Providers of domain name registration services are under pressure to ensure they are doing all they can to prevent scammers from setting up fake websites to prey on people looking for information related to the COVID-19 pandemic.
Last week a trio of three US lawmakers — Sens. Mazie Hirono (D-Hawaii), Maggie Hassan (D-N.H.), and Cory Booker (D-N.J.) — sent a letter to the heads of eight domain name registrars and hosting services seeking information on what they were doing to combat COVID-19-related scams. The organizations contacted were GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost.
The letter expressed alarm at the huge number of domains that have been registered in recent months with names that reference the pandemic or technologies that are used for distance learning and telework, such as Zoom, Microsoft Teams, and Google Classroom. Quoting a report from RiskIQ, the lawmakers noted that by mid-March, more than 10,000 new coronavirus-related domains were being registered daily — including 35,000 on March 16 alone.
The lawmakers wanted to know what the domain name registrars were doing or had done to ensure the legitimacy of entities seeking to register domains — especially since the onset of the pandemic.
They also sought answers on any steps the registrars might have taken to verify whether those registering domains containing words such as "coronavirus," "covid," "pandemic," and "vaccine" were malicious or not. They had similar questions about site registrations referencing COVID-19-related drugs, such as "remdesivir," "chloroquine," and "hyrdroxychloroquine." In addition, the lawmakers wanted domain registrars to clarify what processes they had in place for detecting and penalizing domains and domain owners who were using their websites for illegal purposes.
"Scammers and cybercriminals are preying on the public's increasing need for real-time, verifiable information as COVID-19 spreads across the country," the lawmakers said. "It is imperative that domain name registrars not turn a blind eye to such illicit activity but, rather, act to protect the Internet-using public."
Dark Reading contacted GoDaddy, Endurance International, and DreamHost for comment on the letter from the senators. In an emailed statement, Brett Dunst, vice president of corporate communications at DreamHost, said his company shared lawmakers' concerns about cybercriminals and other bad actors online.
"While COVID-19 represents a new opportunity for online criminals, the tactics they employ are remarkably consistent over time," he said.
DreamHost is prepared to meet the challenge of keeping criminals offline through a combination of rapid responses to incoming complaints, regular cooperation with law enforcement, and internal systems and processes that proactively identify illegal content, Dunst added.
"We were happy to answer the senators' questions and hope they found our reply to be useful," he said.
GoDaddy and Endurance International did not respond. Others, like Namecheap, have reportedly stopped automated registration of sites containing names that include "coronavirus," "COVID," and "vaccine."
Vendors such as Knowbe4 and others have noted an explosion in phishing emails purporting to contain information on COVID-19 and related matters, such as teleworking, revisions to vacation and health polices because of the pandemic, and messages from HR teams. The phishing emails and other scams have targeted consumers and workers at business and enterprise organizations.
One trend that has security researchers especially worried is the high number of people falling for these scams. According to Menlo Security, COVID-19–based phishing lures have been far more successful than other bait in terms of getting people to open malicious attachments or follow links to malicious sites.
Between Feb. 25 and March 25, Menlo Security counted a 25-fold increase in the number of people clicking on URLs to malicious websites with domain names referencing COVID-19 or the coronavirus. People trying to stay current with the latest developments around the deadly pandemic have been less cautious than usual in handling phishing emails and other online scams, Menlo Security and others have noted.
Paul Vixie, CEO of Farsight Security and a designer of several DNS protocol extensions, says what the lawmakers are attempting to do is laudable. But the sheer scale at which the domain industry operates makes quality control hard to achieve.
At a manual level, quality control can be achieved by asking questions like: "What does this domain sound like if spoken?" or "What does it look like if written?" Or humans can assess whether a domain contains a profanity, or the name of a Fortune 500 company, or a recent headline event such as a school shooting.
"[But] rejection of domain creation based on rules isn't practical," Vixie says. "I've proposed several times in recent years that all new domains be given a 24-hour public-notice period before they go live, including complete WHOIS information, so that complaints or other defenses can have a head start," he notes. "This proposal is anathema to the commercial interests in the domain name industry because lack of accountability is a primary attraction of a domain product."
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.