How Nominet is using AI to stop fake COVID-19 sites
The coronavirus pandemic has created a unique landscape for the UK which is familiar to no-one.
The government has turned to texts and letters to communicate vital new rules on social distancing. Coverage of emergency funds and finances for people and businesses alike are among the major headlines.
Life is – at best – unsettled, which is the perfect backdrop for scammers to run coronavirus-related phishing scams.
Nominet, the official registry for domain names ending in ‘.uk’ such as gov.uk and nhs.uk, reports that at least 180 suspicious website registrations related to coronavirus have been caught by the company and are restricted from going online.
“We are capturing quite a lot at the moment, and we expect that that will continue for a while,” Nominet’s CEO Russell Haworth told BusinessCloud.
Through its system, Domain Watch, the firm is working with the government and law enforcement to identify fraudulent sites which are targeting people’s uncertainty about coronavirus.
It’s through a mixture of machine learning and due diligence that this latest batch of websites never gets online.
“The confusion and ambiguity gets thrown up by people trying to research topics. We’re hearing more and more about protective equipment, trying to get information on furloughing staff. There are lots of avenues to get defrauded unfortunately,” said Haworth.
The tech world at large is doing its part to stay one step ahead, said Haworth, including the likes of Google battling fake news and websites.
But arguably Nominet has more immediate power because it can stop the website from ever going live – preventing the majority of the damage caused by these websites which Haworth said is typically done in the first 24 hours.
“We don’t get involved in what’s actually on the website, that’s for the Internet Watch Foundation and police and others, but what we can do is make sure that we are able to monitor the registration of websites and identify whether they are potentially problematic,” he said.
Nominet’s focus currently is safeguarding new website addresses ending in .uk which are related to coronavirus.
“If you’re trying to register coronavirusmedication.co.uk, we want to run it through our algorithms to make sure that there are substantiated checks to verify who you are and if you are using that domain for legitimate reasons,” he said.
Nominet has received 1,300 COVID-19 related domain registrations, which are caught by its Domain Watch platform, and put on hold to be reviewed before going live.
Nominet is asking those wishing to register a coronavirus-related website to provide a legitimate means of verification such as a photo ID.
So far, fewer than 300 have responded.
“Some of the people that have passed our checks range from parish councils to a website called Corona Loner, which is a blog from a former journalist working from home,” said Haworth.
“It’s when you get into a website like nhscoronavirus.uk, which would be the type of site we’re trying to capture.
“There are legitimate reasons to set up these sites, but we do have thousands of registrations which we see as potentially problematic, where people have not responded.”
He said there were many vectors to solving this ongoing problem, but Nominet was an important part of that bottleneck.
While the .uk top-level domain or ‘TLD’ is used by the likes of the UK government and the NHS, it is available to anyone with very few restrictions.
But balancing the requirements of new, legitimate website creators against the checks needed to stop fraudulent sites slipping through the net requires the help of machine learning, alongside a staff of around 30. The system scans for keywords such as ‘coronavirus’ and ‘covid’ which seem suspicious.
“If [a website address] is being created for the first time, we’ll know whether it’s been flagged before as being malicious and whether there are patterns of behaviour which don’t look legitimate.
“We work very proactively with law enforcement agencies and the like to take down sites that are identified by them as being illegal, and we do that quickly.”
The reasons fraudsters are turning to .uk domains are multi-faceted. Haworth said it could simply be because the name was available where its .co.uk or .com counterpart was not.
But he said it could also be because scam artists want a part of the trust which has been built through Nominet’s handling of .uk domain registrations.
“We want to make sure that we are one of the most vibrant but equally safest places to do business,” he said. With that comes an innate understanding from users that a .uk domain is trustworthy.
The Internet Corporation for Assigned Names and Numbers (ICANN) is a multinational not-for-profit partnership, based in the US, which oversees these website endings.
When someone registers a domain on the internet, it goes through a domain name registrar like Nominet, who pays a small fee to ICANN to register the domain as part of the process.
ICANN reports that as of April there are over 1,500 potential website endings, or TLDs.
The number, which has seen a boom in recent years, includes everything from .americanfamily to .zuerich.
But Haworth said few have built the same trust and understanding as .uk websites. “I’m in the industry and I don’t trust most of them!” he said.
“The UK public will trust a .uk over a .com website. There’s an innate recognition that it is run within the country by people with their best interests at heart.”
In March, Nominet announced new plans in addition to screening new website URLs. It would see the landing pages of domains suspended due to criminal activity replaced with a legitimate alternative.
Working initially in collaboration with the Medicines and Healthcare Products Regulatory Agency (MHRA) and the City of London’s Police Intellectual Property Crime Unit (PIPCU), Nominet plans to redirect web users to a secure site providing consumer advice and education for potential victims of sales of counterfeit medicines and other branded goods.
Landing pages are sometimes utilised by law enforcement globally but only in circumstances where the agency in question, for example the FBI, has seized control of a domain name.
This new registry-led initiative is the first to provide informative landing pages.
Asked if an exclusive subdomain could be offered to further differentiate the likes of the NHS and government from blogs, Haworth said while it was an elegant solution, in practice it could cause more confusion.
He said that .gb, for instance, is reserved and could be used for this purpose, but in practice the trust built up in websites such as gov.uk and NHS.uk would need to be rebuilt.
“It’s a balance between open data and an uninhibited internet, versus some degree of security and scrutiny,” he said.
“I don’t know if we’ve got the right balance. If you take ICANN as a global community, the debate rages as to how much we should be going down the path of a democratised internet, versus some safety checks and balances.
“It will always be a tension that we’re juggling.”