Cybercriminals have registered large numbers of COVID-19 themed domains which are being used for a variety of scams. Internet service providers are being ordered to take down the websites but given the sheer number of malicious websites that have been set up, that process is taking some time.
In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) has ordered internet service providers to take down 292 COVID-19 themed websites that were being used for nefarious purposes. 237 of the websites were independently identified as malicious by HMRC and 55 were reported to HMRC by the public. The sites were being used for phishing, malware distribution, and a variety of scams. While it is certainly good news that the websites have now been taken down, they represent just a tiny percentage of the websites that are exploiting the COVID-19 pandemic to obtain credentials, defraud consumers, and distribute malware and ransomware.
Until these sites can all be taken down, there are steps that can be taken by businesses to block coronavirus scams. The COVID-19 Cyber Threat Coalition has released a block list of more than 26,000 URLs and domain names that have been confirmed as being used for scams, phishing, and malware distribution.
The COVID-19 Cyber Threat Coalition consists of volunteers drawn from the cybersecurity community, cyber intelligence firms, antivirus software vendors and others, who have been collating information on COVID-19 threats since the end of March. Their aim is to identify threats and provide that information to businesses free of charge to allow them to take steps to reduce risk.
Two block lists have been created. The URL blocklist consists of 13,863 malicious URLs and the domain blocklist contains 12,258 malicious hostnames and domains. These URLs and domains have all been used in COVID-19 themed attacks on the healthcare industry, government, and businesses during the pandemic.
The block lists can be used by web filtering solutions, secure gateways, firewalls, and other security solutions to prevent users from visiting the websites. The block lists are updated every 10 minutes, so they should be refreshed frequently to ensure they provide protection against more recently identified malicious URLs and domains.
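As an added illustration (not code from the coalition or from any product), the sketch below shows how a filter could consult both lists: an exact match against the URL list, then a host-or-parent-domain match against the domain list, plus a staleness check tied to the 10-minute update interval. The one-entry-per-line file format, the `Blocklist` class and all sample entries are assumptions made for this example.

```python
from urllib.parse import urlsplit

REFRESH_SECONDS = 600  # the article says the lists are updated every 10 minutes

def entries(text):
    """Yield list entries; one per line, '#' comments skipped (assumed format)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def normalize_url(url):
    """Lower-case scheme and host, drop port, fragment and trailing slash."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").rstrip(".")
    query = "?" + p.query if p.query else ""
    return f"{p.scheme}://{host}{p.path.rstrip('/')}{query}"

def host_candidates(host):
    """The host and each parent domain, stopping before the bare TLD."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]

class Blocklist:
    def __init__(self, url_text, domain_text, loaded_at):
        self.urls = {normalize_url(u) for u in entries(url_text)}
        self.domains = {d.lower().rstrip(".") for d in entries(domain_text)}
        self.loaded_at = loaded_at  # epoch seconds of the last refresh

    def is_stale(self, now):
        return now - self.loaded_at >= REFRESH_SECONDS

    def verdict(self, url):
        norm = normalize_url(url)
        if norm in self.urls:  # exact match against the URL list
            return "block:url"
        host = urlsplit(norm).hostname or ""
        if any(c in self.domains for c in host_candidates(host)):
            return "block:domain"  # host or a parent is on the domain list
        return "allow"

# Constructed sample data on reserved names, not real blocklist entries.
URL_LIST = "# urls\nhttp://files.example.net/covid19/relief-form.php\n"
DOMAIN_LIST = "# domains\ncovid-relief.example\ncovid-grant.test\n"

if __name__ == "__main__":
    bl = Blocklist(URL_LIST, DOMAIN_LIST, loaded_at=0)
    for u in ("HTTP://Files.Example.NET/covid19/relief-form.php/",
              "https://login.covid-relief.example/claim",
              "http://files.example.net/covid19/other"):
        print(bl.verdict(u), u)
    print("refresh due:", bl.is_stale(now=600))
```

Note that a URL-list entry blocks only that URL, so the third sample request to the same host is allowed; only a domain-list entry covers a whole host and its subdomains.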
You can obtain the blocklists on the following links: