Authors: Janos Szurdi, Zhanhao Chen, Oleksii Starov, Adrian McCabe, Ruian Duan
Executive Summary
With the spread of the coronavirus worldwide, interest is high in related topics.
Accordingly, Unit 42 researchers found an immense increase in Coronavirus-related Google searches and
URLs viewed since the beginning of February. Cybercriminals are looking to profit from
such trending topics, disregarding ethical concerns, and in this particular case preying on
the misfortunes of billions.
To protect customers of Palo Alto Networks, Unit 42 researchers monitor user interest in
trending topics and newly registered domain names related to these topics, as miscreants
often leverage them for malicious campaigns. Using Google Trends and our traffic logs, we
observed a steep increase in user interest in topics related to Coronavirus, with prominent
peaks at the end of January, the end of February, and the middle of March 2020.
Accompanying the growth in user interest, we observed a 656% increase in the average
daily Coronavirus-related domain name registrations from February to March. In this
timeframe, we witnessed a 569% growth in malicious registrations, including malware and
phishing, and a 788% growth in “high-risk” registrations, including scams, unauthorized
coin mining, and domains that have evidence of association with malicious URLs within the
domain or utilization of bulletproof hosting. As of the end of March, we identified 116,357
Coronavirus-related newly registered domain names. Out of these, 2,022 are malicious and
40,261 are “high-risk”.
We analyze these domains by clustering them based on their Whois information, DNS
records and screenshots (collected by our automated crawlers) to detect registration
campaigns. We found that while many domains are registered to be resold for a profit, a
significant fraction of them are used both for well-known malicious activities and for
fraudulent shops selling items in short supply. The traditional malice abusing Coronavirus
trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising,
cryptomining, and Black Hat Search Engine Optimization (SEO) for improving search
rankings of unethical websites. Interestingly, although many webshops that use newly
registered domains try to scam users, we detected an especially unethical cluster of
domains capitalizing on users’ fear of Coronavirus to further frighten them into buying their
products. Moreover, we discovered a group of Coronavirus-themed domains, which now serve
parked pages with high-risk JavaScript that may at any time start redirecting users to
malicious content.
Using Google Trends and our traffic logs, we observed a steep increase in user interest in
topics related to Coronavirus. In Figure 1, we can see how interested users are in
Coronavirus-related keywords based on Google Trends. In particular, we see three
prominent peaks at the end of January, the end of February, and the middle of March 2020.
The first peak aligns with the virus outbreak in China, the second peak signifies the first US
case of unknown origin, and the third peak is at the same time as the virus outbreak in the
US. One interesting exception in Figure 1 is alcohol, as users have an interest in it all year
round, with a peak at Christmas. Intuitively, the year-round interest in alcohol is for
drinking it, whereas the peaks aligned with Coronavirus are for medical alcohol.
Figure 2. Trend of users visiting Coronavirus-related URLs
Matching our observations about user interest from Google Trends, we see in Figure 2 a near ten-fold increase in the number of unique Coronavirus-related URLs visited by our customers comparing early February to late March.
The increased user interest in Coronavirus presents a lucrative opportunity for cybercriminals to profit from this pandemic. A common method for crooks to benefit from
trending topics is to register domain names that include related keywords such as
“Coronavirus” or “COVID”. These domain names often host legitimate-looking content and
are used for a wide variety of malicious activities, including tricking users into downloading
malicious files, phishing, scams, malvertising and cryptocurrency mining.
To combat criminals employing Coronavirus-related domain names, we obtain keywords
from trending topics. First, we automatically extract keywords using the Google Trends
API. Then we manually select the keywords most relevant to Coronavirus. Finally, using our
set of keywords, we closely monitor newly registered Coronavirus-related domain names.
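The monitoring pipeline described above (keyword matching over newly registered domains, the month-over-month growth metric, and grouping hits by a shared registration attribute to spot campaigns) as an added example; this is not Unit 42's code. The keyword list, the registrar-based grouping standing in for Whois/DNS clustering, and the NRD feed are all assumptions constructed for illustration.

```python
import calendar
import re
from collections import defaultdict

# Assumed keyword set, hand-picked from trend data as the post describes.
KEYWORDS = ("coronavirus", "covid", "corona", "ncov", "pandemic")
# Constructed sample NRD feed: (registration date, domain, registrar).
NRD_FEED = [
    ("2020-02-03", "covid19-test-kits.com", "RegistrarA"),
    ("2020-02-10", "my-garden-blog.net", "RegistrarB"),
    ("2020-02-20", "corona-virus-masks.shop", "RegistrarA"),
    ("2020-03-02", "coronavirus-cure.xyz", "RegistrarC"),
    ("2020-03-05", "covidrelief-fund.org", "RegistrarA"),
    ("2020-03-09", "buy-ncov-masks.com", "RegistrarA"),
    ("2020-03-15", "pandemic-supplies.store", "RegistrarC"),
    ("2020-03-20", "coronatest.info", "RegistrarA"),
]

def normalized_label(domain):
    """Second-level label, lowercased, with hyphens and digits stripped so
    'corona-virus-masks' and 'covid19' still match their keywords."""
    labels = domain.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return re.sub(r"[^a-z]", "", sld)

def is_keyword_domain(domain):
    """True if the domain's label contains any monitored keyword."""
    return any(kw in normalized_label(domain) for kw in KEYWORDS)

def daily_average(feed, month):
    """Average keyword-domain registrations per day for a 'YYYY-MM' month."""
    year, mon = (int(x) for x in month.split("-"))
    days = calendar.monthrange(year, mon)[1]
    hits = sum(1 for date, dom, _ in feed
               if date.startswith(month) and is_keyword_domain(dom))
    return hits / days

def growth_percent(feed, before="2020-02", after="2020-03"):
    """Percent growth in daily-average registrations (the post's 656% metric)."""
    base, later = daily_average(feed, before), daily_average(feed, after)
    return None if base == 0 else round((later / base - 1) * 100, 1)

def campaign_clusters(feed, min_size=3):
    """Group keyword domains by registrar; large clusters are campaign candidates."""
    groups = defaultdict(list)
    for _, dom, registrar in feed:
        if is_keyword_domain(dom):
            groups[registrar].append(dom)
    return {k: v for k, v in groups.items() if len(v) >= min_size}
```

On the constructed feed, growth_percent reports a 133.9% rise from February to March, and campaign_clusters surfaces RegistrarA as the only group with three or more keyword domains.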