In our April 17 post we reviewed the deluge of Covid-19 newly registered domains (NRDs) and introduced NLP (natural language processing) methods for characterizing domain names based on common words or strings (lexemes). There's no shortage of excellent reporting on Covid-19 domains, including this April 16 post from krebsonsecurity.com. With so much coverage, the Covid-19 NRD phenomenon has also caught the attention of state and federal government authorities. In this post, we'll take a look at two of these inquiries and provide analytical perspective based on data from LookingGlass Cyber Solutions (full disclosure: LookingGlass is my employer) and the DomainTools Covid-19 Threat List.
NY Attorney General: On 20-March, the NY Attorney General (NYAG) sent letters of inquiry to six leading domain registrars asking them to strengthen their methods and policies to guard against the registration of Coronavirus-themed domain names that may be involved in cybercrime. Registrars receiving these inquiries include GoDaddy.com, Dynadot.com, Name.com, Namecheap.com, Registrar.com, and Endurance International Group subsidiaries.
While acknowledging legitimate uses for Covid-19 related terms, the NYAG notes the need to protect citizens from scams using Covid-19 domains in campaigns involving fraud, false cures, deceptive advertising, phishing and malware dissemination. The legal basis includes potential violations of General Business Law § 349, Executive Law § 63(12), and the Computer Fraud and Abuse Act (CFAA), as well as terms of service for domain registrars. Noting that the current environment demands the highest vigilance, the NYAG seeks dialogue on measures for preventing bad actors from exploiting the current crisis, including: automated and human review of domain name registration and traffic patterns to identify fraud; revising terms of service; and in general implementing more rigorous registration requirements that prevent rapid registration of coronavirus-related domains.
In response to the NYAG, Namecheap said it would remove terms such as coronavirus, COVID, and vaccine from the company’s domain availability search tool, and would work with authorities to proactively prevent and take down any fraudulent or abusive domains or websites related to COVID19 or the Coronavirus. GoDaddy cited commitment to its human review process and continued vigilance. Tucows said it is flagging all covid and corona domains for manual review and was particularly focused on sites peddling fake COVID-19 cures or tests.
To get a sense of the extent of the issue, we de-duplicated and graphed data provided by LookingGlass Cyber Solutions (Figure 1). This graph measures Covid-19 related domain registrations for five of the registrars targeted by NYAG for the week of April 5-11.
With this data we can drill down by registrar and evaluate registrar claims and effectiveness. In Figure 2, we see an example of the results page from the Namecheap domain name recommendation engine as of 22-April. In this example, we are searching for the domain vaccine-covid-19.online, which happens to be registered through Namecheap. The recommendation engine tells us that the name is taken but suggests alternatives, including premium upsell alternatives. In spot testing we saw similar behavior at all of the registrars. In this particular case, reality appears to contradict Namecheap's stated claims on Covid-19 domain name policy: a search for a domain containing both "vaccine" and "covid" still returned suggestions built on those terms.
US Senators: On April 14, US Senators Mazie K. Hirono (D-Hawaii), Cory Booker (D-N.J.), and Maggie Hassan (D-N.H.) sent letters to eight domain registrars and hosting providers (the same five as NYAG plus Web.com, InMotion Hosting, and DreamHost) seeking information on the companies' efforts to combat misinformation about the coronavirus pandemic. The senators requested information by April 20 that would help them assess what the registrars were doing in three areas: (1) ensuring that only legitimate organizations can register coronavirus-related domain names; (2) expeditious termination of registrations for domains involved in unlawful or harmful activity; and (3) cooperation with law enforcement on prosecution of cybercriminals profiting from the coronavirus pandemic.
In particular, the senators requested information on the number of registrations and suspensions of domains with the following terms, broken out by month: coronavirus, covid, pandemic, virus, or vaccine. The senators also provided a list of terms for “reference drugs touted as potential treatments”.
With thanks to DomainTools for sharing their Covid-19 Threat List, it's possible to answer some of the questions and get a sense of the situation. As of April 20, the DomainTools list includes 132,727 domains related to the terms 'Covid-19' and 'Coronavirus' (and permutations of these terms) that were registered after 1-Jan-2020 and have a DomainTools-assigned risk score of 70-99.
In Table 1 we summarize most of the key terms (excluding Covid, Coronavirus, virus).
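The tallies behind a table like this are straightforward to reproduce from any threat-list export. Below is an added example (not code from the original post, and not DomainTools' or LookingGlass's tooling) that applies the same selection described above (registered on or after 1-Jan-2020, risk score 70-99) to a constructed sample with hypothetical registrar names, then counts hits per term by month, as the Senators requested, and by registrar, as needed to compare registrar claims. The term list is the Senators' five terms plus remdesivir, the drug discussed in the next section. One caveat the code makes explicit: "virus" also fires on "coronavirus", so per-term counts overlap and their sum overstates the number of distinct domains.

```python
"""Tally Covid-19 themed domain registrations by term, month and registrar.

Added example: the CSV below is constructed, with hypothetical registrar
names and dates; it only mimics the shape of a threat-list export
(domain, creation date, risk score, registrar).
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import date

# Terms named in the Senators' letter, plus the reference drug discussed in the post.
TERMS = ("coronavirus", "covid", "pandemic", "virus", "vaccine", "remdesivir")

# Constructed sample rows (hypothetical registrars and dates, not real data).
SAMPLE_CSV = """domain,create_date,risk_score,registrar
covid19remdesivir.com,2020-03-21,84,Registrar A
covid-19remdesivir.com,2020-03-21,84,Registrar A
coronaremdesivir.site,2020-04-02,91,Registrar B
vaccine-covid-19.online,2020-04-07,77,Registrar C
coronavirus-vaccine.com,2020-04-10,88,Registrar C
pandemic-masks.shop,2020-03-30,72,Registrar B
flu-virus-news.info,2020-02-14,65,Registrar C
remdesivir.org,2019-12-20,80,Registrar A
"""


def normalize(domain: str) -> str:
    """Lowercase, drop the final label (TLD) and remove separators, so
    'Covid-19.Remdesivir.com' -> 'covid19remdesivir'. This catches the usual
    permutations (covid-19, covid19, covid_19) with one substring test.
    Caveat: multi-part suffixes such as co.uk leave 'co' in the name."""
    label = domain.lower().strip().rstrip(".")
    name = label.rsplit(".", 1)[0] if "." in label else label
    return re.sub(r"[-_.]", "", name)


def matching_terms(domain: str) -> set:
    """Every TERM that occurs in the normalized name. Note that 'virus' also
    matches 'coronavirus', so per-term counts are not disjoint."""
    n = normalize(domain)
    return {t for t in TERMS if t in n}


def load_rows(text: str) -> list:
    """Parse a threat-list style CSV into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "domain": r["domain"],
            "created": date.fromisoformat(r["create_date"]),
            "risk": int(r["risk_score"]),
            "registrar": r["registrar"],
        })
    return rows


def filter_rows(rows, since=date(2020, 1, 1), lo=70, hi=99) -> list:
    """Apply the post's selection: created on/after `since`, risk in [lo, hi]."""
    return [r for r in rows if r["created"] >= since and lo <= r["risk"] <= hi]


def tally(rows):
    """Per-term counts by month (what the Senators asked for) and by registrar.
    A domain matching two terms is counted once under each term."""
    by_term_month = defaultdict(Counter)
    by_term_registrar = defaultdict(Counter)
    for r in rows:
        month = r["created"].strftime("%Y-%m")
        for t in matching_terms(r["domain"]):
            by_term_month[t][month] += 1
            by_term_registrar[t][r["registrar"]] += 1
    return by_term_month, by_term_registrar


def distinct_matching(rows) -> int:
    """Number of distinct domains hitting at least one term; compare with the
    sum of per-term totals to see how much the overlap inflates the latter."""
    return sum(1 for r in rows if matching_terms(r["domain"]))


if __name__ == "__main__":
    kept = filter_rows(load_rows(SAMPLE_CSV))
    by_month, by_registrar = tally(kept)
    for term in TERMS:
        if by_month[term]:
            print(term, dict(by_month[term]), dict(by_registrar[term]))
    print("distinct domains:", distinct_matching(kept),
          "sum of per-term totals:", sum(sum(c.values()) for c in by_month.values()))
```

Run against a real export, the by-registrar breakdown is what lets a claim such as "we flag every covid and corona registration for manual review" be checked against the registrar's own share of the list, month by month.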
In Table 2, we show results from drilling down on one of these terms, remdesivir. From Wikipedia we see that Remdesivir is an antiviral medication developed by the American biopharmaceutical company Gilead Sciences that is being studied as a possible post-infection treatment for COVID-19. The first three columns in the table are provided directly from the DomainTools data. For our analysis we’ve added Status and Registrar columns.
Ten of the domains do not resolve in DNS, as shown under Status. The last domain, covid19remdesivir.org, redirects to CDC.gov. We can set these aside for now, even though the unresolved ones may become 'interesting' when and if they go live. The remaining entries in the Status column, however, are concerning in the context of the Senators' inquiry and reflect on the policies of the registrars involved.
Two of the domains, covid-19remdesivir.com and covid19remdesivir.com, are clear examples of domain squatting, a common and even promoted practice in the domain registration business that in some cases can violate US law, including the Anticybersquatting Consumer Protection Act (ACPA) of 1999 and the Lanham (Trademark) Act (15 U.S.C.). As shown in Figure 3, these domains have been registered by BYRON CORP Investments with the stated intent to auction or resell. It may be reasonable to assume that Gilead Sciences would be an interested party with deep pockets. Figure 3 shows a partial list of forty-five Covid-19 related domains controlled by the reseller. Other examples target foundations and protective equipment, e.g., CoronavirusFoundation.org and CoronavirusGear.com. To be clear, in this instance the practice does not appear to violate registration policies or laws, but it is fair to ask whether it serves the public good or satisfies the request for vigilance sought in these inquiries.
In Figure 4, we see a different type of domain redirection with covid-remdesivir.com. Here, the domain redirects to a commerce site selling gothic-biker jewelry, skull-headz.com. In this case, the jewelry site is trying to profit from interest in Covid treatments.
The domains coronaremdesivir.site and coronaremdesivir.online are registered through GoDaddy and are examples of the common practice of domain parking. In this case, the domains resolve to a GoDaddy parked page that offers to recommend related domains (similar to Figure 2). This is an example of a registrar attempting to profit from the registration of Covid-19 domains.
Direction: While we don't know where the NYAG and the Senators' inquiries will lead, they are another reminder that weak Internet governance is a major source of Internet insecurity. Reform of domain registrars' policies and practices, as well as ICANN's, is long past due, as is using data sources like those described here to monitor the performance of registrars and hosting companies. It will take sustained government and industry pressure to bring about meaningful reform.