New research says domain registration fraud surging in post-pandemic era

Feb. 21, 2022
Additional malicious domains are connected with sites that are currently dormant but are primed to host potentially harmful content in the future

In the pandemic era, people have grown anxious. And when people grow anxious, they seek out information. In this case, they’ve looked for information about daily COVID case numbers, new variants, vaccinations and health recommendations. Inevitably, they’ve gone to the internet – often daily – to find answers.

Unfortunately, cybercriminals view this as not so much of a crisis, but an opportunity. The massive surge in online activity coupled with the widespread adoption of work from home (WFH) arrangements has allowed these criminals to plant “hooks” in the form of deceptive, suspicious domain registrations, resulting in the launching of phishing and fraud attack campaigns.

To learn more, we conducted a two-year analysis to explore how the outbreak has affected online content, focusing on domain name registrations during this period. Here is what we found:

  • There was a clear correlation between the occurrences of “real world” events and increases in suspicious domain registrations. Within our two-year research time frame, more than 478,000 domain names have referenced key terms associated with the coronavirus, including “covid,” “covid19,” “coronavirus,” and “vaccine.” The spike in registrations has resulted in a larger pool of suspicious and malicious incidents, posing threats to brands and consumers due to registration patterns and behaviors.
  • We looked closely at data related to Omicron domain registrations and found that, at the start of January 2022, more than 2,300 domains existed with names containing the term “omicron.” Of the 1,194 domains registered in 2021, 832 (70 percent) were registered in the two-week period between November 26 and December 9, immediately following the announcement of the name for the new COVID variant. A number of the suspicious domains cause traffic misdirection/redirection, taking users to fake websites of an insurance agency and even a relationship/life coach. But others appeared more troublesome and fraudulent, purporting to provide news about Omicron while soliciting donations or promoting cryptocurrency investments.
Additional malicious domains are connected with sites that are currently dormant but are primed to host potentially harmful content in the future – such as the posting of fake materials related to treatments, testing, or even “omicron hoax” information – to distribute malware payloads. Dormant sites are a popular tool for cybercriminals, who simply “turn them on” when they’re ready to launch an attack campaign. It’s worth noting that a great deal of the dormant malicious domains are registered through consumer-grade registrars, which are less secure than enterprise-class ones, and have been linked to trademark infringements, brand abuse,and fraud/phishing attacks.

-We evaluated registration patterns related to websites using the names of top brands, including Pfizer, Moderna, Johnson & Johnson, the Centers for Disease Control and Prevention (CDC), the U.S. Food and Drug Administration (FDA), and the World Health Organization (WHO). We discovered that 80% of the 350 domains containing the brand names were registered to third parties.

One-half of the domains posted no actual web content and, thus, were dormant. Of the dormant domains, nearly one-third are configured to send and receive email with active mail exchange (MX) records, which essentially give hackers a launchpad for malicious attacks. Many sites using the trusted brand names appear intended to harvest personal details, distribute malicious content via legitimate-looking emails, or directly solicit financial donations.

So, what should organizations do in light of the findings? We recommend the following four best practices:

1. Deploy a defense-in-depth approach for domain management. Assess your domain registrar’s security, technology and processes. Implement two-factor authentication and monitor Domain Name System (DNS) activity. Invest in enterprise-class registrars, which take advantage of advanced services such as …

  • Domain registry locks, which enable end-to-end domain name transaction security to avoid accidental or unauthorized modifications or deletions (i.e., domain hijacking)
  • Domain name system security extensions (DNSSECs), which authenticate communications between DNS servers, shielding brands from DNS cache poisoning
  • Certification authority authorization (CAA) records, which allow security teams to designate a specific certificate authority (CA) to serve as the sole issuer of certificates for their organization’s domains
  • Domain-based message authentication reporting and conformance (DMARC), which protects an email domain from spoofing, phishing and other cyber scams via email server reports identifying possible authentication issues and malicious activity
  • ·DNS hosting redundancy with a backup DNS to boost resiliency

2. Avoid consumer-grade registrars. These registrars generally do not offer the range of protection as described above with enterprise-class registrars. In addition, they are known to run marketplaces that auction and sell domain names with trademarks to the highest bidder while conducting “name spinning,” which promotes and encourages the registration of domain names with trademarks. They will monetize domain names containing trademarks through pay-per-click sites and are subject to frequent breaches.

3. Confirm that your domain registrar and DNS provider follow best-in-class control practices, with annual audits. Verify they are in comprehensive compliance with zero trust and other frameworks, and that they have in place an active corporate security policy, ongoing training programs for employees and contractors, password policies that include multi-factor authentication (MFA), a strong endpoint solution program, patch management, disaster recovery/business continuity capabilities, and vulnerability/penetration testing programs.

4. Continuously monitor the domain space. Identify spoofing tactics such as homoglyphs, which are confusingly similar “fuzzy” domains that hackers typically use for phishing attempts. Search for identity trademark and copyright abuse online and track all brand mentions on relevant social media, while monitoring major app stores and taking action against ads that result in traffic misdirection which damages your brand. In the case of fraud and intellectual property infringements, be prepared to enforce marketplace delistings, social media page suspensions, mobile app delistings, cease and desist letters, fraudulent content removal, and threat vector mitigation.

None of the activity on the part of cyber adversaries should surprise us, really. They targeted hospitals with ransomware from the earliest days of the pandemic, after all. They are, if anything, extremely resourceful and industrious (albeit, in a criminal manner), and domain registrations remain readily available for their schemes. That’s why the deployment of defense-in-depth, domain registrar/DNS provider vetting and continuous monitoring – along with the avoidance of extremely suspect consumer-grade registrars in favor of proactively protective enterprise-class registrars – will best position your organization to safeguard its users and customers. This will serve as the most effective response to the COVID-related anxiety that these crooks create.

About the Author: 

Ihab Shraim is the chief technology officer (CTO) with CSC DBS. He is responsible for the vision, innovation, and product revenue growth within the company’s cyber security, domain security, fraud protection, and brand protection lines of business.