DNS Abuse Forum - May 25


COVID-19-Related Bulk Domain Registrations: A Possible Case of DNS Abuse?

Addressing Domain Name System (DNS) abuse has been a priority of the Internet Corporation for Assigned Names and Numbers (ICANN), notably since March 2020. During its 70th conference, the organization's members talked about creating a web page defining DNS abuse-related terms, which should be updated over time, to help users report cases.

Considering the ensuing pandemic and how it has led to cyber threats throughout 2020 and contributed to instances of DNS abuse, we looked at the COVID-19-related domain registration trends for nearly the past 18 months (1 October 2019 — 31 March 2021). We then determined how many of these had redacted/privacy-protected WHOIS records and were tagged "malicious."

The Data

We collated daily lists of newly registered domains (NRDs) containing the strings "coronavirus," "covid," and "vaccine." In the course of 18 months, a total of 184,744 COVID-19-related NRDs made their way into the DNS. An average of 338 domains were thus registered daily.

Chart 1: Number of COVID-19-related domains across top-level domains (TLDs) registered daily

As shown in Chart 1, a majority of the NRDs (136,128 domains) contained the string "covid," followed by those with "coronavirus" (33,392 domains), and finally by those with "vaccine" (15,224 domains).

Analysis and Findings

We took a closer look at the .com NRDs containing "covid" (limited to 1,000) between January and March 2020 (when the registrations peaked) to come up with some interesting findings regarding the trend presented earlier. The .com TLD was chosen because it remains the most popularly used domain name extension (52%), according to a 2021 study. We chose the "covid" string, meanwhile, as it sparked more interest over time on average, according to Google Trends. The string "vaccine," on the other hand, may refer to domains that aren't necessarily related to COVID-19.

Source: Google Trends

Of the 1,000 .com NRDs, which we have looked at more closely, only 50 or 5% are publicly attributable via WHOIS records using either a personal or corporate administrative contact email address. Examples include 19covidiots[.]com, 2020coviddefence[.]com, and 4cornerscovid[.]com.

Chart 2: Volume of attributable versus non-attributable COVID-19-related .com NRDs

Hiding behind the veil of anonymous domain registration is not illegal, of course, and privacy protection and WHOIS record redaction are not telltale signs of ties to malicious activity either. But it is also typical of cybercriminals to hide their identities no matter what, and one way of doing so is to take advantage of anonymity services, which are available even to registrants not covered by the General Data Protection Regulation (GDPR) mandates that apply to, e.g., citizens of European Union (EU) member states or companies that operate in the region.

Chart 3: Volume of COVID-19-related .com domains that may or may not have ties to malicious activity

Given that, we subjected the non-attributable .com domains (i.e., those with redacted, privacy-protected, or incomplete WHOIS records) to VirusTotal queries to determine how many were connected to malicious activity. Of the 950 domains in our list, 65% were malicious, 9% were suspicious (i.e., mostly had ties to spam campaigns), and 26% were nonmalicious. An overwhelming majority (74%, or nearly three-quarters) may require blocking. Most of the suspicious and malicious domains were cited for ties to phishing attacks.
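The triage described above (keyword-matched NRDs in one TLD, split into attributable and non-attributable by their WHOIS contact) can be reproduced on any NRD feed. The following is an added illustration, not code from the post or from WhoisXML API; the feed records, contact emails and redaction markers are constructed assumptions, and the VirusTotal step is left out because it needs an external API.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

KEYWORDS = ("coronavirus", "covid", "vaccine")  # the strings used in the post
# Substrings that commonly mark a redacted or proxy contact address (assumed list, not exhaustive)
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")


@dataclass(frozen=True)
class NrdRecord:
    domain: str
    registrant_email: str  # "" when the WHOIS record is incomplete


def keyword_category(domain: str) -> Optional[str]:
    """Return the first keyword found in the domain label; a domain with both
    'covid' and 'vaccine' is counted under 'covid', since 'vaccine' alone is ambiguous."""
    label = domain.lower().split(".")[0]
    return next((kw for kw in KEYWORDS if kw in label), None)


def is_attributable(rec: NrdRecord) -> bool:
    """Attributable = a real personal or corporate contact email, not a redaction placeholder."""
    email = rec.registrant_email.strip().lower()
    if "@" not in email:  # covers empty/incomplete records and "REDACTED FOR PRIVACY"
        return False
    return not any(marker in email for marker in REDACTION_MARKERS)


def triage(records: Iterable[NrdRecord], tld: str = "com") -> Dict[str, Counter]:
    """Keep NRDs in the chosen TLD that match a keyword; count attributable vs not, per keyword."""
    stats: Dict[str, Counter] = {kw: Counter() for kw in KEYWORDS}
    for rec in records:
        if not rec.domain.lower().endswith("." + tld):
            continue
        kw = keyword_category(rec.domain)
        if kw is not None:
            stats[kw]["attributable" if is_attributable(rec) else "non_attributable"] += 1
    return stats


def non_attributable_share(stats: Dict[str, Counter]) -> float:
    """Percentage of matched domains that are non-attributable (the figure behind Chart 2)."""
    total = sum(sum(c.values()) for c in stats.values())
    non = sum(c["non_attributable"] for c in stats.values())
    return round(100.0 * non / total, 1) if total else 0.0


# Constructed sample feed; emails are invented, not real WHOIS data
SAMPLE_FEED = [
    NrdRecord("19covidiots.com", "admin@example.com"),
    NrdRecord("covid-relief-fund.com", "REDACTED FOR PRIVACY"),
    NrdRecord("coronavirus-update-now.com", "contact@privacyproxy.example"),
    NrdRecord("vaccine-appointment.com", ""),
    NrdRecord("covidtest.net", "owner@example.org"),  # wrong TLD, excluded
    NrdRecord("flowershop.com", "shop@example.com"),  # no keyword, excluded
]
```

Running `triage(SAMPLE_FEED)` on the constructed feed yields one attributable and three non-attributable domains, i.e. a 75% non-attributable share; on a real feed the resulting non-attributable list is the set you would pass on to a reputation lookup.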


Based on the data from the short study, we could safely conclude that a majority of the COVID-19-related NRDs are non-attributable to specific individuals or organizations and may be involved in suspicious or even malicious activity.

Organizations and individuals that do not want to be taken in by cyber attackers taking advantage of the ensuing pandemic may benefit from monitoring COVID-19-related NRDs even today. And even if travel restrictions and strict quarantines may have been lifted in several countries, caution remains advisable since interest in the disease remains high, still possibly leading to new types of phishing scams.

Security professionals who wish to maintain their organizations' resilience to COVID-19-related threats may contact us for more information on subscribing to and using our NRD data feeds. We also recently launched the Typosquatting Community Feed, an apply-only feed reserved for the security community.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
