Update: Coronavirus-themed domains 50% more likely to be malicious than other domains

Check Point’s Global Threat Index shows cyber-criminals are exploiting interest in the global epidemic to spread malicious activity through several spam campaigns relating to the outbreak of the virus

Concerns about COVID-19, or novel coronavirus, seem to have become as contagious as the virus itself, with headlines spreading across virtually every media outlet.  For example, CNN.com hosts over 1,200 articles mentioning the disease, and a search on the website of The Financial Times produces over 1,100 results.

As the virus spreads across the globe, people are naturally searching online for the latest information and updates on how it might affect them, and what they can do to protect themselves and their families.  And as you might expect, cyber-criminals are quick to take advantage of these concerns for their own gain.

As we recently reported, hackers around the globe have found the Coronavirus serving them well as an enabler for their activities, and are still riding the wave of the epidemic. Our Global Threat Index for January 2020 shows cyber-criminals are exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus.

Since January 2020, based on Check Point Threat Intelligence, there have been over 4,000 coronavirus-related domains registered globally. Out of these websites, 3% were found to be malicious and an additional 5% are suspicious. Coronavirus-related domains are 50% more likely to be malicious than other domains registered in the same period, and the rate is also higher than for recent seasonal themes such as Valentine’s Day.


Many of these domains will probably be used for phishing attempts. Check Point has already spotted, and protects online users from, many websites known to be related to malicious activities that lure victims with discussions around the virus, as well as scam websites that claim to sell face masks, vaccines, and home tests that can detect the virus.

Targeted Italian phishing campaign aims for widespread infection

In addition, a widespread targeted coronavirus-themed phishing campaign was recently spotted targeting Italian organizations, hitting over 10% of all organizations in Italy with the aim of exploiting concerns over the growing cluster of infections in the country. Here is an example of the mail content:

English translation:

Due to the number of cases of coronavirus infection that have been documented in your area, the World Health Organization has prepared a document that includes all the necessary precautions against coronavirus infection.

We strongly recommend that you read the document attached to this message.

With best regards,

Dr. Penelope Marchetti (World Health Organization – Italy)

The email contains a malicious document file named f###########.doc (# = digit) and carries the subject “Coronavirus: Informazioni importanti su precauzioni” (English translation: “Coronavirus: Important information about precautions”). It is signed off by a doctor from the World Health Organization (WHO) based in Italy. However, we searched online and could not find a doctor by the name of Penelope Marchetti with the WHO or Organizzazione Mondiale della Sanità (OMS). Also, the senders’ email addresses are not from official WHO or OMS domains, and most of them were not Italian at all.

Here is a shot from the malicious doc file:

Clicking on “enable editing” and “enable content” will lead to the download of the Ostap Trojan-Downloader, which is known to be a Trickbot downloader. Trickbot is a dominant banking Trojan that is constantly being updated with new capabilities, features and distribution vectors. This makes Trickbot a flexible and customizable malware that can be distributed as part of multipurpose campaigns.
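The indicators described above (subject line, attachment naming pattern, and a WHO/OMS claim from a non-official sender domain) can be turned into a mail triage check. This is an added example, not Check Point's code; the `who.int` allowlist, the reading of the filename placeholder as exactly 11 digits, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators from the campaign description above.
ATTACHMENT_RE = re.compile(r"^f\d{11}\.doc$", re.I)  # f###########.doc, # = digit
SUBJECT = "coronavirus: informazioni importanti su precauzioni"
WHO_CLAIM_RE = re.compile(
    r"world health organization|organizzazione mondiale della sanit", re.I)
# Assumption: who.int is the only sender domain accepted as official.
OFFICIAL_DOMAINS = ("who.int",)

def triage(raw: str) -> list:
    """Return the campaign indicators present in one raw e-mail message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    names = [p.get_filename() or "" for p in msg.walk()]
    if any(ATTACHMENT_RE.match(n.strip()) for n in names):
        hits.append("attachment_name")
    # Message claims to come from WHO/OMS but the sender domain is not official.
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    official = any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)
    body = msg.get_body(preferencelist=("plain",))
    text = display + "\n" + (body.get_content() if body else "")
    if WHO_CLAIM_RE.search(text) and not official:
        hits.append("who_claim_unofficial_sender")
    return hits

def build_sample(sender: str, subject: str, filename: str) -> str:
    """Constructed test message; all values are made up for this example."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    m.set_content("Regards,\nDr. Penelope Marchetti (World Health Organization - Italy)")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="msword", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    lure = build_sample("Penelope Marchetti <pm@mail.example>",
                        "Coronavirus: Informazioni importanti su precauzioni",
                        "f12345678901.doc")
    print(triage(lure))
```

A message that matches more than one indicator is a strong candidate for quarantine; a single hit on the sender check alone is better treated as a reason for manual review.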

Staying protected

So how can you avoid falling victim to these scam attempts? Our recommendations for safe online behavior are:

  1. Be cautious with emails and files received from unknown senders, especially if they prompt for a certain action you would not usually do.
  2. Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead Google your desired retailer and click the link from the Google results page.
  3. Beware of “special” offers. “An exclusive cure for Coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity but most likely fraud. At this point in time there is no cure for the coronavirus, and even if there were, it definitely would not be offered to you via an email.

Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.

Protect your organization with a holistic, end to end cyber architecture, to prevent zero-day attacks.