21 Feb Explosion Of COVID-19 Vaccine Related Unsafe Domain Names

Typosquatting persists in 2021

– Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Jan. 21, 2021

The topic of COVID-19 vaccines has been much talked about ever since the pandemic began, and it naturally continues to drive a lot of attention from people around the world. That attention has also tended to convert into spikes in domain registration activity.

For example, back in August 2020, when the Sputnik vaccine started making waves, the Typosquatting Data Feed picked up dozens of Sputnik-related domain names only a day after Russia’s announcement. What’s more, when vaccination campaigns in various countries started in late 2020, registrations for domains containing the word “vaccine” also peaked. The chart below reflects the said trend.

Figure 1: Registration trend for domains containing the string “vaccine”

Given this sizable activity in domain registration, we decided to take a closer look at the domains and summarized our findings in this post.

Analysis of the Vaccine-Related Domains

Between January 1, 2020, and January 7, 2021, our Newly Registered Domains (NRD) Database detected 12,436 domain names that contain the string “vaccine,” with an allowance for one typographical error to include possible misspellings.

Other Terms Used in the Domains

In a majority of the domain names, the word “vaccine” appeared alongside other text strings. Among the most commonly seen terms are technical in nature, such as:

• vaccination
• vaccinate
• covid
• coronavirus
• freezer
• clinic
• trial
• tracker
• certificate

However, words that express skepticism were also observed. Some examples of these terms are “don’t” and “stop.”

Top-Level Domain Distribution

About 64 percent of the vaccine-related domains fall under the .com top-level domain (TLD), while the rest are distributed among 29 other TLDs.

Figure 2: Number of registered vaccine-related domains for the top 10 TLDs

It is also worth noting that the most prominent TLDs are old, such as .org, .net, and .info. There are also country-code TLDs (ccTLDs) like .uk, .se, and .ru.

Domains Registered in Bulk

Around 16.37 percent of the domains were registered in bulk and look very similar to each other. As such, they were detected by our Typosquatting Data Feed. For example, the domains 2019ncovvaccine[.]com, 2019-ncovvaccine[.]com, and 2019ncovvaccines[.]com all made it into the Domain Name System (DNS) on January 25, 2020. They used the same TLD and were different variations of the string “2019 NCOV vaccine.”

Moreover, we saw domain groups that use different TLDs with the same text strings, such as the following, which appeared in the DNS on January 28, 2020:

• veganvaccinations[.]com
• veganvaccinations[.]net
• veganvaccination[.]com
• veganvaccination[.]info
• veganvaccinations[.]info

The largest typosquatting group comprised 26 domains that were bulk-registered on January 1, 2021. They were variations of the text string “browardcovidvaccine,” which alludes to the vaccination campaign in Broward County in Florida, where the website for its online vaccination registrations (browardcovidvaccine[.]com) went offline on December 31, 2020, and was fixed three days later.

Source: https://twitter.com/FLHealthBroward/status/1344420090394107904

Source: https://twitter.com/FLHealthBroward/status/1345691750610984961

Not All Domains Are Safe to Interact With

It’s always best to investigate domain names that seem to ride on newsworthy events or topics. While some of them could be benign and part of large-scale domaining activity, vaccine-related domains could also be weaponized for phishing and other attacks.

In fact, some of the vaccine-related typosquatting domains have already been reported on VirusTotal for phishing and other suspicious activities. One example is the following group of domains, which were bulk-registered on August 1, 2020:

• covid19vaccinedistributors[.]com
• covid19vaccinedistributor[.]com
• covid19vaccinedistribution[.]com

Regarding the Broward County vaccination registration website, none of the typosquatting domains were reported for suspicious or malicious activity. However, it should be noted that only two of the typosquatting domains share the same WHOIS privacy protection service and registrar as the official Broward County website. The 24 other domains have the same registrar and domain protection service.

As scientists were busy formulating coronavirus vaccines and governments were developing vaccination programs, the domain name world has been quite active, too. Over 12,000 domains related to the COVID-19 vaccine were registered within one year, most of which need to be treated with caution.

Are you a security officer, researcher, or product developer interested in expanding your domain intelligence sources? Contact us for research partnerships and more information on the vaccine-related domains mentioned in this post.