DNS Abuse Forum - May 25

Home / Blogs

Measuring Abuse: How Much COVID-Related Abuse Is There, Really?

Like measuring COVID's impact, so too measuring the impact of COVID-related abuse on the Internet is difficult, there are those that would foolishly dismiss the danger entirely, others over-state the problem, perhaps to prompt sales of tools and services.

Battling Metrics

Using a petite sample of 6,100 registrations at 12 European ccTLDs Peter Van Roste, the General Manager of CENTR, concluded that " ... the COVID-19 pandemic has had no significant impact on the DNS, either in terms of registrations or in levels of abuse detected."

DomainTools, on the other hand, has a COVID-19 Threat List — domains that are scoring 70 or higher using their risk assessment. The list has over 150,000 entries.

Microsoft said that they have only seen 66,000 COVID-related URLs, but give no indication as to time period or if these were unique URLs or a total.

Google noted that Gmail and G-Suite see 240 million COVID-related spam and phish emails daily.

One thing is certain: The amount and type of abuse varies from network to network, and to declare everything is fine based on one world-view you believe to be ubiquitous, or that the sky is falling based upon another, extrapolated to 'everybody else' is simply poor analysis.

Extraordinary Times

Several registrars have taken proactive action to manually review COVID-related registrations. Apparently they are concerned enough to review new entries in the DNS.

However, and this is an important caveat, determining what is abusive is actually quite difficult. Geo-specific content, protective measures such as the IP ranges of registrars, hosting providers and security firms are regularly denied access by even unsophisticated phishing kits, abusive content buried several directories deep, referrer URLs required to see the nasty content ... seemingly innocuous sites can be drive-by malware infection points: All of these measures may give the wrong impression to a reviewer.

Numerous Slack workspaces have sprung up — the COVID19 Cyber Threat Coalition has 3,600+ members , the COVID-19 CTI League 1,750 participants.

Interpol is concerned enough to issue an alert.

The FBI has seen a spike in COVID-related cyber attack reports

Size Doesn't Matter

Let's cede that the amount of abuse hasn't risen significantly, with the new veneer of COVID-19, but the tenor certainly has changed. The impact of abuse is far more severe than normal.

Medical infrastructure is being hit with DDoS attacks, ransomware campaigns. That takes abuse to a level rarely seen before.

Spam touting diet pills, penis enlargement potions that do not work is bad, but a victim's pocketbook is only a little lighter. Oh well.

COVID-related spam is far further down the path to perdition, the highway to hell: selling PPE that doesn't work exposes the user to a potentially deadly disease. Selling someone shoddy PPE, or a false cure or a fake preventative measure risks health and even life itself.

COVID-related phishing is particularly pernicious. People's financial status is, to say the least, precipitous, and to take what money someone has at this point in time, particularly cold-hearted.

By way of example, there are hundreds installations of a phishing exploit of Canada's Emergency Relief Fund.

These funds are for people in dire need, and having that interfered with is one step beyond.

The German government may have been victim to a phishing scheme using COVID-related methodology.

Attacks on hospital infrastructure is at the best of times sociopathic. Now, such actions are unspeakably evil.

All in all, yes, measurements will vary wildly. What will not vary is that COVID-related Internet abuse is inherently more destructive, more pernicious than what has gone on before. Let's not dismiss this as 'nothing to see here.' There certainly is a lot to see and take protective action upon.

By Neil Schwartzman, Executive Director, The Coalition Against unsolicited Commercial Email - CAUCE

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Spot on Neil. You can only measure By Derek  –  May 01, 2020 9:03 am PDT

Spot on Neil. You can only measure what you understand.

From the trenches of non-delivery advance fee fraud: A company who pays for an order of masks to a bogus mask company, suddenly finds the courier contacting them because even more fees are due, all a sham, domain two or three years old where registrar experts ignored reports, certainly illustrates the point.

Sexiness does not always meet realities. Existing infrastructure is simply redeployed in new ways. Bogus commodity non-delivery fraudsters that have been ignored are still doing what they do, perhaps launch a new ...facemask… domain, but for each one, there are more where victims are diverted to.

Add Your Comments

 To post your comments, please login or create an account.




Sponsored byVerisign

Domain Management

Sponsored byMarkMonitor

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

Threat Intelligence

Sponsored byWhoisXML API

DNS Abuse Forum - May 25