Typosquatting Protection: A Necessary Defense Against Coronavirus-Themed Campaigns?
How can you defend against cybercriminals that use social engineering baits every time something big occurs?
– Jonathan Zhang, CEO at Whois XML API
Walnut, Calif. – Mar. 13, 2020
Cybercriminals keep up with social engineering baits every time something big hits the fan — and ethics is surely not one of their considerations. So, even the coronavirus that has been causing worldwide concern and panic has figured in ploys to lure and deceive users. Let’s take a closer look at what these threats entail and how to build up defenses, notably by practicing typosquatting protection.
Threats in the Time of the Coronavirus
It’s not the first time that we have seen attackers use sites claiming to provide pertinent information on a disease to conduct attacks. Back in 2014, we witnessed Ebola-related phishing scams and malware campaigns. History is repeating itself with the latest coronavirus outbreak. In the past few months, we have seen at least two major coronavirus-themed attacks:
- Cybercriminals are spreading Emotet, a banking Trojan that steals victims’ accounts and other credentials via fake emails with malicious attachments. To lend credibility to their claims, they pretend to be part of respected healthcare organizations giving information on how to avoid contracting the illness.
- Attackers are also using the outbreak as a phishing attack lure, claiming to be part of the Centers for Disease Control and Prevention (CDC) to convince users to click an embedded link. The linked page looks like an Outlook page that asks potential victims to log in to view the supposedly useful content. To make the link look authentic, the phishers used a domain look-alike (cdc-gov[.]org), which closely resembles the spoofed organization’s (cdc[.]gov).
Bulk-Registered Coronavirus-Themed Domains
We further checked for the existence of typosquatting domains by reviewing typosquatting data feed files from January 21 to February 17, 2020. We noticed a spike in bulk domain registrations for keywords related to the coronavirus with 750 new domains found within that period.
We further scrutinized them and found that a majority are parked and up for sale. That is not surprising since registering potentially profitable domains is done all the time. Some owners even put the domains to use by housing pay-per-click ads while they wait for buyers, which is not an illegal practice. Overall, to our knowledge, none of the sites hosted on the domains so far showed ties to phishing or other fraudulent activities.
Yet while these sites do not cause harm to visitors from an information security standpoint, they certainly do not help those looking for reliable data about the coronavirus. Take this site, for instance (we have kept its domain hidden):
In its current state, it does not look like a valid information source. Now suppose its design were improved and the site were taken over or reused by cybercriminals: it could fool a lot of unwary users.
Having dug deeper into it, we noticed a few things that caught our attention:
- Why is a page that is in the development stage publicly visible (especially when the subject is of such importance)?
- Why did its owner redact his/her registrant information?
- Why are the news articles on it mostly from third-party blogs instead of reputable news outfits or government institutions?
- Why would an information page ask users for their phone numbers and email addresses?
While none of this is proof of foul play, visitors should remain wary.
Additionally, our typosquatting data feed file for February 17, 2020, revealed seven more newly registered domains with the keyword “coronavirus”:
Note their theme. Any one of them could be used to lure victims looking for insurance or medical treatment providers into a phishing scam.
Best Practices for Typosquatting Protection
Proactive investigations using tools such as a typosquatting data feed can help users avoid falling prey to cyberattacks.
Apart from avoiding typosquatting domains, users can also use a brand monitoring tool to look out for newly registered domains (NRDs) that mimic the domains of healthcare organizations such as the World Health Organization (WHO) or the CDC. By tracking keywords such as “WHO” and “CDC,” they can receive an alert every time a domain containing one of these is registered. It is advisable, however, to verify findings with a WHOIS lookup to see whether the NRDs are indeed connected to the organizations they claim to be part of.
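As an added example (not code from the original post or from WhoisXML API), here is the watchlist idea from this section as an offline triage script: it takes a constructed list of newly registered domains and flags the hyphen-for-dot trick seen in cdc-gov[.]org, near-identical labels under other TLDs, and coronavirus-themed keywords. The watchlist, keyword list and every sample domain other than the cited look-alike are assumptions made for illustration.

```python
# Added example, not code from the original post or from WhoisXML API:
# flag newly registered domains (NRDs) that imitate watched brand domains.
# The NRD list below is constructed; cdc-gov.org is the look-alike cited
# in the post, every other name is invented for illustration.
# Brand domains to protect, as the post suggests for the CDC and WHO.
WATCHLIST = ["cdc.gov", "who.int"]
THEME_KEYWORDS = ("coronavirus", "covid", "corona", "ncov")

# Constructed sample of newly registered domains (not real feed data).
SAMPLE_NRDS = [
    "cdc-gov.org",                    # hyphen-for-dot look-alike from the post
    "cdcgov.net",                     # dot simply dropped
    "cdc.com",                        # same label under another TLD
    "cdcc.org",                       # one typo away from the brand label
    "coronavirus-insurance.example",  # themed lure, imitates no brand
    "weather-today.example",          # benign control
    "cdc.gov",                        # the genuine domain, must not be flagged
]

def levenshtein(a, b):
    """Plain edit distance; labels are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level_label(domain):
    """Label left of the TLD. Assumption: single-label public suffixes only."""
    return domain.lower().strip(".").split(".")[-2]

def classify(domain):
    """Return the reasons a domain looks suspicious (empty list = not flagged)."""
    domain = domain.lower().strip(".")
    if domain in WATCHLIST:            # the genuine brand domain itself
        return []
    label = second_level_label(domain)
    reasons = []
    for brand in WATCHLIST:
        if label in (brand.replace(".", "-"), brand.replace(".", "")):
            reasons.append("flattened " + brand)         # cdc-gov, cdcgov
        elif levenshtein(label, second_level_label(brand)) <= 1:
            reasons.append("within 1 edit of " + brand)  # cdc.com, cdcc.org
    if any(k in label for k in THEME_KEYWORDS):
        reasons.append("coronavirus-themed keyword")
    return reasons

def triage(nrds):
    """Flagged domains with their reasons; confirm hits with a WHOIS lookup."""
    return {d: classify(d) for d in nrds if classify(d)}
```

Short brand labels make the edit-distance rule noisy, so a hit is a prompt for the WHOIS verification the post recommends, not a verdict.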
A domain’s reputation score is also a good indicator of whether it can be trusted. We ran one of the URLs listed as an indicator of compromise (IoC) for the Emotet campaign (http[:]//erasmus-plius[.]tomasjs[.]com/wp-admin/kfespccg/) through our domain reputation tool and found that, apart from having issues and misconfigurations, the domain does not match the one indicated in its certificate.
Scammers are always up for profit, even if it means using tragic events like the coronavirus outbreak. Users and visitors must, therefore, remain vigilant and pay attention to related sites, messages, files, and other lures that can be used against them by following best cybersecurity practices including typosquatting protection.
– Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, an intelligence vendor trusted by over 50,000 clients.
Sponsored by Whois XML API
Precise and exhaustive data is vital for cybersecurity professionals to analyze and prevent cybercrime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive cybersecurity package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, and data intelligence enrichment across a variety of SIEM, orchestration, automation and threat intelligence platforms.