Keeping a close watch on coronavirus domains

26th March 2020


Eleanor Bradley

MD Registry Solutions and Public Benefit

Cyber criminals are always looking for a new way to take advantage of people online and they’ve just been handed a new opportunity: Covid-19. This global pandemic is causing great uncertainty and fear. News and official advice are developing rapidly, and with most of us now isolated in our homes, the internet is an essential place to find information. Unfortunately, this leaves us more vulnerable to phishing attacks, poised to click on a link that promises answers or solutions.

The National Cyber Security Centre (NCSC) has already published a warning that cyber criminals are using the coronavirus outbreak to lure internet users to their sites or into opening malicious links via phishing activity. The National Crime Agency (NCA) has also warned of organised crime groups exploiting the crisis and targeting the UK. Since the start of the year there has been evidence globally of phishing attacks based on the virus, often promising advice behind a link which, when clicked, leads to the device being infected.

The World Health Organisation (WHO) is one of many organisations that have warned of fraudulent emails being sent by criminals posing as them. The US Centre for Disease Control (CDC) has also experienced mimicry, with criminals creating domain names with a similar address to the official CDC site. This makes it easier to lure the unsuspecting, as senders and links can look authentic at a cursory glance.

As a responsible registry, Nominet is always monitoring the new domain names being registered alongside those already in existence in the .UK namespace for any evidence of fraudulent or malicious usage. This is part of our ongoing work to reduce criminality in the national namespace, but the past few weeks have given us some new key words to search for, such as ‘coronavirus’ or ‘covid19’. Unsurprisingly, we have witnessed a rapid upswing in domain name registrations containing these virus-related terms.

Many of these are being picked up by our Domain Watch initiative, a blend of manual and automated checking processes that helps us to identify, at the point of registration, which new domains are likely to be used for phishing. Those that look suspicious – based on our algorithm and then a manual check – are suspended until we see evidence of good intentions from the registrants.

So far, we have suspended over 180 domains while we conduct this extra due diligence. A small proportion responded to our satisfaction and had their domain names reactivated. It’s highly likely that those who did not respond were intending to use their domains to manipulate a public in need of information. Preventing these from entering the registry is a priority to ensure users of our national namespace are kept as safe as possible.

But that isn’t to say that all ‘coronavirus’ or ‘covid19’ domains are being registered for malicious purposes. Some of the legitimate reasons for these registrations include pharmaceutical trials, topical blogs or community groups offering support. As our lives suddenly become dependent on connecting digitally, we also want to avoid disrupting essential activity for health and social communication unnecessarily. Fortunately, the feedback we have received so far from those registrants has shown that people understood our due diligence and praised the efficient process to reinstate their domains once checks had been completed.

While Domain Watch catches domains at the point of registration, we are also always working collaboratively with UK law enforcement to ensure they can monitor domains that have already been registered for any criminal activity. In this way, we have identified a list of over 300 domains that are using the terms ‘covid-19’ or ‘coronavirus’ in their website address which we, as is usual practice, have shared with the appropriate regulatory authority for guidance. It should be noted that some of these will be innocent, as ‘corona’ appears in other words such as coronation – or Corona beer – and so we will inevitably collect some unrelated websites in our searches, which will not be acted upon.
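The false-positive problem described above can be seen in a small keyword triage, shown here as an added example that is not Nominet's Domain Watch algorithm or any code of theirs. The bucket names, the list of unrelated words and the domains ending in `-example` are assumptions constructed for illustration; the other domains and the search terms are the ones named in this article.

```python
from collections import defaultdict

STRONG_TERMS = ("coronavirus", "covid19")  # search terms named in the article
AMBIGUOUS_TERM = "corona"                  # also occurs inside unrelated words
# Constructed (assumed) list of ordinary words that contain "corona".
UNRELATED_WORDS = ("coronation", "coronary", "coronabeer")

def normalise(domain):
    """Lower-case the first label and drop hyphens, so 'covid-19' matches 'covid19'.

    Assumes the input is a registered domain name (no 'www.' or other host prefix).
    """
    label = domain.strip().lower().rstrip(".").split(".")[0]
    return label.replace("-", "")

def classify(domain):
    """Return 'review', 'ambiguous', 'unrelated' or 'no-match' for one domain."""
    label = normalise(domain)
    if any(term in label for term in STRONG_TERMS):
        return "review"        # clear virus term: queue for a manual check
    if AMBIGUOUS_TERM in label:
        remainder = label
        for word in UNRELATED_WORDS:
            remainder = remainder.replace(word, "")
        # 'corona' that survives removal of the unrelated words still needs a human.
        return "ambiguous" if AMBIGUOUS_TERM in remainder else "unrelated"
    return "no-match"

def triage(domains):
    """Group a feed of domain names by classification."""
    buckets = defaultdict(list)
    for name in domains:
        buckets[classify(name)].append(name)
    return dict(buckets)

# Constructed feed: four domains from the article plus made-up '-example' names.
SAMPLE_FEED = [
    "coronavirusmedication.co.uk", "coronafriend.co.uk",
    "coronakitchen.co.uk", "coronaloner.co.uk",
    "covid-19-advice-example.uk", "coronation-street-fans-example.co.uk",
    "corona-beer-shop-example.co.uk", "garden-centre-example.co.uk",
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_FEED).items():
        print(f"{bucket}: {', '.join(names)}")
```

A keyword match only decides which names a person looks at; as the article notes, both the suspicious and the innocent registrations share the same terms, so the decision itself stays with the manual check and the relevant authority.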

The Medicines and Healthcare Products Regulatory Agency (MHRA) are working hard to review any domains of concern. This due diligence process is crucial because Nominet is not the expert on all the different areas in which a domain can be used for criminal activity. In the case of this pandemic, we must be guided by the experts on what is acceptable and what needs disrupting. We have received one request for suspension through this process, for coronavirusmedication.co.uk, which was misleading those concerned for their wellbeing.

And it’s not all doom and gloom in these difficult times, and not all virus-related registrations are for illicit purposes. For the many now self-isolating, a new domain is a chance to be creative or connect with others. We have seen coronafriend.co.uk and coronakitchen.co.uk being registered – watch this space for how those sites are used. One site already active is coronaloner.co.uk, a light-hearted blog from a woman who worked as a creative in an advertising agency and is now working from home. A new website or blog can be a great way to create industry when many things have stopped or are stalling.

That said, some will still see this pandemic as an opportunity to exploit, but we have confidence that our usual activity of monitoring the registry will keep criminal activity to the low level it has always been in the .UK domain. If users do see any phishing attempts – and there will always be those who get through the net – we would encourage you to report these to Action Fraud. This will alert the right authorities and hopefully protect others from falling prey.

We can all do our bit by being mindful online and reviewing unsolicited emails with suspicion. During these days of uncertainty and the anxiety it breeds, be extra-cautious about clicking on anything you don’t recognise. It is best to stick to official websites when seeking information, such as the NHS. We were pleased to be part of the collaboration that has enabled free access to NHS online services, ensuring that even those without credit or data on their phones can get onto key healthcare sites via their mobile devices.

We need to work together to take care of ourselves during these months – physically, mentally and digitally. At Nominet, we’ll continue to play our part to keep .UK as safe and secure as possible as we all continue our lives as best we can in these digitally-critical days.
