Cybercriminals are known to adapt their scams to take advantage of the latest crisis and the Covid-19 coronavirus pandemic has been no different. Throughout the pandemic, criminals have peddled fake cures, hacked medical organisations and sent Covid-themed phishing emails. Now, scammers are pivoting again by creating malicious coronavirus domains using keywords related to economies reopening.

These website domains include keywords such as ‘Covid-free’, ‘Covid19 virus-free’, ‘Covid certificate’ and even ‘Covid-safe pub tables’.

The registering of these domains suggests scammers are seeking to target businesses and consumers as the economy reopens, with pubs, restaurants and hairdressers seeking to reassure consumers their venues are safe.

Skurio, a Belfast-based security firm that provides software to scan the dark web for firms’ compromised data, has tracked 169,000 dodgy domains that employ Covid themes.

This also included bogus coronavirus health certificates for employers, which some GPs have legitimately been offering for people to download themselves to save the time of overstretched health workers.

The domains observed by Skurio all had a risk score of 99 – the highest rating possible, which means the website either has malware on it or was set up by someone with connections to illicit activities.

Skurio CEO Jeremy Hendy told Verdict that the attack methods vary widely between domains.

“A lot of them are just straightforward scams. They’re trying to get you to sign up for something or sell you something. There’s a lot of malicious domains out there and some of them it’s malware, some of them they’re trying to get you to register,” he said.

“But equally, they’re trying to sell you something related to Covid, whether that’s masks, hand sanitiser or certificates to get you off work or authorised travel, and it’s simply a scam. They’re just trying to get some money from you and you’ll never see anything from it or it’ll be a fake or counterfeit product. It’s the whole raft of cybercrime.”

Often, when criminals set up the domains they are “benign”, but they are then weaponised to take advantage of the latest crisis. Skurio has also noticed some domains set up to impersonate companies that have recently made layoffs because of the pandemic, such as ‘clydesdalesbank.com’, ‘e.asyjet.com’ and ‘vurginmoney.com’.

The findings, shared exclusively with Verdict, show various coronavirus themes among the malicious domains. They include:

  • 2,777 URLs containing ‘clean’ or ‘disinfect’
  • 400 URLs containing ‘certificate’ or similar
  • 8,500 URLs containing ‘test’ and other diagnosis checkers
  • 350 URLs containing ‘job’, ‘volunteer’ and ‘career’
  • 331 URLs relating to hydroxychloroquine
  • 123 URLs relating to remdesivir

Work from home heightens coronavirus domain risk

The risk from dodgy domains is further compounded by the number of people working from home in IT environments less secure than in the office.

Hendy advises that businesses create rules to block employees from accessing domains that have been registered in the last 30 days.
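A sketch of how a security team might turn the 30-day rule, the lookalike names and the theme keywords reported above into a triage check for domains seen in proxy or DNS logs. This is an added example, not code from Skurio or Verdict; the brand list, the allow-list, the function names and the registration dates passed in are assumptions, and the `.example` domains in any test data are constructed.

```python
from datetime import date, timedelta

# Assumptions: brand names and the allow-list are illustrative; registration
# dates would come from your own WHOIS/RDAP or DNS-filter feed.
BRANDS = ("clydesdalebank", "easyjet", "virginmoney")
ALLOWED = {"easyjet.com", "virginmoney.com"}
# Theme keywords taken from the article's list of findings.
THEMES = ("covid", "clean", "disinfect", "certificate", "test", "job",
          "volunteer", "career", "hydroxychloroquine", "remdesivir")
MAX_AGE = timedelta(days=30)  # "registered in the last 30 days"


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the brand a domain imitates, or None. Single-label TLDs only."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWED:
        return None
    # Join the labels before the TLD so 'e.asyjet.com' collapses to 'easyjet'.
    name = "".join(domain.split(".")[:-1])
    return next((b for b in BRANDS if edit_distance(name, b) <= 1), None)


def triage(domain, registered, today):
    """Return (verdict, reasons) for one domain seen in proxy or DNS logs."""
    reasons = []
    if today - registered <= MAX_AGE:
        reasons.append("new-registration")
    brand = lookalike_of(domain)
    if brand:
        reasons.append("lookalike:" + brand)
    hits = [k for k in THEMES if k in domain.lower()]
    if hits:
        reasons.append("theme:" + ",".join(hits))
    # Block on age or impersonation; a keyword alone only merits review.
    if any(r.startswith(("new-", "lookalike")) for r in reasons):
        return "block", reasons
    return ("review" if hits else "allow"), reasons
```

Short keywords such as ‘test’ and ‘job’ match inside unrelated words, which is why a keyword hit on its own is routed to review rather than blocked.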

He also believes that hosting companies should do more to crack down on dodgy domains.

“It really isn’t difficult for hosting companies to monitor them proactively,” said Hendy.

Recently it emerged that Microsoft took legal action against a swathe of malicious domains used to send phishing messages relating to Covid-19.

Hendy also offered age-old advice to consumers online: “If it looks too good to be true, it probably is.”

