4/22/2020
08:15 AM
Domain Registrars Under Pressure to Combat COVID-19-Related Scams

A huge increase in malicious website registrations has prompted concern from US lawmakers.

Providers of domain name registration services are under pressure to ensure they are doing all they can to prevent scammers from setting up fake websites to prey on people looking for information related to the COVID-19 pandemic.

Last week a trio of US lawmakers — Sens. Mazie Hirono (D-Hawaii), Maggie Hassan (D-N.H.), and Cory Booker (D-N.J.) — sent a letter to the heads of eight domain name registrars and hosting services seeking information on what they were doing to combat COVID-19-related scams. The organizations contacted were GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost.

The letter expressed alarm at the huge number of domains that have been registered in recent months with names that reference the pandemic or technologies that are used for distance learning and telework, such as Zoom, Microsoft Teams, and Google Classroom. Quoting a report from RiskIQ, the lawmakers noted that by mid-March, more than 10,000 new coronavirus-related domains were being registered daily — including 35,000 on March 16 alone.

The lawmakers wanted to know what the domain name registrars were doing or had done to ensure the legitimacy of entities seeking to register domains — especially since the onset of the pandemic.

They also sought answers on any steps the registrars might have taken to verify whether those registering domains containing words such as "coronavirus," "covid," "pandemic," and "vaccine" were malicious or not. They had similar questions about site registrations referencing COVID-19-related drugs, such as "remdesivir," "chloroquine," and "hydroxychloroquine." In addition, the lawmakers wanted domain registrars to clarify what processes they had in place for detecting and penalizing domains and domain owners who were using their websites for illegal purposes.

"Scammers and cybercriminals are preying on the public's increasing need for real-time, verifiable information as COVID-19 spreads across the country," the lawmakers said. "It is imperative that domain name registrars not turn a blind eye to such illicit activity but, rather, act to protect the Internet-using public."  

Dark Reading contacted GoDaddy, Endurance International, and DreamHost for comment on the letter from the senators. In an emailed statement, Brett Dunst, vice president of corporate communications at DreamHost, said his company shared lawmakers' concerns about cybercriminals and other bad actors online.

"While COVID-19 represents a new opportunity for online criminals, the tactics they employ are remarkably consistent over time," he said.

DreamHost is prepared to meet the challenge of keeping criminals offline through a combination of rapid responses to incoming complaints, regular cooperation with law enforcement, and internal systems and processes that proactively identify illegal content, Dunst added.

"We were happy to answer the senators' questions and hope they found our reply to be useful," he said.

GoDaddy and Endurance International did not respond. Others, like Namecheap, have reportedly stopped automated registration of sites containing names that include "coronavirus," "COVID," and "vaccine."

Vendors such as KnowBe4 and others have noted an explosion in phishing emails purporting to contain information on COVID-19 and related matters, such as teleworking, revisions to vacation and health policies because of the pandemic, and messages from HR teams. The phishing emails and other scams have targeted consumers and workers at business and enterprise organizations.

Growing Concerns
One trend that has security researchers especially worried is the high number of people falling for these scams. According to Menlo Security, COVID-19–based phishing lures have been far more successful than other bait in terms of getting people to open malicious attachments or follow links to malicious sites.

Between Feb. 25 and March 25, Menlo Security counted a 25-fold increase in the number of people clicking on URLs to malicious websites with domain names referencing COVID-19 or the coronavirus. People trying to stay current with the latest developments around the deadly pandemic have been less cautious than usual in handling phishing emails and other online scams, Menlo Security and others have noted.

Paul Vixie, CEO of Farsight Security and a designer of several DNS protocol extensions, says what the lawmakers are attempting to do is laudable. But the sheer scale at which the domain industry operates makes quality control hard to achieve.  

At a manual level, quality control can be achieved by asking questions like: "What does this domain sound like if spoken?" or "What does it look like if written?" Or humans can assess whether a domain contains a profanity, or the name of a Fortune 500 company, or a recent headline event such as a school shooting.

"[But] rejection of domain creation based on rules isn't practical," Vixie says. "I've proposed several times in recent years that all new domains be given a 24-hour public-notice period before they go live, including complete WHOIS information, so that complaints or other defenses can have a head start," he notes. "This proposal is anathema to the commercial interests in the domain name industry because lack of accountability is a primary attraction of a domain product."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...