Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

08:15 AM
Connect Directly

Domain Registrars Under Pressure to Combat COVID-19-Related Scams

A huge increase in malicious website registrations has prompted concern from US lawmakers.

Providers of domain name registration services are under pressure to ensure they are doing all they can to prevent scammers from setting up fake websites to prey on people looking for information related to the COVID-19 pandemic.

Last week a trio of three US lawmakers — Sens. Mazie Hirono (D-Hawaii), Maggie Hassan (D-N.H.), and Cory Booker (D-N.J.) — sent a letter to the heads of eight domain name registrars and hosting services seeking information on what they were doing to combat COVID-19-related scams. The organizations contacted were GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost.

The letter expressed alarm at the huge number of domains that have been registered in recent months with names that reference the pandemic or technologies that are used for distance learning and telework, such as Zoom, Microsoft Teams, and Google Classroom. Quoting a report from RiskIQ, the lawmakers noted that by mid-March, more than 10,000 new coronavirus-related domains were being registered daily — including 35,000 on March 16 alone.

The lawmakers wanted to know what the domain name registrars were doing or had done to ensure the legitimacy of entities seeking to register domains — especially since the onset of the pandemic.

They also sought answers on any steps the registrars might have taken to verify whether those registering domains containing words such as "coronavirus," "covid," "pandemic," and "vaccine" were malicious or not. They had similar questions about site registrations referencing COVID-19-related drugs, such as "remdesivir," "chloroquine," and "hyrdroxychloroquine." In addition, the lawmakers wanted domain registrars to clarify what processes they had in place for detecting and penalizing domains and domain owners who were using their websites for illegal purposes.

"Scammers and cybercriminals are preying on the public's increasing need for real-time, verifiable information as COVID-19 spreads across the country," the lawmakers said. "It is imperative that domain name registrars not turn a blind eye to such illicit activity but, rather, act to protect the Internet-using public."  

Dark Reading contacted GoDaddy, Endurance International, and DreamHost for comment on the letter from the senators. In an emailed statement, Brett Dunst, vice president of corporate communications at DreamHost, said his company shared lawmakers' concerns about cybercriminals and other bad actors online.

"While COVID-19 represents a new opportunity for online criminals, the tactics they employ are remarkably consistent over time," he said.

DreamHost is prepared to meet the challenge of keeping criminals offline through a combination of rapid responses to incoming complaints, regular cooperation with law enforcement, and internal systems and processes that proactively identify illegal content, Dunst added.

"We were happy to answer the senators' questions and hope they found our reply to be useful," he said.

GoDaddy and Endurance International did not respond. Others, like Namecheap, have reportedly stopped automated registration of sites containing names that include "coronavirus," "COVID," and "vaccine."

Vendors such as Knowbe4 and others have noted an explosion in phishing emails purporting to contain information on COVID-19 and related matters, such as teleworking, revisions to vacation and health polices because of the pandemic, and messages from HR teams. The phishing emails and other scams have targeted consumers and workers at business and enterprise organizations.

Growing Concerns
One trend that has security researchers especially worried is the high number of people falling for these scams. According to Menlo Security, COVID-19–based phishing lures have been far more successful than other bait in terms of getting people to open malicious attachments or follow links to malicious sites.

Between Feb. 25 and March 25, Menlo Security counted a 25-fold increase in the number of people clicking on URLs to malicious websites with domain names referencing COVID-19 or the coronavirus. People trying to stay current with the latest developments around the deadly pandemic have been less cautious than usual in handling phishing emails and other online scams, Menlo Security and others have noted.

Paul Vixie, CEO of Farsight Security and a designer of several DNS protocol extensions, says what the lawmakers are attempting to do is laudable. But the sheer scale at which the domain industry operates makes quality control hard to achieve.  

At a manual level, quality control can be achieved by asking questions like: "What does this domain sound like if spoken?" or "What does it look like if written?" Or humans can assess whether a domain contains a profanity, or the name of a Fortune 500 company, or a recent headline event such as a school shooting.

"[But] rejection of domain creation based on rules isn't practical," Vixie says. "I've proposed several times in recent years that all new domains be given a 24-hour public-notice period before they go live, including complete WHOIS information, so that complaints or other defenses can have a head start," he notes. "This proposal is anathema to the commercial interests in the domain name industry because lack of accountability is a primary attraction of a domain product."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "How Can I Help My Users Spot Disinformation?"


A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...
PUBLISHED: 2021-01-20
Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is suppli...
PUBLISHED: 2021-01-20
A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read sensitive database files on an affected system. The vulnerability is due to insufficient user authorization. An attacker could exploit this vulnerability by accessing the vshell of an af...
PUBLISHED: 2021-01-20
Multiple vulnerabilities in Cisco SD-WAN products could allow an unauthenticated, remote attacker to execute denial of service (DoS) attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
PUBLISHED: 2021-01-20
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.