From Wandera – Analysis: Internet traffic related to coronavirus – the good and the bad

Scammers take advantage of Clorox buying frenzy

Analysis: Internet traffic related to coronavirus – the good and the bad

Wandera’s experts analyzed year-to-date queries from around the globe that were related to COVID-19 to see how traffic to both safe and malicious websites was trending.

Analysis: Internet traffic related to coronavirus – the good and the bad

While the world adjusts to COVID-19 and its deadly spread, malicious actors are mobilizing, attempting to capitalize on the collective attention that is currently focused on the virus. We recently analyzed traffic going to websites related to the Coronavirus, such as the online resources operated by the CDC and WHO as well as traffic to malicious websites that are masquerading as legitimate sources of information. Our analysis found that traffic to malicious sites skyrocketed — exceeding access to even the most trusted sources for COVID-19 information — as the pandemic sent the world into lockdown.

With so much change in the way the world operates – growth in remote work, more conference calls, increased online shopping – bad actors are getting crafty in order to continue attracting victims to their malicious sites. Wandera has identified a diverse set of sites posing as authentic during this time — from illegal products (e.g., prescription drugs posing as coronavirus antidotes) to phishing attacks (e.g., provide personal information for details on your tax credit) and downright scams (e.g., pay for a product and it never shows up).


Making dirty money off cleaning products


The latest scam site uncovered by our threat intelligence engine MI:RIAM is related to the sale of Clorox products. Clorox is a household brand known for cleaning and disinfecting products and reportedly saw demand surge by 500% in some of their product categories during Q1 2020, a direct link to consumer interest in cleaning as the coronavirus was starting its global outbreak. So it should come as no surprise that bad actors are trying to tap into this growth in consumer interest by launching a scam site.


MI:RIAM identified a site with the domain ‘adclorox[.]com’ while crawling the Internet. At the time of our investigation, an ad for this website was showing up in the second position of results when performing a Google search for ‘clorox’ (see below image taken on July 6, 2020).


The next red flag (after the questionable variation on the official Clorox brand domain name) was how strange it was for a fresh, nine-day-old website to be associated with such a storied brand like Clorox, which is owned by consumer goods giant Proctor & Gamble. Clorox has a legitimate domain, and while it looks similar, it has many substantial differences to the scam adclorox[.]com domain.


Key indicators of a scam


First of all, Clorox currently does not sell directly to consumers. As you can see in the below screenshots the legitimate site directs users to retailers’ physical locations and websites to help them buy the product selected. Meanwhile, the adclorox[.]com website displays a ‘limited-time sale’ promotion and mechanism to purchase the selected product using PayPal. Additionally, we traced the Internet traffic to servers hosted in China. No legitimate retailers of Clorox products can be associated with the questionable domain at the time of publication.


Scam site

Legitimate site


Wandera’s threat research team performed an analysis of the infrastructure that is used to host the websites for both the official Clorox product as well as the suspicious domain. Both domains resolve to a set of totally different IPs, as indicated in the table below.


host adclorox[.]com host

IPv6 address 2606:4700:3031::681b:986d

IPv6 address 2606:4700:3037::681b:996d

IPv6 address 2606:4700:3036::ac43:c772

mail is handled by 10

mail is handled by 10



Additionally, the websites do not share any similarities via certificates, the components that enable both websites to encrypt page content and ensure the viewer’s browser displays a “lock icon” indicating a protected webpage. The certificate issuer for adclorox[.]com is Cloudflare, while the issuer for is GlobalSign. Wandera research has indicated that attackers make regular use of encryption to trick users into believing the site is authentic.


Scam site

The most noteworthy indication of suspicion comes in the registration date. There is a huge difference in domain creation dates. The adclorox[.]com domain was registered nine days ago which is a really young domain for a company that has been around since 1913. The legitimate domain was registered 26 years ago.

There is an entry for adclorox[.]com on this scam database website, which contains comments by users who have clued onto the scam, including this one: “I contacted Clorox. This is not one of their sites. I need to notify PayPal because I ordered some items thinking it was a legitimate site.”

Due to domain owner information being obfuscated, we are not able to say with certainty who owns and operates the scam adclorox[.]com domain. It is not standard practice with legitimate companies of this scale to obfuscate their domain registration details.




Legitimate site



We encourage users to take extra precautions during this time as scammers are taking advantage of the heightened reliance on online services. Here are our top tips:

  • Always check the URL bar for suspicious domains
  • Use a credible DNS server that includes the blocking of malicious domains such as QUAD9 (or Wandera’s Secure Access Layer if your employer has deployed it on your device)
  • Don’t click on suspicious links that arrive via email and even messaging apps and social media
  • Only use trusted websites
  • Don’t download apps from unknown or third-party sources
  • Businesses should protect employees by deploying security services to work devices that detect and block suspicious and malicious websites and apps


Update: At the time of writing on July 7, 2020, it appears that Google may have removed the site from its index since it is no longer showing up for the same search. However, the site is still live, but loading much slower than it was during the initial investigation.