Wine scams spiked during COVID-19 lockdown

The malicious wine-related activity "must be stopped at all costs."
An assistant advises a customer at the L'Intendant Grands Vins de Bordeaux wine shop on June 29, 2018 in Bordeaux, France. L'Intendant is considered one of the grandest wine shops in France with a staircase that spirals up five floors surrounded by cylindrical shelves holding as many as 15,000 bottles of regional wine at prices ranging from €7 to thousands of Euros. (Photo by David Silverman/Getty Images)

Absolute monsters.

Wine-themed domain registrations rose once COVID-19 lockdowns took hold, and some of those domains were malicious and used in phishing campaigns, Recorded Future and Area 1 Security said in a joint report out Wednesday.

“As the interest in virtual happy hours and get-togethers increased so did the increase in wine-themed domain registrations,” the report states.

Amid the COVID outbreak, alcohol has proven itself a target for hackers — but it hasn’t been clear before that scammers were trying to exploit people who were staying home and imbibing more. Alcohol delivery service Drizly, for instance, suffered a breach in July, while ransomware hit liquor and wine maker Brown-Forman around the same time.


Recorded Future observed a mild jump in wine domain registrations in March of 2020, from the usual 3,000 to 4,000 per month up to nearly 5,500. April saw a bigger leap, to almost 7,200, and the numbers took off in May to 12,400. They’ve stayed high ever since.

Domains that Recorded Future labeled as malicious followed a similar pattern. Researchers found 278 such domains in April of 2020, followed by 668 in May. The numbers began leveling off by fall, however.

“It appears that it took some time for cyber criminals to catch on to the idea of using wine in malicious activities,” the report says. “Tracking malicious wine-themed domains as a percentage of total wine domains registered shows that the peak as a percentage of total wine-themed domains was in June 2020 at 7%.”

That’s when Area 1 Security tagged in: It analyzed the above domains being used in email campaigns. The company determined the majority of the 25,000 emails were spam, but 13.5% contained suspicious or malicious links or files and 11.7% were business email compromise phishing emails.

“Overall, these results show that spam and phishing campaigns are aware of the growing interest in wine and are using that interest to push malicious activity,” the report reads.


Allan Liska, an analyst at Recorded Future, said that, as a wine lover, he subscribes to a lot of wine mailing lists and began to see some low-level spam messages, prompting him to investigate further.

He said he suspects that studying “happy hour”-themed registrations would turn up similar results.

“Scammers and attackers always jump on the latest trends, so part of this is just natural progression: they see increased interest in wine and they want to take advantage of the situation,” Liska said.

And he quipped: “I also take this increased malicious activity as a personal attack against me, one that must be stopped at all costs.”
