Top Whois, DNS, IP and threat intelligence data provider. We provide APIs, databases, and tools.
Since the virus’s emergence in early January 2020, COVID-19 has been widely used in various malicious campaigns online. Several disposable email domains using the term “coronavirus” and its variations have appeared since then.
While not all these COVID-19-related disposable email domains may have been created with malicious intent, some still could have been used for nefarious purposes. With that in mind, companies may want to consider detecting and possibly blocking communications coming from related disposable email domains to avoid cyber threats as well as possible freemium service abuses.
Detecting disposable email domains is doable with the help of tools like disposable email domain data feeds. We used one such tool to analyze these feeds and present our findings in this post.
The coronavirus is proving to be not just a physical but also a virtual threat. Apart from avoiding the disease, people the world over also need to be on the lookout for COVID-19-related security threats every time they go online, given statistics like:
We looked at the disposable email domain data feeds from March 2020 to March 2021. The data revealed an increase in COVID-19-themed disposable email domains over time, especially between May and June 2020.
Chart 1: The number of coronavirus-themed disposable email domains shows an increase over time.
Of the four strings tracked—“corona,” “covid,” “vaccine,” and “pandemic”—“corona” was the most commonly used term for disposable email domains. Domains containing “covid” followed, then those with “vaccine” and “pandemic.”
Chart 2: A majority of the disposable email domains obtained from the feeds contained the string “corona.”
That finding isn’t surprising, as a similar trend is reflected by the interest in the search terms over the past 12 months, according to Google Trends.
Examples of the disposable email domains obtained from the data feeds include corona-virus-live[.]ru, applyforcovid19relief[.]com, plantbasedvaccine[.]com, and pandemic[.]cloud.
Further checks on VirusTotal showed that corona-virus-live[.]ru, for instance, was flagged for phishing, not to mention tagged “suspicious” by several vendors. Applyforcovid19relief[.]com is another example of a domain that was reported as malicious as well.
With this in mind, it may be a good idea to track email domains that contain the four strings using a disposable email domain data feed, conduct further analysis, and block these, if needed. The examples above are just a few that could be included in organizations’ blocklists.
Moreover, an analysis of the top-level domain (TLD) extensions used revealed that a vast majority (i.e., more than a third of the total number) fell under .com.
Chart 3: The most popular TLDs among the disposable email domains were .com, .online, and .xyz.
It isn’t surprising to see most of the disposable email domains use .com, as this remains the most popular TLD worldwide as of October 2020. The TLD lends an email address more credibility since most companies still prefer .com when creating their own websites. It’s also worth noting that among the new generic TLDs (gTLDs), .online and .xyz top the most commonly used list. Alphabet (i.e., Google’s parent company), for instance, uses the domain abc[.]xyz.
Organizations that wish to stay safe from coronavirus-themed threats may want to be especially cautious of disposable email domains that use the TLDs in Chart 4. They can configure their email security software to flag emails using temporary addresses containing the four strings mentioned earlier, especially those sporting the TLDs above.
As this post showed, the usage trend for COVID-19-related disposable email domains is consistent with the volume of coronavirus-themed threats. It may be worth monitoring and consequently filtering out disposable email domains using the strings featured here as an additional precautionary measure. Since their owners can’t easily be determined, they may figure in malicious campaigns.