Covid domain registrations soar, many by bad actors

Nearly half a million Covid-related domains have been created in the past two years, many of which are used by online scammers and peddlers.

The pandemic has created an environment in which bad actors are using a range of Covid-related “hooks” to commit cybercrimes and fraud, affecting consumers and brands, explained CSC, a domain registrar that released a study of more than 478,000 domain names linked to pandemic keywords on Tuesday.

Over the study period, the report notes, the range of entities taking advantage of the growth in Covid awareness to build websites to attract traffic and generate revenue increased. At the same time, the proliferation of sites has resulted in more suspicious and malicious domain registrations.

“It’s insane the amount of fraud and counterfeit products we’ve seen associated with those 478,000 domain names,” said CSC CTO Ihab Shraim.

“The pandemic is an endless money-printing machine for these malicious actors,” he told TechNewsWorld.

“They are all using this pandemic to make some serious revenue out of it,” he added. “They make millions of dollars a month.”

Leverage brands

The report acknowledged that some Covid-related domain registration activity could be linked to domain speculators trying to cash in on a potentially hot domain name, but there were also signs of malicious third-party operations.

For example, domains operating Covid-related brand names, such as Pfizer, Moderna and Johnson & Johnson, used the same infrastructure previously identified with harmful websites. Additionally, some sites have used tactics favored by bad actors to disguise themselves and then launch attacks, such as domain parking and pay-per-click.

The report also noted that among domains operating brand names, about half contained no content, while the other half were involved in pay-per-click or other types of advertising schemes.

This site is branded with the World Health Organization, but the logo is wrong, and none of the social media links at the bottom of the page or the menu options at the top work. This is most likely a phishing page intended to collect personal information. (Source: CSC)


He added that a third of inactive sites contained active MX records that could be used as a future launching pad for malicious activity.

“Domain names are valuable to threat actors looking to capitalize on newsworthy events, especially those involving fear or financial motivations,” observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Arizona.

“The reason is quite simple,” he told TechNewsWorld. “The more they can surface their scam emails or scam websites, the more likely they are to trick their victims into trusting them.”

“This trust gives them a much higher chance of stealing sensitive information or money from their targets,” he added.

Confusing domains

Additionally, domain names can be confusing to many people, noted Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.

“The KnowBe4.com domain name is different from KnowBe4.net or even Know-Be4.com, a difference that cybercriminals take advantage of, knowing that many people don’t understand that they are different,” he told TechNewsWorld. “It allows these scammers to fake websites easily and in a way that looks authentic.”

“Covid-19 is a great topic for cybercriminals because of the newsworthy stories and constant developments,” he said.

“With every development,” he continued, “tips are released and often revised, making it easier to use these stories as a lure to trick people into visiting malicious websites or opening infected documents claiming to be updated advice or new findings in the battle against the virus.”

“Shortages of tests and vaccines are also powerful topics to spur people to action,” he observed.
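The lookalike pattern Kron describes (same brand label on a different TLD, hyphens inserted into the label) and the brand-plus-pandemic-keyword registrations the CSC report counts can both be triaged mechanically from a feed of new registrations. The following is an added example, not code from CSC, KnowBe4 or the article; the brand list, the legitimate domains and the sample registrations are constructed for illustration.

```python
"""Flag newly registered domains that impersonate a brand or trade on pandemic
keywords. Added example; all brands, domains and keywords below are constructed."""
import re

# Brands to protect, mapped to the domains they legitimately use (constructed).
LEGIT_DOMAINS = {
    "knowbe4": {"knowbe4.com"},
    "pfizer": {"pfizer.com"},
    "moderna": {"modernatx.com"},
}
PANDEMIC_KEYWORDS = ("covid", "corona", "vaccine", "pandemic")
ALL_LEGIT = {d for ds in LEGIT_DOMAINS.values() for d in ds}


def normalize_label(label: str) -> str:
    """Collapse the tricks in the quote above: letter case, hyphens, underscores."""
    return re.sub(r"[-_]", "", label.lower())


def classify(domain: str) -> list[str]:
    """Return the reasons a domain looks suspicious; an empty list means not flagged."""
    domain = domain.lower().rstrip(".")
    if domain in ALL_LEGIT:
        return []
    label, _, _tld = domain.rpartition(".")
    label = label.split(".")[-1]  # ignore subdomains; assumes single-label TLDs
    norm = normalize_label(label)
    reasons = []
    for brand in LEGIT_DOMAINS:
        if norm == brand:
            # Same brand label: either on another TLD or spelt with hyphens.
            reasons.append("tld-swap" if label == brand else "hyphenated-brand")
        elif brand in norm:
            reasons.append(f"brand-in-label:{brand}")
    if any(k in norm for k in PANDEMIC_KEYWORDS):
        reasons.append("pandemic-keyword")
    return reasons


def triage(domains):
    """Map each flagged domain to its reasons; clean domains are dropped."""
    return {d: r for d in domains if (r := classify(d))}


SAMPLE_REGISTRATIONS = [  # constructed, not taken from the CSC report
    "knowbe4.com", "knowbe4.net", "know-be4.com", "pfizer-covid-vaccine.org",
    "modernatx.com", "covid19-test-kits.shop", "example.com",
]

if __name__ == "__main__":
    for d, why in triage(SAMPLE_REGISTRATIONS).items():
        print(f"{d:28} {', '.join(why)}")
```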

“Whenever there is a high-visibility incident, attackers use it to create decoys to lure victims,” added John Bambenek, principal threat hunter at Netenrich, an IT operations and digital security company in San Jose, California.

“I’m sure once filming starts in Ukraine, the decoys will switch to that very quickly,” he told TechNewsWorld.

Domain ecosystem issues

Bambenek argued that the fundamental problem with the current domain system is that many registrars and companies in the domain ecosystem are willing to look the other way as they accept money from criminals to use their services to commit crimes.

“Once the United States relinquished control of this system,” he said, “there was no longer any possibility of claiming that it would be operated as a public good.”

Kron explained that the problems with the domain system are largely due to the simplicity and low cost of registering domain names.

“There is little to no verification of domain names, even those using Covid and pandemic related keywords, or even companies such as vaccine makers, to ensure ownership can be traced to an individual or an organization,” he said.

“Essentially,” he continued, “anyone can register almost any domain name in minutes, and without any liability.”

“Cybercriminals have perfected the technique of registering domain names with very little effort and cost, often knowing that the domain would last 48 hours or less,” he added.

Cloud computing has compounded the problem, said Brian Johnson, CSO at Armorblox, an enterprise communications protection provider in Sunnyvale, California. “Phishing and corporate email compromise attacks that use these ephemeral ‘snapshot’ domains cannot be detected by existing security tools,” he told TechNewsWorld.

Additionally, domains can be vulnerable to a number of attacks, added Sanjay Raja, vice president of Gurucul, a threat intelligence firm in El Segundo, California.

“Threat actors can take advantage of expired domains, problems with SSL certificates, poor security checks at domain registrars, domain extensions that are actually registered by threat actors but seem legitimate credentials, and domain hijacking through phishing attacks or other credential theft methods,” he told TechNewsWorld.

“These are just some of the tactics used that ultimately lead to users being presented with domains that allow compromising networks and installing and executing malware or ransomware,” he said.

High market activity

Other areas covered in the report included e-commerce, mobile apps, phishing, and social media.

The pandemic has seen the emergence of very high volumes of Covid-related market activity, he noted. Many of these listings were for counterfeit or substandard or ineffective products, appearing in response to unprecedented consumer demand.

In the mobile realm, Covid-related apps found in major app stores were legitimate, CSC reported, but a significant number of programs found outside of stores were malicious.

The report also noted that Covid-related phishing campaigns contained a number of content types, including emails leading users to websites intended to collect personal information, distributing malware via attachments and directly soliciting financial donations.

Similarly, fake social media profiles have been used to direct users to phishing sites or solicit donations. Additionally, the pages of these sites have been used to present e-commerce content of dubious quality, offer app-based trackers with malicious payloads, and spread misinformation.