Skip to content
Naked Security Naked Security

ICANN asks registrars to crack down on scam coronavirus websites

It doesn't have regulatory authority, so it can't do much, but the hundreds of registrars it authorizes can and should.

When is ICANN going to do something about the explosion of scammy domains spawned by the COVID-19 pandemic?
We can’t, the overseers of the internet said last Tuesday (7 April), throwing its hands in the air and telling domain registrars that they can — and should.
On Wednesday, Agence France-Presse (AFP) reported that the internet domain-name overseers at ICANN – that’s the Internet Corporation for Assigned Names and Numbers – had taken the unusual step of sending a letter to the hundreds of domain name registrars around the globe that are accredited by ICANN to issue new website domain names.


The thing is, ICANN doesn’t have the authority to police website content. We know scammers are running wild, but we’re hamstrung when it comes to stopping them, ICANN chief executive Goran Marby said in the letter:

ICANN cannot, under our bylaw and practically speaking, involve itself in issues related to website content.
That does not mean we are unconcerned or unaware of how certain domain names are being misused in fraudulent activities during this global pandemic.

AFP referred to a recent report from the security research-focused Interisle Consulting Group (ICG) following its review of WHOIS practices among registrars. The report, which was prepared for ICANN, highlights the severity of pandemic scams, which all run on sites provided by registrars around the globe:

The pandemic has led to an explosion of cybercrime, preying upon a population desperate for safety and reassurance. These criminal activities require domain names, which are being used to run phishing, spam, and malware campaigns, and scam sites.

ICG found that last month alone, at least 100,000 new domain names were registered containing terms like “covid,” “corona,” and “virus”, as well as more domains registered to sell items such as medical masks, and yet more domains used to spam out ads for COVID-themed scams.

As of this writing, the number of confirmed malicious COVID-related domains is in the thousands.

The date on the report: 31 March. A few days before that, we saw an example when hijacked Twitter accounts were used to advertise face masks.
Also in late March, the US Department of Justice (DOJ) began prosecuting scam sites, starting with a domain that was hawking the phony-as-a-$3-bill “free coronavirus vaccine”, purportedly from the World Health Organization (WHO), for “only $4.95 to cover shipping costs”.
Who does that? A whole lot of low-lifes, that’s who, as ICANN security chief John Crain told AFP:

COVID-19 is unique in that it is truly global. And the cyber bad guys haven’t drifted toward it – they have rushed toward it like a barrel off Niagara Falls. This is a new low, preying on people at a time like this.

Crain noted that ICANN isn’t a regulator, and it has no enforcement authority per se. The letter lacked regulatory weight; rather, it was meant to remind registrars that “this is not about business as usual,” he said.

Some ARE trying to stop the bad domains

ICANN is throwing its hands in the air, but those hands are, admittedly, tied. But while all it can manage is a “C’mon, guys”, there are people actually taking real, practical action to stem the flow of these scumbag domains.
One such is the COVID-19 Cyber Threat Coalition (CTC): a global volunteer community of individuals and companies that’s come together in the last few weeks to combat cyber threats that are exploiting the pandemic. Sophos is a sponsor.
One of the things the group does is to produce blocklists of known, bad coronavirus-related URLs, domains and IP addresses. It also offers threat advisories, research and mitigation strategies.
As Naked Security’s Mark Stockley points out, it’s not a replacement for what ICANN is trying to do. The group is just another part of the effort to keep us from drowning in pandemic profiteering and misdirection:

ICANN is trying to plug the leak while the COVID-19 CTC is trying to bail out the boat.

Here’s another resource when it comes to fighting the scam spewers: Sophos News is maintaining an ongoing, live report about COVID-19 threats that it’s continuously updating with new information as it becomes available.
Stay safe, be well, and by all means, throw your hat in the ring if you have threat intelligence you can contribute to the CTC. Here’s how.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

4 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!