Coronavirus Related Phishing

Certificate Transparency Logs

Created in response to the compromise of a Certificate Authority (CA), Certificate Transparency logs are designed to make it easier to spot fraudulent certificates, and the suspicious domains they are issued for, as soon as they appear. CAs are required to publicly log every TLS certificate they issue. Crucially, each transparency log is integrity-checked using a hash tree (a Merkle tree), so the whole log can be verified and entries cannot be quietly altered or removed after the fact.

Drinking from the Hose Pipe

As intended, we can use the raw stream of transparency logs for our own analysis. In normal times the focus would be on trying to find malicious phishing domains being registered: domains that look like our own, or like the legitimate domains of typical phishing targets. But let's use it to try and find anything coronavirus-related.

```text
./certificates -filter="corona"
2020/03/25 09:19:06 Using filter "corona"
2020/03/25 09:19:06 Drinking from the hosepipe...
...
2020/03/27 14:56:30 Ran for 3h0m10.5205424s
2020/03/27 14:56:30 Final stats:
2020/03/27 14:56:30 Certificates seen: 383150
2020/03/27 14:56:30 Updates: 0
2020/03/27 14:56:30 Matched: 189
2020/03/27 14:56:30 Error in processing: 327
...
Count  Subject                 Aggregated                  Update Type      Validation     Fingerprint
0      coronacourse.ru         /CN=coronacourse.ru         PrecertLogEntry  Let's Encrypt  5C:7C:AD:62:51:B7:89:B2:56:C6:1C:11:78:35:40:30:35:F7:1F:EB
1      coronavirus-vaccine.co  /CN=coronavirus-vaccine.co  X509LogEntry     Let's Encrypt  87:48:89:B3:B8:40:ED:CD:4A:4A:D9:3B:89:9D:52:72:98:27:3C:16
2      coronavirus-pobedim.ru  /CN=coronavirus-pobedim.ru  X509LogEntry     Let's Encrypt  D8:D7:F8:88:4D:53:99:A2:E4:FE:90:BB:30:97:4B:FD:9C:59:BD:BE
3      corona-clean.eu         /C=PL/CN=corona-clean.eu    PrecertLogEntry  Unknown        6B:8C:7A:CC:B1:A6:3A:07:C9:26:E7:33:72:60:88:EC:6A:61:3E:3B
4      coronacourse.ru         /CN=coronacourse.ru         X509LogEntry     Let's Encrypt  78:1B:C2:50:65:4D:54:48:06:92:80:BE:86:25:C8:1D:08:55:EF:BA
5      nyccoronavirus.co       /CN=nyccoronavirus.co       X509LogEntry     Let's Encrypt  28:96:05:D1:43:F7:6D:26:C7:D8:18:CE:78:DD:6F:0B:ED:88:E8:EB
...
```
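The keyword filter the tool applies, as an added Go example that is not the post's own code: it builds a handful of entries in the shape of the output above (constructed sample data, not real log entries), pulls the CN out of each subject, matches it case-insensitively and counts subjects it cannot parse as processing errors instead of dropping them silently, mirroring the "Error in processing" counter. The `Entry` struct and the `commonName` and `Filter` names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry holds the tool's columns: subject, update type and the "Validation" (issuer) column.
type Entry struct{ Subject, UpdateType, Issuer string }

// commonName extracts the CN from a slash-separated subject such as "/C=PL/CN=corona-clean.eu".
func commonName(subject string) (string, error) {
	for _, part := range strings.Split(subject, "/") {
		if strings.HasPrefix(part, "CN=") && len(part) > 3 {
			return strings.ToLower(part[3:]), nil
		}
	}
	return "", fmt.Errorf("no CN in subject %q", subject)
}

// Filter returns the CNs containing keyword (case-insensitive) plus the tool's
// "seen" and "error in processing" counters; unparsable entries are counted, not dropped.
func Filter(entries []Entry, keyword string) (matched []string, seen, errs int) {
	kw := strings.ToLower(keyword)
	for _, e := range entries {
		seen++
		cn, err := commonName(e.Subject)
		if err != nil {
			errs++
			continue
		}
		if strings.Contains(cn, kw) {
			matched = append(matched, cn)
		}
	}
	return matched, seen, errs
}

// sample is constructed data in the shape of the post's output, not real log entries.
var sample = []Entry{
	{"/CN=coronacourse.ru", "PrecertLogEntry", "Let's Encrypt"},
	{"/C=PL/CN=corona-clean.eu", "PrecertLogEntry", "Unknown"},
	{"/CN=example.org", "X509LogEntry", "Example CA"},
	{"/O=Broken Subject", "X509LogEntry", "Unknown"}, // no CN: counted as an error
	{"/CN=NYCCORONAVIRUS.CO", "X509LogEntry", "Let's Encrypt"},
}

func main() {
	matched, seen, errs := Filter(sample, "corona")
	fmt.Printf("Certificates seen: %d Matched: %d Error in processing: %d %v\n", seen, len(matched), errs, matched)
}
```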

Analysis

When running for three hours last week, it found 189 certificates with "corona" in the common name, out of 383,150 certificates seen in that same time span. The rate does seem to have slowed a little: earlier last week, running it every now and again while writing the code, we saw about 100 matching certificates for roughly every 80,000 seen.

6point6