New Study Indicates Domain Registration Fraud Is Rising in the Post-Pandemic Era

In the age of the pandemic, people have become anxious. And when people get anxious, they seek information. In this case, they looked for information on the daily number of COVID cases, new variants, vaccinations and health recommendations. Inevitably, they took to the internet – often daily – to find answers.

Unfortunately, cybercriminals see it less as a crisis than an opportunity. The massive increase in online activity, coupled with the widespread adoption of work-from-home (WFH) arrangements, has allowed these criminals to plant “hooks” in the form of deceptive and suspicious domain registrations, driving the launch of phishing and fraud attack campaigns.

To find out more, we conducted a two-year analysis to explore how the outbreak affected online content, focusing on domain name registrations during this time. Here is what we found:

  • There was a clear correlation between the occurrences of “real world” events and the increase in suspicious domain registrations. During our two-year research period, more than 478,000 domain names referenced key terms associated with the coronavirus, including “covid”, “covid19”, “coronavirus” and “vaccine”. The surge in registrations has led to more suspicious and malicious incidents, posing threats to brands and consumers due to registration patterns and behaviors.
  • We took a close look at Omicron domain registration data and found that as of early January 2022, over 2,300 domains existed with names containing the term “omicron”. Of the 1,194 domains registered in 2021, 832 (70%) were registered during the two-week period between November 26 and December 9, immediately after the new COVID variant name was announced. A number of suspicious domains cause traffic to be misdirected/redirected, leading users to fake insurance agency and even relationship/life coach websites. But others seemed more troublesome and fraudulent, claiming to provide information about Omicron while soliciting donations or promoting cryptocurrency investments.

Other malicious domains are connected to sites that are currently inactive but are ready to host potentially dangerous content in the future – such as posting fake documents related to treatments, tests or even information about the “omicron hoax” – to distribute malware payloads. Dormant sites are a popular tool for cybercriminals, who simply “activate” them when they are ready to launch an attack campaign. It should be noted that a large portion of dormant malicious domains are registered through consumer-grade registrars, which are less secure than enterprise-grade registrars, and have been linked to trademark infringement, abuse of brand and fraud/phishing attacks.

We assessed website-related registration models using top brand names including Pfizer, Moderna, Johnson & Johnson, Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA) of the United States and the World Health Organization (WHO). We discovered that 80% of the 350 domains containing the brand names were registered with third parties.

Half of the domains displayed no real web content and therefore were inactive. Of the inactive domains, nearly a third are configured to send and receive email with active mail exchange (MX) records, essentially giving hackers a launching pad for malicious attacks. Many sites using the trustmark names appear to be aimed at collecting personal information, distributing malicious content through legitimate-looking emails, or directly soliciting financial donations.

So what should organizations do in light of the results? We recommend the following four best practices:

1. Deploy a defense-in-depth approach to domain management. Assess your domain registrar’s security, technology, and processes. Implement two-factor authentication and monitor Domain Name System (DNS) activity. Invest in enterprise-class registrars, which take advantage of advanced services like…

  • Domain registry locks that enable end-to-end domain name transaction security to prevent accidental or unauthorized modification or deletion (i.e. domain hijacking)
  • Domain Name System Security Extensions (DNSSEC) that authenticate communications between DNS servers, protecting brands against DNS cache poisoning
  • Certificate Authority Authorization (CAA) records that allow security teams to designate a specific Certificate Authority (CA) to serve as the sole certificate issuer for their organization’s domains
  • Domain-based Message Authentication, Reporting and Conformance (DMARC), which protects an email domain from spoofing, phishing and other cyber scams via email server reports identifying possible authentication issues and malicious activity
  • DNS hosting redundancy with backup DNS to boost resilience
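To make the CAA, DMARC and backup-DNS recommendations above concrete, here is an added example (not code from the original article or from CSC) that audits two constructed zone snippets, one with the weak settings and one with the corrected ones, and reports which of those controls are missing or set to a monitoring-only mode. The zone format, hostnames and finding codes are assumptions made for the example.

```python
# Constructed zone snippets: WEAK_ZONE shows the weak settings, HARDENED_ZONE the corrected ones.
WEAK_ZONE = """
example.com.        NS   ns1.example-dns.net.
example.com.        NS   ns2.example-dns.net.
_dmarc.example.com. TXT  "v=DMARC1; p=none"
"""
HARDENED_ZONE = """
example.com.        NS   ns1.example-dns.net.
example.com.        NS   ns1.backup-dns.org.
example.com.        CAA  0 issue "letsencrypt.org"
example.com.        CAA  0 issuewild ";"
_dmarc.example.com. TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
"""

def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Parse simplified 'name type rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.strip().splitlines():
        name, rtype, rdata = line.split(maxsplit=2)
        records.append((name, rtype, rdata.replace('"', "").strip()))
    return records

def audit(records: list[tuple[str, str, str]]) -> list[str]:
    """Return finding codes for the controls the article recommends that are absent or weak."""
    findings = []
    apex = next(n for n, _, _ in records if not n.startswith("_dmarc"))
    # CAA: without it, any publicly trusted CA may issue a certificate for the name
    if not any(t == "CAA" for n, t, _ in records if n == apex):
        findings.append("CAA-missing")
    # DMARC: p=none only monitors; spoofed mail is still delivered. rua= enables the reports.
    dmarc = next((r for n, t, r in records if n == f"_dmarc.{apex}" and t == "TXT"), None)
    if dmarc is None:
        findings.append("DMARC-missing")
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
        if tags.get("p") == "none":
            findings.append("DMARC-none")
        if "rua" not in tags:
            findings.append("DMARC-no-rua")
    # Redundancy: all NS hosts under one provider means one outage takes the zone offline
    providers = {r.split(".", 1)[1] for _, t, r in records if t == "NS"}
    if len(providers) < 2:
        findings.append("NS-single-provider")
    return findings

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, audit(parse_zone(zone)) or "no findings")
```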

2. Avoid mainstream registrars. These registrars generally do not offer the range of protection described above for enterprise-class registrars. Additionally, they are known to operate marketplaces that auction and sell domain names containing trademarks to the highest bidder while conducting “name shooting”, a practice that promotes and encourages the registration of domain names containing brands. They will monetize trademarked domain names through paid sites and are prone to frequent violations.

3. Confirm that your domain registrar and DNS provider follow best practices for monitoring, with annual audits. Verify that they are fully compliant with Zero Trust and other frameworks, and that they have an active corporate security policy in place, ongoing training programs for employees and contractors, password policies that include multi-factor authentication (MFA), a strong endpoint solution program, patch management, disaster recovery/business continuity capabilities, and vulnerability/penetration testing programs.

4. Continuously monitor domain space. Identify spoofing tactics such as homoglyphs, which are confusingly similar “fuzzy” domains that hackers typically use for phishing attempts. Research trademark and copyright abuse online and track all brand mentions on relevant social media, while monitoring major app stores and taking action against ads that misdirect traffic in ways that harm your brand. In the event of fraud and IP infringement, be prepared to apply marketplace delistings, social media page suspensions, mobile app delistings, cease and desist letters, removal of fraudulent content and mitigation of threat vectors.
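As an added example of the continuous monitoring in point 4 (not code from the original article or from CSC), the script below triages a constructed feed of new registrations: it folds homoglyph and look-alike characters into a skeleton so lookalikes compare equal to the brand, matches the pandemic keywords and brands the study names, and flags the dormant-but-email-capable pattern from the findings above (no web content, but an MX record). The confusable table, the sample domains and the flag names are assumptions made for the example.

```python
import unicodedata
from dataclasses import dataclass

# Watch lists built from the terms and brands the study names.
PANDEMIC_TERMS = ("covid", "covid19", "coronavirus", "vaccine", "omicron")
BRANDS = ("pfizer", "moderna", "cdc", "fda", "who")

# Assumed confusable table: a few Cyrillic look-alikes, digit/letter swaps and
# two-character sequences that render like one letter. Not an exhaustive list.
CYRILLIC = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
MULTI = {"rn": "m", "vv": "w"}
SINGLE = {"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s", "7": "t"}

def skeleton(text: str) -> str:
    """Collapse look-alike characters so a lookalike and its target compare equal."""
    text = "".join(CYRILLIC.get(ch, ch) for ch in text.lower())
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    for seq, rep in MULTI.items():
        text = text.replace(seq, rep)
    return "".join(SINGLE.get(ch, ch) for ch in text)

@dataclass
class Registration:
    domain: str        # newly registered name from a registrar feed or zone-file diff
    has_content: bool  # site serves real web content
    has_mx: bool       # MX record present, so the name can send and receive mail

def triage(reg: Registration) -> list[str]:
    """Return flags explaining why a new registration deserves analyst attention."""
    label = reg.domain.rsplit(".", 1)[0]  # drop the TLD (single-label TLDs assumed)
    skel = skeleton(label)
    tokens = skel.split("-")
    flags = [f"keyword:{t}" for t in PANDEMIC_TERMS if skeleton(t) in skel]
    for brand in BRANDS:
        b = skeleton(brand)
        # short acronyms (cdc, fda, who) must stand alone to avoid noise such as "whoever"
        if (b in tokens) if len(b) <= 3 else (b in skel):
            flags.append(f"brand:{brand}")
    if not reg.has_content and reg.has_mx:
        flags.append("dormant-with-mx")  # parked name that is still a mail launching pad
    return flags

# Constructed sample feed; none of these are observations from the study.
SAMPLE = [
    Registration("pf1zer-vaccine.com", has_content=False, has_mx=True),
    Registration("rnoderna-omicron.info", has_content=True, has_mx=True),
    Registration("modern\u0430-donate.net", has_content=False, has_mx=False),
    Registration("who-covid19.org", has_content=False, has_mx=True),
    Registration("example-shop.net", has_content=True, has_mx=False),
]

if __name__ == "__main__":
    for reg in SAMPLE:
        print(f"{reg.domain:28} {triage(reg) or 'clean'}")
```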

None of the activities of cyber adversaries should really surprise us. They have targeted hospitals with ransomware since the early days of the pandemic, after all. They are, instead, extremely resourceful and industrious (albeit criminally so), and domain registrations remain readily available for their projects. This is why deploying defense in depth, verifying and continuously monitoring domain registrars/DNS providers – as well as avoiding highly suspicious consumer-level registrars in favor of enterprise-class registrars that offer proactive protection – will best position your organization to protect its users and customers. This will be the most effective response to the COVID-related anxiety these scammers create.

About the Author:

Ihab Shraim is Chief Technology Officer (CTO) at CSC DBS. He is responsible for product vision, innovation and revenue growth within the company’s Cybersecurity, Domain Security, Fraud Protection and Privacy Protection lines of business.