Coronavirus-themed newly registered domains showed how domain name registration behavior can be linked back to the news.
In an earlier domain intelligence analysis covering January to March 2020, we detected no fewer than 50,000 domain names with terms hinting at a connection to the pandemic.
The coronavirus caught everyone’s attention and prompted a great deal of information seeking. As a result, websites hosted on domains containing relevant pandemic search terms could make money by displaying ads on their pages. What made coronavirus-themed newly registered domains ripe for phishing was the prospect of monetary gain, notably through the sale of personal protective equipment (PPE), refunds for canceled trips, lawsuits and settlements, and donations.
Somewhat similarly, we have started detecting 1,000+ newly registered domains, this time related to the Black Lives Matter movement. As these events have also gained a lot of public attention, this post considers possible malicious or misinformative angles that could be taken in the coming weeks using these domains.
Domains that contain the strings “eorge” and “loyd” appeared in the Domain Name System (DNS) recently. From 28 May to 15 June, some 356 variations of George Floyd’s name (most containing typos) were noticed. Below are a few examples:
We also tracked domain names that contain the following strings:
In total, 1,140 domain names related to George Floyd and Black Lives Matter were detected over 19 days of monitoring. Registrations peaked on 1 June, around the time the Black Lives Matter movement drew global attention.
Studies show that 70% of newly registered domains are malicious or suspicious, possibly figuring in phishing campaigns and malware attacks. Some of the George Floyd and Black Lives Matter domain names could have similar end goals. A few possible repercussions of these domain name registrations include:
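Detection logic of the kind described above, as an added example that is not code from the original post or its authors: it flags newly registered names that contain the full terms, sit within two edits of them (typo variants), or merely contain the fragments “eorge” and “loyd”, and counts flagged registrations per day to surface a peak. The keyword list, edit budget, and feed rows are assumptions constructed for the example; only georgefloydcharity.com is a name the post itself mentions.

```python
import re
from collections import Counter

# Constructed (registration day, domain) rows standing in for an NRD feed; only
# georgefloydcharity.com is a name the post itself mentions, the rest are made up.
SAMPLE_FEED = [
    ("2020-05-31", "example-shop.com"), ("2020-06-01", "georgefloydcharity.com"),
    ("2020-06-01", "geogrefloyd.com"), ("2020-06-01", "black-lives-matter-2020.net"),
    ("2020-06-02", "blacklivesmater.org"), ("2020-06-02", "floydmotors.net"),
]
KEYWORDS = ("georgefloyd", "blacklivesmatter")  # full terms, matched exactly or within MAX_EDITS (assumed list)
FRAGMENTS = ("eorge", "loyd")                   # the substrings the post says were tracked
MAX_EDITS = 2                                   # Levenshtein budget for typo variants (assumption)

def normalize(domain):
    """Second-level label, lowercased, hyphens and digits dropped (multi-part suffixes like co.uk not handled)."""
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return re.sub(r"[^a-z]", "", label)

def levenshtein(a, b):
    """Edit distance with a rolling row; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (tier, reason) or None; whole-term hits are 'high', bare fragments only 'review'."""
    label = normalize(domain)
    for kw in KEYWORDS:
        if kw in label:
            return ("high", "keyword:" + kw)
        if levenshtein(label, kw) <= MAX_EDITS:
            return ("high", "typo:" + kw)
    for frag in FRAGMENTS:
        if frag in label:  # substring hits also catch unrelated names such as floydmotors
            return ("review", "fragment:" + frag)
    return None

def scan_feed(feed):
    """Flagged (day, domain, tier, reason) rows plus flagged-per-day counts, to spot a registration peak."""
    hits = [(day, d) + v for day, d in feed for v in [classify(d)] if v]
    return hits, Counter(day for day, *_ in hits)
```

Fragment-tier hits need analyst triage before any action; on the constructed feed the peak day is 2020-06-01 with three flagged names.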
1. Scams That Bank on Emotional Responses
Scammers are good at triggering reactions. Domain names such as georgefloydcharity[.]com, georgefloydcharityfoundations[.]org, blacklivesmatterfund[.]com, blacklives[.]support, and their variations, for instance, could convince sympathizers to extend monetary donations.
While some of these domains belong to legitimate charitable foundations, several could be operated by scammers. In fact, a fake Black Lives Matter Facebook page claimed to be raising money for activists and obtained around US$100,000 in donations. People looking to donate to the Black Lives Matter movement and Floyd’s family should thus exercise caution.
2. Phishers Masquerading as Legitimate Organizations
The Black Lives Matter movement is not new. Blacklivesmatter[.]com has been up since 2013. A look into WHOIS history supports this claim: the domain’s WHOIS record from October 2013 can still be retrieved.
But anyone can use the words “Black Lives Matter” in their domain names.
Our analysis found hundreds of newly registered domains using different top-level domain (TLD) extensions or containing typos, a subset of which includes:
Using a screenshot tool, we found that many of these domains are not hosting any consumable content—either because they are parked, have a site under construction, or are pending WHOIS verification. Some did host an e-commerce website, which may or may not be affiliated with official representatives of the BLM movement.
3. Disinformation Campaigns
Another way that these domains could be used is to spread disinformation about the Black Lives Matter advocacy in general. U.S. officials recently asked the National Intelligence Director to determine if foreign entities are using the Internet to take advantage of the country's social unrest by spreading disinformation. Based on historical behavior, some international actors have used the Black Lives Matter movement to spread discord via fake BLM social media accounts.
It may still be too early to say whether “Black Lives Matter” and related newly registered domains will result in a subsequent wave of scams and disinformation campaigns. Monitoring for telltale signs of phishing and fraud is nonetheless recommended.