Home / Blogs

New Research from CSC on the Impact of COVID-19 on Internet Security and Safety

Hackers are using company domain names for malicious attacks more than ever before. Established research shows that phishing and related malware attacks most commonly occur from a compromised or hijacked legitimate domain name, a maliciously registered, confusingly similar domain name, or via email header spoofing.

Domain security intelligence is the first line of defense in preventing domain cyberattacks. More information extracted and shared with key decision-makers means less opportunity for cybercriminals to compromise a brand. In this digital economy, where bad actors can breach network credentials using phishing schemes, it’s essential to secure domains that run websites, email, applications, and more.

At the start of 2020, CSC began analyzing domain registrations. We identified surges in the activity of potentially malicious registrations that incorporated domain name variations, including a variety of homoglyphs—domain names that appear visually similar to those of official trusted websites. In late 2021, the onset of the COVID variant Omicron led us to conduct additional analysis. Nearly 500,000 COVID-related web domains registered since January 2020 were analyzed, with many posing threats to brands and consumers due to their registration patterns and behaviors.

Our new report, “Two Year Analysis: The Impact of COVID-19 on Internet Security and Safety,” serves as a real-world case study that calls attention to:

  1. The ongoing surge in suspicious or potentially malicious domain registrations whenever there are massive global events
  2. The resulting systemic risks with the domain name system—which lead to supply chain vulnerabilities, endless phishing, fraud (i.e., ransomware and business email compromise), brand abuse, counterfeiting, and consumer safety peril
  3. The need for broader domain security standards, as well as policy or regulations over the domain name system activity

The report’s findings are gathered using our newly launched DomainSecSM platform, which delivers a cloud-driven analysis of the global domain ecosystem to identify potential threats to major brands. Other key findings:

  • We identified a pattern of peaks and valleys (heuristics) with associated surges of domain registrations each time there was an important COVID-related news event. Most recently, the onset of Omicron saw additional disturbing behavior. While nearly 1,200 domains registered in 2021 included Omicron as a keyword, 832 were registered (70%) in a two-week timeframe between November 26 and December 9, with numerous domains causing traffic misdirection and redirection, soliciting donations, or promoting cryptocurrency investments.
  • We also evaluated domain registration behavior associated with websites using the Pfizer, Moderna, Johnson & Johnson, Centers for Disease Control and Prevention, U.S. Food and Drug Administration, and World Health Organization brand names and their permutations as they appear in the URL. We found that 80% of the 350 domains containing these names were registered to third parties. Half of the domains posted no web content and were deemed dormant. Cybercriminals are known to use dormant domains as a strategy, turning them on just when they’re ready to launch an attack campaign. Of the dormant domains, most concerning is that nearly 33% are configured to send and receive email with active MX records, which can provide bad actors a launchpad to conduct malicious attacks against brands and consumers through phishing and malware attacks.
  • The development of the COVID pandemic led to an explosion of infringements across the full suite of online channels. Bad actors took advantage of increased levels of COVID-related internet searches to drive traffic to their own web content, tricking users seeking information or support, or looking to make purchases. The range of online channels on which this content appears also highlights the importance of a holistic brand protection service covering as many of these channels as possible.

By Ihab Shraim, CTO at CSC

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com