DOJ Seizes Fake Domains Impersonating Moderna, RegeneronProsecutors: Websites Spoofed Pharmaceutical Firms for ID Theft
Federal investigators have seized two domains impersonating the pharmaceutical firms Moderna, which has begun shipping a COVID-19 vaccine, and Regeneron, which developed a treatment for COVID-19, according to the U.S. Justice Department.
The investigation into the two sites was launched earlier this month after fraudsters were found impersonating the names of the two pharmaceutical companies and using the spoofed websites to steal identities that could be used to create phishing campaigns and spread malware, according to the U.S. Attorney's Office for the District of Maryland, which is overseeing the case.
The fake domains - "mordernatx.com" and "regeneronmedicals.com" - used similar names, trademarked logos and graphics of companies to create realistic-looking websites that harvested the personal information of victims visiting the sites, according to the Justice Department.
The cybersecurity team at Moderna located the spoofed website and contacted federal authorities, who then started an investigation, according to the Justice Department. The investigation was led by a unit of the Department of Homeland Security.
The investigators found those who visited the fake Moderna site and clicked on the "contact us" tab were redirected to an entry form requesting information, such as name, company or institution, title, phone number and email address. They were also encouraged to fill out a comments and questions form, according to the Justice Department.
"A review of that website's online content displayed the name and trademarked logos for the biotechnology company. The logos, markings, colors, and text of the mordernatx.com webpage showed no substantive differences from the genuine company website's landing page, other than the fact that the fraudulent website had a slight misspelling of the company's name," Justice Department officials say.
The investigation also revealed that the mordernatx.com domain name was registered around Dec. 8 through a company based in Kuala Lumpur, Malaysia, with no personal information about who registered and created it.
The other domain seized during the investigation was regeneronmedicals.com, which federal agents discovered on Dec. 9. The domain name was registered on Dec. 6 to an individual in Onitsha, Anambra, Nigeria, according to the Justice Department.
The investigators found that this domain contained a name and trademarks that were similar to the biotechnology company Regeneron, based in Westchester County, New York, investigators say. Regeneron was recently granted an emergency use authorization by the U.S. Food and Drug Administration for an antibody cocktail designed to treat COVID-19 in high-risk patients.
Investigators found that the fake domain contained two email addresses and a telephone number not found on the official company website. That telephone number turned out to be a VOIP number created by the fraudsters.
"The 'contact us' page on the regeneronmedicals.com site directed 'healthcare professionals, patients or caregivers requesting specific product information, reporting an adverse event or reporting a product complaint' to contact the 'medical department' at the VOIP number," the federal investigators note.
The "contact us" tab on the website also provided a link to submit medical inquiries, which directed users to a page that was different from the corresponding page on the company's authentic website. The page was likely designed to steal personal information and credentials, according to the Justice Department.
Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency, citing a report by IBM, warned organizations involved in COVID-19 vaccine production and distribution of a global phishing campaign targeting the cold storage and transport supply chain. Many vaccines in development must be kept at low temperatures before being administered.
CISA pointed to an IBM Security X-Force report describing the phishing campaign that aims to harvest account credentials.
IBM says the campaign, which started in September, spans six countries and targets organizations and agencies that support the Cold Chain Equipment Optimization Platform program (see: Phishing Campaign Targets COVID-19 'Cold Chain').
Also this month, Interpol warned of a potential surge in organized crime activity tied to COVID-19 vaccines. The alert followed a recent report of spikes in alleged cyberattacks by suspected North Korean hackers against companies working on vaccines and treatments (see: Interpol: Organized Crime to Capitalize on COVID-19 Vaccines ).