image of breaking badness
Breaking Badness
Breaking Badness

A Year in COVID Cybercrime


To mark the approximate anniversary of the pandemic declaration and lockdowns, we presented a special episode of Breaking Badness. As we recorded the episode, over 2.7 million people worldwide, and over 540,000 in the US, had lost their lives from the disease. But, while it may pale in comparison with the public health crisis, the cybercrime and fraud based on COVID-19 is taking a toll as well. We looked at the various ways criminals are capitalizing on the pandemic, from ransomware to fake vaccines to disinformation campaigns. But we also learned more about some of the great work that is being done to combat this activity.

The Interminable March

March, 2020, went on record as the longest month in human history, at least according to—well, pretty much everyone. It was the month when not only the magnitude of the pandemic became really clear, but also when its impact on our lives—everyone’s, not just frontline workers or folks who had the virus themselves—became significant. March 2020 was when a lot of companies began, or even fully completed, the shift to remote work. It was when “flatten the curve” became household words. And March of 2020 is when CovidLock hit. Researcher and frequent Breaking Badness co-host Chad Anderson, and DomainTools alumnus Tarik Saleh were doing something that has become a standard practice for the research team at DomainTools: they were hunting for malicious online infrastructure and activities tied to a news item—in this case, COVID-19. In March, they found a domain that linked to a COVID-19 tracking app that was not what it appeared to be. Instead, it was an Android ransomware that locked the phone, demanding a $100 ransom in Bitcoin. Fortunately, Chad and Tarik were able to reverse-engineer decryption keys so that victims would not have to pay the criminals in order to get their phones back.

As background to that, Chad and fellow researchers Sean McNee and Turbo Conwell had begun looking for sketchy COVID-themed domains in December of 2019. They found some…and more…and more….and more. Soon, Chad had to write some automation to help him efficiently sift through them to sort out good vs bad. There were thousands of domains per day with a COVID theme being registered in the spring of 2020. Many of them held nasty surprises. The job of finding the badness was significant enough that a group called the COVID-19 Cyber Threat Coalition (CCTC) formed; at its peak, the CCTC had around 4,000 volunteers around the world, creating a blocklist for COVID-related domains. Nick Espinosa, the CCTC’s official spokesperson, was a guest on the episode and gave some great insights into the work the Coalition did.

Long story short—CovidLock was far from the only pandemic-related ransomware. There was a ton of it, for both mobile and desktops…and that led to the next scourge we saw last year: hospital ransomware.

Hammering Hospitals

Ransomware related to COVID-19 didn’t just affect users who happened to click on malicious links or download malicious apps. The summer and fall of 2020, a time when the virus was still rampaging, saw a rash of ransomware attacks on hospitals. What may have been the first death attributed to hospital ransomware occurred in September. Hospitals, of course, are in an agonizing spot if they get hit: paying the ransom is never considered a good practice, but what do you do when lives could be on the line? Not an easy choice to make, as Tarik pointed out on the episode.

Not only that—the popularity of double-extortion ransomware made this even worse, because not only did hospitals face the compromise of care systems, they also could face serious HIPAA violation repercussions if patient data were put online as part of the extortion. Ransomware didn’t even exist when HIPAA was written, so there is no “out” for hospitals if they fall victim to this.

Vaccine Shenanigans

The world breathed at least a bit of a sigh of relief when the two major COVID-19 vaccines, from Pfizer and Moderna, were approved in late 2020. It felt like there was at least a little light at the end of the tunnel, even if it was faint and still very far away. But even with the somewhat accelerated pace of the rollouts, for many people, the wait is likely to be many more weeks or months. And if you hadn’t guessed already, fraudsters have been preparing for that market demand.

Sketchy online pharmaceutical sales are almost as old as the Internet itself—at least, the consumer-oriented web. If you have an email account, there’s a good chance that you’ve seen ads for mail-order pills, usually for weight loss or bedroom enhancement. But just as it opened opportunities for ransomware, the pandemic opened a market for vaccines, or, shall we say, “vaccines.” Chad did a lot of research on the underground markets for not only fake vaccines themselves, but related items like vaccination record cards. Another scam vector is sites that supposedly notify users of overflow appointments or doses near them. Some of these sites ask for credit card information. Needless to say….run away. Legit vaccine notification sites (Dr. B’s is an example) do NOT need payment.

Mis and Dis

Another online feature of the pandemic has been the extensive mis- and disinformation campaigns around everything from the origin of the virus to the severity of the symptoms to the ways it spreads to the efficacy of vaccines—to the really nutso conspiracy theories about 5G, Bill Gates, and microchips. Nick Espinosa from the CCTC has noted a lot of this content online, as has Kate Starbird from the University of Washington (follow Kate for lots of interesting info on misinformation and disinformation). On the podcast, we ran some audio from a panel discussion Kate participated in last Spring, in which she talked about how big events create fertile ground for these kinds of campaigns. Malicious actors as well as well-meaning but uninformed folks jump into the information vacuum when big swaths of the population are trying to get as much info as they can about important or worrisome events.

As for the efficacy of the deliberate disinformation campaigns, their efforts are certainly succeeding: a Kaiser family foundation poll from February of 2021 found that 55% American adults had gotten vax or wanted to ASAP. The remaining 45%? even split bw “definitely not” and “wait and see.”

The list goes on, too. The Harvard Kennedy School Misinformation Review found that when Italy was the epicenter of the pandemic, it became the focus of state-sponsored disinformation campaigns. The Australia Institute found 10 distinct Twitter botnets; they could tell that they were bots because of signals like accounts that retweeted within one second of other tweets. This paper from SAGE explores the 5G and COVID conspiracy theory:

As has been widely documented, the source of a lot of the disinformation about COVID is Russian. An article from December of 2020 by the Homeland Security Affairs Journal described both historical and recent Russian disinformation campaigns, and ways in which they are and will continue to weaponize doubts, false or misleading information, and the polarization that those things keep amplifying.

There’s a good chance that future, regular weekly episodes of Breaking Badness will include discussion of new COVID-themed malicious online activity. For now…be safe out there!

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!