Top open source resources to stay vigilant against COVID-themed cyber attacks

 

As the coronavirus pandemic spreads rapidly across the globe, a panic-stricken populace already confined to their homes, faces the emerging threat of COVID-themed cyber attacks. The trend of recent cyber crimes indicates a spike in the number of COVID-related malicious domains, malware attacks, as well as phishing campaigns. As a result, organizations are left with the daunting prospect of securing their assets, and that of their clients, against adversaries profiting from the pandemic. Without an effective strategy, or the right intelligence, it will be impossible to ward off such attacks.

In this article, we have consolidated popular open source threat intel resources that can help you combat COVID-themed cyber attacks. These open source resources provide the latest intelligence and observations on cyber threats to alleviate the impact such attacks could have on the global community.

COVID-19 Cyber Threat Coalition

Cyber Threat Coalition (CTC)  is the result of combined efforts of around 3,000 security professionals who gather, analyse, and share intelligence pertaining to new COVID-themed threats. At present, the largest contribution of COVID-themed datasets are produced by CTC.  Moreover, they prioritize and defend essential services and the front-line medical sector, against threats. The telecommunication sector is also a part of essential services, as more people shift to remote work.

How does CTC alert organizations?

  • Typically, they examine millions of data points contributed by organizations or individuals, and run the indicators through several security products. 
  • If at least 10 of these security products identify the data point as a threat, CTC volunteers manually verify such findings and add malicious feeds to its Blocklist. If only 5-9 security product vendors identify the data point as malicious, they will be manually verified as malicious feeds before adding them to the Blocklist.
  • This Blocklist helps organizations and individuals, across the globe, block malicious traffic arising from fraudulent activities.
  • Additionally, they have a Beta MISP feed that details the various threat indicators (accessible to those who have set up MISP).

How can you contribute?

  • CTC maintains a Slack workspace, the invitation for which is available on their official website. This workspace is for researchers who may have information regarding COVID-themed cyber attacks. In addition, they also have a slack room to announce updates, and new developments: #ctc-official-announcements 
  • Their Alienvault open threat exchange (OTX) also gathers data feeds from researchers. CTC considers Alienvault OTX as their primary source of raw data feeds. They are encouraging anyone with high quality threat intel, to join this platform.  

Here is the CTC Blocklist for vetted malicious domains and IP addresses:

COVID-themed cyber attacks: Alienvault OTX group
Alienvault OTX group

COVID-19 CTI League

(https://cti-league.com/)

This is a collective of experts and Incident Responders, from across 40 countries, which gathers COVID-related threat intelligence. Senior Microsoft and Amazon officials are also part of this team. CTI League is geared towards neutralizing cyber threats against the front-line medical sector and critical infrastructure. 

How is the medical sector benefiting from the CTI League?

  • CTI accepts IR (Incident Response) requests from organizations, to detect security incidents and keep them in check. To achieve this, the CTI League connects with researchers and analysts from 22 different time zones. Volunteers help the community find the most appropriate individuals who can secure medical institutions and resources in their location.
  • They assist in taking down websites, web pages, or files from the internet, and escalate cyber attacks, malicious activities, or critical vulnerabilities, to law enforcement agencies and national CERTs.
  • They provide reliable databases, of high-priority indicators of compromise, that help the medical sector investigate and block malicious activities. 

Cyber Threat Alliance

(https://www.cyberthreatalliance.org/)

This is a not-for-profit membership organization that focuses on phishing lures and malware attacks. They help thwart attempts to harm the medical sector, in the time of this unprecedented crisis.

What are they offering?

PhishLabs

(https://www.phishlabs.com/covid-19-threat-intelligence)

Phishing is the most common cyber threat. And even as the world tries to make sense of the coronavirus epidemic, scammers are busy cashing in on the fear and anxiety.  PhishLabs, a team of cybersecurity experts, combines their efforts to provide free resources of Coronavirus-related threat intelligence, with their primary focus on phishing attacks.

What have they got to offer?

Their database is updated with the latest on COVID-themed phishing email, malicious URLs, and domains. They present and share the data in a zip file containing phishing lures (as image files), and phishing URLs (in .xlsx format).

PhishLabs image files
PhishLabs image files

Checkphish: Coronavirus Scam Tracker 

(https://checkphish.ai/coronavirus-scams-tracker)

Checkphish maintains a global dashboard that tracks the latest Coronavirus-themed phishing scams. The results are classified into scams and suspicious sites. Moreover, for each website, it provides scam feeds in the .tsv format.

Sample: https://checkphish.ai/data/covid_feed.tsv

Checkphish scam tracker feed
Checkphish scam tracker feed

The dashboard also allows you to run free URL scans to identify malicious websites. For each queried domain and the domains which are already in the list the dashboard also incorporates website screenshots, Passive DNS (of hosts and domains hosted on given IP), details of similar domains, and their WHOIS information.

COVID-themed cyber attacks: Checkphish dashboard
Checkphish dashboard

MISP 

(https://covid-19.iglocska.eu)

Malware Information Sharing Platform (MISP) is an open source threat intelligence platform. They provide IDS signatures for COVID-19 cyber intrusions in various formats such as: STIX, STIX2, Text, csv, etc., They also allow users to automate the process of collecting information. Researchers and interested parties are only required to send a direct message to the team to access https://covid-19.iglocska.eu/.

Events on MISP
Events on MISP
Post that directs users to a frequently updated dataset
Post that directs users to a frequently updated dataset

RiskIQ

RisqIQ PassiveTotal offers access to RisqIQ datasets such as passive DNS, extensive DNS data, WHOIS registration details, and SSL certificate details. And, as a response to the rising number of COVID-themed cyber attacks, they also share lists of Coronavirus-related domain names that contain ‘covid’, ‘coronav’,  ‘vaccine’, ‘pandemic’, or ‘virus.’ These may or may not be malicious. To facilitate an investigation into these domains, interested analysts are allowed 30-days access to use PassiveTotal, RiskIQ’s threat research platform. 

Links to the lists of COVID-themed domain names:

https://covid-public-domains.s3-us-west-1.amazonaws.com/list.txt (consolidated list)

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-YYYYMMDD

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-20200420

Covid-19 Medical Supply Scams from RisqIQ dashboard.
Covid-19 Medical Supply Scams from RisqIQ dashboard.

RisqIQ Dashboard: https://community.riskiq.com/

Github CTI league Repo

(https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE)

A GitHub repository, dubbed as COVID-19-CTI-League, also shares vetted, approved IOCs of COVID-themed cyber attacks. Even though the name of the repository resembles the community CTI League (discussed earlier), they aren’t related. 

COVID-themed cyber attacks: CTI League Slack discussion  
CTI League Slack discussion

Independent Researchers And Feeds

Although we have listed out the big names in cyber security, it is important to know that there are individual researchers and cyber security bloggers committed to resolve and neutralize the attacks surfacing during the epidemic. They share their analysis and findings on social media platforms such as Twitter. Here are some of them:

@dustyfresh

Twitter user DustyFresh has set up a feed, updated every 30 seconds, which scans for new COVID-related hostnames discovered in certificate transparency logs. He uses keywords coronavirus, covid19, covid-19, covid, pandemic, etc. 

Although most of the domains in this list are considered malicious, it is upto researchers to figure this out.

@sshell_

Another researcher who goes by the Twitter handle @sshell_ created a real-time dashboard of malicious websites. This dashboard leverages RiskIQ’s feed (mentioned earlier) and lists COVID-themed malicious domains in real-time.

@sshell feed
@sshell feed

@LukasStefanko 

Independent researcher and ESET mobile malware analyst, Lukas Stefanko, tracks COVID-related malware attacks that target Android users, on a daily basis. 

Threatfeeds.io

(https://threatfeeds.io/)

This is another open source threat intelligence platform that gathers Indicators of Compromise from various sources. It allows users to download data for free.

MalwareBazaar

(https://abuse.ch/blog/introducing-malwarebazaar/)

Abuse.ch provides free malware samples that are easily downloadable. MalwareBazaar hopes to help researchers understand malware samples and use the intelligence for further analysis. 

Advisories

The official Twitter accounts of government agencies are also provide regular updates on the latest scams and scamming tactics: 

@CyberDost

Indian Ministry of Home Affairs offers tips and advises the public on safe internet practices, through its Twitter handle @CyberDost and its official website National Cyber Crime Reporting Portal. These platforms can also be used to report any malicious cyber activity that you come across. 

@Europol

This is the Twitter handle of European Union’s Agency for Law Enforcement Cooperation. Europol shares recent trends in cyber attacks and scams themed after the Coronavirus pandemic.

 

Figure 1: Homepage of hxxp://paytm-megaoffer.com*

Chronic Phishing Targets Paytm, Flipkart, Amazon users

During the 2019 — 2020 holiday season, XVigil identified several phishing sites targeting popular eCommerce companies. Many of the domains were registered in December and were subsequently taken down after Christmas or New Year. This indicates that the sites’ main targets were shoppers, eager to avail holiday discounts.

Detection of phishing sites

XVigil’s fake domain finder monitors the web for fake or similar looking domains that might infringe on a brand. When we calibrated XVigil to monitor Indian eCommerce companies, we detected a wide range of phishing domains.

Examples of sites detected by XVigil:
Homepage of phishing site hxxp://paytmmallcart.com*
Figure 1: Homepage of hxxp://paytmmallcart.com*

hxxp://paytm-megaoffer.com*
hxxp://wowbuzz4.com/pytm_mall*
hxxp://paytmmallcart.com*
hxxp://flipkart-loot-offers.com*
hxxp://newyearflipkart.com*
hxxp://flpkartchrismus.com*
hxxp://amaazon.club*
hxxp://amozonsale.online*
hxxp://amaz-onofferzz.in*

 

Overall Investigation

  • Firstly, we ascertained the phishing sites’ domain details, including the server, IP, registrant, and admin.
  • Prima facie, we were able to determine that the sites had certain similarities:
    • Irrespective of the eCommerce site being targeted, the most common payment platform was Paytm payment gateway.
    • Many of sites, including 2 Paytm phishing sites (hxxp://paytm-megaoffer.com* , hxxp://wowbuzz4.com/pytm_mall*) were hosted on the same IP. So, both the sites could be the work of the same scammer/ group of scammers.
  • Some sites, though not hosted on the same server, share overall website design, look and feel, site navigation, and data input methods.

Paytm phishing analysis

  • The sites appear familiar and trustworthy because:
    • The look and feel of the sites are similar to the official Paytm site.
    • Usage of Paytm logo.
    • Transacting through the widely trusted Paytm payment gateway.
  • The sites list a limited number of products, but at highly discounted prices. For example: the listed price of the iPhone 11 is INR 5999. And there is a countdown that indicates the offer is valid only for the next few minutes. These factors make it tempting, for even the most discerning of customers, to make hasty purchases.
  • The following characteristics of the sites are proof of the scammers’ rudimentary technical skills:
    • Presence of default or dummy content.
    • Poor web design features such as blurred images and grammatical errors.
    • Poor coding practices such as the absence of validation of details entered in the phone number and pin code fields.
    • The conspicuous lack of https certification.
    • Limited product catalogue.
    • Unbelievably low pricing.

      Dummy content in the blog section of phishing site hxxp://paytmmallcart.com*
      Figure 2: Dummy content in the blog section of hxxp://paytmmallcart.com*
How the phishing sites work

The shopper browses the site and adds the product to the cart.

The iPhone 11 listed for INR 5999 on phishing site hxxp://paytmmallcart.com*
Figure 3: The iPhone 11 listed for INR 5999 hxxp://paytmmallcart.com*

The billing section collects the customer’s personal details including phone number, email id, and address. The scammers could use these details to devise other fraudulent schemes.

Billing page of phishing site hxxp://paytmmallcart.com* collects personal details of users
Figure 4: Billing page of hxxp://paytmmallcart.com* collects personal details of users

The customer is directed to the payment page.

Paytm payment listed as the only payment option on phishing site hxxp://paytmmallcart.com*
Figure 5: Paytm payment listed as the payment option on hxxp://paytmmallcart.com*

The customer then lands on the Paytm payment gateway to complete the transaction.

Users are redirected to Paytm payment gateway.
Figure 6: Users are redirected to Paytm payment gateway

Paytm Payment Gateway Analysis

Many phishing sites, irrespective of the eCommerce company they are targeting, use the Paytm payment gateway. It is notable that there are merchants registered with fake names such as ‘for’. One of the merchants goes by ‘One Communications’. The name closely mimics One97 Communications, which is Paytm’s parent company; lending the site an air of legitimacy.

Paytm payment gateway merchant ‘One Communications’
Figure 7: Paytm payment gateway merchant ‘One Communications’

From the source code of the payment pages we identified the following merchant details:

  • hxxp://paytm-megaoffer.com*
    Merchant: One Communications
    MID: kRdXWH24078674748775
  • hxxp://paytmmallcart.com*
    Merchant Name: for
    MID: GPZvOS78323169981271
  • hxxp://flipkart-loot-offers.com*
    Merchant: Online Mobile Shop
    MID: kLJwiy42558605770665
  • hxxp://newyearflipkart.com*
    Merchant: Lucky Mobile And Lamination
    MID:  nixGaL07658395498481

Source Code Analysis

  • We analysed the source codes of both the sites and discovered that hxxp://paytm-megaoffer.com* was importing the hxxp://wowbuzz4.com/pytm_mall* source code.
  • It was found that hxxp://paytm-megaoffer.com* and hxxp://wowbuzz4.com/pytm_mall* have the same Google Analytics ID (UA-131481750-1). It is uncommon for 2 unrelated sites to have the same Google Analytics ID.

This indicates that both the sites belong to the same scammer/ group of scammers.

Source code of phishing site hxxp://paytm-megaoffer.com*
Figure 8: Source code of hxxp://paytm-megaoffer.com*

Attribution

The contact details used to register hxxp://paytmmallcart.com* are not available, and that of hxxp://wowbuzz4.com/pytm_mall* cannot be traced back to any person or organization. However, hxxp://paytm-megaoffer.com* can be traced back to Parate Traders, a business in Nagpur.

Despite having different name servers, hxxp://wowbuzz4.com/pytm_mall* and hxxp://paytm-megaoffer.com* are hosted on the same IP. Therefore, whoever runs hxxp://paytm-megaoffer.com*, is likely responsible for hxxp://wowbuzz4.com/pytm_mall* also.

Impact of phishing

Social media post of a user scammed by a Paytm phishing site
Figure 9: Social media post of a user scammed by a Paytm phishing site

Phishing scams are the oldest and most rampant type of cyber threats. They are fairly simple to orchestrate, but have the potential to severely impact a company’s reputation and revenue.

Apart from the targeted eCommerce companies, phishing also damages the reputation of the payment gateway that facilitates the fraud. Paytm for Business enables a variety of online and offline transactions. Hence its reputation, among shoppers and legitimate merchants, will be tarnished by the concerted misuse.

We found a social media poster who claims to have lost money to a Paytm phishing site. Other than the immediate loss of money, users could become victims of other scams that leverage the personal details, collected via the phishing sites.

Mitigation

Considering how easy it is to buy a domain, phishing cannot be tackled by taking down pages or sites. Also, companies often detect phishing sites, only after users have been affected. To begin with, eCommerce companies should proactively monitor and take down phishing sites. In addition, Paytm should also disable/block the scammers’ Paytm for Business accounts. This will hinder transactions on all phishing sites that use the same merchant accounts.

In the long term, eCommerce companies should identify and counteract the servers that host these phishing sites. Furthermore, they should also take action against scammers, whom they can identify, by leveraging the domain details and MIDs.

Conclusion

Phishing sites such as hxxp://paytm-megaoffer.com*, hxxp://wowbuzz4.com/pytm_mall*, and hxxp://paytmmallcart.com*, are not anomalies. When combined with the misuse of Paytm payment gateway, these scams indicate, a concerted effort to exploit Paytm and its users.

A company’s brand image is the fruit of sustained effort and strategic planning. However, it takes only one malicious attack, to undo the hard won trust and goodwill of their customers. And any damage to this intangible asset can have serious and far-reaching consequences.

A continuous monitoring tool, such as CoudSEK’s XVigil, helps companies sustain continual brand scan, to effectively combat fake pages, impostors, rogue applications, and domains.

*Note: All http links have been obfuscated to hxxp to avoid spam alerts. [/vc_column_text][/vc_column][/vc_row]