A Quick Glance Behind the Mask:
How Covid19 Infected the Internet
The Infection Spread Overnight
The COVID-19 pandemic has led to a worldwide social distancing experiment, spiking sales of remote working tools, personal protective equipment, hand sanitizer, toiletries, guns, drugs, alcohol, and much more.
However, the most sought-after item was information — credible and reliable information on COVID-19, virus research, vaccine development, local regulations, and social developments.
Wherever society goes, criminal activity is sure to follow, and in the 21st century, illegal activity has become automated and scaled like never before. Almost overnight, thousands of coronavirus-related domains appeared online.
In this short article, we wanted to take a quick glance at one particular victim of the pandemic — the Internet.
March Madness
Since the beginning of the year, over 120,000 domains containing keywords, such as “COVID” or “Corona”, have been discovered, Euronews reports. In March alone, 40,000 such domains appeared. For this particular quick study, we used CyberTotal, our AI-driven threat intelligence platform, to auto-evaluate the severity and threat levels of March domains. The results were not encouraging.
However, before we talk about what we found, let’s talk about how we found it. We’ll need to talk about Threat.
What is Threat?
CyberTotal assigns a domain one of three possible Threat levels: High, Medium, or Low.
A label of “High Threat” means that CyberTotal classifies this domain as malicious with a high degree of confidence; do not interact with this domain at all. A “Medium Threat” suggests users practice extreme caution with these domains. A “Low Threat” indicates that this should be a fairly safe domain; however, caution, as always, is still needed.
CyberTotal calculates Threat as a function of Severity and Confidence. Severity calculates how malicious a particular domain is on a scale of 1 to 10; numerous factors go into this calculation, including the domain’s reputation among various antivirus vendors, passive DNS, passive URLs, subdomain DNS, WHOIS, OSINT, SSL Certificates, open ports, and much more. Confidence calculates how confident CyberTotal is with its Severity ranking, also on a scale from 1 to 10. In the picture above, Detected indicates that 12 of 93 antivirus vendors classify this domain as malicious or containing malicious files and/or activity.
March Madness Results
Of the domains evaluated, only 6 percent were classified as a Low Threat — six percent. Remember that a Low Threat classification does not rule out the possibility that there is a malicious link or other malicious activity on every page of one domain. It’s still possible.
That leaves 94 percent of the evaluated domains ranging from possibly safe to so incredibly saturated with malware you shouldn’t even type the address into your browser unless you know exactly what you’re doing.
As a result, we strongly urge organizations to (a) treat all coronavirus-related emails and websites with extreme caution, (b) remind staff to be vigilantly aware of coronavirus-related phishing attacks, and (c) acquire their pandemic updates directly from reliable and trusted sources, such as the John Hopkins COVID-19 Resource Center or your local government equivalent of the CDC.
Hopefully, this is nothing new for you.
Hopefully, your IT security team is on point and keeping you and your organization up-to-date and secure. You may have never even clicked on a suspicious link before.
But what if you did?
Where would you go, and what would you see?
Let’s take a quick glance behind two notoriously malicious domains, see what they look like, what would happen if you went there, and how we know they’re malicious.
WARNING: As the following domains are malicious, we strongly urge you NOT to visit them as they may attempt to install malware onto your device via drive-by downloads or other means. View them at your own risk.
Case 1 — Coronavirus Testing
This is the first of two domains we will discuss. Case 2 has an obviously malicious homepage; Case 1’s is less obvious. By seeing two domains on opposite sides of the spectrum, it will be easier for you to picture everything else in between, and there’s a lot of middle ground out there.
The domain coronavirus-testing[.]com claims to provide coronavirus testing and additional services for pneumonia screening. To their credit, their homepage is decent looking and, at a quick glance, seems normal. However, no cybercriminal adds a homepage button labeled: Click to Download Malware. Let’s take a look behind the screen.
Looking at the familiar top left corner, we see that CyberTotal immediately classifies the Case 1 domain as High Threat — completely avoid this domain. Remember that Threat is a function of Severity (Case 1 was given 9 out of 10) and Confidence (7 out of 10). Severity is a function of several factors, including the 11 factors at the bottom of the dashboard.
Below the IP address, we see where it is registered, where it’s located, malicious activity associated with Case 1, who hosts it, when its last activity occurred, and more.
Moving to the bottom of the CyberTotal Dashboard, we see the Reputation View.
By accessing the Reputation View of CyberTotal we can drill down into each of the 12 antivirus vendors and see how they labeled Case 1. Out of 93 antivirus vendors, 12 have already labeled Case 1 as a malicious/malware site; some even go a step further and mention this particular domain has been used for or is capable of C2.
Moving right along the CyberTotal Dashboard, we can access the Passive URL View.
Passive URL data offers a wealth of information for IT security teams and research analysts. In the Passive URL View, we see a list of URLs linked to the Case 1 domain and their reputation. The eventuall[.]com URL, for example, is a definite red flag as 12 out of 80 threat intelligence sources, as recently as the 26th of April 2020, have classified the URL as malicious.
Continuing our quick glance at the CyberTotal Dashboard, we take a quick stop at the WHOIS data for Case 1.
Do you see the problem?
We will give you a second.
If you remember their homepage, they claimed that:
“Due to our extensive development over the years within the industry, we have the infrastructure in place to deliver over 50,000 tests per day to the people that need them. We work with the best to deliver the best.”
However, if they did indeed have “years” of experience within the industry, then it seems highly suspicious that their domain was registered on March 7, 2020. Even if a legitimate organization registered the domain, it is highly suspicious that their legitimate domain wasn’t linked to this particular homepage and vice versa.
While the homepage for the Case 1 domain does a decent job of visually masking its malicious intentions, threat intelligence tools, like CyberTotal, can expose malicious domains in a quick and thorough fashion. Upon further inspection, our Research Team concluded that the Case 1 domain has a high possibility of being a phishing website.
Phishing in Pandemic Waters
Phishing? Phishing is an attempt of obtaining a user’s credentials (personal information, passwords, etc.) through seemingly legitimate methods (email, websites, etc.) but for nefarious purposes, including identity and monetary theft. Phishing is typically done through email as it allows the threat actor to easily scale up their attack. There are various degrees of social engineering with phishing emails, with some emails linking their targets to phishing websites, such as Case 1.
Many threat actors rely on phishing as a key vector for initial access. Successful phishing attacks typically play on the victim’s behavioral response to greed, fear, or recent trends. The paranoia surrounding a worldwide pandemic provides the perfect lure.
As stated earlier in this article, over 120,000 domains with keywords such as “COVID-19” or “coronavirus” have appeared since January 1, 2020. The vast majority of domains we sampled from March alone have a high probability of being malicious.
Case 2 — Coronavirus News
Our second case, coronavirus19news[.]com, claims to be a news website dedicated to COVID-19. Similar to Case 1, the Case 2 domain is also quite notorious. Numerous threat intelligence sources, including our own threat intelligence platform, have labeled this domain as malicious with a high degree of confidence.
Unlike the homepage of Case 1, Case 2 does not mask their intentions that well as the homepage design looks quite questionable. The page does not look polished and looks tossed together without much thought, save for the excellent photo of Xi Jinping.
As we did for Case 1, a quick look into the Reputation View is more than enough to see malicious intentions masked beneath Xi Jinping’s pic. However, unlike Case 1, Case 2 looks to be even more severe with threat intelligence sources classifying the Case 2 domain as a phishing site, C2, cryptomining, scam, and ransomware.
Two of Many
These two domains are two of many malicious web domains seeking to harm users. It’s important to remember that malicious web domains no longer necessarily look as if they were designed in the 90s. They could appear extremely legitimate and could even mimic legitimate web domains.
Being experienced in the use of cyber threat intelligence platforms, such as CyberTotal, to auto-evaluate domains, is an incredible tool that could save your enterprise millions in fees and damages.
Here is a list of over 140 coronavirus-related scams to further your cyber education.
In Summary
While we only briefly looked at two High Threat domains, it’s important to remember that the most important number on the graph above isn’t the 59 percent; it’s the 6 percent. Only 6 percent of the domains from the March sample were classified by CyberTotal as Low Threat, leaving the other 94 percent to be Medium to High Threat.
Due to this major imbalance, it is advisable to take a zero-trust security policy on all coronavirus-related emails. We also strongly advise following trusted sources for up-to-date coronavirus information.
If you don’t have access to a trusted threat intelligence tool, such as our CyberTotal, go through the following checklist to determine whether a domain is malicious or not.
- Check whether the domain has a trusted parent domain, such as a government health care organization.
- Check the domain certificates and check for trusted organizations.
- Check the reputation of this domain, e.g., whether this domain is referenced or cited by other authoritative and trusted organizations.
- If still in doubt, it’s best not to trust this domain.
Stay safe, everyone — physically and digitally.
Follow Us
When you join CyCraft, you will be in good company. CyCraft secures government agencies, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, and SMEs.
We power SOCs with our proprietary and award-winning AI-driven MDR (managed detection and response), SOC (security operations center) operations software, TI (threat intelligence), Health Check, automated forensics, and IR (incident response), and Secure From Home services.
Additional Related Resources
- CyCraft CEO, Benson Wu, and CyCraft Global Project Manager, Chad Duffy, speak on the latest MITRE ATT&CK Evaluations. Read their thoughts on our results and the philosophy powering CyCraft.
- Learn how we detected and defeated a foreign APT targeting Taiwan’s high-tech ecosystem. Read our full analysis and malware reversal.
- Has your organization recently shifted to a Work From Home environment? Learn how to receive three free months of our Secure From Home service.
- Our Enterprise Health Check drops your mean dwell time down from 197 days to under 1 day without false positives or false negatives. Know with confidence if hackers have penetrated your enterprise.
