WASHINGTON – U.S. Senator Maggie Hassan (D-NH) joined Senators Mazie Hirono (D-HI) and Cory Booker (D-NJ) in calling on the leaders of eight domain name registrars and hosting sites, including GoDaddy and Namecheap Inc., to explain the steps that their companies are taking to combat misinformation about the COVID-19 pandemic.
Scammers and cybercriminals are preying on the public’s increasing need for real-time, verifiable information as COVID-19 spreads across the country. In their letters, the Senators cited a dramatic increase in fake websites that reference COVID-19 or other online platforms used for telework and distance learning, including Zoom, Google Classroom, and Microsoft Teams.
“As cybercriminals and other malevolent actors seek to take advantage of the coronavirus pandemic, it is critical that domain name registrars like yours (1) exercise diligence and ensure that only legitimate organizations can register coronavirus-related domain names and domain names referencing online communications platforms; (2) act quickly to suspend, cancel, or terminate registrations for domains that are involved in unlawful or harmful activity; and (3) cooperate with law enforcement to help bring to justice cybercriminals profiting from the coronavirus pandemic,” the Senators wrote.
The Senators sent letters to the executives of GoDaddy, Dynadot, Donuts Inc., Namecheap Inc., Web.com, Endurance International Group, InMotion Hosting, and DreamHost. One of the letters, addressed to GoDaddy Chief Executive Officer Amanpal S. Bhutani, can be found here and below. The other letters raise the same concerns and ask for information from the seven other domain name registrars and hosting sites.
Dear Mr. Bhutani:
We write regarding recent reports that cybercriminals are registering domain names that include references to the coronavirus or online communications platforms in widespread use at this time of social distancing—such as Zoom, Google Classroom, and Microsoft Teams—to conduct “phishing” schemes, install malware, spread misinformation about the virus, or otherwise take advantage of Internet users. As people the world over turn increasingly to the Internet for information about the coronavirus and use online applications to work, learn, and keep in contact with friends and family, it is imperative that domain name registrars not turn a blind eye to such illicit activity but, rather, act to protect the Internet-using public.
While the coronavirus was first detected in late-2019, it did not start to enter the public consciousness until January 2020 when the disease began to take hold in nations outside China. Prior to this time, registrations for domain names containing coronavirus-related terms were negligible to non-existent.
As the disease—and awareness of it—spread, it is not surprising that governments, health authorities, and legitimate businesses would register domain names containing terms like “coronavirus” and “covid” in order to inform the public and provide essential goods and services. For example, the United States government registered and maintains a website at coronavirus.gov that provides Americans with the latest information on the coronavirus, including how to protect themselves and what to do if they get sick. The World Health Organization similarly registered coronavirus.com.
However, the exponential growth in registrations containing “coronavirus,” “covid,” and similar terms since late-January suggests that cybercriminals and other malevolent actors are attempting to take advantage of the pandemic. An analysis by intelligence firm Recorded Future found that coronavirus-related domain names drastically increased after January 19, 2020 with over 1,000 new such domain names registered daily by the end of February. A separate analysis by threat intelligence firm RiskIQ found more than 10,000 new coronavirus-related domains daily by mid-March, including 35,000 such domains on March 16 alone.
A review of the websites found at these domain names confirms what the sheer number of registrations made obvious: cybercriminals and malevolent actors are exploiting the coronavirus pandemic to take advantage of Internet users. Journalists for business technology website ZDNet reviewed a random sample of such websites and discovered that “in nine out of ten cases” the sites were “scam[s] . . . peddling fake cures” or “private sites, most likely used for malware distribution.” Security firm Check Point found that coronavirus-related domains were 50% more likely to be malicious than other domains registered between January and early-March 2020. And, cyber risk scorecard provider NormShield identified at least 362 domains registered in 2020 with names that reference drugs touted as potential treatments for the coronavirus (e.g., remdesivir, chloroquine) that are likely phishing sites.
This illicit activity has now spread as bad actors have begun to register domain names that reference online communications platforms in widespread use during this time of social distancing. A recent analysis by Check Point uncovered more than 1,700 domain names registered since the start of 2020 containing a reference to videoconferencing platform “Zoom”—25% of which were registered in just the last full week of March. Of these domains, Check Point found that 4% contain suspicious characteristics. The firm found additional phishing websites impersonating other online communication platforms, including Google Classroom and Microsoft Teams.
As cybercriminals and other malevolent actors seek to take advantage of the coronavirus pandemic, it is critical that domain name registrars like yours (1) exercise diligence and ensure that only legitimate organizations can register coronavirus-related domain names and domain names referencing online communications platforms; (2) act quickly to suspend, cancel, or terminate registrations for domains that are involved in unlawful or harmful activity; and (3) cooperate with law enforcement to help bring to justice cybercriminals profiting from the coronavirus pandemic.
To better understand if your company is meeting these expectations, we request answers to the following questions by April 20, 2020:
Thank you in advance for your attention to this critical matter. Due to the closure of many Senate offices during the coronavirus outbreak, physical signatures are unavailable. The listed senators have asked to be signatories to this letter.
###