The world has been on edge for the past weeks as many nations enforced mass quarantines amid the continued rise in the number of Coronavirus-infected patients. As a result, about a third of the global population is staying at home to avoid further spread of the virus, and people have been relying on online channels to stay updated.

Having one’s guard down when accessing the Internet, however, isn’t a good idea. Cybercriminals have been quick in finding ways to use the pandemic to their advantage, affecting devices, systems, people, and organizations.

Cybersecurity: Something Else Users Should Be Wary Of

We have seen many coronavirus-related websites crop up to keep Netizens updated on the state of the pandemic. While most sites are safe enough to view and access, some may comprise malware or were created purely with the intent to display ads, misinform, or even phish visitors. Here’s a rundown of some of the coronavirus-themed online threats we have seen so far:

• A master boot record (MBR) wiper called “Coronavirus” that overwrites Windows system users’ computers, thus rendering them useless
• Phishing campaign using a malware-laced attachment disguised as a document from the Centers for Disease Control and Prevention (CDC)
• Malicious Android apps that spy on users who installed them on their devices

This post features a possible recent addition to the baits cybercriminals use to lure users to malicious hosts—coronavirus-themed maps—and what can be done from a cybersecurity standpoint to detect and investigate related dangerous internet domain names.

How to Tell If a Coronavirus Infection Map May Damage Your Computer with a Threat Intelligence Platform

Scrutinizing the reputability of any domain with a solution such as Threat Intelligence Platform (TIP) before accessing it can be your first step. We obtained a list of IoCs, subjected them on TIP, and found that coronavirusstatus[.]space and gisanddata[.]maps[.]arcgis[.]com appear on VirusTotal as malware hosts.

If not done already, security operations centers (SOCs) might want to exclude access to these domain names. Additionally, security architects and product managers can automate similar threat queries by integrating TIP into their security solutions. Doing so would allow them to filter out better malicious domains and IP addresses that could put their networks at risk of data theft.

The WHOIS Perspective: Looking at Records of Legitimate and Known Dangerous Domain Names

TIP isn’t the only source of cyber threat intelligence that one can use to defend himself or his organization against coronavirus-themed cyber attacks. Security professionals might also be interested in comparing what the WHOIS domain record of a legitimate website featuring a Coronavirus map looks like, as opposed to a fraudulent one, with a tool like WHOIS API.

So let’s take a look, for example, at coronavirus[.]jhu[.]edu, the domain name on which John Hopkins University (JHU) Center for Systems Science and Engineering (CSSE) hosts its COVID-19 Map:

From the above, we can see that:

• jhu[.]edu was registered as far back as 19 March 1987, making it an established domain with over 30 years of existence.
• Johns Hopkins University’s details publicly appear in the registrant section.

In contrast, we identified a possibly dangerous domain—corona-virus-map[.]com—with the following WHOIS record:

Here it can be noted that:

• The domain name has been registered much more recently, only a few months back, actually. This clearly (and not surprisingly) coincides with the spread of the virus.
• The domain in question was recently repossessed by registrar GoDaddy, likely because of policy violations and ties to malicious activity.

In spite of the repossession, we wanted to find out who the previous owner of corona-virus-map[.]com was, so we subjected the domain to a WHOIS History API query. We learned that a Russian-based organization called “Artemiy” owned it back in February of this year.

At times when the world is already in a state of panic, no one needs additional headaches brought on by cyberattacks. Enabling automatic threat and domain intelligence is an excellent first step toward ensuring protection against malicious entities that can lead to more devastating consequences. As part of this, SOC personnel tasked to get to the bottom of threats can add Threat Intelligence Platform, WHOIS API, and WHOIS History API to their arsenals.