Thursday, 26 March 2020

Coronavirus: Online Threats Going Viral - Part 1: Domain Names

As news of the spread of the coronavirus (COVID-19) continues to emerge, CSC has undertaken the first in a series of studies looking at how the development of the crisis has affected online content. This first article looks at the numbers of registered domains with names containing coronavirus-related strings - 'coronavirus' or 'covid(-)19' (with an optional hyphen) - and analyses the types of content present on the associated websites.

In our investigation, we found 6,341 domains containing the string 'covid(-)19', and 11,552 domains containing 'coronavirus'[1]. Many of these registered domain names include other terms implying that the associated websites feature neutral or informational content. However, significant numbers incorporate particular keywords suggesting that they could have been registered to take advantage of people’s fears surrounding coronavirus to attract web traffic. These domains may be used to create websites associated with scams, or with the intention of generating revenue.

Table 1: Total number of coronavirus-related domains containing keywords of particular interest

We further analysed this set of domains to determine[2] when the domains were registered. This analysis shows that of the 2,000-plus domains for which creation dates were identifiable, only 17 domains (0.8%) were registered before 2020, and 68% (1,400+ domains) had been registered since the start of March - i.e. just two weeks prior to the date of analysis.

Figure 1: Daily numbers of registrations of coronavirus-related domains featuring keywords of relevance

N.B. We truncated the graph at three days prior to the date of analysis, as there can typically be a delay of around two to three days between the date of domain registration and its inclusion and detection in the published zone file. Accordingly, the numbers of registrations shown for (at least) the two or three days prior to analysis are likely to be underestimates.

These figures provide a striking illustration of how escalating real-world issues can produce a flurry of corresponding activity online, with an enormous increase in registrations as countries began to announce lockdown measures throughout March. We can also see spikes in the domain-registration graph associated with specific events:

  • The first announcements of the emergence of coronavirus outside China in late January
  • The WHO announcement of COVID-19 as the specific strain on February 11
  • The start of Italy's lockdown in late February[3]
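The matching and registration-date analysis described above can be sketched as follows. This is an added example, not CSC's own tooling; the keyword list, function names and sample records are assumptions constructed for illustration, since the article's Table 1 keywords are not reproduced here.

```python
import re
from collections import Counter
from datetime import date, timedelta

# The article's two search strings; the hyphen in 'covid(-)19' is optional.
CORE = re.compile(r"coronavirus|covid-?19")
# Assumed keywords of interest (the article's Table 1 list is not reproduced).
KEYWORDS = ("mask", "test", "kit", "pharmacy", "vaccine", "cure")

def classify(domain):
    """Return (core_string, keywords_found), or None if the name is unrelated."""
    # Drop the TLD so that it cannot produce a keyword match by itself.
    label = domain.lower().rstrip(".").rsplit(".", 1)[0]
    m = CORE.search(label)
    if m is None:
        return None
    core = "covid19" if m.group().startswith("covid") else "coronavirus"
    rest = label[:m.start()] + " " + label[m.end():]
    return core, [k for k in KEYWORDS if k in rest]

def of_interest(domain):
    hit = classify(domain)
    return bool(hit and hit[1])

def daily_registrations(records, analysis_date, lag_days=3):
    """Registrations per day, cut off lag_days before the analysis date
    because recent registrations may not have reached the zone file yet."""
    cutoff = analysis_date - timedelta(days=lag_days)
    counts = Counter(c for d, c in records
                     if c is not None and c <= cutoff and of_interest(d))
    return dict(sorted(counts.items()))

def share_since(records, since):
    """Fraction of dated keyword-bearing domains created on or after `since`."""
    dated = [c for d, c in records if c is not None and of_interest(d)]
    return sum(c >= since for c in dated) / len(dated) if dated else 0.0

# Constructed sample records: (domain, creation date or None if look-up failed).
SAMPLE = [
    ("coronavirus-info.example", date(2019, 11, 2)),   # related, no keyword
    ("covid19masks.example", date(2020, 3, 5)),
    ("covid-19-testkit.example", date(2020, 3, 10)),
    ("buy-coronavirus-masks.example", date(2020, 3, 10)),
    ("coronaviruspharmacy.example", date(2020, 2, 12)),
    ("covid-19-cure.example", date(2020, 3, 17)),      # inside the lag window
    ("covid19vaccine.example", None),                  # no creation date
    ("gardening-tips.example", date(2020, 3, 1)),      # unrelated
]

if __name__ == "__main__":
    print(daily_registrations(SAMPLE, date(2020, 3, 18)))
    print(f"{share_since(SAMPLE, date(2020, 3, 1)):.0%} registered since 1 March")
```

Substring matching of this kind over-matches (for example 'test' inside 'latest'), so hits are candidates for review rather than confirmed findings.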

What's in a domain name?

Nearly 75% of the 2,646 domains with keywords of interest produced a live webpage response[4]. Around three-quarters of these currently do not point to an active site, i.e. they return no page title, or a title suggesting that only a holding page is present. That said, even these may have been registered with the goal of monetising the domain name, either through pay-per-click links on the site or by explicitly offering the domain name for sale.

Setting aside inactive domains still leaves around 500 coronavirus-related domains featuring relevant keywords and appearing to host active websites. Thirty-two of those 500 achieve significant web traffic, attracting over 8,000 Internet users per day between them. The websites resolve to a range of content, although just over a third resolve to active e-commerce sites offering face masks for sale. Others include: e-commerce sites selling coronavirus testing kits or other healthcare products; sites linking to online pharmacies; sites offering global coronavirus tracking functions; and a range of other informational sites.

Table 2: Description of content for coronavirus-related domains featuring keywords of relevance and attracting significant levels of web traffic

N.B. (i) Sites that do not currently include active website content are shown in italics.
(ii) Domain names are not shown, and any company names have been redacted.





Figure 2: Example screenshots of (top to bottom) high-traffic e-commerce sites offering the sale of face masks, or coronavirus testing kits; a coronavirus tracking site; and a site promoting an online pharmacy

Why does it matter to brands?

Registering a domain and creating an associated website is quick, simple, and essentially unregulated. This provides a range of opportunities for any would-be infringer and, as our findings have shown, can pose a variety of risks for internet users. Where physical products are being sold, the items could be manufactured using sub-standard materials, or without rigorous quality checks. Consumers run the risk that products may not just be ineffective, but actually harmful. Many of the identified e-commerce sites offered products using known and trusted brand names. The risk of these being counterfeit is one reason why brand owners should pay close attention to the developing landscape, and take appropriate enforcement action to protect their customers and their reputation.

The social risks of misinformation

Where unofficial sites use the name or branding of a legitimate health organisation (e.g. CDC or WHO) to appear official or to lend credibility to their content, the public is at risk of receiving incorrect safety information or falling victim to a phishing attack.

Figure 3: An example of a site infringing on CDC and WHO branding. The domain has been registered using a privacy-protection service to hide the contact details of the owner

Other identified websites offer coronavirus tracking mobile apps - a risk to the public in light of reports that some coronavirus tracking apps actually host malicious content or ransomware.

Recommendations for brand owners

As the coronavirus story continues to develop, it is advisable to monitor for third-party domain names - and material in other online areas - that may be using a brand name to lend credibility to site content or offer the sale of counterfeits. CSC's monitoring technology is able to search for brand-related appearances across a range of internet content types, and prioritise findings by the number and prominence of brand mentions, and their proximity to keywords or key phrases of particular relevance or concern. Following identification of infringing content, a rapid process of enforcement for the removal of damaging content can help to protect customers, company reputation, and revenue. Above all, throughout this developing crisis, it's most important to take all necessary precautions - both online and offline - to be safe and stay well!

References

[1] Numbers correct as of 18/03/2020
[2] Wherever this information is available via an automated look-up
[3] https://edition.cnn.com/2020/02/06/health/wuhan-coronavirus-timeline-fast-facts/index.html
[4] Excluding those that return no HTTP response, or generate an error code

This article was first published on 26 March 2020 at:
https://www.cscdigitalbrand.services/blog/coronavirus-online-threats-part-1/

Also published at:
http://www.circleid.com/posts/20200409-coronavirus-online-threats-going-viral-part-1-domain-names/
