Using Google Trends and traffic logs, Palo Alto Networks observed a steep increase in user interest in topics related to coronavirus, with prominent peaks at the end of January, the end of February, and the middle of March 2020.
To protect customers, Palo Alto Networks’ global threat intelligence team, Unit 42, monitors user interest in trending topics and the newly registered domain names related to those topics, as miscreants often leverage them for malicious campaigns.
Accompanying the growth in user interest, the cybersecurity firm observed a 656% increase in the average daily coronavirus-related domain name registrations from February to March. In this timeframe, the company witnessed a 569% growth in malicious registrations, including malware and phishing, and a 788% growth in “high-risk” registrations, including scams, unauthorized coin mining, and domains that show evidence of association with malicious URLs or use of bulletproof hosting.
As of the end of March, the company identified 116,357 Coronavirus-related newly registered domain names. Out of these, 2,022 are malicious and 40,261 are “high-risk.”
The company analyzes these domains by clustering them based on their Whois information, DNS records and screenshots (collected by automated crawlers) to detect registration campaigns. The company found that while many domains are registered to be resold for a profit, a significant fraction of them are used both for well-known malicious activities and for fraudulent shops selling items in short supply.
Newly registered websites
People should be highly skeptical of any emails or newly registered websites with COVID-19 themes, whether they claim to offer information, a testing kit, or a cure. Special care should be taken to examine domain names for legitimacy and security, such as ensuring the domain is the legitimate one (google[.]com vs g00gle[.]com) and that there is a lock icon on the left-hand side of the browser’s URL bar, indicating a valid HTTPS connection.
Similar care should be taken with any COVID-19 themed emails – a look at the sender’s email address often reveals the content is likely not legitimate, as it’s either unknown to the recipient, misspelled, or suspiciously long with random-seeming characters.
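The two checks recommended above (a lookalike domain such as g00gle[.]com, and a sender address whose domain or local part gives it away) can be automated for a mail gateway or a newly-registered-domain feed. The following is an added example, not code from Palo Alto Networks or Unit 42; the allowlist, confusable-character table and keyword list are constructed for the demonstration.

```python
import re

# Constructed allowlist for this example; a real deployment would use its own.
KNOWN_GOOD = {"google.com", "cdc.gov"}
# Digit-for-letter substitutions typical of lookalikes (the page's g00gle[.]com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b"})
# Coronavirus-themed keywords matching the registrations the page describes.
THEME_RE = re.compile(r"corona|covid|ncov|pandemic", re.I)

def defang(domain):
    """Render a domain non-clickable, as the page does with google[.]com."""
    return domain.replace(".", "[.]")

def registrable_domain(host):
    # Naive: last two labels. Multi-part suffixes such as co.uk are not
    # handled; a production tool would consult the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def assess_domain(host):
    """Classify a host as known-good, lookalike, themed or unknown."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return "known-good", "exact allowlist match"
    normalized = registrable_domain(host.translate(CONFUSABLES))
    if normalized in KNOWN_GOOD:
        return "lookalike", f"{defang(reg)} normalizes to {defang(normalized)}"
    # A trusted brand as a label or hyphenated token elsewhere in the name
    # (google-covid19.com, covid19.google.com.evil.net) is also a lookalike.
    tokens = set(re.split(r"[-.]", host.translate(CONFUSABLES)))
    for good in KNOWN_GOOD:
        if good.split(".")[0] in tokens:
            return "lookalike", f"{defang(reg)} embeds trusted brand {good.split('.')[0]}"
    if THEME_RE.search(host):
        return "themed", f"{defang(reg)} uses a COVID-19 theme; verify before trusting"
    return "unknown", f"{defang(reg)} is not on the allowlist"

def assess_sender(address):
    """Same check for an email sender, plus the page's long/random-local-part cue."""
    local, _, domain = address.rpartition("@")
    verdict, reason = assess_domain(domain)
    if verdict in ("lookalike", "themed"):
        return verdict, reason
    digits = sum(c.isdigit() for c in local)
    if len(local) > 24 or digits > len(local) // 3:
        return "suspicious", f"local part '{local}' is long or random-looking"
    return verdict, reason
```

The length and digit-ratio thresholds in `assess_sender` are illustrative; tune them against your own legitimate mail before acting on the verdict.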