Security Staff Acquisition & Development, Threat Management, Risk Assessments/Management

COVID-19 news fuels rise in domain-related cybercrime, preying on fear factor

A COVID-19 testing location in Brooklyn on Jan. 10, 2022, in New York City. The GSA awarded another $100 million in cybersecurity investments for the federal government, including upgrading the Department of Homeland Security’s Information Sharing Network that was used heavily during the COVID-19 pandemic to share sensitive but unclassified d...

Recent CSC research highlights a continued rise in domain name registration activity over the last two years in correlation with ongoing COVID-19 themes. Data confirms that hackers leveraged the global pandemic for financial gain, a particular risk to healthcare entities given brand abuse and patient privacy or misinformation risk.

Threat actors have long-preyed on ongoing news cycles and vulnerable periods to further their cybercrime efforts. But while fraudulent domain registrations are likely a nuisance to other sectors, healthcare entities should be on the alert for these instances, as it could lead to phishing, brand abuse, consumer privacy risks, and other nefarious activities.

In 2020 and 2021, CSC extensively explored how the pandemic impacted online content, with a focus on domain name registration activity through its software-as-a-service (SaaS) cybersecurity platform. 

Over 478,000 domain names directly referencing key terms tied to the global pandemic were found by the researchers, “as bad actors took advantage of increased levels of COVID-related searches.”

Researchers confirmed a direct pattern of peaks and valleys of domain registrations every time there was a COVID-19 news event. Domain-related cybercrime continues to rise, impacting brand owners, consumers, and the organization itself with ransomware and supply-chain vulnerabilities.

These fraudulent sites were designed to harvest personal information, sell fraudulent products, launch phishing attacks, or distribute malware through email attachments or malicious mobile apps. Many of these trends were first examined by CSC in a 2021 report.

Among the key trends most pressing to healthcare entities, COVID-19-related domain names containing Moderna, Pfizer, Centers for Disease Control, and other similar names. Researchers note for this dataset, they saw “trends with those commonly used by malicious third parties in conjunction with more egregious types of activity.”

This is due to many branded domain names using the same infrastructure, such as domain registrars and DNS hosting providers, “as other previously identified harmful websites.” According to the report, “Bad actors use tactics such as domain parking and pay-per-click to disguise and then launch their attacks.” 

CSC previously identified an ongoing trend of fake domains targeting well known global brands through “brand variants in the form of homoglyphs.” For the COVID-19-specific data, the researchers identified over 350 domain names registered in the last two years that contained pandemic-related phrases, including the top three vaccine manufacturers or health entities. 

And more than 80% of those domains were registered to third parties, meaning not owned by the parties named in the domain. Of these domains, half were deemed dormant, the other half used for pay-per-click or advertising related schemes.

The activity is a potential red flag as it doesn’t reflect how the domains may have already been used, nor how they’ll be used in the future. Researchers noted the concern is heightened as one-third of the domains have active MX records configured, presenting a “launch pad for future malicious attacks.” 

“These observations shine a light on the risks faced by organizations in terms of the incorporation of their brands in infringing domain names,” researchers explained. It’s also a potential risk for patient privacy and misinformation concerns, as “brand names lend credibility to the domain name, creating an illusion of safety to a user interacting with web content.”

These models were used across multiple threat avenues, including social media content, phishing attacks, and fraudulent marketplace offerings.

Healthcare entities that own the brand names used in fraudulent campaigns should consider directly requesting the content referencing their brand to be removed, researchers warned. It’s not only a marketing concern, but an intellectual property issue, and “social media sites are generally expected to be compliant with requests for the removal of such content.”

“The need for better standards and regulation would go a long way toward protecting companies and their cyber security posture, as well as their online brand presence and consumers’ safety,” researchers concluded.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.