The COVID-19 pandemic has led to a worldwide social distancing experiment, spiking sales of remote working tools, personal protective equipment, hand sanitizer, toiletries, guns, drugs, alcohol, and much more.
However, the most sought-after item was information — credible and reliable information on COVID-19, virus research, vaccine development, local regulations, and social developments.
Wherever society goes, criminal activity is sure to follow, and in the 21st century, illegal activity has become automated and scaled like never before. Almost overnight, thousands of coronavirus-related domains appeared online.
In this short article, we wanted to take a quick glance at one particular victim of the pandemic — the Internet.
Since the beginning of the year, over 120,000 domains containing keywords, such as “COVID” or “Corona”, have been discovered, Euronews reports. In March alone, 40,000 such domains appeared. For this particular quick study, we used CyberTotal, our AI-driven threat intelligence platform, to auto-evaluate the severity and threat levels of March domains. The results were not encouraging.
However, before we talk about what we found, let’s talk about how we found it. We’ll need to talk about Threat.
CyberTotal assigns a domain one of three possible Threat levels: High, Medium, or Low.
A label of “High Threat” means that CyberTotal classifies this domain as malicious with a high degree of confidence; do not interact with this domain at all. A “Medium Threat” suggests users practice extreme caution with these domains. A “Low Threat” indicates that this should be a fairly safe domain; however, caution, as always, is still needed.
CyberTotal calculates Threat as a function of Severity and Confidence. Severity calculates how malicious a particular domain is on a scale of 1 to 10; numerous factors go into this calculation, including the domain’s reputation among various antivirus vendors, passive DNS, passive URLs, subdomain DNS, WHOIS, OSINT, SSL Certificates, open ports, and much more. Confidence calculates how confident CyberTotal is with its Severity ranking, also on a scale from 1 to 10. In the picture above, Detected indicates that 12 of 93 antivirus vendors classify this domain as malicious or containing malicious files and/or activity.
Of the domains evaluated, only 6 percent were classified as a Low Threat — six percent. Remember that a Low Threat classification does not rule out the possibility that there is a malicious link or other malicious activity on every page of one domain. It’s still possible.
That leaves 94 percent of the evaluated domains ranging from possibly safe to so incredibly saturated with malware you shouldn’t even type the address into your browser unless you know exactly what you’re doing.
As a result, we strongly urge organizations to (a) treat all coronavirus-related emails and websites with extreme caution, (b) remind staff to be vigilantly aware of coronavirus-related phishing attacks, and (c) acquire their pandemic updates directly from reliable and trusted sources, such as the John Hopkins COVID-19 Resource Center or your local government equivalent of the CDC.
Hopefully, this is nothing new for you.
Hopefully, your IT security team is on point and keeping you and your organization up-to-date and secure. You may have never even clicked on a suspicious link before.
But what if you did?
Where would you go, and what would you see?
Let’s take a quick glance behind two notoriously malicious domains, see what they look like, what would happen if you went there, and how we know they’re malicious.
This is the first of two domains we will discuss. Case 2 has an obviously malicious homepage; Case 1’s is less obvious. By seeing two domains on opposite sides of the spectrum, it will be easier for you to picture everything else in between, and there’s a lot of middle ground out there.
The domain coronavirus-testing[.]com claims to provide coronavirus testing and additional services for pneumonia screening. To their credit, their homepage is decent looking and, at a quick glance, seems normal. However, no cybercriminal adds a homepage button labeled: Click to Download Malware. Let’s take a look behind the screen.
Looking at the familiar top left corner, we see that CyberTotal immediately classifies the Case 1 domain as High Threat — completely avoid this domain. Remember that Threat is a function of Severity (Case 1 was given 9 out of 10) and Confidence (7 out of 10). Severity is a function of several factors, including the 11 factors at the bottom of the dashboard.
Below the IP address, we see where it is registered, where it’s located, malicious activity associated with Case 1, who hosts it, when its last activity occurred, and more.
Moving to the bottom of the CyberTotal Dashboard, we see the Reputation View.
By accessing the Reputation View of CyberTotal we can drill down into each of the 12 antivirus vendors and see how they labeled Case 1. Out of 93 antivirus vendors, 12 have already labeled Case 1 as a malicious/malware site; some even go a step further and mention this particular domain has been used for or is capable of C2.
Moving right along the CyberTotal Dashboard, we can access the Passive URL View.
Passive URL data offers a wealth of information for IT security teams and research analysts. In the Passive URL View, we see a list of URLs linked to the Case 1 domain and their reputation. The eventuall[.]com URL, for example, is a definite red flag as 12 out of 80 threat intelligence sources, as recently as the 26th of April 2020, have classified the URL as malicious.
Continuing our quick glance at the CyberTotal Dashboard, we take a quick stop at the WHOIS data for Case 1.
Do you see the problem?
We will give you a second.
If you remember their homepage, they claimed that:
“Due to our extensive development over the years within the industry, we have the infrastructure in place to deliver over 50,000 tests per day to the people that need them. We work with the best to deliver the best.”
However, if they did indeed have “years” of experience within the industry, then it seems highly suspicious that their domain was registered on March 7, 2020. Even if a legitimate organization registered the domain, it is highly suspicious that their legitimate domain wasn’t linked to this particular homepage and vice versa.
While the homepage for the Case 1 domain does a decent job of visually masking its malicious intentions, threat intelligence tools, like CyberTotal, can expose malicious domains in a quick and thorough fashion. Upon further inspection, our Research Team concluded that the Case 1 domain has a high possibility of being a phishing website.
Phishing? Phishing is an attempt of obtaining a user’s credentials (personal information, passwords, etc.) through seemingly legitimate methods (email, websites, etc.) but for nefarious purposes, including identity and monetary theft. Phishing is typically done through email as it allows the threat actor to easily scale up their attack. There are various degrees of social engineering with phishing emails, with some emails linking their targets to phishing websites, such as Case 1.
Many threat actors rely on phishing as a key vector for initial access. Successful phishing attacks typically play on the victim’s behavioral response to greed, fear, or recent trends. The paranoia surrounding a worldwide pandemic provides the perfect lure.
As stated earlier in this article, over 120,000 domains with keywords such as “COVID-19” or “coronavirus” have appeared since January 1, 2020. The vast majority of domains we sampled from March alone have a high probability of being malicious.
Our second case, coronavirus19news[.]com, claims to be a news website dedicated to COVID-19. Similar to Case 1, the Case 2 domain is also quite notorious. Numerous threat intelligence sources, including our own threat intelligence platform, have labeled this domain as malicious with a high degree of confidence.
Unlike the homepage of Case 1, Case 2 does not mask their intentions that well as the homepage design looks quite questionable. The page does not look polished and looks tossed together without much thought, save for the excellent photo of Xi Jinping.
As we did for Case 1, a quick look into the Reputation View is more than enough to see malicious intentions masked beneath Xi Jinping’s pic. However, unlike Case 1, Case 2 looks to be even more severe with threat intelligence sources classifying the Case 2 domain as a phishing site, C2, cryptomining, scam, and ransomware.
These two domains are two of many malicious web domains seeking to harm users. It’s important to remember that malicious web domains no longer necessarily look as if they were designed in the 90s. They could appear extremely legitimate and could even mimic legitimate web domains.
Being experienced in the use of cyber threat intelligence platforms, such as CyberTotal, to auto-evaluate domains, is an incredible tool that could save your enterprise millions in fees and damages.
Here is a list of over 140 coronavirus-related scams to further your cyber education.
While we only briefly looked at two High Threat domains, it’s important to remember that the most important number on the graph above isn’t the 59 percent; it’s the 6 percent. Only 6 percent of the domains from the March sample were classified by CyberTotal as Low Threat, leaving the other 94 percent to be Medium to High Threat.
Due to this major imbalance, it is advisable to take a zero-trust security policy on all coronavirus-related emails. We also strongly advise following trusted sources for up-to-date coronavirus information.
If you don’t have access to a trusted threat intelligence tool, such as our CyberTotal, go through the following checklist to determine whether a domain is malicious or not.
Stay safe, everyone — physically and digitally.
Writer: CyCraft
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.