Never in the history of humanity has ever been an epoch where human activity has been at a standstill like this. In this apocalyptic scenario, we are locked inside our homes but working, chatting, watching movies online, and performing our duties, too.
During this time of uncertainty and increased online activity, anti-social elements seek to exploit this pandemic for personal gains. ICANN, the global internet registry has issued a communique stating that there has been a barrage of new domain registrations in the last three months, especially those related to the theme ‘corona’ or ‘COVID-19’.
On a single day of 20 March, more than 3000 domains were registered with the theme ‘covid’ or ‘corona’.
In one month, more than 100,000 new web domain names were registered containing terms like corona, covid, and virus.
Before 2020, ‘corona’ domains were largely related to a beer brand name, geographical locality, or service. On a comparative baseline of Jan-March last year, these accounted for a monthly average of 288 certificates. Prior to 2020, no references to ‘covid’ existed in any certificate registrations, excepting an accessory manufacturer COVID, based in Arizona.
Significant Jump in Coronavirus Related Domain Names
ICANN also expressed deep concerns that while some of them may be for legitimate purposes by governments, individuals and corporates, many of these are most probably malicious. An analysis shows that 6.5% of domains are related to malicious activities and are ‘fake domains’—a fraudulent website that looks similar or identical to the legitimate one.
Some reasons for the rise in such fake domain registrations are as follows:
- For abject virus-related sales such as masks, preventative care, cleaning supplies or services, bogus vaccines among others
- For outright fraud, phishing, misinformation, and the distribution of malware
- To compromise the original site’s target audience by serving malware
- To draw readership from the original website and display alternative content
- To trick the users into sharing their private information, such as banking credentials or other account passwords
- To get money transferred by creating identical websites of authority, government(schemes), banks etc.
- To create confusion and/or spread hatred among a targeted community.
‘PM-CARE Fund’ and Other Frauds
Within a few hours of the announcement about Prime Minister's Citizen Assistance and Relief in Emergency Situations Fund (PM CARES Fund) half a dozen similar sounding websites were created, but tracked down. These had names such as “PM-care” etc. National Cyber Security coordinator chief Lt Gen Pant said “Fortunately, we have an efficient mitigation mechanism and organisations like CERT-In and the bank staff which are working round the clock to block such malicious sites.”
The United States Justice Department has filed its First Enforcement Action Against COVID-19 Fraud. It took this action in a federal court to combat coronavirus (COVID-19) pandemic related fraud. The enforcement action filed in Austin against operators of a fraudulent website follows Attorney General William Barr’s recent direction for the department to prioritize the detection, investigation, and prosecution of illegal conduct related to the pandemic. It was found that the operators of the website “coronavirusmedicalkit.com” were involved in a wire fraud scheme which sought to profit from the COVID-19 pandemic.
Apart from governments, domain registrars are also initiating steps to combat fraud.
Namecheap, a domain registrar, has established special reporting channels for COVID-19 related fraud and/or abuse. Namecheap will no longer be accepting any new domain applications which include the words “coronavirus,” “covid,” and “vaccine”. They have urged users to report illegal or abusive activity related to COVID-19 on their portal. Godaddy, one of the most popular registrars, has been taking down malicious pandemic themed domains.
How COVID and Coronavirus Themed Lures Work
Corona themed lures range from run-of-the mill scams to non-targeted spam campaigns which are primarily used for credential harvesting. COVID-19-specific malware and phishing ‘kits’ are also on sale by professional cybercriminals.
There are many ways cyber criminals are taking advantage of the pandemic. For example, an attacker impersonates a (senior) executive in email and issues instructions such as approving payments or tricking the victim into making money transfers to the bank accounts of the fraudster. The pandemic provides a strong context for changes in regular business practices facilitating the tactic.
In many cases the victims are induced to follow a malicious link ostensibly to get “more or updated information” on the COVID-19 infection rates in their local area.
Such malicious links lead to a malicious payload which downloads additional exploits, this way a communication call back with cybercriminals is established. The cybercriminal can then remotely control actions on the victim’s machine and conduct any harmful act.
Nation state groups are also not behind, the ‘Chinese’ APT group Mustang Panda in March 2020 delivered implants through multiple spam campaigns. Multiple malicious documents were used in emails and other communications to compromise victim infrastructure.
Malicious android app (APK) downloads have also seen quite a surge. Around 15th of March this year a new family of Android ransomware called CovidLock, began targeting users. The most worrisome aspect is that these malicious apps were hosted on sites masquerading as hosts for valid real-time pandemic related information tracking apps. Once the device is infected the ransomware tricks users into providing full device control by asking for misleading permissions through request dialogs.
The dark web is also abuzz with (.onion) sites claiming to sell COVID-19 and coronavirus related supplies. Everything ranging from masks, sanitiser and cleaning supplies are available for purchase if payments are made in BTC (bitcoins). Users should be made aware that these are scams, which just collect Bitcoins and never deliver anything. Another dangerous trend is to sell cures and vaccines charging upto USD 5000.
How Indian Authorities Are Combatting Coronavirus Themed Cyber Crime
Under Section 69A of the Information Technology Act 2000, the government has power to issue directions for blocking of websites/URLs for public access of any information through any computer resource if they threaten the sovereignty and integrity of the country, foreign relations, public order, and security of the state, among other grounds.
If the government/authority requests the ISP to block a specific page, it’s added to the blacklist, and isn’t allowed on the bridge and authorities can also request for blocking of full domain. However, this approach is flawed with limitations as it is only country specific and with VPN/proxies/TOR this can be surpassed easily.
CERT-IN is the single authority for issuing instructions in the context of blocking of websites in India. CERT-IN, after verifying the authenticity of the complaint and after satisfying that action of blocking of the website is absolutely essential, instructs the Department of Telecommunications (DOT) - (LR Cell) to block the website. DOT, under whose control the Internet Service Providers (ISPs) are functioning will ensure the blocking of websites and inform CERT-IN accordingly.
Another procedure for blocking of websites is via court orders, many of which are passed in intellectual property right infringement cases.
Lessons for Corporates and Individuals
One should not click on a link or download an app unless one is very sure of the authority/organisation/company to which the app/site belongs. Corona themed messages, sites and communications, links or malicious documents—when used by cybercriminals—may contain the following hooks which should be considered as Red Flags:
1. Urgency – Communication on sms or email which creates a sense of urgency which delivers threats of negative consequences in relation to coronavirus pandemic should be cautiously treated.
2. Authority - People easily comply with requests received from people with more authority than they have, thus corona themed messages and sites may impersonate government or medical authorities.
3. Emotion – Does the message evoke strong emotions or make you panic, fearful, hopeful, or curious? The use of threatening language, false claims of support, or attempt to whip your curiosity to find out more are used as successful baits.
4. Scarcity – Is the message offering something which is too good to be true? It may also contain panic messages about short supply of something. Avoid them!
Apart from this, general cyber hygiene principles like using anti-virus patching and upgrading operating system and softwares should be regularly done. In case of suspected breach it should be immediately brought to the notice of relevant authorities.
(Brijesh Singh is Inspector General of Police, Maharashtra. He tweets @brijeshbsingh . Khushbu jain is practicing Advocate in Supreme Court of India. She tweets @advocatekhushbu. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)