A First Look at COVID-19 Domain Names: Origin and Implications

TL;DR

This study analyzes COVID-19 related domain names, revealing their registration patterns, purposes, and potential misuse, highlighting challenges in distinguishing legitimate from malicious domains during the pandemic.

Contribution

First large-scale measurement study of COVID-19 domain names, uncovering registration trends, purposes, and malicious use, providing insights into their implications.

Findings

COVID-19 domain registrations peaked before the pandemic

70% of active Cov19doms provided COVID-19 related information

Some Cov19doms were used for malicious activities

Abstract

This work takes a first look at domain names related to COVID-19 (Cov19doms in short), using a large-scale registered Internet domain name database, which accounts for 260M of distinct domain names registered for 1.6K of distinct top-level domains. We extracted 167K of Cov19doms that have been registered between the end of December 2019 and the end of September 2020. We attempt to answer the following research questions through our measurement study: RQ1: Is the number of Cov19doms registrations correlated with the COVID-19 outbreaks?, RQ2: For what purpose do people register Cov19doms? Our chief findings are as follows: (1) Similar to the global COVID-19 pandemic observed around April 2020, the number of Cov19doms registrations also experienced the drastic growth, which, interestingly, pre-ceded the COVID-19 pandemic by about a month, (2) 70 % of active Cov19doms websites with visible content provided useful information such as health, tools, or product sales related to COVID-19, and (3) non-negligible number of registered Cov19doms was used for malicious purposes. These findings imply that it has become more challenging to distinguish domain names registered for legitimate purposes from others and that it is crucial to pay close attention to how Cov19doms will be used/misused in the future.