COVID-19 caught everyone by surprise. No one thought a virus could inflict so much damage to the global economy, but it has. As thousands of businesses closed shop and millions of employees lost their jobs, governments and international organizations alike sought to provide financial assistance to the severely affected.
One of today’s biggest donation drives is managed by the World Health Organization (WHO). The COVID-19 Solidarity Response Fund is a collaboration among several organizations, including WHO, the United Nations (UN) Foundation, and the Swiss Philanthropy Foundation. Backed by highly trusted and well-respected institutions, the fund has successfully raised more than US$210 million from hundreds of thousands of donors.
Given the enormous amount of money involved, it is not surprising that scammers would attempt to get a piece of the pie through typosquatting. A successful scam can, after all, elicit contributions ranging from US$25 to US$2,500 or more from unwary visitors.
WHO also released a warning about how some groups may be exploiting and using their donation drive and the current health crisis to carry out fraudulent acts. Some threat actors may even pose as WHO staff members to obtain their credit card and banking details.
So, we decided to put our domain and IP intelligence solutions to work and analyze suspicious bulk domain registrations detected by our Typosquatting Data Feed with names containing the string “covid19responsefund” and close variants.
The Domain Intelligence Check
On 5 March 2020, the UN Foundation registered the domain covid19responsefund[.]org to serve as the collaboration’s website for the donation drive. Note that its WHOIS record details are public as shown in this WHOIS Lookup report, clearly distinguishing the UN Foundation as the domain registrant.
By 14 March 2020, one day after the project’s launch, we saw 12 new domain registrations that were confusingly similar to covid19responsefund[.]org. This list can be found using typosquatting data feeds, which shows groups of similarly named domains registered on the same day.
While maintaining the same domain name (albeit misspellings and the addition of special symbols), the newly registered domains (NRDs) sported a variety of top-level domain (TLD) extensions, among which:
- covid19responsefund[.]nu
- covid19responsefund[.]mobi
- covid19responsefunds[.]com
- covid19responsefund[.]com
- covid-19responsefund[.]com
- covid19responsefunds[.]org
- covid19responsefund[.]top
- covid19responsefund[.]xyz
- covid-19responsefund[.]org
- covid19responsefund[.]biz
- covid19responsefund[.]se
- covid19responsefund[.]info
A careful evaluation of the NRDs using WHOIS API revealed that most of them weren’t registered in the U.S. and, therefore, are unlikely to be related to the actual donation page.
The DNS and IP Intelligence Check
A deeper dive using DNS Lookup allowed us to find that covid-19responsefund[.]org and covid-19responsefund[.]com (notice the addition of the hyphen [-] in-between “covid” and “19” and the different TLD extension in the second domain) share the same IP address 47[.]91[.]169[.]15. That’s apart from having nearly identical WHOIS registration details. These bits of information could indicate that the same person is behind these two domains.
It is also interesting to note that covid-19responsefund[.]org and covid-19responsefund[.]com are both suspected of ties to phishing, according to VirusTotal. That said, it may be best to refrain from visiting the two domains.
What’s more, DNS Lookup API shows that the UN Foundation’s site covid19responsefund[.]org has a different IP address — 3[.]210[.]181[.]204. A Reverse IP/DNS Lookup, which reveals domains hosted on the same IP address, shows that the address is dedicated.
Source: (http://www.circleid.com/)
