21 Feb Explosion Of COVID-19 Vaccine Related Unsafe Domain Names
Typosquatting persists in 2021
– Jonathan Zhang, CEO at Whois XML API
Walnut, Calif. – Jan. 21, 2021
The topic of COVID-19 vaccines has been much talked about ever since the pandemic began, and it naturally continues to drive a lot of attention from people around the world. That attention has also tended to convert into spikes in domain registration activity.
For example, back in August 2020, when the Sputnik vaccine started making waves, the Typosquatting Data Feed picked up dozens of Sputnik-related domain names only a day after Russia’s announcement. What’s more, when vaccination campaigns in various countries started in late 2020, registrations for domains containing the word “vaccine” also peaked. The chart below reflects the said trend.
Figure 1: Registration trend for domains containing the string “vaccine”
Given this sizable activity in domain registration, we decided to take a closer look at the domains and summarized our findings in this post.
Analysis of the Vaccine-Related Domains
Between January 1, 2020, and January 7, 2021, our Newly Registered Domains (NRD) Database detected 12,436 domain names that contain the string “vaccine,” with an allowance for one typographical error to include possible misspellings.
Other Terms Used in the Domains
In a majority of the domain names, the word “vaccine” appeared alongside other text strings. Most of the commonly seen terms are technical in nature, such as:
- vaccination
- vaccinate
- covid
- coronavirus
- freezer
- clinic
- trial
- tracker
- certificate
However, words that express skepticism were also observed. Some examples of these terms are “don’t” and “stop.”
Top-Level Domain Distribution
About 64 percent of the vaccine-related domains fall under the .com top-level domain (TLD), while the rest are distributed among 29 other TLDs.
Figure 2: Number of registered vaccine-related domains for the top 10 TLDs
It is also worth noting that the most prominent TLDs after .com are long-established ones such as .org, .net, and .info. There are also country-code TLDs (ccTLDs) like .uk, .se, and .ru.
Domains Registered in Bulk
Around 16.37 percent of the domains were registered in bulk and look very similar to each other. As such, they were detected by our Typosquatting Data Feed. For example, the domains 2019ncovvaccine[.]com, 2019-ncovvaccine[.]com, and 2019ncovvaccines[.]com all made it into the Domain Name System (DNS) on January 25, 2020. They used the same TLD and were different variations of the string “2019 NCOV vaccine.”
Moreover, we saw domain groups that use different TLDs with the same text strings, such as the following, which appeared in the DNS on January 28, 2020:
- veganvaccinations[.]com
- veganvaccinations[.]net
- veganvaccination[.]com
- veganvaccination[.]info
- veganvaccinations[.]info
The largest typosquatting group comprised 26 domains that were bulk-registered on January 1, 2021. They were variations of the text string “browardcovidvaccine,” which alludes to the vaccination campaign in Broward County in Florida, where the website for its online vaccination registrations (browardcovidvaccine[.]com) went offline on December 31, 2020, and was fixed three days later.
Source: https://twitter.com/FLHealthBroward/status/1344420090394107904
Source: https://twitter.com/FLHealthBroward/status/1345691750610984961
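As an added illustration (not code from the post or from WhoisXML API), the script below applies the two rules described in this analysis: the filter for labels that contain “vaccine” with an allowance for one typographical error, and the grouping of same-day registrations that differ only by hyphens, plural form or TLD, as in the bulk-registration examples above. The sample records are constructed (the post's own example domains plus three made-up entries), and the one-edit substring match and the hyphen/plural stemming are assumptions about how such a feed could work, not the vendor's actual method.

```python
import re
from collections import defaultdict

TARGET = "vaccine"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: substitutions, insertions and deletions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def contains_fuzzy(label: str, target: str = TARGET) -> bool:
    """True if some substring of label is within one edit of target, i.e. the
    label 'contains vaccine' with an allowance for one typographical error."""
    n = len(target)
    return any(edit_distance(label[s:s + w], target) <= 1
               for w in (n - 1, n, n + 1) for s in range(len(label) - w + 1))

def stem_of(label: str) -> str:
    """Collapse hyphen and singular/plural variants so lookalikes share one key (assumed rule)."""
    return re.sub(r"s$", "", label.replace("-", ""))

def find_bulk_clusters(records):
    """records: iterable of (domain, 'YYYY-MM-DD'). Returns groups of two or more
    fuzzy-'vaccine' domains sharing a stem and a registration day (bulk lookalikes)."""
    groups = defaultdict(list)
    for domain, day in records:
        label = domain.lower().replace("[.]", ".").split(".")[0]  # undo defanging, keep 2LD label
        if contains_fuzzy(label):
            groups[(day, stem_of(label))].append(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}

# Constructed sample feed: the post's own example domains plus three made-up entries.
SAMPLE = [
    ("2019ncovvaccine[.]com", "2020-01-25"),
    ("2019-ncovvaccine[.]com", "2020-01-25"),
    ("2019ncovvaccines[.]com", "2020-01-25"),
    ("veganvaccinations[.]com", "2020-01-28"),
    ("veganvaccination[.]info", "2020-01-28"),
    ("veganvaccines[.]net", "2020-01-28"),     # made up: a hit, but a different stem
    ("vacinetracker[.]org", "2020-12-10"),     # made up: one-typo hit, singleton
    ("freezer-supplies[.]com", "2020-12-10"),  # made up: no hit
]

if __name__ == "__main__":
    for (day, stem), members in sorted(find_bulk_clusters(SAMPLE).items()):
        print(day, stem, members)
```

On the sample feed this yields the two clusters from the post (the 2019ncovvaccine trio and the veganvaccination pair), while the singleton typo hit and the non-matching domain are left out.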
Not All Domains Are Safe to Interact With
It’s always best to investigate domain names that seem to ride on newsworthy events or topics. While some of them could be benign and part of large-scale domaining activity, vaccine-related domains could also be weaponized for phishing and other attacks.
In fact, some of the vaccine-related typosquatting domains have already been reported on VirusTotal for phishing and other suspicious activities. One example is the following group of domains, which were bulk-registered on August 1, 2020:
- covid19vaccinedistributors[.]com
- covid19vaccinedistributor[.]com
- covid19vaccinedistribution[.]com
Regarding the Broward County vaccination registration website, none of the typosquatting domains were reported for suspicious or malicious activity. However, it should be noted that only two of the typosquatting domains share the same WHOIS privacy protection service and registrar as the official Broward County website. The other 24 domains all share a single registrar and domain protection service among themselves, which differ from those of the official site.
As scientists were busy formulating coronavirus vaccines and governments were developing vaccination programs, the domain name world was quite active, too. Over 12,000 domains related to the COVID-19 vaccine were registered within one year, most of which need to be treated with caution.
Are you a security officer, researcher, or product developer interested in expanding your domain intelligence sources? Contact us for research partnerships and more information on the vaccine-related domains mentioned in this post.
– Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, an intelligence vendor trusted by over 50,000 clients.
Sponsored by Whois XML API
Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive cyber-security package that offers maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, and data intelligence enrichment across a variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.