
Beware Of And Other Coronavirus-Themed Domains

The likely victims, and what they can lose

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – May 11, 2020

With people losing jobs and businesses closing shop due to the coronavirus pandemic, the U.S. government decided earlier this year to release financial aid. This assistance comes in the form of a US$2-trillion monetary stimulus package implemented through the Coronavirus Aid, Relief, and Economic Security (CARES) Act. To date, some 88 million eligible Americans have received stimulus checks amounting to US$1,200 per individual.

And as the government hints at giving out another round of stimulus checks, there are debates on how these could reach citizens faster. Some have suggested using digital dollars for additional financial aid. The approach, it’s said, would be faster or maybe even instantaneous compared to sending out regular checks, which take weeks to reach citizens by mail.

While distributing the stimulus packages through digital currency could arguably make sense, there is also a need to educate Americans about the dangers of online financial transactions and the fraudulent schemes built around them. A newly registered domain (NRD) database, for instance, revealed that thousands of coronavirus-themed domain names have started popping up. And this is not a good sign. Among these domain names are some that possibly use the stimulus package as a lure. We dug deeper into the stimulus-themed domains using a typosquatting data feed.

Why the Surge in Coronavirus Stimulus-Themed Domain Registrations?

The Internal Revenue Service (IRS) is the government agency tasked with distributing stimulus checks. U.S. citizens can check their eligibility and the status of their stimulus payout on a page hosted on the IRS website: irs[.]gov/coronavirus/get-my-payment. There, they can also ask questions, request clarifications, or give feedback.

So, the government agency doesn’t need a new domain name to inform citizens. That makes the surge in coronavirus-stimulus-themed domain names a cause for concern. Examples of such recently registered domains include the following:

  • donateyourstimuluscheck[.]org
  • donateyourstimuluscheck[.]com
  • donationyourstimuluscheck[.]com
  • coronavirusstimuluspackage[.]info
  • coronavirusstimuluspackage[.]org
  • thecoronavirusstimuluspackage[.]com
  • covidstimulus[.]icu
  • covid19stimulus[.]org
  • covid-stimulus[.]icu
  • getyourstimuluscheck[.]info
  • getyourstimuluscheck[.]org
  • getyourstimuluscheck[.]com
  • stimulusconsultant[.]org
  • stimulusconsultant[.]info
  • stimulusconsultant[.]com
  • covid19stimulusloanassistance[.]com
  • covid19stimulusloanassistance[.]net
  • covid19stimulusloanassistance[.]info
  • covid19stimulusloanassistance[.]org
  • homelessstimulus[.]com
  • homelessstimulus[.]us
  • homelessstimulus[.]org
  • homelessstimulus[.]net

The domain “getyourstimuluscheck”, registered under several different top-level domain (TLD) extensions, is quite suspicious, for one. Eligible citizens receive their stimulus payouts via bank deposit or check. There are no middlemen in the payout, so citizens should be wary of emails and websites telling them to fill out or download a form in order to claim their checks.

While some of these domains may serve legitimate purposes and provide relevant information, several may also be deceiving or fraudulent. How would we know?

For one, the WHOIS records of most of the domains were redacted for privacy, so they aren’t as transparent as one could wish when trying to find out who is behind these offers of stimulus packages and monetary benefits. The registrant countries of some of the domains are also not the U.S., making them all the more suspicious.

So, while we can’t say for sure, these domains may figure in various nefarious activities such as financial scams, malware distribution, and data theft, or at the very least domain parking.

The Likely Victims and What They Could Lose

We are living in desperate times, and everyone, regardless of economic status, is affected by the pandemic. Iconic businesses have closed stores and manufacturing plants, including Apple, Barnes & Noble, Bloomingdale’s, Boeing, Ford, and General Motors. The U.S. Chamber of Commerce reported that one in four small businesses has shut down due to the coronavirus pandemic. As a result, hundreds of thousands of people have lost their jobs.

So, many could fall victim to coronavirus-themed scams. Even those who are not eligible to receive a stimulus check could fall for the ruse in the hope that they, too, can get financial assistance. And worse, victims could lose so much more than the amount on their stimulus checks. A hopeful click on a link embedded in a phishing email could plant a keylogger on a victim’s device, allowing threat actors to steal sensitive information such as bank details and Social Security numbers.

In the worst-case scenario, cybercriminals could access victims’ bank accounts, steal their money and identity, and even redirect future stimulus checks to a different address. Cyber fraud could also be made a lot easier for threat actors if potential future stimulus packages were to get paid out in digital dollars.

Protection from Financial Scams

Protecting oneself from coronavirus-themed scams is not very different from protecting oneself against any other type of financial scam. Education is key. Citizens should be made aware that stimulus-themed scams probably already exist or soon will, as the number of suspicious domain registrations using the theme suggests.

Companies that are still operating with a reduced workforce should also reinforce their cybersecurity infrastructure and take into account that employees are working from home.

There has been a significant increase in coronavirus-themed domain registrations, including stimulus-themed domain names such as the ones cited above. Using a typosquatting database for domain monitoring can therefore be worthwhile, especially when combined with WHOIS lookup tools or a historic WHOIS database to learn more about the registrants behind these registrations.
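The monitoring approach described here and the heuristics used on the domain list above (a lure keyword in the label, the same label registered under several TLDs, redacted WHOIS, a non-U.S. registrant) can be turned into a simple triage pass over an NRD feed. The following is an added example, not code from the article or from Whois XML API; the feed records and their WHOIS fields are constructed for illustration, and the scoring weights are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of a newly-registered-domain (NRD) feed, written defanged
# the way the article lists the domains. The WHOIS fields are made up.
SAMPLE_FEED = [
    {"domain": "getyourstimuluscheck[.]info", "whois_redacted": True, "registrant_country": None},
    {"domain": "getyourstimuluscheck[.]org", "whois_redacted": True, "registrant_country": None},
    {"domain": "getyourstimuluscheck[.]com", "whois_redacted": False, "registrant_country": "PA"},
    {"domain": "homelessstimulus[.]us", "whois_redacted": False, "registrant_country": "US"},
    {"domain": "springgardencenter[.]com", "whois_redacted": True, "registrant_country": None},
]

# Lure terms taken from the domain themes discussed in the article.
LURE_RE = re.compile(r"stimulus|covid|coronavirus")


def refang(domain):
    """Turn a defanged name like 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").lower()


def split_domain(domain):
    """Split 'label.tld' into (label, tld) on the last dot."""
    label, _, tld = refang(domain).rpartition(".")
    return label, tld


def triage(feed):
    """Group lure-themed registrations by label and score each cluster.

    Assumed weights: +2 for a lure term, +1 per extra TLD the same label was
    registered under, +1 if any WHOIS record is redacted, +1 if any registrant
    country is outside the US. Labels without a lure term are dropped.
    """
    clusters = defaultdict(lambda: {"tlds": set(), "redacted": False, "foreign": False})
    for rec in feed:
        label, tld = split_domain(rec["domain"])
        if not LURE_RE.search(label):
            continue
        c = clusters[label]
        c["tlds"].add(tld)
        c["redacted"] = c["redacted"] or bool(rec["whois_redacted"])
        country = rec.get("registrant_country")
        c["foreign"] = c["foreign"] or (country is not None and country != "US")
    return {
        label: {"score": 2 + (len(c["tlds"]) - 1) + int(c["redacted"]) + int(c["foreign"]),
                "tlds": sorted(c["tlds"]), "redacted": c["redacted"], "foreign": c["foreign"]}
        for label, c in clusters.items()
    }


if __name__ == "__main__":
    for label, f in sorted(triage(SAMPLE_FEED).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{f['score']}  {label:<24} tlds={','.join(f['tlds'])} "
              f"redacted={f['redacted']} foreign={f['foreign']}")
```

Clusters with the highest scores are the ones worth a manual WHOIS and content review first; a single lure-term registration with open, domestic WHOIS still appears, but ranks low.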


Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, an intelligence vendor trusted by over 50,000 clients.

Sponsored by Whois XML API

Precise and exhaustive data is vital for cybersecurity professionals to analyze and prevent cybercrime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS, and threat intelligence data feeds that are essential to their work. It’s an exhaustive cybersecurity package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, and data intelligence enrichment across a variety of SIEM, orchestration, automation, and threat intelligence platforms.