Note: This article has been amended after finding out that coronavirussurvey[.]com is a legitimate online property that is part of the Harvard Humanitarian Initiative (HHI)‘s surveying efforts. We apologize for any misunderstanding about the earlier and strongly encourage everyone to take part in the survey, which URL link can be found on HHI’s Twitter page https://twitter.com/HHI.

Having crossed the two-million mark in coronavirus infections worldwide, citizens from all nations are facing a difficult time. Sadly, cyber threats and attacks currently spreading online are making the situation worse. As companies shift to remote operations, users hoping to continue working despite ongoing home quarantines are facing an even more significant challenge—trying to achieve business-as-usual while getting plagued with online threats.

This post looks at coronavirus-themed threats, which we expect to become increasingly common in the next weeks/months, and which users can monitor with the help of domain intelligence tools starting with Typosquatting Data Feed and WHOIS Lookup among other sources.

Detecting Coronavirus-Themed Bulked Registrations

Since the number of coronavirus-afflicted individuals began its continuous rise, we saw the number of coronavirus-related bulk domain registrations increase as well. We specifically looked at the number of newly registered domains (NRDs) containing the term “corona” on 29 February 2020. Via our Typosquatting Data Feed service, we identified 189 NRDs scattered across 36 bulk registrations.

We subjected these NRDs to a WHOIS Lookup query to obtain ownership information from our WHOIS domain database and discovered that:

• Registrar GoDaddy accounted for 77 of the NRDs, followed by 1&1 IONOS SE (17 NRDs), and Name.com, Inc. and NameSilo, LLC (9 NRDs each).
• Most of the NRDs (105) are U.S.-based, followed by those which registrations appear in Canada and Israel (8 NRDs each) and Russia (7 NRDs).

We then queried the NRDs on Screenshot API to see if any of these were active. While most were parked, inactive, or unreachable, we did notice that 33 of the NRDs contained coronavirus-related content.

A False Positive with Cybersecurity Implications

Among the 33, we paid particular attention to coronavirussurvey[.]com because it sports the brand and logo of Harvard University (Note: coronavirussurvey[.]com page is no longer viewable). We specifically wanted to find out if the site belongs to the prestigious institution or if a cyber attacker is using its name for malicious gain.

Our Bulk WHOIS Lookup results showed a privacy-protected registration with registered details in Ontario, Canada. We found this suspicious as we all know that Harvard University is U.S.-based as is evident in harvard[.]edu’s WHOIS record.

Also, our expectation would have been for the university to host its survey on their official domain name as opposed to newly-registered ones—as 70% of these can be malicious, suspicious, or not safe for work. At the time, we also queried coronavirussurvey[.]com on Threat Intelligence Platform (TIP) and found that VirusTotal had identified it as a possible phishing source.

To our surprise, however, the above survey was legitimate and happening, though under the domain coronavirussurvey[.]org (which share the same WHOIS record details of coronavirussurvey[.]com), as can be seen from the Harvard Humanitarian Initiative’s Twitter page:

While coronavirussurvey[.]com turned out to be a false positive, in the sense that it was flagged as a phishing entity but was a legitimate surveying effort, two cybersecurity implications can be drawn.

First, domain privacy can send investigators in the wrong direction. While domain privacy services offer a right to privacy, it can also have the effect of obfuscating investigations ran by cybersecurity specialists and law enforcement investigators. In the above case, a more apparent connection between coronavirussurvey[.]com’s and harvard[.]edu’s WHOIS records could have helped in establishing the former domain’s legitimacy. Also, there is a concern that cybercriminals might be able to abuse domain privacy services to operate undetected while carrying their deeds.

Second, it’s important to note that the surge in coronavirus-themed domain registrations over the past weeks is also raising global concerns. Some of these domains are indeed questionable at best, including corona-cure[.]com, as identified from a warning letter by the U.S. Food and Drug Administration. As such, the public may become increasingly wary of coronavirus-themed domain registrations.