BALTIMORE, MD—The U.S. Attorney’s Office for the District of Maryland has seized two domain names that were connected to COVID-19 phishing schemes.
“Mordernatx.com” and “regeneronmedicals.com,” purported to be the websites of actual biotechnology companies developing treatments for the COVID-19 virus, instead appear to have been used to collect the personal information of individuals visiting the sites, in order to use the information for fraud, phishing attacks, and deployment of malware. Individuals visiting those sites now will see a message that the site has been seized by the federal government and be redirected to another site for additional information.
The seizure of the domain names was announced by United States Attorney for the District of Maryland Robert K. Hur and Special Agent in Charge John Eisert of Homeland Security Investigations – Baltimore.
“The U.S. Attorney’s Office and our law enforcement partners are committed to bringing to justice the criminals that try to take advantage of this global pandemic to line their pockets at the expense of the most vulnerable,” said Hur. “I urge citizens to remain vigilant. Don’t provide personal information or click on websites or links contained in unsolicited e-mails. Don’t become a victim.”
“These individuals took advantage of fear during the global pandemic and attempted to steal personal information for nefarious purposes,” said Eisert. “From the cyber realm to counterfeit medication to financial crime, Homeland Security Investigations is committed to detecting, investigating, and disrupting all types of fraud related to the COVID-19 pandemic.”
According to the affidavits filed in support of these seizures, these investigations began in early December 2020, after corporate security for one of the companies located the spoof website and contacted HSI’s Intellectual Property Rights Center (“IPRC”) and the HSI Cyber Crimes Center (“C3”). The other website was identified during an ongoing HSI C3 operation targeting malicious websites. The cases were referred to HSI Baltimore for investigation.
Specifically, on December 10, 2020, the Global Head of Corporate Security for a biotechnology company headquartered in Cambridge, Massachusetts, which has developed a COVID-19 vaccine that is awaiting approval by the U.S. Food and Drug Administration (FDA), contacted HSI IPRC and C3 by e-mail to report that the company’s Cybersecurity Team had detected the domain name mordernatx.com, a fraudulent replication of the company’s website. A review of that website’s online content displayed the name and trademarked logos of the biotechnology company. As detailed in the affidavit, the logos, markings, colors, and text of the mordernatx.com webpage showed no substantive differences from the genuine company website’s landing page, other than the fact that the fraudulent website had a slight misspelling of the company’s name. However, individuals who clicked on the “Contact Us” tab were redirected to an entry form requesting information such as name, company/institution, title, phone, e-mail, and comments/questions. Additional investigation revealed that the mordernatx.com domain name was registered on or about December 8, 2020, through a company headquartered in Kuala Lumpur, Malaysia, with no personal information for the registrant listed.
The second domain name seized, regeneronmedicals.com, was identified on December 9, 2020, during an ongoing HSI C3 investigation targeting malicious websites. Investigators found that the subject domain name contained the name and trademarked logos of, and was visually similar to, the webpage of a biotechnology company headquartered in Westchester County, New York, which was granted an emergency use authorization by the FDA for an antibody cocktail used to treat COVID-19 in high-risk patients with mild to moderate COVID-19. Further investigation revealed that the subject domain name contained two e-mail addresses and a telephone number not found on the official company website. The phone number appeared to be a Voice over IP (VoIP) number. In addition, the “Contact Us” page on the regeneronmedicals.com site directed “Healthcare professionals, patients or caregivers requesting specific product information, reporting an adverse event or reporting a product complaint” to contact the “Medical Department” at the VoIP number. The same “Contact Us” tab also provided a link to submit medical inquiries which directed users to a page that was different from the corresponding page on the authentic website. Investigators also found that the subject domain name was registered on December 6, 2020, and lists the registrant as an individual residing in Onitsha, Anambra, Nigeria.
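Both domains imitate a company name, one by a one-letter misspelling and the other by embedding the brand in a longer label. The following is an added example of the kind of brand-monitoring check a corporate security team can run over newly registered domains; it is not code from the release or from either company, and the protected labels and the domain feed are constructed for the illustration.

```python
# Added example: flag new domains that imitate a protected brand label, either by a
# small typo (edit distance) or by embedding the brand name inside a longer label.
# The brand labels and the feed below are constructed assumptions, not data from the release.
BRAND_LABELS = ("modernatx", "regeneron")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brands=BRAND_LABELS, max_distance: int = 2) -> str:
    """Return 'brand', 'typosquat:<brand>', 'brand-embedded:<brand>' or 'unrelated'.

    Only the leftmost label is compared, so a simple "<label>.<tld>" shape is assumed;
    a production check would strip the public suffix first.
    """
    label = domain.lower().rstrip(".").split(".")[0]
    for brand in brands:
        if label == brand:
            return "brand"
        if edit_distance(label, brand) <= max_distance:
            return f"typosquat:{brand}"
        if brand in label:
            return f"brand-embedded:{brand}"
    return "unrelated"


def triage(feed) -> dict:
    """Map each suspicious domain in a registration feed to its verdict."""
    verdicts = {d: classify_domain(d) for d in feed}
    return {d: v for d, v in verdicts.items() if v != "unrelated"}


# Constructed feed: the two seized names, the genuine label, and an unrelated domain.
CONSTRUCTED_FEED = ["mordernatx.com", "regeneronmedicals.com", "modernatx.com", "example.org"]

if __name__ == "__main__":
    for domain, verdict in triage(CONSTRUCTED_FEED).items():
        print(f"{domain:28s} {verdict}")
```

A hit like `typosquat:modernatx` is the point at which a security team would open a takedown or seizure referral, as the company in the release did.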
By seizing these sites, the government has prevented third parties from acquiring the names and using them to commit additional crimes, as well as prevented third parties from continuing to access the sites in their present form.