Skip to main content

Domain Name Security Threat Information Collection & Reporting (DNSTICR)

DNSTICR is an ongoing project of the ICANN Office of the Chief Technology Officer (OCTO) that looks at registrations related to the COVID-19 pandemic to find evidence of any activity related to malware or phishing. Where sufficient evidence of malicious activity is found, the ICANN organization sends a report to the responsible registry or registrar so that they can determine the appropriate action, such as suspending or deleting the domain name.

Interested in learning about Domain Name Security Threat Information Collection and Reporting (DNSTICR)? Click here to explore our easy-to-read brochure.

For a more information, read our latest blogs on this project:

An 18 Month Summary of ICANN's DNSTICR Project

Reporting Potential Pandemic-Related Domains

ICANN Org's Multifaceted Response to DNS Abuse

Frequently Asked Questions (FAQ)

What is the Background?

In response to reports of COVID-19-related Domain Name System (DNS) Security Threats, ICANN began to study COVID-19-related domain registrations and identify the most clear-cut cases where domains are being used for phishing or malware distribution. ICANN then produces reports for each identified domain name. Each report includes evidence of phishing or malware campaigns and other background information that can be helpful for a responsible party (primarily registrars or registries) to determine the appropriate course of action. These reports are then provided to the responsible parties for them to determine the correct course of action, for example suspending or deleting the domain name.

It is important to recognize that ICANN is using an evidence-based approach that identifies names that appear to have been used for malicious purposes and are related to the COVID-19 pandemic. Many of the reports in the popular press and elsewhere include names that contain COVID-19-related terms and are considered, therefore, to be a risk. As a result, these reports cite case numbers of domain name abuse that are significantly higher than those we have observed and include many names that may be in use for legitimate purposes. Some reports also list hundreds of thousands more cases than the few thousands for which ICANN found evidence of problems. The number of cases ICANN finds sufficient evidence to report a problem is usually in the low hundreds. In addition, DNSTICR focuses exclusively on phishing and malware distribution, whereas other reports include counts of domains used in spam, fraud, and other content-related matters. As a result, those reports will likely have higher numbers.

Why is This Topic/issue Important to ICANN?

DNS Security threats, such as phishing and malware distribution campaigns, have been identified as within ICANN's remit and area of interest. Projects such as DNSTICR not only allow for the mitigation of these issues, but also provide ICANN with evidence-based insights into the actualities of how and at what level these threats are taking place. ICANN believes that evidence-based data and study are critical to the policy development processes and to the reduction of harm caused by DNS Security Threats.

What Are Current Terms/Words That are Presently Being Monitored?

Currently, OCTO is monitoring new terms related to COVID, stimulus payments, lockdowns, suggested treatments, vaccines, and various pharmaceutical companies. Where appropriate, we have translated terms and included Internationalized Domain Names (IDN) forms. While we have added new terms as the situation has evolved, it is quite possible that we are missing some.

How Big is the Problem?

Since we started collecting consistent, timely data in May 2020 we have detected 210,939 domains that match one or more of our keywords. Most of these domains are benign or have a neutral reputation (e.g., they are not being used). One or more of our third-party sources contained evidence on 12,860 (6.1%) of these filtered domains, but this includes low-quality reports. Limiting to just high-confidence or multiple independent pieces of evidence we see 3,791 (1.8%) of the domains being flagged.

Who Can I Contact If I Have Additional Questions About This Effort?

Please contact the OCTO team at if you have any additional thoughts or comments about this effort.

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."