NordVPN Promotion

Home / Industry

Under the Hood of 3M- and 3M Mask-Themed Recently Registered Domains

Protect your privacy:  Get NordVPN  [ Deal: 73% off 2-year plans + 3 extra months ]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

The rapid spread of COVID-19 had people scrambling to protect themselves. Among different means of protection, besides imposed community quarantines and social-distancing measures, it has been widely recommended to purchase reliable surgical masks and respirators. Mass demand for such products quickly led to a shortage in different parts of the world.

Considering this a business need, one may not be surprised to see many vendors trooping online to meet the growing demand for personal protective equipment (PPE). Big brands like 3M also stood up to the challenge to produce millions of face masks per month.

In parallel, we picked up an increasing number of 3M- and 3M mask-themed domain name registrations via our Typosquatting Data Feed. We decided to take a closer look at these recently registered domains to assess their possible nature and overall legitimacy.

What Do 3M and 3M Mask-Themed Recently Registered Domains Look Like?

Looking for domain names containing the exact brand name “3M” for various TLDs, we found 28 newly registered domains (NRDs) between October 2019 and April 2020, 11 of which emerged in March and April:

  • 3m[.]beer
  • 3m[.]help
  • 3m[.]marketing
  • 3m[.]capital
  • 3m[.]gmbh
  • 3m[.]group
  • 3m[.]sale
  • 3m[.]yoga
  • 3m[.]healthcare
  • 3m[.]compare
  • 3m[.]select

We also found 43 NRDs for the search term “3M mask.” Some of them are:

  • masksby3m[.]com
  • 3mn95masks[.]online
  • 3mmasksupply[.]com
  • 3mdmasks[.]com
  • 3m-n95masks[.]com
  • 3mkn95mask[.]com
  • 3mn95masksdirectshipping[.]com

We looked at these names using several of our domain intelligence tools and documented two instances of interest in the next sections.

A Recently Registered Domain with a Shady Past

Among the 3M-themed NRDs we found in the typosquatting data feeds was 3m[.]group. Note that the only change with 3M’s official website 3m[.]com was the TLD “.group” extension. In these dangerous times, one should be wary that such a domain name could be used to mislead legitimate 3M customers or suppliers to fraudulent sites.

A Threat Intelligence Platform (TIP) analysis indeed revealed that the said domain is suspected of ties to malicious activity.

Interestingly, we dug deeper and ran the domain on WHOIS History Search and found that 3m[.]group was first registered on 17 April 2017 by a company known as “Nexperian Holding Limited.” For more information on WHOIS history check this post.

A search on the World Intellectual Property Organization (WIPO) database for the organization name turned up connections to several typosquatting complaints lodged by well-known brands that include:

We then subjected the company name to a reverse WHOIS lookup and discovered that it is associated with thousands of other domains.

While we can’t be sure of the nature (malicious or non-malicious) of all these domains, we found that the organization has had ties to several fraudulent websites disguised as legitimate e-commerce sites. Reports reveal that these sites sold fake goods.

To date, 3m[.]group is even up for sale. Here’s what the site currently looks like, as obtained by Screenshot Lookup, which can be used to screen websites without having to access them in a browser.

An NRD Selling Masks to Healthcare Professionals

Many of the domain names in the above NRD list containing the term “3M mask” aren’t currently in use. 3mdmasks[.]com, however, currently hosts a site. A Screenshot Lookup preview shows this page:

While we have not seen evidence of the website’s dishonesty (it doesn’t appear on blacklists) at the time of writing, we did notice that its WHOIS record has been redacted. Its contact page didn’t contain any physical address either—a potentially questionable choice for a provider of medical equipment seeking to establish itself.

One may also question the owner’s choice of domain name “3mdmasks.” It could be deemed a cybersquatting entity for being confusingly similar to 3M’s registered trademark. The American corporation has been rather protective of its brand in the past, notably winning its case against 3N a couple of years back and receiving around US$500,000 in damages.


Recently registered domains, while not automatically malicious, are worth a decent amount of scrutiny. With that in mind, different types of cybersecurity organizations and enterprises in general can integrate Typosquatting Data Feed, Newly Registered & Just Expired Domains, and Screenshot Lookup into existing solutions and systems as additional sources of threat intelligence.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

NordVPN Promotion