Phishing campaigns related to COVID-19 are becoming more targeted and difficult to identify as the pandemic progresses, a new report from privacy advocacy group ProPrivacy suggests. The project, conducted in partnership with VirusTotal (Alphabet) and WHOIS XML, analyzed more than 600,000 domains to accurately track malicious activity throughout the pandemic. It found that the number of phishing domains being registered peaked in late March, but activity remains high with as many as 1,200 domains still being registered each day. To date, the project has identified more than 125,000 domains labeled as malicious, the vast majority of which are used for phishing activity.
  • As many as 1,200 COVID-related domains are still registered each day
  • ‘Mask’ has been the most common keyword theme amongst sites, with ‘Testing’ and ‘Zoom’ also featuring prominently
  • Threat intelligence vendors and registrars will struggle to detect new vectors
  • GoDaddy is the most abused web hosting provider for COVID-related campaigns. Having hosted over 30,000 potentially harmful domains, amounting to 37% of our database
  • Amateur scammers benefit from the ability to purchase ‘phishing for beginners’ software on the dark web
The researchers noticed that as the pandemic progresses, phishing campaigns are becoming more targeted and potent, taking advantage of specific fears and concerns held by the public. For example, while there has been a marked decrease in the number of domains related to terms like ‘covid’ and ‘mask’, there has been a sharp increase in domain registrations related to unemployment, welfare benefits, and the US stimulus package. Domain registrars have been proactive and effective in identifying generic domains related to the virus, but ProPrivacy’s research suggests that bad actors are now adopting a more nuanced approach. These focused campaigns are not only more likely to succeed, but they are becoming increasingly difficult for the threat intelligence community to identify using conventional broad stroke methods. The full report and data can be accessed here: