COVID-19 news fuels rise in domain-related cybercrime, report says

According to a new CSC study, healthcare entities are at risk of hackers leveraging the COVID-19 pandemic for financial gain. Pictured: A COVID-19 testing location in Brooklyn on January 10, 2022 in New York. (Photo by Scott Heins/Getty Images)

Recent research from CSC highlights a continued increase in domain name registration activity over the past two years that correlates with ongoing COVID-19 themes. The data confirms that hackers have exploited the global pandemic for financial gain, a particular risk for healthcare institutions given the potential for brand abuse, threats to patient privacy and misinformation.

Threat actors have long taken advantage of ongoing news cycles and vulnerable times to pursue their cybercrime efforts. But while fraudulent domain registrations are likely a nuisance for other industries, healthcare entities need to be vigilant in these cases, as they could lead to phishing, brand abuse and other activities harmful to consumers.

In 2020 and 2021, CSC thoroughly explored the impact of the pandemic on online content, with a focus on domain name registration activity observed through its software-as-a-service (SaaS) cybersecurity platform.

Researchers found more than 478,000 domain names directly referencing key terms related to the global pandemic, “as bad actors took advantage of increased levels of COVID-related searches.”

The researchers confirmed a direct pattern of peaks and troughs in domain registrations whenever there was a COVID-19 news event. Domain-related cybercrime continues to rise, affecting brand owners, consumers, and the organization itself with ransomware and supply chain vulnerabilities.

These scam sites have been designed to collect personal information, sell fraudulent products, perform phishing attacks, or distribute malware via email attachments or malicious mobile apps. Many of these trends were first examined by CSC in a 2021 report.

Among the most pressing key trends for healthcare entities are COVID-19 related domain names containing Moderna, Pfizer, Centers for Disease Control and other similar names. The researchers note that for this dataset, they saw “patterns with those commonly used by malicious third parties in conjunction with more egregious types of activity.”

This is because many branded domain names use the same infrastructure, such as domain registrars and DNS hosting providers, “as other previously identified harmful websites”. According to the report, “bad actors use tactics such as domain parking and pay-per-click to disguise themselves and then launch their attacks.”

CSC has previously identified a continuing trend of fake domains targeting well-known global brands through “brand variants in the form of homoglyphs”. For data specific to COVID-19, researchers identified more than 350 domain names registered over the past two years that contained phrases related to the pandemic, including the top three vaccine makers or healthcare entities.

More than 80% of these domains have been registered by third parties, which means that they do not belong to the parties named in the domain. Of these domains, half were found to be inactive, with the other half being used for pay-per-click or ad-related systems.

Such activity is a potential red flag because it does not reflect how the domains have been used in the past or how they will be used in the future. The researchers noted that concern is heightened because a third of the domains have active MX records set up, presenting a “launching pad for future malicious attacks.”

“These observations highlight the risks that organizations face in terms of incorporating their brands into counterfeit domain names,” the researchers explained. Such domains are also a potential risk to patient privacy and a source of misinformation, because “brand names lend credibility to the domain name, creating an illusion of security for a user interacting with web content.”

These patterns have been used for multiple threats, including social media content, phishing attacks, and fraudulent marketplace offerings.

Healthcare entities that own the brand names used in fraudulent campaigns should consider directly requesting removal of content referencing their brand, the researchers warned. This is not just a marketing issue but an intellectual property issue, and “social media sites are generally expected to comply with requests to remove such content.”

“The need for better standards and regulations would go a long way to protecting companies and their cybersecurity posture, as well as their online brand presence and consumer safety,” the researchers concluded.