Home / Blogs

COVID-19, WHOIS, and the Pressing Need for Help With Domain Name System Abuse

As widely reported, and not surprising, the internet is swimming in COVID-19 online scams. Criminals, accustomed to rapidly grabbing online territory during times of crisis and profiting from public fear, are working overtime in the face of the coronavirus. Unfortunately, ICANN’s failure to enforce its minimal WHOIS and DNS abuse requirements has resulted in delayed mitigation efforts at a time when swift responses are needed to protect the public from COVID-19 scams.

For years, ICANN Org has been challenged to proactively address DNS abuse—with calls to action intensifying over the course of the past two ICANN meetings. The problem, already acute, is now even more visible due to the pandemic and is exacerbating this tragic public health crisis. ICANN Org has the tools, via enforcement of its contracts with registrars and registries, to do something about this—but it’s not. The COVID crisis calls for an immediate response from the ICANN Board to ensure that ICANN’s contracts are enforced, timely WHOIS access is granted, and ICANN’s operations actively support DNS abuse mitigation efforts, to the greatest extent possible.

Here’s the proof: In the domain name sector, over the course of the last several weeks, security researchers have documented a spike in the number of coronavirus-related domains—more than 100,000 registered in March alone—with attacks sourced from those registrations growing in conjunction with the disease’s spread. An estimated half (and probably more by now) were identified as sources of malware or other harms. It’s bad enough that even as her state is reeling from the medical crisis, New York’s attorney general had to ask registrars what they’re doing to protect the online public from cybercriminals.

What started as a few registrations a day earlier this year are now thousands of new domains popping up daily, containing terms like coronavirus, COVID, pandemic, virus, or vaccine. Few, if any, of these registrations are for domain names meant to be authentic, authoritative sources of information about the ongoing public health crisis. Case in point: CoronaVirusApp.site is a documented ransomware site that distributes malware by holding targeted systems hostage. Registrants like these seek to capitalize on the public’s fear to, at best, propagate misinformation or, at worst, spread their own versions of harm. Some are even claiming to provide vaccines against the virus. Just as the world is facing a pandemic, so is the online world facing a spreading case of domain name system abuse.

Unfortunately, if one wanted to stop the harm even after these types of domains go into use, no one can look up ownership and other relevant WHOIS data details for these parasitic names, thanks to ICANN’s overly restrictive WHOIS policy, widespread non-compliance by registrars and registries, and ICANN’s refusal to implement its own privacy/proxy policy. Compounding the problem is the fact that it’s highly unlikely registrars bothered to validate the information provided by these registrants because ICANN has refused to require even the simplest steps to validate information at the point of registration. As a result, the WHOIS system—the number one instrument available to know who’s behind a domain name and to track scammers (a legitimate and legal investigatory use of WHOIS to mitigate abuse, even under GDPR)—has been rendered useless.

For several years, a majority of the stakeholder groups in ICANN (even many of the world’s governments) have pleaded with ICANN’s Board, staff, and community to do something about DNS abuse—at least, ramp up WHOIS compliance efforts. So far, however, the response has been underwhelming. While a recent voluntary effort by some registrars against COVID-related domains is a positive step, it’s clear that those still harboring the bad guys don’t care about frameworks—and that this cohort of registrars won’t ever take part in voluntary work to address DNS abuse. Still, while ICANN abrogates its responsibilities and tries to defend its limited and largely ineffectual actions, the problem continues to grow unabated and unchecked.

When queried during ICANN67 about its anemic response to such a growing problem, ICANN executives could have said, “You’re right, we’re in a unique position to do more about this—not only can we, we’re obligated to, so let’s get to work together.” Instead, we heard meandering replies, again pointing to community voluntary initiatives aimed at curtailing abuse. Voluntary statements targeting political hot-button abuses of domains with no accountability mechanisms is not a substitute for fixing WHOIS, ensuring compliance with ICANN’s contracts, and improving DNS abuse mitigation.

It’s abundantly clear that it’s time for ICANN to stop toying with the abuse concept and actually do something meaningful. The recently published findings of the security research-focused Interisle Consulting Group following its review of WHOIS practices among registrars highlights the severity of the problem. As documented in the report, Interisle found that registrars failed basic inquiries regarding WHOIS accessibility and compliance 40% of the time, and that there were notable usability issues in an additional 16% of cases. A significant percentage of registrars do not fully comply with ICANN’s Temporary Specification that was adopted in 2018 to address GDPR concerns. This widespread non-compliance with ICANN’s contractual policies involving both large and small registrars is alarming, and points to failures in ICANN’s compliance procedures. This study illustrated clear “failures to provide the access, predictability, and reliability that ICANN exists to deliver, and that registrars are obligated to provide.” In the face of these statistics, it’s hard to argue otherwise.

Worse yet, these failures created significant obstacles for those responding the COVID-19 scams. As noted by Interisle, “[t]he pandemic has led to an explosion of cybercrime, preying upon a population desperate for safety and reassurance, and that ‘legal authorities are currently struggling with this wave of domain-based crime.’”

There’s a way out of this mess. ICANN Org can:

  • enforce its contracts and, where needed, strengthen the contracts it finds toothless—contracts that are currently under negotiation—in order to target industry players that don’t participate in DNS abuse mitigation efforts;
  • issue advisories or guidance to contracted parties regarding options available for mitigation of DNS abuse; and
  • take action on overdue matters, such as the unanimously-supported privacy/proxy accreditation policy, approved years ago but never implemented, and the cross-field validation requirement set in 2013 but also never implemented.

What ICANN cannot do is continue to stand idly by, opening and resolving a few single, low-level complaint tickets, while the real problem persists in greater and greater magnitude and is perpetrated by known bad actors. Nor can ICANN Org, including its Board, continue to point to voluntary industry best practice “frameworks” as a replacement for its own responsibilities and contracts with registrars, registries and privacy/proxy service providers.

Patience is growing thin by those watching damage occur to the world’s online identifier system in the midst of the COVID-19 crisis. This includes the registrars and registries who today expend great efforts and resources to combat abuse, only to be painted with broad brush alongside these bad actors. ICANN is overdue to respond in a meaningful and impactful way to the DNS abuse problem.

By Mason Cole, Internet Governance Advisor at Perkins Coie

Filed Under


I see a lot of numbers without Theo Geurts  –  Apr 8, 2020 1:34 PM

I see a lot of numbers without context here stated as facts

The majority is registered by registrants who own domain names for many years. But yes due to WHOIS redaction this is not publicly visible. Our research shows this percentage is around 62% but I expect this is around 72% as not every registrar or reseller on our platform re-uses the same registrant ID.

When I look at the current attacks I notice that attackers are leveraging many attack patterns we’ve seen before, but have rebranded to take advantage of the COVID-19 crisis.
Was a few months ago BEC fraud the talk of the day, now we see BEC fraud again with a COVID twist.

When I look at the Spam statistics from Talos Intelligence, spam was down 4% in March and not even close to observed volumes from October 2019.

My biggest issue are those APT crews who takeover hospitals with ransomware during this crisis. Not to mention DDOS attacks on hospitals, these are sad things. Shame we cannot solve that within ICANN.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global