insights

Coronavirus related phishing

April 3, 2020

TL;DR

Be very cautious of any email or message content focused on the coronavirus, as there’s a mass of related phishing and ransomware campaigns looking to exploit the current situation. We’ve done some of our own research, looking at the public logs for registrations of website TLS certificates, and can confirm there’s a wave of virus-related certificates being issued. A large proportion are undoubtedly legitimate, but many will be intended for nefarious purposes.

See our recent phishing blog for more information on the current phishing threats.

Introduction

It’s been widely reported, but bears repeating: most kinds of cyber security threats are seeking to take advantage of the current crisis to attack people. See the coverage from the NCSC, The Guardian, CyberScoop, and Microsoft, among others.

There’s a full spectrum of criminality looking to profit from the virus, targeting regular people and industry; this includes router attacks, fake instructions from IT, and fake surgical equipment and treatments. However, the primary threat seems to be from virus-related phishing, some of which is getting through the standard defences. This is predominantly email, but SMS variants are around too, some latching onto the official HMG texts that went out last week:

In a similar vein there are the many fake HMRC campaigns, such as this one that was received by one of our Cyber team. The address was from the domain “telenet-ops.be”:

Finally, now that Test, Track and Trace is coming into force, the scammers are already looking to use it to their advantage:

Some are taking the crisis on-board though; the Maze ransomware crew haven’t gone so far as to stop their activity, but are at least offering a discount:

Image from Catalin Cimpanu on Twitter 

Yes, ransomware crews put out press releases now.

Monitoring Certificate Logs

We were looking at TLS certificate logs as part of our phishing research. Inspired by a tweet from X0rz, we thought it’d be interesting to use the same work to instead look for coronavirus inspired certificate registrations. But first, some background on certificate logs.

Certificate Transparency Logs

Created as a response to the compromise of a Certificate Authority (CA), certificate transparency logs are designed to make it easier to spot fraudulent domains being registered. They require all CAs to publicly log all TLS certificates when they are registered. Crucially each transparency log is integrity checked, using a hash tree, so the whole log can be verified.

This is especially important as it’s now easier to register a certificate without first completing extensive checks. Services like Let’s Encrypt issue certificates if you can prove the domain is yours, and they do it for free. Other CAs charge money as they have to apply more rigorous checks: Organisation Validated (OV) verifies the business identity, and Extended Validation (EV) checks require even more information to issue. These last two kinds of certificate are not issued by Let’s Encrypt, “primarily because we cannot automate issuance for those types of certificates“.

For more on transparency logs, here’s the original RFC, and the Google Project blog has a good explaition. If you want to see a live stream, look here.

Drinking from the Hose Pipe

As intended, we can use the raw stream of transparency logs for our own analysis. In normal times the focus would be on trying to find malicious phishing domains being registered; domains that look like our own domain or something like a legitimate domain from the typical phishing targets. But let’s use it to try and find anything coronavirus-related.

We wrote a short program that takes advantage of the Go version of the certstream library, which aggregates the various certificate logs into a single feed and provides an easy mechanism for analysis. See the live certstream page if you want an idea how many certificates are registered per second.

The output looks something like this:

./certificates -filter="corona"
2020/03/25 09:19:06 Using filter "corona"
2020/03/25 09:19:06 Drinking from the hosepipe...
...
2020/03/27 14:56:30 Ran for 3h0m10.5205424s
2020/03/27 14:56:30 Final stats:
2020/03/27 14:56:30 Certificates seen: 383150
2020/03/27 14:56:30 Updates: 0
2020/03/27 14:56:30 Matched: 189
2020/03/27 14:56:30 Error in processing: 327
...
Count           Subject                          Aggregated                        Update Type             Validation       Fingerprint
0               coronacourse.ru                  /CN=coronacourse.ru               PrecertLogEntry         Let's Encrypt    5C:7C:AD:62:51:B7:89:B2:56:C6:1C:11:78:35:40:30:35:F7:1F:EB
1               coronavirus-vaccine.co           /CN=coronavirus-vaccine.co        X509LogEntry            Let's Encrypt    87:48:89:B3:B8:40:ED:CD:4A:4A:D9:3B:89:9D:52:72:98:27:3C:16
2               coronavirus-pobedim.ru           /CN=coronavirus-pobedim.ru        X509LogEntry            Let's Encrypt    D8:D7:F8:88:4D:53:99:A2:E4:FE:90:BB:30:97:4B:FD:9C:59:BD:BE
3               corona-clean.eu                  /C=PL/CN=corona-clean.eu          PrecertLogEntry         Unknown          6B:8C:7A:CC:B1:A6:3A:07:C9:26:E7:33:72:60:88:EC:6A:61:3E:3B
4               coronacourse.ru                  /CN=coronacourse.ru               X509LogEntry            Let's Encrypt    78:1B:C2:50:65:4D:54:48:06:92:80:BE:86:25:C8:1D:08:55:EF:BA
5               nyccoronavirus.co                /CN=nyccoronavirus.co             X509LogEntry            Let's Encrypt    28:96:05:D1:43:F7:6D:26:C7:D8:18:CE:78:DD:6F:0B:ED:88:E8:EB
...

The Go code is here on GitHub.

Analysis

When running for three hours last week it found 189 certificates with “corona” in the common name, out of 383,150 certificates seen in that same time span. The rate does seem to have slowed a little; earlier last week, running it every now and again when writing the code, we saw about 100 certificates matching for roughly every 80,000 seen.

It’s hard to put a figure on how many are genuine or nefarious, but it’s equally hard to accept that there are that many legitimate sites being registered. In many cases it’s hard to tell each way: many don’t have an existing website, but then why would you if you’re only just registering a certificate.

Without wanting to cast aspersions on genuine companies, it seems unlikely that the following example is legitimate (it is based on freecoronavirusnet, but let’s not use the full URL), as it’s offering free internet:

There are some funny/interesting examples too, for example “coronavirus-survival.co.uk”, which bizarrely is about using Minecraft to kill the time.

A lot are jumping on the bandwagon purely for commercial means: “crazycoronacomedy.com”, “isurvivedcoronatshirt.com” and “coronawristbands.com” are all things we can look forward to in these difficult times. Unless they’re charities, in which case: sorry, good for you.

And finally, kudos to whoever was quick enough to register “coronacannabis” under a bunch of Top Level Domains, including “coronacannabis.green”. Let’s hope they’re somewhere where it’s been legalised.

For our latest research, and for links and comments on other research, follow our Lab on Twitter.

Get in touch if you’d like to chat to us.

Cyber Lab