Coronavirus Online Threats Going Viral, Part 1: Domain Names


Dr. David Barnett
subject matter expert – brand monitoring
Share this post

As news of the spread of the coronavirus (COVID-19) continues to emerge, CSC has undertaken the first in a series of studies looking at how the development of the crisis has affected online content. This first article looks at the numbers of registered domains with names containing coronavirus-related strings—“coronavirus” or “covid(-)19” (optional hyphen)—and analyzes the types of content present on the associated websites.

In our investigation, we found 6,341 domains containing the string ‘covid(-)19’, and 11,552 domains containing ‘coronavirus’[1]. Many of these registered domain names include other terms, implying that the associated websites feature neutral or informational content. However, significant numbers incorporate particular keywords suggesting that they could have been registered to take advantage of people’s fears surrounding coronavirus to attract web traffic. These domains may be used to create websites associated with scams, or with the intention of generating revenue.

Table 1: Total number of coronavirus-related domains containing keywords of particular interest.

Keyword No. coronavirus-related domains containing keyword1
Treatment-related keywords:  
  anti (excl. “quarantine”) 187
  Beat 40
  treatment 80
  Cure 197
  surviv- 283
  vaccin- 227
   
Tracking and testing-related keywords:  
  Detect 15
  Track 90
  Test 801
   
eCommerce-related keywords:  
  Buy 38
  Mask 415
  Kit 316
  suppl- (for “supply,” “supplies,” or “supplier”) 130
   
Health organization keywords:  
  CDC 19
  WHO 19
   
Total no. domains with keywords (excl. duplicates) 2,646

We further analysed this set of domains to determine[2] when the domains were registered. This analysis shows that of the 2,000 plus domains for which creation dates were identifiable, only 17 domains (0.8%) were registered before 2020, and 68% (1,400+ domains) were registered since the start of March—that’s just two weeks prior to the date of analysis.

Figure 1: Daily numbers of registrations of coronavirus-related domains featuring keywords of relevance.

N.B. We truncated the graph at three days prior to the date of analysis, as there can typically be a delay of around two to three days between the date of domain registration and its inclusion and detection in the published zone file. Accordingly, the numbers of registrations shown for (at least) the two or three days prior to analysis are likely to be underestimates.

– – –

These figures provide a striking illustration of how escalating real-world issues can produce a flurry of corresponding activity online, with an enormous increase in registrations as countries began to announce lockdown measures throughout March. We can also see spikes in the domain-registration graph associated with specific events:

  • The first announcements of the emergence of coronavirus outside China in late January
  • The WHO announcement of COVID-19 as the specific strain on February 11
  • The start of Italy’s lockdown in late February[3]

What’s in a domain name?

Nearly 75% of the 2,646 domains with keywords of interest produced a live webpage response[4]. Around three-quarters of these currently don’t point to an active site, i.e., no page title, or a title suggesting that only a holding page is present. That said, even these may have been registered with a goal of monetizing the domain name, either through pay-per-click links on the site or explicitly offering the domain name for sale.

Setting aside inactive domains still leaves around 500 coronavirus-related domains featuring relevant keywords and appearing to host active websites. Thirty-two of that 500 achieve significant web traffic, attracting over 8,000 internet users daily between them. The websites resolve to a range of content, although just over a third resolve to active eCommerce sites offering face masks for sale. Others include eCommerce sites selling coronavirus testing kits or other healthcare products; sites linking to online pharmacies; sites offering global coronavirus tracking functions; and a range of other informational sites.

Table 2: Description of content for the top 10 coronavirus-related domains by daily traffic featuring relevant keywords.

Page title Site content Daily visitors
Covid-19 FaceMask – Anti Corona Mask eCommerce site: face masks 1,800
Mask Machine eCommerce site: face masks 1,200
Treatment for Coronavirus – Latest Information on Corona Causes, Symptoms & Treatment Site promoting an online pharmacy 990
2019 Coronavirus Tracker – About Informational blog site 600
COVID-19 Tracker Site offering a case-tracking service 600
Corona Virus Mask | Corona Virus Mask eCommerce site: face masks 330
Corona Virus Masks – Corona Virus Masks eCommerce site: face masks (partially-constructed) 300
Coronavirus COVID-19 Masks for Sale and Masks In Stock 3M N95 eCommerce site: face masks 300
CoronaVirusFacemask eCommerce site: face masks 240
Coronavirus Mask Source: In stock N95 Masks eCommerce site: face masks 180

N.B. (i) Sites that do not currently include active website content are shown in italics.

(ii) Domain names are not shown, and any company names have been redacted.

– – –

Figure 2: Example screenshots of high-traffic eCommerce sites offering the sale of face masks, and coronavirus testing kits; coronavirus tracking sites; and online pharmacies.

Why does it matter to brands?

Registering a domain and creating an associated website is quick, simple, and essentially unregulated. This provides a range of opportunities for any would-be infringer and, as our findings have shown, can pose a variety of risks for internet users. Where physical products are being sold, the items could be manufactured using sub-standard materials, or without rigorous quality checks. Consumers run the risk that products may not just be ineffective, but actually harmful. Many of the identified eCommerce sites offered products using known and trusted brand names. The risk of these being counterfeit is one reason why brand owners should pay close attention to the developing landscape, and take appropriate enforcement action to protect their customers and their reputation.

The social risks of misinformation

Where unofficial sites use the name or branding of a legitimate health organisation (e.g., CDC or WHO) to appear official or lend credibility to its content, the public is at risk of incorrect safety information or a phishing attack. Stay tuned for a post from us on COVID-19 phishing attack opportunities.

Figure 3: An example of a site infringing on CDC and WHO branding. The domain has been registered using a privacy-protection service to hide the contact details of the owner.

Other identified websites offer coronavirus tracking mobile apps—a risk to the public in light of reports that some coronavirus tracking apps actually host malicious content or ransomware. Look for our upcoming post on COVID-19 and fake mobile apps.

Recommendations for brand owners

As the coronavirus story continues to develop, it is advisable to monitor for third-party domain names—and material in other online areas—that may be using a brand name to lend credibility to site content or offer the sale of counterfeits. CSC’s monitoring technology is able to search for brand-related appearances across a range of internet content types, and prioritize findings by the number and prominence of brand mentions, and their proximity to keywords or key phrases of particular relevance or concern. Following identification of infringing content, a rapid process of enforcement for the removal of damaging content can help to protect customers, company reputation, and revenue. Above all, throughout this developing crisis, it’s most important to take all necessary precautions—both online and offline—to be safe and stay well.

If you’d like to find out more about our brand monitoring solutions – including domain name, internet, social media and mobile app monitoring – please click here, or fill out our online form to be contacted by one of our team.

Share this post


[1] Numbers correct as of 03/18/2020

[2] Wherever this information is available via an automated look-up

[3] edition.cnn.com/2020/02/06/health/wuhan-coronavirus-timeline-fast-facts/index.html

[4] Excluding those that return no HTTP response, or generate an error code.