DNS Spoofing On The Rise During the Outbreak of COVID-19 

In a DNS spoofing attack, an attacker impersonates a DNS server: it answers a domain name resolution request and replies to the user with a fake address. DNS spoofing attacks exploit security flaws in the design of the DNS protocol: all DNS resolution services use the standard question-and-answer mode, and the IP address and port number of the DNS server are published. Most of the existing DNS servers on the Internet are set up with BIND. The versions of BIND in use are mainly those prior to BIND 4.9.5+P1 and those prior to BIND 8.2.2-P5.

All DNS servers share a common feature: they cache the results of every query they have resolved. DNS essentially provides domain name resolution through a client/server model, but it provides no authentication mechanism of its own. A querier cannot confirm the authenticity of a response when it receives one, which makes deception easy. Similarly, a DNS server cannot know whether the host or other DNS server requesting name service is legitimate, or whether its address has been stolen.
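The missing authentication described above can be seen in the checks a plain UDP DNS client is able to apply to a reply. The following is an added example, not code from the original article: the function names are hypothetical, the messages are constructed sample data, and the header fields (transaction ID, QR bit, question section) come from the standard DNS message format rather than from this page.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_message(txid, name, answer_ip=None):
    """Minimal DNS query, or (with answer_ip) a response carrying one A record."""
    flags = 0x8180 if answer_ip else 0x0100  # response: QR|RD|RA, query: RD
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if answer_ip:
        # pointer to the name at offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        msg += bytes(int(octet) for octet in answer_ip.split("."))
    return msg

def read_question(msg):
    """Return (lowercased QNAME, QTYPE, QCLASS) of the first question."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return (".".join(labels),) + struct.unpack_from("!HH", msg, pos + 1)

def check_response(query, response, sent_to, received_from):
    """Apply the checks available to a plain UDP DNS client; none is cryptographic."""
    if received_from != sent_to:
        return False, "unexpected source address or port"
    try:
        q_id, = struct.unpack_from("!H", query)
        r_id, r_flags = struct.unpack_from("!HH", response)
        if not r_flags & 0x8000:
            return False, "QR bit not set"
        if r_id != q_id:
            return False, "transaction ID mismatch"
        if read_question(response) != read_question(query):
            return False, "question mismatch"
    except (IndexError, ValueError, struct.error):
        return False, "malformed message"
    return True, "accepted"

# Constructed sample data (documentation address ranges, not real traffic).
RESOLVER = ("192.0.2.53", 53)
QUERY = build_message(0x1A2B, "example.com")
GENUINE = build_message(0x1A2B, "example.com", answer_ip="192.0.2.10")
ALTERED = build_message(0x1A2B, "example.com", answer_ip="203.0.113.66")
print(check_response(QUERY, GENUINE, RESOLVER, RESOLVER), check_response(QUERY, ALTERED, RESOLVER, RESOLVER))
```

Both sample responses pass every check even though they carry different addresses: the checks establish only that a reply is plausible for the outstanding query, not that its content is authentic.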

With the global spread of the coronavirus, topics related to the epidemic continue to receive high attention. Cybersecurity researchers have found that since early February, the number of Google searches and URL views associated with the coronavirus has increased significantly. Cybercriminals also use these hot topics as bait to profit from them, which will worsen the lives of billions of people, especially at the moment of the current crisis. Precisely because criminals often use these topics to conduct malicious activities, researchers closely monitor users' attention to hot topics and newly registered domain names related to these topics in order to protect users' security. Using Google Trends and traffic logs, researchers found that users' interest in topics related to the coronavirus has exploded, and peaked at the end of January, February, and mid-March 2020.

At the same time, as user attention increased, from February to March the number of domain name registrations related to the new coronavirus increased by an average of 656% per day. During this period, malicious domain name registrations, including malware and phishing, increased by 569%; "high-risk" domain name registrations, including fraud, illegal cryptocurrency mining, and domains linked to malicious URLs or suspected of using bulletproof hosting, increased by 788%. As of the end of March, we have found 116,357 newly registered domain names related to the new coronavirus, including 2,022 malicious domain names and 40,261 "high-risk" domain names.

The LIFARS Gap Assessment Solution is designed to ascertain your current comprehensive information security, risk, and compliance status. Not only do we determine your current state along with your risk appetite and tolerance, but we also provide you with an actionable roadmap to reach your target maturity level, including a strategy, structure, governance, and operations management plan.