With news reporting, government policy and public consciousness occupied by the ongoing coronavirus pandemic, it is not surprising that the situation has caught the attention of cybercriminals.
At times of public uncertainty and worry, it is not uncommon for cybercriminals to come up with new ways, or modify existing scams, to capitalise on situations. During the Ebola outbreak, those in the cybersecurity industry noted a spike in Ebola-related phishing attacks, with scammers pushing fake products and cures.
This has also been the case during the coronavirus pandemic. Approximately £2m has been lost in the UK to scams related to Covid-19 so far this year, according to Action Fraud.
Part of the problem lies in the registration of domains, with scammers trapping those eager to find new advice or resources related to the pandemic using malicious websites.
Coronavirus-related websites have spiked
Nominet is the UK’s domain registry which, through authorised domain registrars, has registered the 13 million .uk domains currently in existence. Nominet CEO Russell Haworth tells Verdict that in recent years, the organisation has expanded its focus to include cybersecurity.
“We’ve grown quite rapidly over the course of the last two decades, in the sense that a lot of businesses in the registry market are growing as well, given the demand of domains related to the growth of the internet. Over the course of the last five years, more particularly over the last three years, it’s been a harder market to grow in just given the saturation of the market,” he says.
“What we’ve done is used our DNS skills to expand into the cybersecurity market. So, as it stands at the moment, we’ve got two sides of the business. One is really focused on domains and being a registry. And then the other side is as a cybersecurity company selling enterprise software to governments and enterprises around the world. So our big client in the UK, for example, is the National Cybersecurity Centre and we’re part of their active cyber defense platform.”
Between 1 November 2018 and 31 October 2019, Nominet suspended over 28,000 domains used for criminal activity, around 0.22% of the domains currently registered. During the ongoing pandemic, this has invariably included domains related to Covid-19.
Nominet is working proactively to stop malicious domains from making their way online, and potentially duping victims. At the time of writing, it has now blocked the registration of 1700 .uk domains related to Covid-19.
“What we’re doing is at the point of registration, we are looking at whether there’s suspicious domains that could be used for fraudulent activity, particularly with keywords that are related to coronavirus or Covid-19. And in that context we’re working with the DCMS, and equally the Medicines and Healthcare products Regulatory Agency, the MHRA, to ensure that we are blocking domains at the points of registration,” says Haworth.
“So far, we’ve looked at 1300 Covid-19 related domain registrations, and we’ve put them on hold pending diligence. A small proportion, around 270, have responded to our satisfaction which basically implies that there’s about 1000 which are problematic. Which is not necessarily the case, but really what it means is we as a registry are taking proactive steps working with the government to try and preempt some of the suspicious activity at domain level, so before it gets created.”
Keeping the UK namespace safe
The organisation deploys a tool called Domain Watch to protect users from malicious phishing activity. Using a combination of manual and automated processes, it identifies domains that could be used for phishing.
Last month, Nominet also introduced enforcement landing pages for sites suspended due to suspicious activity, meaning those who end up on the sites will be shown advice intended to help prevent them from falling for future scams.
“We’ve got a strategy whereby we’re trying to keep the UK namespaces safe. In this particular circumstance we’re looking at using Domain Watch to block those and do some additional checks. And once they pass those additional checks they can be released and people can use them. It’s an extra step we’re taking but I think it’s important,” says Haworth.
“One domain that we caught was called ‘coronaloner.co.uk’. That was somebody who was a former journalist that was trying to set up a blog to explain her experiences working from home. So these things can be for very legitimate purposes and they can be used for nefarious activity. ‘coronavirusmedication.co.uk’ was one example where we found that there was criminal activity associated with it. And we’re working with government agencies and police to proactively do that.”
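The flow Haworth describes (keyword match at the point of registration, hold pending diligence, release once the checks pass) can be sketched as below. This is an added illustration, not Nominet's Domain Watch code; the keyword list, the lookalike map, the status names and the function names are all assumptions.

```python
# Added illustration: keyword screening at registration, then a hold/release step.
# KEYWORDS, LOOKALIKES, the status names and all function names are assumptions.
KEYWORDS = ("corona", "covid")
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})
UK_SUFFIXES = (".co.uk", ".org.uk", ".me.uk", ".uk")  # longest suffixes first


def registrable_label(domain):
    """Return the label being registered, e.g. 'coronaloner' for coronaloner.co.uk."""
    name = domain.strip().rstrip(".").lower()
    for suffix in UK_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)].rsplit(".", 1)[-1]
    raise ValueError(f"not a .uk name: {domain!r}")


def screen(domain):
    """Hold a registration if its normalised label contains a watched keyword."""
    label = registrable_label(domain)
    # Undo cheap evasions: hyphen splitting and digit-for-letter swaps.
    normalised = label.replace("-", "").translate(LOOKALIKES)
    matched = [k for k in KEYWORDS if k in normalised]
    return {"domain": domain, "status": "hold" if matched else "registered",
            "matched": matched}


def resolve_hold(record, diligence_passed):
    """Release a held name once the registrant passes the extra checks."""
    if record["status"] != "hold":
        return record
    return {**record, "status": "released" if diligence_passed else "blocked"}


if __name__ == "__main__":
    # First two names are quoted in the article; the rest are constructed samples.
    for d in ("coronaloner.co.uk", "coronavirusmedication.co.uk",
              "c0vid-19-masks.co.uk", "coronation-street-fans.uk",
              "village-bakery.co.uk"):
        print(screen(d))
```

The keyword match holds the blog, the medication site and an unrelated "coronation" name alike, so the filter only decides which registrations get the extra checks; the release or block decision comes from the diligence step.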
Nominet is also working with law enforcement to remove domains that have already been registered. It has already taken down 180 fraudulent sites related to coronavirus.
“For [websites] that are already out there, we work with law enforcement agencies to either react to requests that they come to us with,” explains Haworth. “We can take those down very quickly, within a day, it’s just a case of doing some validation on what we’re given from the law enforcement to ensure that we’re satisfied.”
“Be extra cautious”
RSA Security’s Fraud & Risk Intelligence unit found that thousands of domains with the words “coronavirus” and “Covid-19” were registered in January. It warned that risks such as account takeovers targeted at children, fake e-commerce sites offering medical supplies, fake news apps and phishing emails targeting people’s health fears had emerged as a result of the pandemic.
Nominet has observed similar trends in the types of sites most commonly spoofed by fraudsters, noting that sites appearing to offer sought-after supplies such as face masks and hand sanitiser have spiked.
“Most are medical related, either supplies or medicine. Those are the sorts of things where it’s easy to promise a solution that perhaps isn’t entirely accurate. Areas like that are definitely on the upswing. And spoofing government sites has always been an issue,” says Haworth.
“The reason why we’re working with the Medicines and Healthcare products Regulatory Agency, is they’ve recognised that this is a challenge more generally, when people are registering covid or coronavirus related terms and that needs to be addressed.”
According to the National Cyber Security Centre there have been “more UK government-branded scams relating to Covid-19 than any other subject” since the beginning of last month.
For users, Haworth advises extra vigilance at this time.
“I think the consumer advice that we would always give is look at the URL and the domain and try and make sure that if you are clicking on something, you know what you’re clicking on and being extra cautious about domains you don’t recognise. So if users do see any phishing attempts, we would encourage them to report into Action Fraud,” he says.
“But really when you’re trying to get official government information that is not from nhs.uk or gov.uk, then I think we would encourage people to think twice before they click on something. And often if it looks too good to be true then it probably is.”
“It’s a team effort”
The other side of the organisation is also well-positioned to assist in the prevention of coronavirus-related attacks. Nominet is part of the National Cyber Security Centre’s active cyber defense platform, helping to protect government and public service platforms from malware. Last year, Nominet analysed over five billion Domain Name System (DNS) queries and proactively blocked around 30 million suspicious events every month on the government platforms.
Interpol has warned that cybercriminals may look to take advantage of the increased pressure hospitals are under to carry out cyberattacks.
“The part that we get involved in is the protective DNS. And what government is trying to do is roll that protective DNS out to as many NHS trusts around the country as they can,” says Haworth.
“So by extension, the more the NHS trusts get onto the protective DNS platform, that’s provided by the National Cybersecurity Centre, then we’ll essentially keep those organisations safe from a malware perspective.”
Be it through malicious domains or hacking attempts, Haworth warns that while cybercriminals can still profit from Covid-19, this type of attack will likely persist.
“These things go in cycles. One could say, it started quickly and it will continue for as long as people can make money out of it. To the extent that we as a community of either registries or registrars work together to block it at the moment it’s created or taken down once we’ve got knowledge of those sites. I certainly think we’re getting better in using machine learning, as well as looking at our own processes to suspend those sites and working with law enforcement and other agencies. So I think it’s a team effort. I think it’s difficult to say how long it’s going on for but certainly it’s spiking at the moment,” he says.
“I would assume that over time through continuous activity that we’re doing as a community we’ll start to make it harder for people to capitalise on the kind of easy money that’s made out of it. Who knows where it’s going to lead from there but I think if we can start to stem the tide of phishing, particularly those people who are clicking on links that are taking them to sites that people can profiteer from, right the way through to the telecoms looking at SMSs that people are clicking on and WhatsApp groups. I think it could go on for a while through a number of different platforms, but I think the curve will flatten as we all get a bit smarter about how we can tackle them.”