Cooperating and defending against COVID-19 scammers

By on 14 May 2020

Category: Tech matters

Tags: , , ,

Blog home

As if the novel coronavirus wasn’t bad enough, networks around the world are currently facing an increasing infestation by callous cyber criminals who cynically exploit the pandemic to scam users and to deploy malware.

Social engineering and phishing are not new threats but the danger here to both end users and essential operator staff is that the emergency could lead to people letting their guards down.

That is, for example, a well-crafted email that mimics a government or health authority in a particular economy and sent to users in that region might be deemed to be credible as people are worried about the COVID-19 pandemic and feel they need to open the message and check what it says.

If this is a concern and at the operator level you want to take action to mitigate the threat, the COVID-19 Cyber Threat Coalition (COVID-19 CTC), comprising thousands of independent and vendor information security researchers could be a resource worth checking out.

The coalition’s Chief Security Fanatic, Nick Espinosa, explained that COVID-19 CTC is a temporary organization that came together on 9 March 2020.

“We’re here as long as the COVID-19 issue is a cyber threat,” says Nick.

“Once that is past, we’re happy to turn over our feeds and more to existing bodies for threat intel sharing, like the Cyber Threat Alliance.”

COVID-19 CTC recently published a blocklist with data sets that could be used to deny access to malicious sites seeking to exploit the COVID-19 pandemic. The data is curated, vetted and sourced by threat intelligence indicator sharing among COVID-19 CTC members.

The COVID-19 CTC blocklist currently comprises four data sets freely downloadable with no registration required, as ASCII text files:

  • domain.txt
  • hash.txt
  • ip.txt
  • url.txt

Of these, the domain.txt and and url.txt are populated at the moment.

APNIC’s Senior Internet Security Specialist, Adli Wahid, is familiar with the work of COVID-19 CTC and that of other, similar groups and looked into the blocklist and what it can do.

“The two COVID-19 CTC data sets that are provided currently can be used to block malicious sites at the DNS level,” explains Adli.

“Smaller installations could use a Pi-Hole security device to sinkhole malicious sites. It’s also possible to set up special zones for BIND that stop malicious domains from resolving, or redirecting users to landing pages that warn them about scam attempts.”

“There are COVID-19 CTC feeds that can be used with threat intelligence sharing products like the open-source Malware Information Sharing Platform (MISP). MISP can use the feeds to create intrusion detection rules for Snort and similar systems to detect and block attacks.”

The people behind MISP also operate an instance for sharing COVID-19 themed threat intel, which you can register for.

“Another use is to incorporate the COVID-19 CTC data into security information and event management (SIEM) systems to look for malicious activity,” adds Adli.

While the COVID-19 CTC data sets are a useful resource for operators defending against scammers, Adli hopes that future versions will have time and date-stamped entries.

“With those fields added, it would be possible to verify the age of the entries and also to use a subset of them for analysis spanning a given time range,” he says.

Obviously, using any kind of blocklist against COVID-19 themed scams must be done with care so as to avoid false positives and negatively impacting your infrastructure.

Concerned about the clear danger the deadly pandemic represented to public health, in New Zealand, the Domain Name Commission (DNC) triggered the official powers granted to it after the Christchurch mass shootings, and began in March 2020 to actively validate COVID-19 related domain names. Domain name commissioner Brent Carey said the emergency and exceptional powers allow for the suspension of domain names with fake registration details.

The powers have been extended to 15 October 2020 and the DNC is being transparent about the process. Brent said the DNC is publishing weekly lists of domain names that are less likely to be associated with malicious websites, or email addresses. The lists published are in text format, and can be incorporated into defensive systems’ feeds.

Other ccTLD operators have acted on COVID-19 abuse as well, and share information with each other such as keywords to look out for, as well as monitoring new registrations.

The .eu registry, EURid vzw, is using machine learning with its Abuse Prevention and Early Warning Systems (APEWS) to protect end users from domain name misuse. Other registrants are cooperating with the police forces and cybersecurity organizations in their respective jurisdictions, to keep COVID-19 criminals at bay.

Juha is a technology writer and journalist, based in New Zealand. He is a contracted contributor to the APNIC Blog.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *