On Friday, December 18th, the U.S. Department of Justice (DOJ) seized two domain names used for phishing sites with COVID-19 vaccine lures. According to the DOJ release, these domains were identified in early December by the companies the attackers were impersonating and subsequently reported to the Intellectual Property Rights Center (“IPRC”) and the HSI Cyber Crimes Center (“C3”). The phishing sites cloned the Moderna and Regeneron websites nearly perfectly, with only a contact form changed to collect visitors’ contact information, as reported by BleepingComputer.
As the race to fight COVID-19 continues, more of these domains can be expected to be taken down or seized. This seizure makes it apparent that the actors behind these sites are preying on fear at a time when many people are already dealing with compounded stress. Protecting oneself and the organization requires pointing people to clear and trustworthy sources of information about COVID-19 and the vaccines that will follow. It is also essential for enterprise defenders to ingest DNS logs, where possible, for continual monitoring. Keyword alerts on suspicious patterns, combined with a comparison against a list of known and trustworthy sites, can surface malicious domains and provide concrete examples for use in awareness training.
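The keyword-alert-plus-allowlist check described above, as an added example (not code from the original post or from the DOJ release): it scans constructed, simplified DNS query log lines for lure keywords and alerts only when the queried name's registrable domain is not on an assumed allowlist of trusted sites. The keyword list, the allowlist and the `.example` domains in the log are all assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List

# Lure keywords to watch for in queried names (assumed list; extend with your own brands).
KEYWORDS = ("moderna", "regeneron", "covid", "vaccine")

# Allowlist of legitimate registrable domains (assumed; maintain it from trusted sources).
TRUSTED_DOMAINS = {"modernatx.com", "regeneron.com", "cdc.gov", "who.int"}

# Constructed sample log lines in a simplified BIND-style query log format.
SAMPLE_DNS_LOG = """\
18-Dec-2020 10:01:02.123 client 10.0.0.5#53211: query: www.modernatx.com IN A +
18-Dec-2020 10:01:03.456 client 10.0.0.7#40211: query: moderna-vaccine-signup.example IN A +
18-Dec-2020 10:01:04.789 client 10.0.0.9#51002: query: regeneron.com IN AAAA +
18-Dec-2020 10:01:05.001 client 10.0.0.9#51003: query: cdn.regeneron-covid.example IN A +
18-Dec-2020 10:01:06.002 client 10.0.0.2#50001: query: mail.example.org IN MX +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def registrable_domain(qname: str) -> str:
    """Return the last two labels of a name (a simplification; production code
    should use the Public Suffix List so names like foo.co.uk are handled)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flag_suspicious_queries(log_lines: Iterable[str]) -> List[Dict]:
    """Alert on queries whose name contains a lure keyword but whose registrable
    domain is not on the allowlist. Trusted brand sites therefore stay quiet."""
    alerts = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        qname = m.group("qname").rstrip(".").lower()
        matched = [k for k in KEYWORDS if k in qname]
        if matched and registrable_domain(qname) not in TRUSTED_DOMAINS:
            alerts.append({"client": m.group("client"), "qname": qname, "keywords": matched})
    return alerts


if __name__ == "__main__":
    for a in flag_suspicious_queries(SAMPLE_DNS_LOG.splitlines()):
        print(f"ALERT {a['client']} -> {a['qname']} (matched: {', '.join(a['keywords'])})")
```

Alerts produced this way are a starting point for triage, and each confirmed lure domain can be kept as a concrete example for awareness training.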