BALTIMORE– Following an investigation conducted by U.S. Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI), the U.S. Attorney’s Office for the District of Maryland announced today the seizure of two domain names, “mordernatx.com” and “regeneronmedicals.com,” which purported to be the websites of actual biotechnology companies developing treatments for the COVID-19 virus. These spoofed websites were used to collect the personal information of individuals visiting the sites, in order to use the information for nefarious purposes, including fraud, phishing attacks, and/or deployment of malware. Individuals visiting those sites now will receive a message that the site has been seized by the federal government and be redirected to another site for additional information.
“Our cadre of highly skilled special agents, paired with invaluable private sector partnerships garnered through the National Intellectual Property Rights Coordination Center provide an effective strategy to help identify, disrupt and dismantle illegitimate domains used to defraud potential consumers.” said ICE’s Homeland Security Investigations Executive Associate Director Derek N. Benner. “Under Operation Stolen Promise, ICE HSI utilized it’s broad investigative authority to protect consumers from the increasing and evolving threat posed by COVID-19-related fraud and criminal activity. Now, under Operation Stolen Promise 2.0, HSI’s focus has expanded to combat the next wave of anticipated fraud related to the COVID-19 vaccine and other treatments. This operation illustrates the ongoing efforts of the National Intellectual Property Rights Coordination Center, private industry and international law enforcement agencies in keeping our communities safe and free from corruption. Often, this battle is fought behind the scenes and unknown to the general public. Though, the global population can be assured that our mission remains firmly committed to protecting their health and safety, no matter what.”
“The U.S. Attorney’s Office and our law enforcement partners are committed to bringing to justice the criminals that try to take advantage of this global pandemic to line their pockets at the expense of the most vulnerable,” said U.S. Attorney Robert K. Hur. “I urge citizens to remain vigilant. Don’t provide personal information or click on websites or links contained in unsolicited e-mails. Don’t become a victim.”
“These individuals took advantage of fear during the global pandemic and attempted to steal personal information for nefarious purposes,” said HSI Baltimore Special Agent in Charge John Eisert. “From the cyber realm to counterfeit medication to financial crime, we are committed to detecting, investigating, and disrupting all types of fraud related to the COVID-19 pandemic.”
According to the affidavits filed in support of these seizures, these investigations began in early December 2020, after corporate security for one of the companies located the spoof website and contacted ICE HSI’s Intellectual Property Rights Center (“IPRC”) and the HSI Cyber Crimes Center (“C3”), and the other website was located during an ongoing operation targeting suspicious publicly reachable websites by ICE HSI C3. The cases were referred to HSI Baltimore for investigation.
Specifically, on December 10, 2020, the Global Head of Corporate Security for a biotechnology company headquartered in Cambridge, Massachusetts, which has developed a COVID-19 vaccine that is awaiting approval by the U.S. Food and Drug Administration (FDA), contacted HSI IPRC and C3 by e-mail to report that the company’s Cybersecurity Team had detected the domain name mordernatx.com, a fraudulent replication of the company’s website. A review of that website’s online content displayed the name and trademarked logos for the biotechnology company. As detailed in the affidavit, the logos, markings, colors, and text of the mordernatx.com webpage show no substantive differences from the genuine company website’s landing page, other than the fraudulent website has a slight misspelling of the company’s name. However, individuals who click on the “Contact Us” tab, are redirected to an entry form requesting information such as name, company/institution, title, phone, e-mail, and comments/questions. Additional investigation revealed that the mordernatx.com domain name was registered on about December 8, 2020, through a company headquartered in Kuala Lumpur, Malaysia, with no personal information for the registrar listed.
The second domain name seized, regeneronmedicals.com, was located on December 9, 2020, during an ongoing investigation targeting suspicious publicly reachable websites. Investigators found that the subject domain name contained the name and trademarked logos, and was visually similar to, the webpage of a biotechnology company headquartered in Westchester County, New York, which was granted an emergency use authorization by the FDA for an antibody cocktail used to treat COVID-19 in high-risk patients with mild to moderate COVID-19. Further investigation revealed that the subject domain name contained two e-mail addresses and a telephone number not found on the official company website. The phone number appears to be a Voice over IP (VOIP) number. In addition, the “Contact Us” page on the regeneraonmedicals.com site directs “Healthcare professionals, patients or caregivers requesting specific product information, reporting an adverse event or reporting a product complaint” to contact the “Medical Department” at the VOIP number. The same “Contact Us” tab also provides a link to submit medical inquiries which directs users to a page that is different from the same page on the official website. Investigators also found that the subject domain name was registered on December 6, 2020, and lists the registrant as an individual residing in Onitsha Anambra, Nigeria.
By seizing these sites, the government has prevented third parties from acquiring the names and using them to commit additional crimes, as well as prevented third parties from continuing to access the sites in their present form.
ICE HSI launched Operation Stolen Promise in April 2020 to protect the Homeland from the increasing and evolving threat posed by COVID-19-related fraud and criminal activity. As of November 25, 2020, the agency has seized more than $26 million in illicit proceeds; made 170 arrests; executed 148 search warrants and analyzed more than 69,000 COVID-19 domain names. Working with U.S. Customs and Border Protection, more than 1,600 shipments of mislabeled, fraudulent, unauthorized or prohibited COVID-19 test kits and other related items have been seized. For its role in the operation, C3 applies technological, operational, and criminal investigative expertise, products, and services to target the criminals and organizations attempting to commit cybercrimes and exploitation related to COVID-19.
Federal law enforcement is united in its efforts to fight against COVID-19 fraud. ICE HSI has identified tips to recognize and report COVID-19 fraud. If you think you are a victim of a fraud or attempted fraud involving COVID-19, you may also call the National Center for Disaster Fraud Hotline at 1-866-720-5721 or for more information e-mail justice.gov/coronavirus.