
An 18 Month Summary of ICANN’s DNSTICR Project

2 September 2021

Siôn Lloyd, Lead Security, Stability, and Resiliency Specialist

A year and a half ago the world was coming to understand that COVID-19 was a pandemic of global proportion. Sadly, bad actors who use newsworthy events to drive traffic to their malicious websites were also waking up to it. In response, ICANN's Office of the Chief Technology Officer (OCTO) developed the Domain Name Security Threat Information Collection and Reporting (DNSTICR) project to report COVID-19-related Domain Name System (DNS) security threats.

It is challenging to identify phishing or malware in generic strings, particularly those that may have localized language or context. OCTO's approach for the DNSTICR project entails searching for terms in new domain name registrations related to COVID-19, quantifying those domain names which are demonstrably malicious, and reporting them to their supporting registrars. The details of this work can be seen here.

On 4 April 2020 we saw the peak in new COVID-19-related domains, with 5,543 new domains registered in one day. This fell sharply through May and June, and since then the curve has largely flattened.

Of the 210,939 pandemic-related domains seen from May 2020 to August 2021, the majority were benign or had no reputation. In total, 12,860 (6.1%) domains were the subject of reports from reputation providers. If we further limit this set of domains to those with high-confidence or multiple pieces of evidence, we see 3,791 domains (1.8% of our pandemic-related registrations) being flagged.

This shows the difference between how many domains might be labelled "suspicious" versus how many have any evidence of misuse.

Trends

Within the data we are collecting we see other trends. For example, in the early stages the term "corona" was among the most commonly seen in registrations. However, as we move through April and onward, we see the term "covid" replacing it. Looking over the full 18 months, "covid" dominates, providing nearly 25% of the registrations we have examined.

Terms with smaller contributions also show variety over time. For example, "vaccine" contributes just 4% of our overall set; but we see the volume of matching registrations starting to grow in November 2020 and peaking in mid-January 2021.

These trends reflect what we see from other observations of how the language of the pandemic was changing over time, for example Google Trends shows similar patterns.
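The approach described above (keyword matching on new registrations, then separating domains that merely carry a pandemic-related term from those with reputation-provider evidence, and tracking which terms dominate over time) can be illustrated with a small script. This is an added example, not ICANN's DNSTICR code: the keyword list, its localised variants, the domains, provider names, dates and confidence levels are all constructed here, and the rule "a high-confidence report, or reports from two or more distinct providers" is an assumed reading of "high-confidence or multiple pieces of evidence".

```python
"""Added example (not ICANN's DNSTICR code): keyword-match new domain
registrations against pandemic-related terms, fold in reputation-provider
reports, and separate "matches a keyword" from "has evidence of misuse".
All domains, providers, dates and confidence values are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed keyword categories. The page names only "corona", "covid" and
# "vaccine"; the non-English variants are assumptions added for illustration.
KEYWORDS = {
    "covid": ["covid"],
    "corona": ["corona", "koronavirus"],
    "vaccine": ["vaccine", "vacuna", "vaccin", "impfstoff"],
}


@dataclass
class Registration:
    domain: str
    registered: str  # ISO date, YYYY-MM-DD


@dataclass
class Report:
    domain: str
    provider: str
    confidence: str  # "high" or "low"


def match_terms(domain):
    """Return the set of keyword categories found in the domain's label.
    Matching is substring-based on the lowercased label with hyphens and the
    TLD removed, so it deliberately over-matches (e.g. 'coronado')."""
    label = domain.lower().rsplit(".", 1)[0].replace("-", "")
    return {cat for cat, variants in KEYWORDS.items()
            if any(v in label for v in variants)}


def triage(registrations, reports, min_providers=2):
    """Classify keyword-matched domains.
    'suspicious' = any reputation report at all;
    'flagged'    = at least one high-confidence report, or reports from
                   >= min_providers distinct providers (assumed rule)."""
    matched = [r for r in registrations if match_terms(r.domain)]
    by_domain = defaultdict(list)
    for rep in reports:
        by_domain[rep.domain].append(rep)
    suspicious, flagged = [], []
    for r in matched:
        reps = by_domain.get(r.domain, [])
        if not reps:
            continue  # benign or no reputation: the majority case
        suspicious.append(r.domain)
        providers = {rep.provider for rep in reps}
        if any(rep.confidence == "high" for rep in reps) or len(providers) >= min_providers:
            flagged.append(r.domain)
    return {"matched": len(matched), "suspicious": suspicious, "flagged": flagged}


def term_share_by_month(registrations):
    """For each month, the fraction of keyword-matched registrations that
    contain each category. A domain matching two categories counts toward
    both, so shares within a month may sum to more than 1."""
    matched_per_month = Counter()
    hits = defaultdict(Counter)
    for r in registrations:
        cats = match_terms(r.domain)
        if not cats:
            continue
        month = r.registered[:7]
        matched_per_month[month] += 1
        for c in cats:
            hits[month][c] += 1
    return {m: {c: n / matched_per_month[m] for c, n in hits[m].items()}
            for m in sorted(matched_per_month)}


# Constructed sample feed: .example is reserved (RFC 2606), so nothing resolves.
SAMPLE_REGISTRATIONS = [
    Registration("covid-relief-fund.example", "2020-03-20"),
    Registration("coronahelp.example", "2020-03-22"),
    Registration("bakery-orders.example", "2020-03-25"),
    Registration("get-vacuna-now.example", "2021-01-10"),
    Registration("vaccine-appointments.example", "2021-01-12"),
    Registration("covidvaccinecenter.example", "2021-01-15"),
]
SAMPLE_REPORTS = [
    Report("covid-relief-fund.example", "providerA", "low"),
    Report("covid-relief-fund.example", "providerB", "low"),   # two providers
    Report("coronahelp.example", "providerA", "low"),          # single low report
    Report("get-vacuna-now.example", "providerC", "high"),     # one high report
    Report("bakery-orders.example", "providerA", "high"),      # not keyword-matched
]

if __name__ == "__main__":
    print(triage(SAMPLE_REGISTRATIONS, SAMPLE_REPORTS))
    print(term_share_by_month(SAMPLE_REGISTRATIONS))
```

Of the five matched registrations in the sample, three carry some report (the "suspicious" set) but only two meet the evidence threshold, which is the gap between "labelled suspicious" and "has evidence of misuse" that the numbers above describe. The substring matcher also shows why localised or ambiguous strings make this hard: it would count any domain containing "corona" or "vaccin", so the reputation-evidence step, not the keyword hit, is what justifies a report to a registrar.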

Summary

Over the past 18 months we have seen a surge, and fall, in new domain registrations that match a set of keywords related to the COVID-19 pandemic. While the majority of these domains have not been observed to be malicious in any way, a minority have been identified as harmful.

Upon observation, many of the malicious campaigns are predictable, offering incentives, often financial, or posing as a legitimate log-in page to steal credentials or deliver malware. The only difference is that in our set the "hook" used to lure victims in involves COVID-19 in some fashion.

DNSTICR is an ongoing project that continues to evolve with the ever-changing COVID-19 global pandemic. OCTO will continue to provide updates on this project to the ICANN community, registrars and registries, security professionals, and Internet users.

A more detailed report will be published in the near future.
