Cybercriminals are known to adapt their scams to take advantage of the latest crisis and the Covid-19 coronavirus pandemic has been no different. Throughout the pandemic, criminals have peddled fake cures, hacked medical organisations and sent Covid-themed phishing emails. Now, scammers are pivoting again by creating malicious coronavirus domains using keywords related to economies reopening.

These website domains include keywords such as ‘Covid-free’, ‘Covid19 virus-free’, ‘Covid certificate’ and even ‘Covid-safe pub tables’.

The registering of these domains suggests scammers are seeking to target businesses and consumers as the economy reopens, with pubs, restaurants and hairdressers seeking to reassure consumers their venues are safe.

Skurio, a Belfast-based security firm that provides software to scan the dark web for firm’s compromised data, has tracked 169,000 dodgy domains that employ Covid themes.

This also included bogus coronavirus health certificates for employers, which some GPs have legitimately been offering for people to download themselves to save the time of overstretched health workers.

The domains observed by Skurio all had a risk score of 99 – the highest rating possible and means the website either has malware on it or was set up by someone with connections to illicit activities.

Skurio CEO Jeremy Hendy told Verdict that the attack methods vary widely between domains.

“A lot of them are just straightforward scams. They’re trying to get you to sign up for something or sell you something. There’s a lot of malicious domains out there and some of them its malware, some of them they’re trying to get you to register,” he said.

“But equally, they’re trying to sell you something related to Covid, whether that’s masks, hand sanitiser or certificates to get you off work or authorised travel, and it’s simply a scam. They’re just trying to get some money from you and you’ll never see anything from it or it’ll be a fake or counterfeit product. It’s the whole raft of cybercrime.”

Often when criminals set up the domain they are “benign” but then weaponised to take advantage of the latest crisis. Skurio has also noticed some domains set up to impersonate companies that have recently made layoffs because of the pandemic, such as ‘clydesdalesbank.com’, ‘e.asyjet.com’ and ‘vurginmoney.com’.

The findings, shared exclusively with Verdict, show various coronavirus themes among the malicious domains. They include:

  • 2,777 URLs containing ‘clean’ or ‘disinfect’
  • 400 URLs containing ‘certificate’ or similar
  • 8,500 URLs containing ‘test’ and other diagnosis checkers
  • 350 URLs containing ‘job’, ‘volunteer’ and ‘career’
  • 331 URLs relating to hydroxychloroquine
  • 123 URLs relating to remdesivir

Work from home heightens coronavirus domain risk

The risk from dodgy domains is further compounded by the number of people working from home in IT environments less secure than in the office.

Hendy advises that businesses create rules to block employees from accessing domains that have been registered in the last 30 days.

He also believes that hosting companies should do more to crack down on dodgy domains.

“It really isn’t difficult for hosting companies to monitor them proactively,” said Hendy.

Recently it emerged that Microsoft took legal action against a swathe of malicious domains used to send phishing messages relating to Covid-19.

Hendy also offered age-old advice to consumers online: “If it looks too good to be true, it probably is.”


Read more: Coronavirus hackers face the wrath of the cybersecurity community