Cybersecurity firm found 569% growth in malicious site registrations related to pandemic

Using Google Trends and traffic logs, Palo Alto Networks observed a steep increase in user interest in topics related to coronavirus, with prominent peaks at the end of January, the end of February, and the middle of March 2020.

To protect customers, Palo Alto Networks’ global threat intelligence team, Unit 42, monitors user interest in trending topics and the domain names newly registered around those topics, as miscreants often leverage them for malicious campaigns.

Accompanying the growth in user interest, the cybersecurity firm observed a 656% increase in the average daily number of coronavirus-related domain name registrations from February to March. In the same timeframe, the company recorded a 569% growth in malicious registrations (malware and phishing) and a 788% growth in “high-risk” registrations, a category that covers scams, unauthorized coin mining, and domains with evidence of association with malicious URLs or of bulletproof hosting.

As of the end of March, the company identified 116,357 Coronavirus-related newly registered domain names. Out of these, 2,022 are malicious and 40,261 are “high-risk.”

DNS records

The company analyzes these domains by clustering them on their Whois information, DNS records and screenshots (collected by automated crawlers) to detect registration campaigns. It found that while many domains are registered only to be resold for a profit, a significant fraction are used both for well-known malicious activities and for fraudulent shops selling items in short supply.
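The clustering step described above can be sketched as an infrastructure-pivot exercise: domains that share a registrant address, a nameserver or a hosting IP are linked into one candidate campaign. The script below is an added example, not Unit 42's tooling; its records are constructed to stand in for WHOIS and DNS lookups, and the privacy-proxy address it ignores is an assumed placeholder.

```python
"""Group newly registered domains into candidate campaigns by shared registration
and hosting attributes (registrant e-mail, nameservers, A record).

Added example illustrating the clustering idea; it is not Unit 42's code.
The RECORDS below are constructed and stand in for real WHOIS/DNS lookups.
"""
from collections import defaultdict

# Constructed sample records: domain -> registrant e-mail, nameservers, A record.
RECORDS = {
    "covid19-testkits-now.example":   {"email": "reg1@mail.example",
                                       "ns": ("ns1.host-a.example", "ns2.host-a.example"),
                                       "ip": "203.0.113.10"},
    "corona-cure-shop.example":       {"email": "reg1@mail.example",
                                       "ns": ("ns1.host-b.example",),
                                       "ip": "203.0.113.11"},
    "coronavirus-masks-sale.example": {"email": "other@mail.example",
                                       "ns": ("ns1.host-b.example",),
                                       "ip": "203.0.113.12"},
    "covid-relief-fund.example":      {"email": "privacy@redacted.example",
                                       "ns": ("ns1.host-c.example",),
                                       "ip": "198.51.100.5"},
    "covid19-tracker-app.example":    {"email": "privacy@redacted.example",
                                       "ns": ("ns1.host-d.example",),
                                       "ip": "198.51.100.5"},
    "my-covid-blog.example":          {"email": "blogger@mail.example",
                                       "ns": ("ns1.host-e.example",),
                                       "ip": "192.0.2.77"},
}

# Assumed list of privacy-proxy placeholder addresses. They are shared by unrelated
# registrants, so using them as a pivot would glue every proxied domain together.
PROXY_EMAILS = {"privacy@redacted.example"}


class DisjointSet:
    """Union-find over domain names: linked domains end up under one root."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def pivots(rec, proxy_emails):
    """Yield ("kind", value) keys worth pivoting on for one record."""
    if rec["email"] not in proxy_emails:
        yield ("email", rec["email"])
    for ns in rec["ns"]:
        yield ("ns", ns)
    # A shared IP is a weak pivot on shared hosting; a real pipeline would skip
    # IPs that host more than a handful of domains. Kept simple here.
    yield ("ip", rec["ip"])


def cluster_domains(records, proxy_emails=PROXY_EMAILS):
    """Return clusters (sorted lists of domains) linked by any shared pivot, largest first."""
    ds = DisjointSet(records)
    by_pivot = defaultdict(list)
    for domain, rec in records.items():
        for key in pivots(rec, proxy_emails):
            by_pivot[key].append(domain)
    for members in by_pivot.values():
        for other in members[1:]:
            ds.union(members[0], other)
    groups = defaultdict(list)
    for domain in records:
        groups[ds.find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for i, group in enumerate(cluster_domains(RECORDS), 1):
        print(f"cluster {i}: {group}")
```

On the constructed data this yields three clusters: a three-domain campaign joined through a shared registrant and a shared nameserver, a two-domain group joined only by a common IP, and a lone blog. Each link should be read as a lead to confirm with screenshots and content, not as proof of a campaign.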

Traditional abuse of Coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, cryptomining, and black hat search engine optimization (SEO) to improve the search rankings of unethical websites. Although many webshops on newly registered domains try to scam users, the researchers also detected an especially unethical cluster of domains that capitalizes on users’ fear of Coronavirus to frighten them into buying products. In addition, the company found a group of Coronavirus-themed domains that currently serve parked pages with high-risk JavaScript that may at any time start redirecting visitors to malicious content.

Newly registered websites

People should be highly skeptical of any emails or newly registered websites with COVID-19 themes, whether they claim to offer information, a testing kit, or a cure. Examine domain names carefully: confirm that the site is the legitimate domain (google[.]com vs g00gle[.]com) and that the browser shows a lock icon to the left of the URL bar, indicating a valid HTTPS connection. Note that the lock only confirms an encrypted connection to whatever domain is shown; a fraudulent or phishing site can obtain a valid certificate just as easily, so it does not by itself vouch for a site’s legitimacy.
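The manual check above (google[.]com vs g00gle[.]com) can be automated for a feed of newly registered domains. The script below is an added example and not Unit 42's code; its allowlist, homoglyph map and pandemic keyword list are assumptions chosen for illustration, and it assumes single-label TLDs (co.uk-style suffixes are not handled).

```python
"""Triage a domain name for pandemic theming and brand-lookalike signals.

Added example of the checks the text recommends; it is not Unit 42's code.
LEGITIMATE, HOMOGLYPHS and COVID_TERMS are assumed lists for illustration.
"""
from urllib.parse import urlsplit

# Digits and symbols commonly swapped for letters in lookalike domains (assumed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "8": "b", "9": "g", "|": "l", "$": "s"})

# Domains users expect to reach (assumed; a real allowlist would be far longer).
LEGITIMATE = {"google.com", "who.int", "cdc.gov", "paypal.com"}

# Terms that mark a domain as pandemic-themed (assumed list).
COVID_TERMS = ("covid", "corona", "ncov", "pandemic", "vaccine", "testkit", "test-kit")


def refang(text: str) -> str:
    """Undo the [.] / hxxp defanging conventions and strip scheme and path, returning the host."""
    text = text.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    if "://" not in text:
        text = "http://" + text
    return urlsplit(text).hostname or ""


def second_level(host: str) -> str:
    """Label directly left of the TLD; assumes a single-label TLD."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def normalize(label: str) -> str:
    """Map homoglyph digits/symbols to letters and drop hyphens, so g00gle -> google."""
    return label.translate(HOMOGLYPHS).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str) -> dict:
    """Return host, whether it is on the allowlist, whether it is pandemic-themed,
    and which legitimate domain (if any) it looks like."""
    host = refang(candidate)
    norm = normalize(second_level(host))
    result = {"host": host, "legitimate": host in LEGITIMATE,
              "covid_themed": any(term in host for term in COVID_TERMS),
              "lookalike_of": None}
    if result["legitimate"]:
        return result
    for legit in sorted(LEGITIMATE):
        brand = second_level(legit)
        exact = norm == brand                       # g00gle, goo-gle
        # Near-miss rules only for brands long enough that one edit or a substring
        # is meaningful; "who" or "cdc" would otherwise match far too much.
        near = len(brand) >= 5 and (levenshtein(norm, brand) <= 1   # goggle
                                    or brand in norm)               # paypal-covid19-relief
        if exact or near:
            result["lookalike_of"] = legit
            break
    return result


if __name__ == "__main__":
    for sample in ("google[.]com", "g00gle[.]com", "goggle.com",
                   "hxxp://paypal-covid19-relief.com/login", "covid19-testkits-now.example"):
        print(assess(sample))
```

A domain that is both pandemic-themed and a lookalike of a known brand is the strongest signal here; a themed domain with no brand match still warrants the registration-age and content checks the article describes, since most of the 116,357 domains it counts are not lookalikes at all.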

Similar care should be taken with any COVID-19-themed emails: a look at the sender’s address often reveals that the content is likely not legitimate, as the address is unknown to the recipient, misspelled, or suspiciously long with random-seeming characters.