Dark Reading is part of the Informa Tech Division of Informa PLC


4/22/2020
08:15 AM

Domain Registrars Under Pressure to Combat COVID-19-Related Scams

A huge increase in malicious website registrations has prompted concern from US lawmakers.

Providers of domain name registration services are under pressure to ensure they are doing all they can to prevent scammers from setting up fake websites to prey on people looking for information related to the COVID-19 pandemic.

Last week a trio of US lawmakers — Sens. Mazie Hirono (D-Hawaii), Maggie Hassan (D-N.H.), and Cory Booker (D-N.J.) — sent a letter to the heads of eight domain name registrars and hosting services seeking information on what they were doing to combat COVID-19-related scams. The organizations contacted were GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost.

The letter expressed alarm at the huge number of domains that have been registered in recent months with names that reference the pandemic or technologies that are used for distance learning and telework, such as Zoom, Microsoft Teams, and Google Classroom. Quoting a report from RiskIQ, the lawmakers noted that by mid-March, more than 10,000 new coronavirus-related domains were being registered daily — including 35,000 on March 16 alone.

The lawmakers wanted to know what the domain name registrars were doing or had done to ensure the legitimacy of entities seeking to register domains — especially since the onset of the pandemic.

They also sought answers on any steps the registrars might have taken to verify whether those registering domains containing words such as "coronavirus," "covid," "pandemic," and "vaccine" were malicious or not. They had similar questions about site registrations referencing COVID-19-related drugs, such as "remdesivir," "chloroquine," and "hydroxychloroquine." In addition, the lawmakers wanted domain registrars to clarify what processes they had in place for detecting and penalizing domains and domain owners who were using their websites for illegal purposes.

"Scammers and cybercriminals are preying on the public's increasing need for real-time, verifiable information as COVID-19 spreads across the country," the lawmakers said. "It is imperative that domain name registrars not turn a blind eye to such illicit activity but, rather, act to protect the Internet-using public."  

Dark Reading contacted GoDaddy, Endurance International, and DreamHost for comment on the letter from the senators. In an emailed statement, Brett Dunst, vice president of corporate communications at DreamHost, said his company shared lawmakers' concerns about cybercriminals and other bad actors online.

"While COVID-19 represents a new opportunity for online criminals, the tactics they employ are remarkably consistent over time," he said.

DreamHost is prepared to meet the challenge of keeping criminals offline through a combination of rapid responses to incoming complaints, regular cooperation with law enforcement, and internal systems and processes that proactively identify illegal content, Dunst added.

"We were happy to answer the senators' questions and hope they found our reply to be useful," he said.

GoDaddy and Endurance International did not respond. Others, like Namecheap, have reportedly stopped automated registration of sites containing names that include "coronavirus," "COVID," and "vaccine."

Vendors such as KnowBe4 and others have noted an explosion in phishing emails purporting to contain information on COVID-19 and related matters, such as teleworking, revisions to vacation and health policies because of the pandemic, and messages from HR teams. The phishing emails and other scams have targeted consumers and workers at business and enterprise organizations.

Growing Concerns
One trend that has security researchers especially worried is the high number of people falling for these scams. According to Menlo Security, COVID-19–based phishing lures have been far more successful than other bait in terms of getting people to open malicious attachments or follow links to malicious sites.

Between Feb. 25 and March 25, Menlo Security counted a 25-fold increase in the number of people clicking on URLs to malicious websites with domain names referencing COVID-19 or the coronavirus. People trying to stay current with the latest developments around the deadly pandemic have been less cautious than usual in handling phishing emails and other online scams, Menlo Security and others have noted.

Paul Vixie, CEO of Farsight Security and a designer of several DNS protocol extensions, says what the lawmakers are attempting to do is laudable. But the sheer scale at which the domain industry operates makes quality control hard to achieve.  

At a manual level, quality control can be achieved by asking questions like: "What does this domain sound like if spoken?" or "What does it look like if written?" Or humans can assess whether a domain contains a profanity, or the name of a Fortune 500 company, or a recent headline event such as a school shooting.

"[But] rejection of domain creation based on rules isn't practical," Vixie says. "I've proposed several times in recent years that all new domains be given a 24-hour public-notice period before they go live, including complete WHOIS information, so that complaints or other defenses can have a head start," he notes. "This proposal is anathema to the commercial interests in the domain name industry because lack of accountability is a primary attraction of a domain product."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
