Date posted: 13-May-2020

PHISHING DOMAINS PUSHING COVID-19 DRUGS, PREYING ON INNOCENT CONSUMERS

As the global death toll rises, unemployment filings reach record highs, and uncertainty skyrockets, everyone is searching for the same thing: relief. While no treatment exists for COVID-19 at the time of writing, attackers are capitalizing on false treatments, or on treatments reported in the news to have cured other illnesses, to turn a crisis into an opportunity.

Following President Donald Trump's discussion of potential pharmaceutical treatments, including hydroxychloroquine, in a March 19th briefing at the White House, NormShield researchers began combing through data and found sharp increases in phishing domains containing these drug names. While several of the phishing domains are not yet active or working links, the researchers found staggering examples of a problematic emerging market in its infancy.


Fraudulent Domains

Cyber attackers have used e-commerce websites to exploit unsuspecting users for decades. As COVID-19 infiltrates communities at an unimaginable rate worldwide, these cybercriminals appear to have wasted no time in capitalizing on this health crisis.


FIG. 1: # of Possible Drug-Related Phishing Domains (*)

  Drug name              # of possible phishing domains
  remdesivir              32
  (hydroxy)chloroquine   196
  Plaquenil (**)          27
  azithromycin            25
  metformin               20
  favipiravir             26
  interferon              16
  lopinavir                7
  ritonavir                3
  arbidol                 10

(*) registered between January 1, 2020 and March 31, 2020

(**) Plaquenil is the brand name of hydroxychloroquine.

(1) Hydroxychloroquine (Plaquenil) and chloroquine (Aralen) are listed in the same category because they appear in the same domain searches. Hydroxychloroquine and chloroquine are not the same drug. Both drugs are under investigation for treatment of COVID-19.

(2) NormShield® generates possible character variants of a domain name with specific algorithms, then searches for these generated names across domain registration databases. NormShield's phishing-domain detection algorithm uses many features, including whether the URL is typo-squatted, the date of registration, and the page rank relative to its contents.

NormShield researchers began with the names of ten medicines, either mentioned by world leaders and/or having a high frequency on search engines. Most of these medicines are already known to scientists and have been used in the treatment of malaria, Parkinson's disease, and some forms of cancer. Using these names, NormShield researchers searched for possible phishing domains. The researchers found that over the last two months alone, dozens of domain names including medicines such as (hydroxy)chloroquine or azithromycin have been purchased or sought after. The findings for hydroxychloroquine and chloroquine are merged for the purposes of this report, because every domain name containing "hydroxychloroquine" also contains "chloroquine".

In the first three months of 2020 alone, we detected 362 new possible phishing domains referencing or containing the exact names of these ten medicines.
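The methodology described above (searching newly registered domain names for the drug names and their typo variants, then bucketing the hits by registration date) can be reproduced in a few dozen lines. The following Python is an added example written for this page, not NormShield's code: it combines exact substring matching with a one-edit fuzzy window so that typosquats such as "hydroxycholoroquine" are caught, folds hydroxychloroquine into chloroquine the way the report does, and counts matches before and on/after the March 19 briefing. The alias table (Avigan as the brand name of favipiravir), the March 19 cutoff and the sample feed are assumptions made for the example; the feed mixes domains from the report's table with constructed entries.

```python
from __future__ import annotations
from collections import Counter
from datetime import date

# The ten drug names the report searched for. Hydroxychloroquine needs no
# entry of its own: every label containing "hydroxychloroquine" also
# contains "chloroquine", which is why the report merges the two.
DRUG_NAMES = ["remdesivir", "chloroquine", "plaquenil", "azithromycin",
              "metformin", "favipiravir", "interferon", "lopinavir",
              "ritonavir", "arbidol"]
# Assumed alias table: Avigan is the brand name under which favipiravir is sold.
ALIASES = {"avigan": "favipiravir"}
# Assumed cutoff: the March 19 White House briefing the report keys its counts on.
CUTOFF = date(2020, 3, 19)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Reduce a (possibly defanged) domain to the letters and digits of its
    registrable label: 'buy-hydroxychloroquine-online(.)com' -> 'buyhydroxychloroquineonline'.
    Simplification: the label is whatever precedes the last dot, so multi-level
    public suffixes such as co.uk are not handled."""
    plain = domain.lower().replace("(.)", ".").replace("[.]", ".")
    label = plain.rsplit(".", 1)[0]
    return "".join(ch for ch in label if ch.isalnum())


def fuzzy_contains(label: str, name: str, max_dist: int = 1) -> bool:
    """True when some window of `label` is within `max_dist` edits of `name`.
    An exact substring is distance 0; the windows one character shorter and
    longer catch a single dropped, added or swapped letter, such as the
    'hydroxycholoroquine' misspelling."""
    n = len(name)
    for width in (n - 1, n, n + 1):
        if width <= 0 or width > len(label):
            continue
        for start in range(len(label) - width + 1):
            if edit_distance(label[start:start + width], name) <= max_dist:
                return True
    return False


def match_drugs(domain: str) -> set[str]:
    """Canonical drug names found in the domain, with aliases mapped back."""
    label = registrable_label(domain)
    hits = {name for name in DRUG_NAMES if fuzzy_contains(label, name)}
    hits.update(canon for alias, canon in ALIASES.items() if fuzzy_contains(label, alias))
    return hits


def summarize(feed):
    """feed: iterable of (domain, creation_date) from a newly-registered-domains source.
    Returns per-drug hit counts (a domain naming two drugs counts once for each),
    the matched domains with their drugs, and how many landed before vs. on/after CUTOFF."""
    per_drug, period, matched = Counter(), Counter(), {}
    for domain, created in feed:
        hits = match_drugs(domain)
        if not hits:
            continue
        matched[domain] = sorted(hits)
        per_drug.update(hits)
        period["on_or_after_cutoff" if created >= CUTOFF else "before_cutoff"] += 1
    return {"per_drug": dict(per_drug), "period": dict(period), "matched": matched}


# Constructed sample feed: the first five rows are domains and dates from the
# report's table; the last three are made up for this example.
SAMPLE_FEED = [
    ("remdesivirchina(.)com", date(2020, 2, 5)),
    ("azithromycin500mg(.)shop", date(2020, 3, 17)),
    ("hydroxychloroquinecoronavirus(.)com", date(2020, 3, 19)),
    ("plaquenilhydroxychloroquine(.)com", date(2020, 3, 19)),
    ("buy-hydroxychloroquine-online(.)com", date(2020, 3, 31)),
    ("hydroxycholoroquine-covid(.)com", date(2020, 3, 20)),  # constructed typosquat
    ("chlorineplumbing(.)com", date(2020, 3, 19)),            # constructed, benign
    ("coronavirus-news-today(.)com", date(2020, 3, 19)),      # constructed, benign
]

if __name__ == "__main__":
    result = summarize(SAMPLE_FEED)
    for drug, n in sorted(result["per_drug"].items(), key=lambda kv: -kv[1]):
        print(f"{drug:14s} {n}")
    print(result["period"])
```

The fuzzy window is deliberately tight (one edit): widening it to two edits starts matching unrelated words, and for short names such as "arbidol" even one edit deserves a manual look. A real feed should be fed through a public-suffix list before the label is extracted.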


Rise in drug-related domains

FIG. 2: # of Possible Drug-Related Phishing Domains, 2020 timeline (running total of domains containing chloroquine and azithromycin)

  Date          (hydroxy)chloroquine   azithromycin
  January 1               2                  1
  January 31              4                  3
  February 29             7                  6
  March 17               25                 10
  March 18               29                 10
  March 19               82                 14
  March 31              196                 25

FIG. 3: # of Possible Phishing Domains Containing Chloroquine (or Hydroxychloroquine), registered per day

  March 17     8
  March 18     4
  March 19    53

In a press briefing on March 19th, President Donald Trump mentioned the investigation into the use of chloroquine and azithromycin as potential treatments for COVID-19. Two days before President Trump's comments, Elon Musk tweeted that chloroquine is "worth considering" as a treatment for COVID-19, citing his own experience with the drug after contracting malaria. Shortly following Musk's tweet, a statement released in the news on the 18th announced Bayer was donating this malaria drug to the U.S. government.

On March 28th, the U.S. Food and Drug Administration (FDA) issued an Emergency Use Authorization (EUA) permitting the use of chloroquine phosphate supplied from the Strategic National Stockpile. The EUA only applies to adults and adolescents who weigh 50 kg or more and are hospitalized with the coronavirus, for whom a clinical trial is not available or participation is not feasible.

61% (221) of the 362 possible phishing domains newly registered between January 1 and March 31 contain the names of the two most-mentioned drugs, chloroquine and azithromycin. Domains created for chloroquine (including hydroxychloroquine), the drug mentioned most frequently by the media during this period, account for more than half of all the false domains created.


While the number of phishing domains catapulted for chloroquine and azithromycin in particular, domain names containing the eight other drugs increased as well. As depicted below, only 54 possible phishing domains were registered between March 1 and March 18, before the media reports. Following these media reports and the comments from influential world leaders, an additional 254 possible phishing domains were created from March 19 onward, with chloroquine remaining the most used drug name (see Figures 2 and 3).

Figure 5 shows the evolution of these phishing domains in 2020, and the dramatic spike from February to March alone.

FIG. 4: # of Possible Phishing Domains Containing 10 Specified Drugs

  March 1-18     54
  March 19-31   254

FIG. 5: # of Possible Phishing Domains Containing 10 Specified Drugs, by month

  January      16
  February     38
  March       308


Example of phishing domains

As mentioned in the introduction of this report, several of the example sites below are not yet active or working domains. While every domain below has been purchased or selected in 2020, the motives for each domain vary, and the motive often determines whether the link does anything.

Possible Fraudulent Domains Containing Alleged COVID-19 Drugs

  Domain Name                               Creation Date
  remdesivirchina(.)com                     2020-02-05
  remdesivirpharmacy(.)com                  2020-02-07
  remdesivircoronavirus(.)com               2020-02-07
  avigantablet(.)com                        2020-02-14
  fapilavir(.)shop                          2020-02-19
  fapilavir(.)store                         2020-02-19
  azithromycin500mg(.)shop                  2020-03-17
  favipiravircovid19(.)com                  2020-03-19
  hydroxychloroquinecoronavirus(.)com       2020-03-19
  hydroxychloroquinecovid-19(.)com          2020-03-19
  chloroquinecoronavirus(.)com              2020-03-19
  plaquenilhydroxychloroquine(.)com         2020-03-19
  favipiravir-avigan(.)online               2020-03-19
  avigancovid(.)com                         2020-03-19
  remdesivirus(.)com                        2020-03-20
  aviganfavipiravir(.)com                   2020-03-20
  hydroxychloroquine-azithromycin(.)com     2020-03-21
  remdesivirbuy(.)com                       2020-03-21
  azithromycinhydroxychloroquine(.)com      2020-03-22
  chloroquineforcovid19(.)com               2020-03-22
  plaquenil-covid(.)com                     2020-03-23
  azithromycinstore(.)com                   2020-03-23
  corona-chloroquine(.)com                  2020-03-25
  azithromycinshop(.)com                    2020-03-25
  azithromycincovid19(.)com                 2020-03-26
  chloroquineforcovid(.)com                 2020-03-29
  buy-hydroxychloroquine-online(.)com       2020-03-31


What do cybercriminals want?

1- Gather Personal Information & Multiply the Problem

Captured below is an example of a fake COVID-19 drug website created on March 31, 2020, with the domain address www[.]buy-hydroxychloroquine-online[.]com. These attackers have become so crafty that the site even shows a lock icon in the browser's address bar. Many visitors read that padlock as "this website is secure", but it only means the connection uses SSL/TLS with a certificate the browser trusts, and such certificates are issued to any domain holder, free of charge. It says nothing about who operates the site or whether it will ever ship anything.

Little do site visitors know, they will often never receive anything for their purchase, because the features the attackers add to the site exist only to make it appear legitimate.

Attackers often add a payment option to their website in order to capture credit or debit card information. For example, one of the domains we examined (www[.]buy-hydroxychloroquine-online[.]com) redirects to an unrelated domain (checkoutpagewithhttps[.]com) if a visitor clicks "checkout" after adding an item to the cart. The image below shows what information the visitor is asked for after being redirected to the unrelated domain.


Some of these domains go to the extreme of borrowing government website attributes to increase their credibility. One of the possible fraudulent domains (hydroxychloroquinecoronavirus[.]com) redirects visitors to the CDC's official webpage (see below).

We examined the registration records of this domain and found nine additional domains with the same domain owner records that were also registered on the 19th of March, including:

hydroxychloroquinedrug[.]com
hydroxychloroquinebayer[.]com
hydroxychloroquine200mg[.]com
hydroxychloroquineshop[.]com
hydroxychloroquinetablets[.]com
hydroxychloroquinestore[.]com
hydroxychloroquinesulfate[.]com
hydroxychloroquinesulfatetablets[.]com

We do not know how these domains will be used; however, it is clear these attackers are trying to gain visitor confidence through false motives.

Attackers are also duplicating website content, almost exactly, under similar domain names. Such attacks are usually done very quickly: the attackers purchase a domain name, create a website, and work to get a certain number of people to visit the site and purchase items within a few hours. Shortly after, the attacker shuts the website down.


The images below show screenshots (taken on March 31st) of three of the domains registered under the same registrant name. All three have similar designs and the same phone numbers.
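The two checks the report applies by hand in this section (pivoting from one domain's registration records to the other domains that share a registrant or a phone number, and noticing that the checkout step redirects to an unrelated domain) are easy to automate. The following Python is an added example written for this page, not NormShield's tooling: it clusters domains that share any registrant or on-page contact value with a union-find, flags clusters whose members were created on the same day, and walks a recorded redirect chain to report hops that leave the registrable domain the visitor started on. The registrant names, e-mails and phone numbers are invented (the report redacts them), the redirect chain is constructed to match the checkout behaviour described above, and the two-label "registrable domain" rule is a simplification.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Fields worth pivoting on. Values that registrars redact are skipped so that
# "REDACTED" does not glue every domain into one cluster.
PIVOT_FIELDS = ("registrant_name", "registrant_email", "registrant_phone", "site_phone")
PLACEHOLDERS = {"", "redacted", "redacted for privacy", "n/a"}


def cluster_by_shared_indicators(records, fields=PIVOT_FIELDS):
    """Union-find over domains: two domains join one cluster when any pivot field
    carries the same usable value. Returns clusters as sorted lists, largest first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}
    for r in records:
        for field in fields:
            value = r.get(field)
            if value is None or str(value).strip().lower() in PLACEHOLDERS:
                continue
            key = (field, str(value).strip().lower())
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = r["domain"]

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def same_day_bursts(records, clusters, min_size=3):
    """Within each cluster, the days on which at least `min_size` domains were
    created: the 'nine domains registered on March 19' pattern."""
    created = {r["domain"]: r["created"] for r in records}
    bursts = []
    for cluster in clusters:
        by_day = defaultdict(list)
        for domain in cluster:
            by_day[created[domain]].append(domain)
        bursts.extend((day, sorted(ds)) for day, ds in by_day.items() if len(ds) >= min_size)
    return bursts


def registrable(host):
    """Last two labels of a hostname ('www.example.com' -> 'example.com').
    Approximation: wrong for multi-level public suffixes such as co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def off_site_hops(chain):
    """chain: list of (url, status, location_header) observed while walking a
    site. Returns (from, to) registrable-domain pairs for every redirect that
    leaves the site the visitor believes they are on."""
    hops = []
    for url, status, location in chain:
        if status in (301, 302, 303, 307, 308) and location:
            src = registrable(urlsplit(url).hostname or "")
            dst = registrable(urlsplit(location).hostname or "")
            if src != dst:
                hops.append((src, dst))
    return hops


# Constructed records. The report does not publish registrant data, so the
# names, e-mails and phone numbers here are invented; only the domains and
# the March 19 creation date come from the report.
SAMPLE_RECORDS = [
    {"domain": "hydroxychloroquinecoronavirus.com", "created": date(2020, 3, 19),
     "registrant_name": "J. Doe", "registrant_email": "reg-a@example.com",
     "registrant_phone": "+1.5550100", "site_phone": None},
    {"domain": "hydroxychloroquinedrug.com", "created": date(2020, 3, 19),
     "registrant_name": "J. Doe", "registrant_email": "reg-a@example.com",
     "registrant_phone": "+1.5550100", "site_phone": "555-0100"},
    {"domain": "hydroxychloroquinebayer.com", "created": date(2020, 3, 19),
     "registrant_name": "REDACTED", "registrant_email": "REDACTED",
     "registrant_phone": "REDACTED", "site_phone": "555-0100"},  # linked only by the phone printed on the page
    {"domain": "remdesivirchina.com", "created": date(2020, 2, 5),
     "registrant_name": "REDACTED", "registrant_email": "reg-b@example.com",
     "registrant_phone": "REDACTED", "site_phone": None},
    {"domain": "azithromycin500mg.shop", "created": date(2020, 3, 17),
     "registrant_name": "REDACTED", "registrant_email": "REDACTED",
     "registrant_phone": "REDACTED", "site_phone": None},
]

# Constructed redirect chain modelled on the checkout behaviour described above.
CHECKOUT_CHAIN = [
    ("https://www.buy-hydroxychloroquine-online.com/cart", 200, None),
    ("https://www.buy-hydroxychloroquine-online.com/checkout", 302,
     "https://checkoutpagewithhttps.com/pay"),
    ("https://checkoutpagewithhttps.com/pay", 200, None),
]

if __name__ == "__main__":
    clusters = cluster_by_shared_indicators(SAMPLE_RECORDS)
    print("clusters:", clusters)
    print("same-day bursts:", same_day_bursts(SAMPLE_RECORDS, clusters))
    print("off-site redirects:", off_site_hops(CHECKOUT_CHAIN))
```

Pivoting on the phone number scraped from the page is what links the third domain, whose WHOIS record is fully redacted; since registrant privacy became the default, on-page contact details, analytics IDs and shared hosting are usually the stronger pivots. A redirect that crosses to a different registrable domain at the payment step is the check a practitioner would want to run on any suspected storefront.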


Typically, even though the attacker purchased the domain for a year, they delete thesite within the same day to eliminate as much proof as possible and leave no tracebehind. In a case like this, it’s common to see the reselling of that domain name by thehosting company. When we examine the false COVID-19 drug domains registered onthe 19th of March, it’s no surprise many of them are now for sale again.


2- Make a Profit Off Those in Need, and Increase Casualties in the Process

While healthcare professionals, pharmaceutical companies, and those on the front lines have not yet found a cure for COVID-19, they are making groundbreaking discoveries with experimental drugs along the way. Opportunists trying to capitalize on the pandemic have already purchased domains sought after by medical professionals and are now trying to resell them at a much higher price. Below, you can see a domain purchased on March 23rd listed for sale.

Finally, if unprescribed drugs are in fact distributed, their unknown ingredients can be extremely dangerous and often cause serious harm.

*** NormShield researchers added the above findings based on data trends. While our research points to a high likelihood that cybercriminals, rather than medical professionals, are behind the above sites, our team of researchers did not perform intrusive tests to track the IP addresses of domain owners.


How To Protect

1- What can "Public Institutions" do?

In order to protect the public health sector during this crisis, and the people who may be harmed, each country's computer emergency response team (CERT) can have these domains taken down or restrict access to them. It is also recommended that healthcare providers, professionals, and officials be educated on the increasing prevalence of these fake drug domains.

2- What can the "Private Sector" do?

Companies that produce and sell these drugs can track these domains with cyber threat intelligence services and subsequently have many of the sites taken down or seized. For more information please contact us at:

www.normshield.com/contact-us/

3- What can YOU do?

As a reminder, currently there is no cure for COVID-19. It is also important to know that any non-over-the-counter drug requires a prescription. Buying your medicine online can be easy; just make sure you do it safely. To learn more about how to buy your prescribed medicine online, visit www.fda.gov/cder and click on "Consumer Education."


Timeline for Chloroquine mentions

[Timeline figure. Dates marked on the figure: Feb. 6, Feb. 16, Feb. 17, Feb. 26, Mar. 13, Mar. 16, Mar. 17, Mar. 18, Mar. 19, Mar. 24, Mar. 28, Apr. 1. Events shown, in date order:]

  Feb. 6   Chinese scientists state both chloroquine and the antiviral remdesivir are, individually, "highly effective" as a COVID-19 treatment
  Feb. 16  Korean physicians treat patients infected with COVID-19 with hydroxychloroquine
  Feb. 17  Based on clinical trial results, Chinese experts confirm chloroquine phosphate has a certain curative effect on COVID-19
  Feb. 26  Press in France begin covering stories around chloroquine, followed by other European countries
  Mar. 13  The AIFA Scientific Technical Commission in Italy discusses the possibility of using chloroquine
  Mar. 16  Australian researchers announce some COVID-19 patients have responded "very well" to drugs used to treat HIV and malaria
  Mar. 17  Elon Musk tweets about chloroquine
  Mar. 18  WHO announces chloroquine and the related hydroxychloroquine will be among the four drugs studied as part of the Solidarity clinical trial
  Mar. 19  President Trump comments on chloroquine
  Mar. 24  New York governor Andrew Cuomo announces New York State trials of chloroquine and hydroxychloroquine will begin
  Mar. 28  FDA issues an Emergency Use Authorization (EUA) to allow hydroxychloroquine sulfate and chloroquine to be used for certain hospitalized patients with COVID-19
  Apr. 1   The European Medicines Agency (EMA) issues guidance saying chloroquine and hydroxychloroquine are only to be used in clinical trials or emergency use programs


NormShield

NormShield® is the only cyber risk rating system that enables enterprises to measure the probable financial loss (OpenFAIR) from a cyber attack on a third party, supplier or business partner. NormShield's 3D Vendor Risk @ Scale platform uniquely combines three types of assessments to provide more fidelity and automation to the process of assessing third-party risk.

By combining these three dimensions (cybersecurity ratings, compliance controls, and the OpenFAIR analysis), it simplifies the arduous process of assessing hundreds to thousands of third parties. The NormShield platform provides accurate, quantitative (MITRE), and continuously updated data to assess and monitor the cyber risk posture of any organization.

Copyright 2020 NormShield, Inc.

www.normshield.com

