Spotting and blacklisting malicious COVID-19-themed sites

Since last December, over 136,000 new COVID-19-themed domains have popped up and, while many host legitimate websites, others have been set up to serve malware, phishing pages, or to scam visitors.

SpyCloud researchers have also discovered that existing community threat intelligence feeds such as Google Safe Browsing, OpenPhish or ThreatsHub flag only a small percent of the domains as malicious.

“One potential reason is that the feeds we used have a focus on threat intelligence specific to phishing and malware, not necessarily scam sites. In addition, these feeds are sometimes automatically ingested into security products, increasing the potential impact of false positives because they could cause service disruptions in corporate and private networks,” the researchers noted.

Other interesting findings

After gathering a list of of over 136,000 hostnames and fully qualified domain names with COVID-19 or coronavirus themes from a variety of open-source feeds (threat lists, datasets of SSL certificates, etc.), they “parsed, deduplicated, and enriched the data with HTTP, additional DNS analysis, and WHOIS data that was manually collected” and found that many of the domains have active web content, but some merely display “placeholder” content indicating they’ve been purchased and “parked” at the registrar.

They pointed out that not all the “parked” domains are likely to become malicious. “Domain scalping may account for some of these purchases; for example, someone might purchase domains related to COVID-19 cures or vaccines with the hope of eventually selling them to a pharmaceutical company.”

On the other hand, there are those that are undeniably (if not too obviously) malicious:

“Most likely, the threat actor was sending phishing messages ‘from’ Chase with some form of messaging about the bank’s COVID-19 response, making it seem plausible to users that their bank may have set up a dedicated page related to the virus,” they explained.

Other findings include:

• 78.4% of the COVID-19-themed domains use HTTP, the rest HTTPS
• GoDaddy, NameCheap, Google, Name.com, and Tucows are the most popular domain registrars used by registrants of COVID-19 themed sites.

Everybody can join the fight

Some domain registrars have pledged to step up their efforts to actively find and take down fraudulent sites and to prevent registrations with certain keywords.

SpyCloud researchers are urging the security community to contribute to public feeds such as that operated by the COVID-19 Cyber Threat Coalition or to activities of organizations such as the Cyber Volunteers (CV19) to make everyone a little bit safer.

They have also provided the dataset they compiled so other researchers can take advantage of it for their own research.

Finally, they pointed out, even individual users can help keep everybody safe by reporting suspicious messages to email providers and corporate IT.

“Though flagging a phishing message within your inbox may not feel like a big deal, that action helps providers identify malicious content and flag it for other users,” they concluded.