Home / Blogs

Coronavirus Online Threats Going Viral, Part 1: Domain Names

As news of the spread of the coronavirus (COVID-19) continues to emerge, CSC has undertaken the first in a series of studies looking at how the development of the crisis has affected online content. This first article looks at the numbers of registered domains with names containing coronavirus-related strings—“coronavirus” or “covid(-)19” (optional hyphen)—and analyzes the types of content present on the associated websites.

In our investigation, we found 6,341 domains containing the string ‘covid(-)19’, and 11,552 domains containing ‘coronavirus’1. Many of these registered domain names include other terms, implying that the associated websites feature neutral or informational content. However, significant numbers incorporate particular keywords suggesting that they could have been registered to take advantage of people’s fears surrounding coronavirus to attract web traffic. These domains may be used to create websites associated with scams, or with the intention of generating revenue.

Table 1: Total number of coronavirus-related domains containing keywords of particular interest.
KeywordNo. coronavirus-related domains containing keyword1
Treatment-related keywords:
anti (excl.  “quarantine”)187
Tracking and testing-related keywords:
eCommerce-related keywords:
suppl- (for “supply,” “supplies,” or “supplier”)130
Health organization keywords:
Total no. domains with keywords (excl. duplicates)2,646

We further analysed this set of domains to determine2 when the domains were registered. This analysis shows that of the 2,000 plus domains for which creation dates were identifiable, only 17 domains (0.8%) were registered before 2020, and 68% (1,400+ domains) were registered since the start of March—that’s just two weeks prior to the date of analysis.

Figure 1: Daily numbers of registrations of coronavirus-related domains featuring keywords of relevance.

N.B. We truncated the graph at three days prior to the date of analysis, as there can typically be a delay of around two to three days between the date of domain registration and its inclusion and detection in the published zone file. Accordingly, the numbers of registrations shown for (at least) the two or three days prior to analysis are likely to be underestimates.

These figures provide a striking illustration of how escalating real-world issues can produce a flurry of corresponding activity online, with an enormous increase in registrations as countries began to announce lockdown measures throughout March. We can also see spikes in the domain-registration graph associated with specific events:

  • The first announcements of the emergence of coronavirus outside China in late January
  • The WHO announcement of COVID-19 as the specific strain on February 11
  • The start of Italy’s lockdown in late February3

What’s in a domain name?

Nearly 75% of the 2,646 domains with keywords of interest produced a live webpage response4. Around three-quarters of these currently don’t point to an active site, i.e., no page title, or a title suggesting that only a holding page is present. That said, even these may have been registered with a goal of monetizing the domain name, either through pay-per-click links on the site or explicitly offering the domain name for sale.

Setting aside inactive domains still leaves around 500 coronavirus-related domains featuring relevant keywords and appearing to host active websites. Thirty-two of that 500 achieve significant web traffic, attracting over 8,000 internet users daily between them. The websites resolve to a range of content, although just over a third resolve to active eCommerce sites offering face masks for sale. Others include eCommerce sites selling coronavirus testing kits or other healthcare products; sites linking to online pharmacies; sites offering global coronavirus tracking functions; and a range of other informational sites.

Table 2: Description of content for the top 10 coronavirus-related domains by daily traffic featuring relevant keywords. N.B. (i) Sites that do not currently include active website content are shown in italics; (ii) Domain names are not shown, and any company names have been redacted.
Page titleSite contentDaily visitors
Covid-19 FaceMask – Anti Corona MaskeCommerce site: face masks1,800
Mask MachineeCommerce site: face masks1,200
Treatment for Coronavirus – Latest Information on Corona Causes, Symptoms & TreatmentSite promoting an online pharmacy990
2019 Coronavirus Tracker – AboutInformational blog site600
COVID-19 TrackerSite offering a case-tracking service600
Corona Virus Mask | Corona Virus MaskeCommerce site: face masks330
Corona Virus Masks – Corona Virus MaskseCommerce site: face masks (partially-constructed)300
Coronavirus COVID-19 Masks for Sale and Masks In Stock 3M N95eCommerce site: face masks300
CoronaVirusFacemaskeCommerce site: face masks240
Coronavirus Mask Source: In stock N95 MaskseCommerce site: face masks180

Figure 2: Example screenshots of high-traffic eCommerce sites offering the sale of face masks, and coronavirus testing kits; coronavirus tracking sites; and online pharmacies.

Why does it matter to brands?

Registering a domain and creating an associated website is quick, simple, and essentially unregulated. This provides a range of opportunities for any would-be infringer and, as our findings have shown, can pose a variety of risks for internet users. Where physical products are being sold, the items could be manufactured using sub-standard materials, or without rigorous quality checks. Consumers run the risk that products may not just be ineffective, but actually harmful. Many of the identified eCommerce sites offered products using known and trusted brand names. The risk of these being counterfeit is one reason why brand owners should pay close attention to the developing landscape, and take appropriate enforcement action to protect their customers and their reputation.

The social risks of misinformation

Where unofficial sites use the name or branding of a legitimate health organisation (e.g., CDC or WHO) to appear official or lend credibility to its content, the public is at risk of incorrect safety information or a phishing attack. Stay tuned for a post from us on COVID-19 phishing attack opportunities.

Figure 3: An example of a site infringing on CDC and WHO branding. The domain has been registered using a privacy-protection service to hide the contact details of the owner.

Other identified websites offer coronavirus tracking mobile apps—a risk to the public in light of reports that some coronavirus tracking apps actually host malicious content or ransomware. Look for our upcoming post on COVID-19 and fake mobile apps.

Recommendations for brand owners

As the coronavirus story continues to develop, it is advisable to monitor for third-party domain names—and material in other online areas—that may be using a brand name to lend credibility to site content or offer the sale of counterfeits. Use monitoring technology to search for brand-related appearances across a range of internet content types, and prioritize findings by the number and prominence of brand mentions, and their proximity to keywords or key phrases of particular relevance or concern. Following identification of infringing content, a rapid process of enforcement for the removal of damaging content can help to protect customers, company reputation, and revenue. Above all, throughout this developing crisis, it’s most important to take all necessary precautions—both online and offline—to be safe and stay well.

By David Barnett, Brand Protection Strategist at Stobbs

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API