Measuring Abuse: How Much COVID-Related Abuse Is There, Really?

Like measuring COVID’s impact, measuring the impact of COVID-related abuse on the Internet is difficult. There are those who would foolishly dismiss the danger entirely; others overstate the problem, perhaps to prompt sales of tools and services.

Battling Metrics

Using a petite sample of 6,100 registrations at 12 European ccTLDs, Peter Van Roste, the General Manager of CENTR, concluded that “... the COVID-19 pandemic has had no significant impact on the DNS, either in terms of registrations or in levels of abuse detected.”

DomainTools, on the other hand, has a COVID-19 Threat List: domains that score 70 or higher on their risk assessment. The list has over 150,000 entries.

Microsoft said that they have only seen 66,000 COVID-related URLs, but gave no indication of the time period or whether these were unique URLs or a total.

Google noted that Gmail and G-Suite see 240 million COVID-related spam and phish emails daily.

One thing is certain: the amount and type of abuse varies from network to network. To declare that everything is fine based on one world-view you believe to be ubiquitous, or that the sky is falling based upon another extrapolated to ‘everybody else’, is simply poor analysis.

Extraordinary Times

Several registrars have taken proactive action to manually review COVID-related registrations. Apparently they are concerned enough to review new entries in the DNS.

However, and this is an important caveat, determining what is abusive is actually quite difficult. Content may be geo-specific; even unsophisticated phishing kits regularly deny access to the IP ranges of registrars, hosting providers and security firms; abusive content may be buried several directories deep; a referrer URL may be required to see the nasty content; and seemingly innocuous sites can be drive-by malware infection points. All of these measures may give the wrong impression to a reviewer.

Numerous Slack workspaces have sprung up: the COVID19 Cyber Threat Coalition has 3,600+ members, and the COVID-19 CTI League has 1,750 participants.

Interpol is concerned enough to issue an alert.

The FBI has seen a spike in COVID-related cyber attack reports.

Size Doesn’t Matter

Let’s cede that the amount of abuse hasn’t risen significantly, with the new veneer of COVID-19, but the tenor certainly has changed. The impact of abuse is far more severe than normal.

Medical infrastructure is being hit with DDoS attacks and ransomware campaigns. That takes abuse to a level rarely seen before.

Spam touting diet pills or penis enlargement potions that do not work is bad, but a victim’s pocketbook is only a little lighter. Oh well.

COVID-related spam is far further down the path to perdition, the highway to hell: selling PPE that doesn’t work exposes the user to a potentially deadly disease. Selling someone shoddy PPE, or a false cure or a fake preventative measure risks health and even life itself.

COVID-related phishing is particularly pernicious. People’s financial status is, to say the least, precarious, and to take what money someone has at this point in time is particularly cold-hearted.

By way of example, there are hundreds of installations of a phishing exploit of Canada’s Emergency Relief Fund.

These funds are for people in dire need, and having that interfered with is one step beyond.

The German government may have been victim to a phishing scheme using COVID-related methodology.

Attacks on hospital infrastructure are at the best of times sociopathic. Now, such actions are unspeakably evil.

All in all, yes, measurements will vary wildly. What will not vary is that COVID-related Internet abuse is inherently more destructive, more pernicious than what has gone on before. Let’s not dismiss this as ‘nothing to see here.’ There certainly is a lot to see and take protective action upon.

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE

Derek – May 1, 2020 4:03 PM

Spot on, Neil. You can only measure what you understand.

From the trenches of non-delivery advance fee fraud: A company who pays for an order of masks to a bogus mask company, suddenly finds the courier contacting them because even more fees are due, all a sham, domain two or three years old where registrar experts ignored reports, certainly illustrates the point.

Sexiness does not always meet realities. Existing infrastructure is simply redeployed in new ways. Bogus commodity non-delivery fraudsters that have been ignored are still doing what they do, perhaps launch a new ...facemask… domain, but for each one, there are more where victims are diverted to.
