Addressing Domain Name System (DNS) abuse has been a priority of the Internet Corporation for Assigned Names and Numbers (ICANN), notably since March 2020. During its 70th conference, the organization’s members talked about creating a web page defining DNS abuse-related terms, which should be updated over time, to help users report cases.

Considering the ensuing pandemic and how it has led to cyber threats throughout 2020 and contributed to instances of DNS abuse, we looked at the COVID-19-related domain registration trends for nearly the past 18 months (1 October 2019—31 March 2021). We then determined how many of these had redacted/privacy-protected WHOIS records and were tagged “malicious.”

The Data

We collated daily lists of newly registered domains (NRDs) containing the strings “coronavirus,” “covid,” and “vaccine.” In the course of 18 months, a total of 184,744 COVID-19-related NRDs made their way into the DNS. An average of 338 domains were thus registered daily.

As shown in Chart 1, a majority of the NRDs (136,128 domains) contained the string “covid,” followed by those with “coronavirus” (33,392 domains), and finally by those with “vaccine” (15,224 domains).

Analysis and Findings

We took a closer look at the .com NRDs containing “covid” (limited to 1,000) between January and March 2020 (when the registrations peaked) to come up with some interesting findings regarding the trend presented earlier. The .com TLD was chosen because it remains the most popularly used domain name extension (52%), according to a 2021 study. We chose the “covid” string, meanwhile, as it sparked more interest over time on average, according to Google Trends. The string “vaccine,” on the other hand, may refer to domains that aren’t necessarily related to COVID-19.

Of the 1,000 .com NRDs, which we have looked at more closely, only 50 or 5% are publicly attributable via WHOIS records using either a personal or corporate administrative contact email address. Examples include 19covidiots[.]com, 2020coviddefence[.]com, and 4cornerscovid[.]com.

Hiding behind the veil of anonymous domain registration is not illegal, of course. And privacy protection and WHOIS record redaction are also not telltale signs of ties to malicious activity either. But it is also typical of cybercriminals to hide their identities no matter what, and one way of doing that is by taking advantage of anonymity services even if they are not necessarily covered by the General Data Privacy Regulation (GDPR) mandates (e.g., citizens of European Union [EU] member states or companies that operate in the region).

Given that, we subjected the non-attributable .com domains (e.g., with redacted, privacy-protected, or incomplete WHOIS records) to VirusTotal queries to determine how many were connected to malicious activity. Of the 950 domains in our list, 65% were malicious, 9% were suspicious (i.e., mostly had ties to spam campaigns), and 26% were nonmalicious. An overwhelming majority (74% or almost a third) may require blocking. A majority of the suspicious and malicious domains were cited for ties to phishing attacks.

Based on the data from the short study, we could safely conclude that a majority of the COVID-19-related NRDs are non-attributable to specific individuals or organizations and may be involved in suspicious or even malicious activity.

Organizations and individuals that do not want to be taken in by cyber attackers taking advantage of the ensuing pandemic may benefit from monitoring COVID-19-related NRDs even today. And even if travel restrictions and strict quarantines may have been lifted in several countries, caution remains advisable since interest in the disease remains high, still possibly leading to new types of phishing scams.

Security professionals who wish to maintain their organizations’ resilience to COVID-19-related threats may contact us for more information on subscribing to and using our NRD data feeds. We also recently launched the Typosquatting Community Feed, an apply-only feed reserved for the security community.