Hundreds of “George Floyd” and “Black Lives Matter” Domain Names Appear in the DNS (original) (raw)

Trending news and global events impact domain registration behaviors. We observed a slew of coronavirus-themed domain name registrations, for example, as early as January. George Floyd’s death, which sparked several Black Lives Matter movements, is no different.

Three days after George Floyd died, our data feed started detecting George Floyd-themed domain names. On 28 May, these included:

• georgefloyd[.]black
• georgefloyd[.]info
• georgepfloyd[.]com
• georgefloyd[.]net

The Data: Domain Names Connected to George Floyd and Black Lives Matter

Black Lives Matter is a global movement and is not new. However, in less than two weeks, there has been a trend in registered domain names inspired by George Floyd and Black Lives Matter. We retrieved all domain names that contain the strings “eorge,” and “lackliv” from 28 May to 7 June and found 402.

Newly detected domains containing string “eorge” or “lackliv” or either string

Examples of domain names that contain the string “lackliv” are:

• blacklivesmatter[.]site
• blacklivesmatter[.]directory
• blacklives-matter[.]com
• blacklives-matter[.]store
• blacklivesmatter[.]miami
• blacklivesmatter2[.]com
• blacktieforblacklives[.]org
• blacktie4blacklives[.]com
• blacktie4blacklives[.]org
• blacktieforblacklives[.]com
• makeblacklivesmatter2[.]com
• makeblacklivesmatter2[.]org
• makeblacklivesmatter2[.]info

Looking at the Domains’ WHOIS Details

We wanted to see the domain infrastructure of the domains. So we ran a bulk analysis of the 402 domain names. Here is what we found:

• Registrant name: All except seven domains used privacy protection services.
• Registrant organization: A total of 20 domain names didn’t hide their organization names. We saw two law offices and several nonprofit organizations.
• Registrant countries: About 55% or 221 of the domains had the U.S. as their registrant country. Canada and Panama came in second and third, with 56 and 34 registrations, respectively. Netherlands and China also tallied 11 and 5 domain names.

  Country	Number of Domain Name Registrations
  United States	232
  Canada	56
  Panama	34
  Netherlands	11
  China	5
  Australia	3
  Redacted for Privacy	3
  Spain	2
  Turkey	2
  Ukraine	2
  Algeria	1
  Brazil	1
  Cayman Islands	1
  Italy	1
  Lithuania	1
  Poland	1
  Singapore	1
  Switzerland	1

Possible Repercussions of the Surge in Typosquatting Domain Names

The themed domain name registration peaked on 5 June (so far) for the word strings above when a total of 69 new domains were seen. On the same day, Michael Jordan announced that he and the Jordan Brand were donating US$100 million to organizations dedicated to upholding racial equality.

It could be a coincidence, but it’s a known fact that typosquatting domains can be used in business email compromise (BEC) scams and phishing campaigns. Therefore, the following scenarios are not farfetched:

• Someone within organizations could receive an email from one of these domains, asking for donations, for example.
• A website using any of the typosquatting domains could ask for sensitive information under the guise of collecting signatures for the Black Lives Matter campaign.

A Glimpse into the Domains’ Contents

We ran some of these “George Floyd” and “Black Lives Matter” domains on a screenshot lookup tool. That way, we could see their contents without actually visiting them. Here are our findings:

• Some domains don’t have a web server: This could also mean that they no longer exist.
• Web pages are still under construction: Domains like georgefloyd[.]world and georgefloyd[.]buzz promise that their websites are coming soon.
  
• Some are parked domains: As expected, a lot of domains are also parked, including those that are for sale.
• Some domains redirect to other sites: An example is georgefloyd20[.]org, which redirects to The Gambia Times.
  
  Screenshot of the georgefloyd20.org website
• Some domains host blogs and e-commerce sites: There are also domains such as georgefloydd[.]com that sells “I Can’t Breathe” shirts. As with other e-commerce sites, it’s best to make sure that your credit card or bank details are safe when making purchases on these domains.

While some domains inspired by George Floyd and the Black Lives Matter movement are certainly used legitimately, we can’t discount the possibility that several could be used to take advantage of the situation. As such, these domains deserve our attention from a cybersecurity standpoint.