves to seize the moment with different attack vectors against users looking out for Coronavirus related information and also against businesses trying to operate during this crisis. 

As seen recently, sites such as the fake coronavirus tracker (CovidLock Ransomware), maps, SMS Spam, and fake healers have targeted innocent people simply looking for information on current events related to the coronavirus pandemic.  

CovidLock Ransomware. Source DomainTools

Source *


Due to the spread of the coronavirus, millions of people around the world are under lockdowns and millions of them have been advised to work from home. The relocation of this workplace from offices to homes has affected the internet as well as the number of users of teleconferencing, entertainment, education, ordering, delivering and work-related applications are simultaneously using the internet. This, of course, has been noticed as well by the criminals who are switching to infrastructure-based attacks such as DDoSing delivery sites as well.

The number of new domains with the name *coronavirus* attached to it is surging, and although not all the new domains popping are necessarily malicious there is definitely a drive from domain squatters seeking to profit from interest in coronavirus-derived domains. 

A quick look at the domain registrations during the beginning of February by the researcher Malware Uktonos found a total of 212 domain registrations, some of these registrations suggest clear for-profit use intended. 

Domain Name
hxxps://coronavirus-rx.com/
hxxps://coronavirustest.net/
hxxps://coronaviruscure.com/
hxxps://coronaviruskits.com/
hxxps://coronaviruscures.com/

And although many of the registrations seem to indicate they’re driven by domain squatting, there were a couple of domains that were clearly fraudulent. The following graphics show the suspected domains. 

vaccine-coronavirus[.]com
Registrar NAMECHEAP INC
NameCheap, Inc.
IANA ID: 1068
URL: http://www.namecheap.com
Whois Server: whois.namecheap.com
Dates 52 days old
Created on 2020-01-29
Expires on 2021-01-29
Updated on 0000-12-31

This site was already charging for a fake vaccine. Source @MalwareUtkonos

The second site was another fraudulent site claiming to be a funding site, however, it’s unclear what these funds were going to be used for. 

Source *

coronavirusfund[.]org
Registrar Domain.com, LLC
IANA ID: 886
URL: www.domain.com
Whois Server: whois.domain.com(p)
Dates 56 days old
Created on 2020-01-25
Expires on 2021-01-25
Updated on 2020-01-27

Thanks to Jose Nazario from Censys.io we can also grab information on the certificate for this suspicious website. 

As it can be seen in the graphs these domains were recently registered and functioning. These sites were taken down by quick action from @MaltwareUtkonos reaching out to registrars.

Because cybercrime will continue to target innocent and desperate people, it is imperative for the community to collaborate, alert, and act on these threats as they are likely to keep replicating and appearing time and time again. 

In these uncertain times, it is necessary to understand that many businesses are vulnerable as well to these types of attacks.s our reliance on infrastructure grows as the workplaces shift to remote settings, criminals will also shift to infrastructure vector attacks such as DDoS, ransomware or destructive payloads. 

IT & Security community professionals are  “ESSENTIAL” to keep these systems operating. During the Wannacry campaign, many healthcare institutions were affected because they were running unpatched and outdated systems, in some instances, placing life-saving procedures ON HOLD. More recently the US HHS site was attacked as well. Immediate access to information, as well as the infrastructure that allows actions on data to make critical decisions, is imperative.