Scammers flood GoDaddy with COVID-19 phishing campaigns

Read time 3min 00sec

GoDaddy is the most abused Web hosting provider for COVID-19-related phishing campaigns.

This is according to a new report by digital freedom advocacy firm ProPrivacy, which discovered that phishing campaigns related to COVID-19 are becoming more targeted and difficult to identify as the pandemic progresses.

The study, conducted in partnership with Google unit VirusTotal and WhoisXML, analysed more than 600 000 domains to accurately track malicious activity throughout the pandemic.

It found that the number of phishing domains being registered peaked in late March, but activity remains high, with as many as 1 200 domains still being registered each day.

To date, the project has identified more than 125 000 domains labelled as malicious, the vast majority of which are used for phishing activity.

“While pandemics are nothing new, the novel coronavirus is the first truly global pandemic to ever take place against a digital backdrop and the implications are proving profound,” says Sean McGrath, lead researcher on the project.

The study found GoDaddy was the most abused Web host, hosting a disproportionately high number of domains used for phishing activity.

The US-based company is the largest hosting provider in the world, hosting an estimated 15% of all Web sites.

However, 37% of the 80 470 IP addresses analysed belonged to GoDaddy, with 3 285 resolving to the same IP address.

Asked for comment, GoDaddy told ITWeb it does not comment on phishing attacks.

GoDaddy officially launched in South Africa in March last year, targeting the small and medium enterprise market.

The ProPrivacy researchers noticed that as the pandemic progresses, phishing campaigns are becoming more targeted and potent, taking advantage of specific fears and concerns held by the public.

For example, while there has been a marked decrease in the number of domains related to terms like “COVID” and “mask”, there has been a sharp increase in domain registrations related to unemployment, welfare benefits and the US stimulus package.

According to ProPrivacy, domain registrars have been proactive and effective in identifying generic domains related to the virus, but the research suggests that bad actors are now adopting a more nuanced approach.

It notes these focused campaigns are not only more likely to succeed, but are becoming increasingly difficult for the threat intelligence community to identify using conventional broad stroke methods.

According to a WhoisXML API researcher: “We see a lot of niche registrations in our typosquatting (URL hijacking) data feed files. Registrants seem to target vulnerable groups. We suspect that these domains could serve as social engineering baits and trigger emotional responses.”

ProPrivacy tracked all domain registrations from 1 January, and each domain was checked against VirusTotal’s aggregated database of more than 60 threat intelligence partners.

The team documented every domain labelled malicious and used a range of techniques to identify new themes that emerged throughout the pandemic.

“It would be easy to look at the overall trend and conclude that phishing activity related to the pandemic has simply fizzled out, but that’s not an accurate assessment,” says McGrath.

“These malicious campaigns have moved underground and are now addressing our most intimate concerns. ‘When will my children return to school?’ ‘Will I lose my job?’ It is these – truly human – questions that will fuel the ‘second peak’ of malicious activity. This is the next battlefront in the digital pandemic.”

Login with