Domain Registrars Under Pressure to Combat COVID-19-Related Scams

A huge increase in malicious website registrations has prompted concern from US lawmakers.

Providers of domain name registration services are under pressure to ensure they are doing all they can to prevent scammers from setting up fake websites to prey on people looking for information related to the COVID-19 pandemic.

Last week a trio of US lawmakers — Sens. Mazie Hirono (D-Hawaii), Maggie Hassan (D-N.H.), and Cory Booker (D-N.J.) — sent a letter to the heads of eight domain name registrars and hosting services seeking information on what they were doing to combat COVID-19-related scams. The organizations contacted were GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost.

The letter expressed alarm at the huge number of domains that have been registered in recent months with names that reference the pandemic or technologies that are used for distance learning and telework, such as Zoom, Microsoft Teams, and Google Classroom. Quoting a report from RiskIQ, the lawmakers noted that by mid-March, more than 10,000 new coronavirus-related domains were being registered daily — including 35,000 on March 16 alone.

The lawmakers wanted to know what the domain name registrars were doing or had done to ensure the legitimacy of entities seeking to register domains — especially since the onset of the pandemic.

They also sought answers on any steps the registrars might have taken to verify whether those registering domains containing words such as "coronavirus," "covid," "pandemic," and "vaccine" were malicious or not. They had similar questions about site registrations referencing COVID-19-related drugs, such as "remdesivir," "chloroquine," and "hydroxychloroquine." In addition, the lawmakers wanted domain registrars to clarify what processes they had in place for detecting and penalizing domains and domain owners who were using their websites for illegal purposes.

"Scammers and cybercriminals are preying on the public's increasing need for real-time, verifiable information as COVID-19 spreads across the country," the lawmakers said. "It is imperative that domain name registrars not turn a blind eye to such illicit activity but, rather, act to protect the Internet-using public."  

Dark Reading contacted GoDaddy, Endurance International, and DreamHost for comment on the letter from the senators. In an emailed statement, Brett Dunst, vice president of corporate communications at DreamHost, said his company shared lawmakers' concerns about cybercriminals and other bad actors online.

"While COVID-19 represents a new opportunity for online criminals, the tactics they employ are remarkably consistent over time," he said.

DreamHost is prepared to meet the challenge of keeping criminals offline through a combination of rapid responses to incoming complaints, regular cooperation with law enforcement, and internal systems and processes that proactively identify illegal content, Dunst added.

"We were happy to answer the senators' questions and hope they found our reply to be useful," he said.

GoDaddy and Endurance International did not respond. Others, like Namecheap, have reportedly stopped automated registration of sites containing names that include "coronavirus," "COVID," and "vaccine."

Vendors such as KnowBe4 and others have noted an explosion in phishing emails purporting to contain information on COVID-19 and related matters, such as teleworking, revisions to vacation and health policies because of the pandemic, and messages from HR teams. The phishing emails and other scams have targeted consumers and workers at business and enterprise organizations.

Growing Concerns
One trend that has security researchers especially worried is the high number of people falling for these scams. According to Menlo Security, COVID-19–based phishing lures have been far more successful than other bait in terms of getting people to open malicious attachments or follow links to malicious sites.

Between Feb. 25 and March 25, Menlo Security counted a 25-fold increase in the number of people clicking on URLs to malicious websites with domain names referencing COVID-19 or the coronavirus. People trying to stay current with the latest developments around the deadly pandemic have been less cautious than usual in handling phishing emails and other online scams, Menlo Security and others have noted.

Paul Vixie, CEO of Farsight Security and a designer of several DNS protocol extensions, says what the lawmakers are attempting to do is laudable. But the sheer scale at which the domain industry operates makes quality control hard to achieve.  

At a manual level, quality control can be achieved by asking questions like: "What does this domain sound like if spoken?" or "What does it look like if written?" Or humans can assess whether a domain contains a profanity, or the name of a Fortune 500 company, or a recent headline event such as a school shooting.

"[But] rejection of domain creation based on rules isn't practical," Vixie says. "I've proposed several times in recent years that all new domains be given a 24-hour public-notice period before they go live, including complete WHOIS information, so that complaints or other defenses can have a head start," he notes. "This proposal is anathema to the commercial interests in the domain name industry because lack of accountability is a primary attraction of a domain product."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
