US Pharmaceutical Domain Typosquatted And Duplicated
As part of the EclecticIQ Fusion Centre’s on-going coverage of cyber activity related to COVID-19, analysts began monitoring for the targeting of vaccine producers. On April 21st 2020, EclecticIQ analysts observed the duplication of a major US pharmaceutical company’s domain on a domain registered to look similar to the company’s real domain (typosquatted). Upon further research, the domain was duplicated (mirrored) using a tool called HTTrack Website Copier. This website duplication tool leaves a fingerprint in the html code of the duplicated page, as seen in the image below. The HTML comment indicate it was duplicated February 26th, 2020.
The duplicated website is being hosted on a typosquatted domain. The domain was registered on March 12, 2020 approximately 2 weeks after the duplication took place. The SSL certificate, issued by Let’s Encrypt, was last updated on April 21, 2020. The page has used four different SSL certificates since being registered. This is not typical of legitimate domains. Let’s Encrypt is a free and open Certificate Authority with many features to make domain administrators life’s easier. For these same reasons, it is a preferred Certificate Authority of cyber adversaries due to its ease of use and automation features.
Yandex MX Record Utilized for US Company Highly Suspicious/Unusual
The typosquatted domain has an MX record of mx.yandex[.]net. Yandex is a Russian based internet service provider. While Yandex is not inherently malicious, it unlikely a US pharmaceutical company would utilize this email provider. Moreover, the MX records for the victim company’s other major domain registrations pointed to a commercial US security vendor. Adversaries have regularly used Yandex in phishing campaigns and it speaks to the intent of the adversary to conduct phishing operations.
This type of infrastructure could be used to target the pharmaceutical organisation as well as individuals. A duplicated domain adds a layer of sophistication and believability to the phishing campaign to gain trust from the victim. All the branding on the page appears official and unless the user notices the typo in the domain name the webpage is very convincing. Historically, this kind of infrastructure has been used to deliver malware or harvest credentials for account takeovers.
At this time, the adversary’s objectives remain unclear. Adversaries commonly use geo-political events to theme phishing campaigns. It is plausible the site was created to divert victims in the course of COVID-19 pandemic or in the ongoing Q1 earning season.
COVID-19 Theme Phishing Almost Certainly to Continue
While the pharmaceutical industry is no stranger to targeted attacks; the current race to produce a vaccine for COVID-19 very likely brings additional attention from cyber adversaries. It is almost certain adversaries will continue to use COVID-19 as a theme in ongoing operations. EclecticIQ analysts will continue to monitor related cyber activity and responsible report findings.
The EclecticIQ Fusion Center has disclosed details to US-CERT and affected parties.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.