Nearly 2,000 malicious COVID-19-themed domains created every day
2020-05-04 19:00

A new report from researchers with Palo Alto Networks' Unit 42 found that more than 86,600 of the 1.2 million newly registered domain names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 are classified as "Risky" or "Malicious." Unit 42's Jay Chen wrote the study, which analyzed all new domain names containing keywords related to the COVID-19 pandemic, and found that the United States, Germany, Russia and Italy had the highest number of malicious coronavirus domains.

On average, Chen found that 1,767 malicious COVID-19-themed domains were created every day between March 9, 2020 and April 26, 2020, and of the 86,600-plus domains, 2,829 domains hosted in public clouds were found to be "Risky" or "Malicious." Nearly 80% were hosted on Amazon Web Services, about 15% on Google Cloud Platform, 6% on Azure and less than 1% on Alibaba.

The report is based on data collected by RiskIQ, which is tracking new domains that have the keywords "Coronav," "Covid," "Ncov," "Pandemic," "Vaccine," and "Virus." "It is interesting to see that only 5% of the NRDs are found malicious in public clouds, while 7.5% of NRDs are found malicious in the entire internet. The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds," Chen wrote.

One particular Cloudflare IP, 23.227.38[.]64, is directly tied to 50 risky or malicious domains, the report says, adding that more than 2,000 other benign domains also resolve to the same IP. This design, which Chen calls "many-to-many domain to IP mapping," is very hard for firewalls to block because a blacklisted IP "may fail to block the traffic to/from a malicious domain while unintentionally making many other benign domains unreachable."
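The blocking problem described above, worked through on constructed data; this is an added example, not code from the Unit 42 report or the article. The domain names, verdicts and documentation-range IP addresses are made up for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (made-up domains, documentation-range IPs):
# domain -> (verdict, set of IPs the domain resolves to).
RESOLUTIONS = {
    "covid-relief-example.test": ("malicious", {"192.0.2.10", "198.51.100.7"}),
    "vaccine-signup-example.test": ("malicious", {"192.0.2.10"}),
    "shop-a.example": ("benign", {"192.0.2.10"}),
    "shop-b.example": ("benign", {"192.0.2.10"}),
    "blog-c.example": ("benign", {"192.0.2.10", "203.0.113.5"}),
    "news-d.example": ("benign", {"203.0.113.5"}),
}


def index_by_ip(resolutions):
    """Invert domain -> IPs into IP -> {verdict: set of domains}."""
    index = defaultdict(lambda: defaultdict(set))
    for domain, (verdict, ips) in resolutions.items():
        for ip in ips:
            index[ip][verdict].add(domain)
    return index


def ip_block_impact(resolutions, blocked_ips):
    """Classify every domain by what an IP-level blocklist does to it."""
    blocked_ips = set(blocked_ips)
    result = {"malicious_blocked": set(), "malicious_missed": set(),
              "benign_unreachable": set(), "benign_degraded": set()}
    for domain, (verdict, ips) in resolutions.items():
        hit = ips & blocked_ips
        if verdict == "malicious":
            # Blocked only if every address the domain resolves to is listed.
            key = "malicious_blocked" if hit == ips else "malicious_missed"
            result[key].add(domain)
        elif hit == ips:
            result["benign_unreachable"].add(domain)  # collateral damage
        elif hit:
            result["benign_degraded"].add(domain)  # some addresses still work
    return result


if __name__ == "__main__":
    shared = index_by_ip(RESOLUTIONS)["192.0.2.10"]
    print("domains on shared IP:", {v: len(d) for v, d in shared.items()})
    for outcome, domains in ip_block_impact(RESOLUTIONS, ["192.0.2.10"]).items():
        print(outcome, sorted(domains))
```

Blocking the one shared address stops only one of the two malicious domains, because the other also resolves elsewhere, while two benign domains become unreachable and a third loses one of its addresses.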

"With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud. With thousands of malicious domains coming online every day, it is imperative to protect every endpoint with continuous monitoring and automatic threat prevention tools," Chen wrote.


News URL

https://www.techrepublic.com/article/nearly-2000-malicious-covid-19-themed-domains-created-every-day/#ftag=RSS56d97e7