As many around the world struggle to come to terms with the full impact that the Coronavirus will have on each of our families and communities, people are desperate for both information and hope. Threat actors exploit vulnerabilities, and many see the uncertainty of our circumstances as an opportunity. They are capitalizing on the need for news, guidance, supplies, and treatments by targeting businesses and individuals who need this information with a barrage of COVID-19-related attacks and scams.
Organizations and individuals are faced with critical decisions about what and whom to trust for useful information on the world’s rapidly changing circumstances. At DomainTools, we recognize many other organizations and individuals are working hard to ensure anxiety around the pandemic doesn’t result in cybercriminals cashing in on fear and uncertainty during this difficult time. We feel we can give back to our community by taking on the challenge of providing useful information on infrastructure delivering potential threats. It can be difficult to strike a balance between a strong security posture and potentially blocking sites with critical information—especially as communities and support organizations launch new digital infrastructure in response to this epidemic.
While preying on uncertainty and weakness is something expected of threat actors, those of us in the security community have a duty to step in to protect those who are vulnerable and under attack—especially when we have the ability to help. For this reason, DomainTools is releasing a free, publicly-available COVID-19 Threat List to help organizations and individuals make better decisions about the risk posed by domains related to the Coronavirus threat. Unlike a simple keyword-search-based list, the DomainTools COVID-19 Threat List includes only domains that DomainTools considers to be high-risk, displaying domain names in context with their create date and a Domain Risk Score, so that you or your organization can make better decisions about which sites are likely to be threats.
In the COVID-19 Threat List, you can find:
- Domain Names – A selected list of domains with names containing core terms related to the COVID-19 pandemic, as well as common or misleading permutations of those terms. We are monitoring for more than 60 relevant terms, including the following examples:
  - Covid, and permutations like c0vid or c0v1d
  - Corona, and permutations like carona or corrona
- Create Date – Date the domains were first registered, or in the absence of available registration data, the date the domain was first detected by DomainTools. This can be used to identify brand new domains and determine which domains are the newest ones added to the list. In general, newer domains tend to be riskier, so use extra caution in interacting with very young domains.
- Domain Risk Score of 70 or Greater – The highest Domain Risk Score attributed to a domain by any of DomainTools’ Risk Scoring mechanisms. For all scoring types, DomainTools considers scores of 70 or above to be highly indicative of existing or forthcoming threats. The COVID-19 Threat List therefore includes only domains whose highest score from any of our scoring mechanisms is 70 or greater.
Drawing upon data points from over 330 million current Internet domains, DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. The score comes from two distinct algorithms: Proximity and Threat Profile. Proximity evaluates the likelihood a domain may be part of an attack campaign by analyzing how closely connected it is to other known-bad domains. Threat Profile leverages machine learning to model how closely the domain’s intrinsic properties resemble those of others used for spam, phishing, or malware. The strongest signal from either of those algorithms becomes the combined Domain Risk Score.
Domains with scores below 70 will not be included in the COVID-19 Threat List, as we want to ensure that list recipients can use this list with high confidence that the domains included therein are likely to be threats. However, please be aware that just because a domain is not on the list, it does not mean that it is entirely risk-free or trustworthy. All sites disseminating information associated with the Coronavirus pandemic should be treated with caution, and the information they deliver should be evaluated critically in the context of local, state, federal, and international authorities and health organizations. Remember not to click on any link from a source you don’t recognize, and, before you interact with any link, examine the full URL of the link destination to ensure that the actual portion of the domain before the TLD (e.g., .com, .org, etc.) is the site you expect to visit.
We’ve seen the list grow dramatically, especially within the last month—rising from only 3,000 domains on March 1st to more than 57,000 domains by March 22nd. To keep the community as informed as possible, domains on this list will be rescored daily, meaning that each domain will be reassessed in light of available data each day. The list will also be regenerated and a new version will be posted daily, delivering all domains that meet the above criteria with creation dates of January 1, 2020 or later. The new version of the list will be made available as a CSV download for free to any and all organizations or individuals who believe this data will protect their employees, customers, or communities during this time of need.
How you can use the COVID-19 Threat List
- Integrate the domains into your organization’s internal or consumer-facing products to proactively block access to high-risk domains
- Identify and provide information about emerging threats to your organization or consumers to support community awareness and consumer protection
- Aid intelligence researchers in their COVID-19-related investigations by highlighting high-risk domains
- Protect your users or infrastructure based on a targeted list of relevant threats that can easily fit into memory for firewall or DNS block rules for active blocking
- Track activity associated with domains on the list to observe behavior and determine objectives
- Analyze historical logs against the domains on the COVID-19 Threat List to see if any interactions occurred (detect past compromise)
- Create rule-driven actions by integrating with in-house platforms, so that, if a detected domain appears on the COVID-19 Threat List, a system can act on that domain according to pre-established rules in an integrated system (e.g., Splunk, QRadar)
- The COVID-19 Threat List is available for download as a gzipped text file, updated daily
- Each row of the file is tab-delimited with the following fields:
  - domain_name, create_date, risk_score
- The file is sorted by risk_score and create_date such that the most risky (the “99’s”) and youngest domains are at the top
- All domains on the list have a create date of 1 Jan 2020 or newer
- All domains on the list have a Risk Score of 70 or above
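As an added example (not DomainTools’ code), the following Python reads a list in the tab-delimited format described above and checks historical DNS resolver logs against it, the retrospective use case listed earlier. The list rows and log lines are constructed samples, not excerpts of the real list; matching walks up each queried name’s parent domains so that a subdomain of a listed domain is still flagged.

```python
import csv
import gzip
import io
from datetime import date

# Constructed sample rows in the documented format: domain_name, create_date,
# risk_score, tab-delimited (not a real excerpt of the DomainTools list).
SAMPLE_LIST = (
    "covid19-relief-example.com\t2020-03-20\t99\n"
    "c0rona-masks-example.net\t2020-03-18\t99\n"
    "corona-update-example.org\t2020-02-11\t84\n"
    "covid-tracker-example.info\t2020-01-15\t70\n"
)
SAMPLE_GZ = gzip.compress(SAMPLE_LIST.encode())  # stands in for the gzipped download

# Constructed DNS resolver log lines: timestamp, client address, queried name.
SAMPLE_DNS_LOG = """\
2020-03-21T08:12:03Z 10.0.4.17 www.covid19-relief-example.com
2020-03-21T08:12:09Z 10.0.4.17 cdn.example-news.com
2020-03-21T09:40:55Z 10.0.7.2 login.c0rona-masks-example.net
2020-03-21T10:01:14Z 10.0.4.9 corona-update-example.org
"""

def load_threat_list(gz_bytes, min_score=70):
    """Parse the gzipped TSV into {domain: (create_date, risk_score)}, keeping rows at or above min_score."""
    threats = {}
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for row in csv.reader(fh, delimiter="\t"):
            if len(row) != 3:
                continue  # skip blank or malformed rows rather than crash
            domain, created, score = row
            if int(score) >= min_score:
                threats[domain.lower().rstrip(".")] = (date.fromisoformat(created), int(score))
    return threats

def lookup(name, threats):
    """Return the listed domain equal to name or to one of its parent domains, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in threats:
            return candidate
    return None

def scan_dns_log(log_text, threats):
    """Return (timestamp, client, queried_name, listed_domain, risk_score) for each hit."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        listed = lookup(qname, threats)
        if listed:
            hits.append((ts, client, qname, listed, threats[listed][1]))
    return hits
```

Raising `min_score` (for example to 90) gives a smaller set suitable for active blocking, while the full 70-and-above list is better kept for alerting and retrospective searches.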
Please fill out the form on the official DomainTools site to access the COVID-19 Threat List:
DomainTools gates the download only as a security measure, so that threat actors cannot overwhelm the S3 bucket. Once you fill out the form, you’ll have access to the direct link for the most up-to-date version in perpetuity, and can automate access to that link if needed.
Official DomainTools Form: HERE
For DomainTools Iris Customers
For our DomainTools customers, we are also providing an Iris Investigation Hash. This Hash can be imported into Iris to allow you to view, explore, and pivot around the domains in the COVID-19 Threat List.
This hash represents the Advanced Search used to generate the COVID-19 Threat List, and as such the results in Iris will be updated in real-time as new domains are discovered. If the criteria for the Advanced Search changes, so will this Hash.
To import this Investigation Hash into Iris, select “Search” and then “Export”. Copy the Hash into the “Import a new Search” textbox as shown in the screenshot.
COVID-19 Threat List Iris Investigation Hash