Nominet, the UK’s domain name registry, is cracking down on fraudulent and malicious .uk domain name registrations relating to the Covid-19 coronavirus pandemic and says it has blocked or stopped the registration of more than 1,000 problematic domain names in the past few weeks.
In more normal times, Nominet looks out for scammers targeting banks, or HM Revenue & Customs, but according to CEO Russell Haworth, a major shift has taken place in overall phishing activity as cyber criminals retool their arsenal to take advantage of the pandemic.
“There is definitely an upswing in related registrations,” Haworth told Computer Weekly. “What we’re trying to do is capture and validate authentic registrations that have either a Covid-related or coronavirus-related term.
“We have blocked, or rather stopped from registering, 1,700 related domains that have been put on hold pending due diligence, and a small proportion of those, around 450, have responded to our satisfaction.
“But ultimately that means there are over 1,000 registrations that were potentially problematic and we are working through how we validate those potential domains, so that before they get out into the wild, they pass various criteria and we are keen to make sure we continue that.”
Haworth said Nominet’s work was clearly not intended to be a full-service solution to guard against malicious websites, but rather a helpful addition to stem the flow of cyber criminal activity exploiting the .uk domain space.
Nominet’s main means of addressing malicious actors trying to capitalise on the .uk domain space is its Domain Watch service, which was launched in 2018 and uses a combination of proprietary technical algorithms and human oversight to identify and hold new domain registration attempts that are obvious phishing attempts.
Nominet managing director of registry and public benefit, Ellie Bradley, said: “What we try to do is be smart about the terms that we’re looking for and this will constantly evolve, but obviously anything involving Covid-19 or coronavirus and things associated with that would flag.
“Of course, there is a balance all the time to strike because there are lots of legitimate reasons why people would want to register a domain name that involves one of those terms. We’ve seen support group websites, we’ve seen people blogging about their experience in isolation, we’ve seen legitimate activity come out of universities.
“We want to strike the balance whereby we are catching names that could potentially be used for phishing or have a criminal use, but also not preventing people who have a legitimate use getting access to a name and being able to use that.”
Bradley added: “We work very quickly with registrants to establish their intent, make sure we’re clear on exactly who’s registering the name, and then obviously if it’s a legitimate use, then make sure that it is delegated and can be up and running really quickly. We feel, as a responsible registry, that it’s reasonable to put that small delay in.”
But Nominet’s work does not end when a proposed domain name is either held or cleared for registration. The organisation leans on established relationships with multiple law enforcement agencies and other regulatory bodies, including the National Crime Agency (NCA), Trading Standards, and the UK government’s Medical and Healthcare Products Regulatory Agency (MHRA).
The relationship with MHRA is proving particularly invaluable during the current crisis when it comes to catching malicious websites that have, for whatever reason, slipped through Domain Watch’s net, said Bradley.
“We are working with the MHRA so that if a [domain] name where it’s not explicit that it’s related to Covid-19, but perhaps the content is, they come to us to take action if that site is criminal,” she said.
“We’ve had to act in relation to websites purporting to have treatments for coronavirus, or test kits and things that are not yet available in the UK. It’s very clear that law enforcement agencies want to address things that could cause harm to the public.”
Meanwhile, researchers at Wandera, a supplier of cloud security services to mobile workforces, have conducted their own analysis of connections to malicious domains during the pandemic. Like Nominet, they found multitudes of domains relating to free cures or free tests, financial support initiatives from national governments, and safety information from the World Health Organization.
The research team examined connections into sites hosting phishing campaigns, donation scams and malware that are using coronavirus-related keywords and domain names. They found a huge uptick in connections beginning at the end of January and lasting through February.
However, the Wandera data shows that malicious actors seemed to gain some serious momentum at the end of March.
“We found the number of visits to known bad sites was 22 times higher at the end of March than it was at the beginning of the year,” said the research team in a disclosure notice. “Comparatively, the number of visits to safe sites has only increased 6.5 times in the same period of time. This indicates that the volume of traffic to bad sites is currently growing much faster than traffic to safe sites.”
Wandera said the spike could be attributed to the development of more effective and convincing campaigns and phishing lures.
“Based on the trends we see here, we expect the volume of traffic to known bad Covid-19-related sites will continue climbing as bad actors tap into new waves of interest in various news angles, such as the effects on the job market or information on financial support programmes,” the researchers said.
“With so many implications to discuss and so many concerned citizens looking for information, bad actors will get crafty in order to continue attracting information-seekers to their malicious sites.”