“COVID” and “coronavirus” domain registrations have surged
Europe’s .eu domain registry manager says it is rolling out tough new systems designed to “prevent the registration of suspicious domain names”.
EURid, which works with 700 registry managers globally to let EU residents or citizens register .eu, .ею or .ευ domains, is baking the checks into its Abuse Prevention and Early Warning System (APEWS) in a bid to fight fraud and cybercrime.
The move comes after security researchers identified over 6,000 COVID-19 or coronavirus-related domains being registered in a single week. (Digital Shadows told Computer Business Review this week that 11,309 domains had been registered using the words “coronavirus” or “covid” since early January).
EURid will search new registrations for those with a pandemic-related word. Those identified as having one will be “required to validate their data and to submit a statement confirming that their domain was registered in ‘good faith’”.
It was not immediately clear what EURid meant by “validate”.
Cyber Threat Intelligence Team Lead at Digital Shadows Dr Jamie Collier explained the action undertaken by EURid further:
“Threat actors have attempted to capitalise on the public interest and concern in COVID-19 by registering domain names that contain keywords related to the pandemic. These are then used to either host malicious websites or distribute pandemic-themed phishing emails.”
“The measures unveiled by EURid are an attempt to prevent enticing COVID-19 domains from ending up in the wrong hands. This has included the introduction of a more rigorous vetting process around the individuals and organisations registering COVID-19 themed domain names”.
These added checks will be applied to both existing registrations and newly registered domains, and will be implemented until the end of the second quarter of 2020 with the possibility of continuation, subject to a quarterly review by the European Commission.
Suspect online domains meanwhile will be suspended, and any services linked to it, such as a website or an email, will not function until it has been manually reviewed by the EURid. The registry manager will then request the registrant to confirm their application data and to submit evidence of their identity.
Other Registrars are Undertaking the Same Measures
UK domain registrar Nominet has suspended 600 suspicious coronavirus websites in 2020’s first quarter. This spike in malicious activity has led them to apply the same level of scrutiny to domains with coronavirus key words as EURid.
Nominet use algorithms to seek out the attempted registration of potentially malicious domains linked to Coronavirus, and then man power to evaluate the registrants, contacting them in person where necessary.
The Internet Corporation for Assigned Names and Numbers (ICANN) meanwhile has announced that it will be invoking the 2012 Registrar Accreditation Agreement for a second time, which allows registrars to keep their domain without renewing their registration, in light of the pandemic.
This will help the prevention of malicious domain registrations by keeping potentially attractive domains to threat actors off the market if they expire.
Dr Jamie Collier, Cyber Threat Intelligence Team Lead at Digital Shadows said: “Organisations remain largely responsible for detecting and blocking phishing emails targeting their network. This is typically done through a combination of security controls and phishing awareness campaigns.
“However, domain name registrars can still play an important role in complementing these organisation-led efforts. EURid’s refreshing approach will help limit the growth of the COVID-19 phishing ecosystem. The new measures introduced highlight how a variety of stakeholders can actively contribute to improving cyber security.”
