As a new government website went live in January to offer free COVID-19 test kits, a rash of new domain names were registered. Some had remarkably similar URLs, or were nearly the same but slightly misspelled.
Cybersecurity experts said the goal was likely the same for all of them: bogus domain names that can be used for phishing attacks and other scams.
Suspected fraudsters have registered more than 600 suspicious domain registrations since Jan. 15, around the time Biden administration announced details about a program in which the US Postal Service would deliver COVID-19 tests to Americans’ homes, email security firm Proofpoint Inc. told Bloomberg News. The look-alike URLs are often meant to trick COVID-weary Americans into thinking they are signing up for a free nasal swab, when in fact they might be handing personal data over to a cybercrime syndicate, cybersecurity experts said.
The government website for free COVID tests, covidtests.gov, opened for business on Jan. 18, along with a related site, special.usps.com, where users are directed to place an order with the Postal Service.
Area 1 Security Inc. identified more than 60 domain names, from Jan. 13 to Jan. 22, that “closely” resembled the URLs of the government websites, including covidtestsgov.com, covidtestgov.net, specialusps.com, specialuspscovidtest.com and freecovidtestgov.org. It also found more than 200 domain names, from Dec. 19 to Jan. 22, that “loosely” resemble the actual government website names. Those include 4covidtests.com, covidrests.com, specialsps.com and spwcialusps.com.
Juliette Cash, principal threat researcher at Area 1 Security, said simply registering a similar name isn’t proof that the domains are malicious. But she said such names are often used in cyberattacks. And since they are newly registered, there’s very little history about the sites “so they can bypass typical defenses,” Cash said.
Domain scams didn’t start with the COVID-19 pandemic. Fraudsters have always sought to capitalize on global events, like the Olympics or presidential elections, to trick people into opening malicious emails, then turning over their personal information. Yet the unique nature of the coronavirus pandemic — from health concerns and shifting government guidelines to ripple effects like employment uncertainty — has been a boon to hackers.
Ongoing focus on the latest pandemic-related news, such as the government’s efforts to ramp-up testing and the Omicron wave, is far different from the kinds of email fraud that was popular before 2020, said Sherrod DeGrippo, a vice president at Proofpoint focused on threat research and detection.
“Typically it would be a scam that said something like, ‘Look at my resume,’” she said. “COVID is special because people are always talking about it. If you miss an email that includes a shipping receipt, no big deal. But if you miss a test result, that’s not good.”
Fresh domains that use sloppy spelling or slight variations can provide the web infrastructure to support a phishing operation, giving hackers a URL they can use as a disguise in the sender column of an email. Impersonating a legitimate sender – masquerading as an accountant who requests a wire transfer, for instance – helped thieves steal a reported $1.8 billion from U.S. individuals and organizations in 2020, according to the FBI.
Virus-themed email fraud was already enough of a problem by April 2020 for the Department of Homeland Security to publish an alert warning about a “large volume” of attempts, with subject lines warning recipients about nonexistent outbreaks in their community.
In some cases, spammers push out mass-email campaigns in which messages arrive in user inboxes with spreadsheet attachments. The body of the message claims that the accompanying Excel file includes a list of co-workers who have tested positive for COVID-19, or are due to be dismissed because of virus-related corporate restructuring. A recipient who downloads the file, instead of satisfying their curiosity, infects their computer with the malware lurking inside.
“The whole foundation of social engineering is that it puts people in an emotional headspace where they take logic and put it in the back seat,” DeGrippo said. Covid has provided an enticing hook for hackers because messages about the virus just aren’t easy to ignore.
“Whenever you see something that says ‘because of COVID,’ critical thinking tends to go out the window,” she said. “If you’re just a consumer at home the key thing is to slow down and really read the thing you’re seeing and ask ‘Is it appropriate to click on this?’