Typosquatting or more commonly known as a URL hijacking attack in which fraudsters create fake domain names that are a spoofed version of the actual/original that’s being replicated.
The Coronavirus pandemic gave rise to different coping mechanisms for companies across the globe. Businesses had to make do with reduced workforces or even close shop. Thousands of flights, hotel accommodations, and events got canceled. Governments and the World Health Organization (WHO) monitored the situation and made critical decisions via remote conferencing apps.
Amid these events, hundreds of thousands of consumers have requested refunds from airlines, cruise lines, entertainment companies, fitness centers, and even hospitals and assisted-living facilities. Many may not be happy with the speed at which their requests are being processed or the lack of response sometimes encountered. And so, a lot of people are considering resorting to legal help.
In parallel, Whois API’s researchers observed a big trend in the registration of typosquatting data feed files for coronavirus- & legal-themed newly registered domains. Let’s illustrate.
Why the Surge in Coronavirus-Themed Legal Domains?
Typosquatting Data Feed detected several coronavirus-themed domain name registrations even before the WHO classified the coronavirus outbreak a pandemic. This time, researchers witnessed domains that included the word “lawsuit” such as coronaviruslawsuit[.]com and coronaviruslawsuits[.]com in typosquatting data feeds for the 29 and 31 January, respectively. The ensuing months saw a surge in the registration of similar domains.
There’s no doubt that legal professionals own some of the new domains, perhaps to get new clients. Still, this doesn’t coincide with the fact that the legal industry is calling for kindness amid this global crisis. A partner of top law firm Wachtell even released a memo expressing his dismay at the number of trivial and nonessential cases as the pandemic rages.
Also, law firms would most likely opt to host coronavirus-related services and updates on their existing websites instead of using new domain names. As such, there is a high probability that threat actors are using several of these domains to execute phishing and malware attacks or for domain parking. Cases in point are the following coronavirus-themed domains registered in March, 2020:
Upon the review of these domains, Whois API’s Threat Intelligence Platform (TIP) detected potentially dangerous content, connections to malware activities, and irregularities in name server configurations, among other vulnerabilities.
Who Are the Potential Targets and What Could They Lose?
Anyone affected by the pandemic is the likely victim of coronavirus-themed malicious attacks. Based on the domains detected by Typosquatting Data Feed, this includes cruise line clients, relatives of nursing home patients who suffered from virus infection, and hospital workers who might want to sue their employers for failing to provide them with PPE (personal protective equipment). Some domains even target specific locations.
Target Profiles Based on Domain Names
Cruise Line Clients
Relatives of Nursing Home Patients
The Washington Post also reported a surge in lawsuits that are consistent with the target profiles above. A couple aboard the Diamond Princess cruise ship, for one, filed a legal complaint about the cruise line’s mishandling of the outbreak.
A nurses ‘union has likewise filed lawsuits against the state of New York and two hospitals, contending that officials there did not provide appropriate protective gear to hospital workers. A daughter of a nursing home patient also sued Pennsylvania’s health department for allegedly failing to monitor the state’s facilities.
More coronavirus-related lawsuits could be filed in the coming weeks as people strive to make sense of the situation. Threat actors, on their end, would likely continue to see this as an income-generating opportunity using fake legal websites and domains as a lure.
Unsuspecting victims looking for legal assistance could easily fall for the ruse and click malicious links or download malware-laden files. The damage could range from annoying adware to dangerous keyloggers and ransomware that steal user credentials and confidential information.
Typosquatting Protection from Coronavirus-Themed Scams
While antivirus software and firewalls can offer protection, they can’t always detect coronavirus-themed malware and money scams.
People, therefore, need to be aware that not all websites and emails that claim to provide legal assistance can be trusted. The domain names listed above, for example, are not necessarily malicious, nor are they all legitimate. How could one check? The following measures can help:
- Check the WHOIS records of suspicious domains using a WHOIS database download service.
- Look at a website without visiting it by using a screenshot lookup tool.
- Check if a domain is involved in malicious activities by running it on Threat Intelligence Platform or VirusTotal.
- Call or visit the website of your state’s bar association to check if the person or law firm is licensed.
The surge in coronavirus-themed domain registrations could just be one proof that threat actors are taking advantage of the emotions brought about by the pandemic. Still, people should avoid getting blinded and fail to recognize a scam—typosquatting protection measures such as those we listed above can work to avoid becoming a victim.