DOI: 10.1145/3422337.3447840 (research article, CODASPY conference proceedings)

Identifying and Characterizing COVID-19 Themed Malicious Domain Campaigns

Published: 26 April 2021

Abstract

    Ever since the outbreak of the COVID-19 pandemic began, attackers have acted quickly to exploit the confusion, uncertainty and anxiety it caused, launching a variety of attacks through COVID-19 themed malicious domains. Malicious domains are rarely deployed independently; they almost always belong to much larger, coordinated attack campaigns. Analyzing COVID-themed malicious domains from the angle of attack campaigns therefore gives a deeper understanding of the scale, scope and sophistication of the threats posed by such domains. In this paper, we collect data from multiple sources and identify and characterize COVID-themed malicious domain campaigns, including how such campaigns evolve, the infrastructure underlying them and the different strategies taken by the attackers behind them. Our exploration suggests that some malicious domains are strongly correlated, which can guide us to identify new malicious domains and raise alarms at an early stage of their deployment. The results shed light on the urgency of detecting and mitigating cyber attacks that exploit public events.
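The abstract's observation that correlated malicious domains point to a common campaign, and from there to members that have not yet been flagged, is the basis of the worked example below. It is an added illustration and not the paper's pipeline, data or code: the records are constructed to mimic passive DNS (shared IP), WHOIS (registrant e-mail, nameserver) and TLS certificate (fingerprint) pivots, every domain, address and fingerprint is fictitious, and the threshold MAX_SHARED_DEGREE is a hypothetical setting. Domains are linked when they share an infrastructure attribute, each connected component is treated as a candidate campaign, and unlabelled domains that land in a component containing a known-malicious seed are reported together with the evidence that links them. Attributes shared by too many domains are dropped before linking; without that step a shared-hosting or CDN address merges unrelated sites into one bogus campaign, which is the classic false-positive trap in guilt-by-association over DNS data.

```python
"""Clustering COVID-themed domains into campaigns by shared infrastructure.

Added illustration only; not the paper's pipeline. All records below are
constructed and every domain, IP, e-mail address and fingerprint is fictitious.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed records: (domain, attribute kind, attribute value). The kinds
# mimic common pivots: "ip" from passive DNS, "ns" and "email" from WHOIS,
# "cert" from a TLS certificate fingerprint seen in CT logs.
RECORDS: List[Tuple[str, str, str]] = [
    ("covid19-relief-fund.example", "ip", "203.0.113.10"),
    ("covid19-relief-fund.example", "ns", "ns1.bulkhost.example"),
    ("covid19-relief-fund.example", "email", "reg-a@mail.example"),
    ("corona-stimulus-check.example", "ip", "203.0.113.10"),
    ("corona-stimulus-check.example", "email", "reg-a@mail.example"),
    ("covid-vaccine-signup.example", "ip", "203.0.113.11"),
    ("covid-vaccine-signup.example", "cert", "sha256:aaaa"),
    ("pandemic-mask-shop.example", "cert", "sha256:aaaa"),
    ("pandemic-mask-shop.example", "ns", "ns1.bulkhost.example"),
    # Four unrelated sites parked on one shared-hosting address.
    ("covid-stats-dashboard.example", "ip", "198.51.100.5"),
    ("local-bakery.example", "ip", "198.51.100.5"),
    ("city-library.example", "ip", "198.51.100.5"),
    ("university-cs.example", "ip", "198.51.100.5"),
    # A COVID-themed domain with no shared infrastructure at all.
    ("covid-info-unrelated.example", "ip", "192.0.2.77"),
]

# Constructed ground truth: domains already confirmed malicious.
SEED_MALICIOUS: Set[str] = {"covid19-relief-fund.example", "covid-vaccine-signup.example"}

# Hypothetical setting: an attribute shared by more domains than this is
# treated as shared hosting rather than as evidence of a common operator.
MAX_SHARED_DEGREE = 3

Pivot = Tuple[str, str]


def build_pivots(records, max_degree: int) -> Dict[Pivot, Set[str]]:
    """Group domains by (kind, value), keeping only attributes that link at
    least two domains and are not over-shared."""
    pivots: Dict[Pivot, Set[str]] = defaultdict(set)
    for domain, kind, value in records:
        pivots[(kind, value)].add(domain)
    return {p: d for p, d in pivots.items() if 1 < len(d) <= max_degree}


def campaigns(records, max_degree: int = MAX_SHARED_DEGREE) -> List[List[str]]:
    """Connected components (candidate campaigns) of the domain graph induced
    by the retained pivots, computed with union-find."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domain, _, _ in records:
        find(domain)  # register every domain so isolated ones stay singletons
    for members in build_pivots(records, max_degree).values():
        first, *rest = sorted(members)
        for other in rest:
            parent[find(other)] = find(first)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def flag_candidates(records, seeds: Set[str],
                    max_degree: int = MAX_SHARED_DEGREE) -> Dict[str, List[str]]:
    """Unlabelled domains that share a campaign component with a seed, mapped
    to the 'kind=value' pivots that tie them into the campaign."""
    pivots = build_pivots(records, max_degree)
    flagged: Dict[str, List[str]] = {}
    for group in campaigns(records, max_degree):
        if seeds.isdisjoint(group):
            continue
        for domain in group:
            if domain in seeds:
                continue
            flagged[domain] = sorted(
                f"{kind}={value}"
                for (kind, value), members in pivots.items() if domain in members
            )
    return flagged


if __name__ == "__main__":
    for group in campaigns(RECORDS):
        print("campaign:", group)
    for domain, evidence in flag_candidates(RECORDS, SEED_MALICIOUS).items():
        print(f"flag {domain}: {', '.join(evidence)}")
```

On the constructed records the two seeds pull corona-stimulus-check.example and pandemic-mask-shop.example into one four-domain campaign (via a shared IP and registrant e-mail, and via a shared certificate and nameserver respectively), while the four sites on 198.51.100.5 stay separate because that address exceeds the degree threshold. Raising max_degree to cover that address collapses them into a single spurious component, which is why the threshold, or an equivalent allow-list of known hosting and CDN ranges, matters more in practice than the graph algorithm itself.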

    Supplementary Material

    MP4 File (codas756.mp4)
    Presentation video

    Cited By

    • (2023) PhishReplicant: A Language Model-based Approach to Detect Generated Squatting Domain Names. Proceedings of the 39th Annual Computer Security Applications Conference, 1-13. https://doi.org/10.1145/3627106.3627111. Online publication date: 4 December 2023.
    • (2023) Don't Be a Victim During a Pandemic! Analysing Security and Privacy Threats in Twitter During COVID-19. IEEE Access 11, 29769-29789. https://doi.org/10.1109/ACCESS.2023.3260643. Online publication date: 2023.
    • (2023) The development of phishing during the COVID-19 pandemic. Computers and Security 128:C. https://doi.org/10.1016/j.cose.2023.103158. Online publication date: 1 May 2023.
    • (2023) Blockchain Technologies for Internet of Medical Things (BIoMT) Based Healthcare Systems: A New Paradigm for COVID-19 Pandemic. Trends of Artificial Intelligence and Big Data for E-Health, 139-165. https://doi.org/10.1007/978-3-031-11199-0_8. Online publication date: 2 January 2023.
    • (2022) Evaluating the Effectiveness of Handling Abusive Domain Names by Internet Entities. Electronics 11(8), 1172. https://doi.org/10.3390/electronics11081172. Online publication date: 7 April 2022.

          Published In

          CODASPY '21: Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy
          April 2021
          348 pages
          ISBN:9781450381437
          DOI:10.1145/3422337
          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Author Tags

          1. covid-19
          2. knowledge graph
          3. malicious campaigns

          Qualifiers

          • Research-article

          Funding Sources

          • National Key Research and Development Program
          • Qatar National Research Fund
          • National Natural Science Foundation of China

          Conference

          CODASPY '21

          Acceptance Rates

          Overall Acceptance Rate 149 of 789 submissions, 19%
