As the coronavirus infection toll continues to rise, many countries are scrambling to get their hands on medical-grade N95 face masks. A commodity that once only served a purpose in specialized sectors such as healthcare has become a premium product demanded by the public. Unfortunately, reliable sellers are not the only ones hoping to fill the void. We detected an increasing number of newly registered domains in our Typosquatting Data Feed files, and many of the registrants behind are likely to have dubious intentions.

Increased Interest in N95 Mask Sources Fuel New Domain Registrations

Since news of the pandemic hit the mainstream, the search for said respiratory protective equipment skyrocketed. Based on a Google Trends analysis, the interest in N95 face masks hit a high in early January 2020; around the same time we detected a rise in new domain registrations related to the coronavirus.

Apart from a rise in coronavirus-themed domains, we observed a similar trend for N95 mask-related domains starting in January 2020. While some of these newly registered domains (NRDs) may belong to legitimate vendors, others could be a means to gain visitors to fraudulent sites.

As early as January 29, we found potential typosquatting domains containing “n95,” “coronavirus,” and “mask,” such as coronavirusn95mask[.]com. Although it’s not surprising to see an increase in the number of N95-related domain registrations due to the high demand for the products amid a dwindling supply, not all of the sites that sell them should be considered trustworthy.

We observed commonalities in the bulk-registered domains as well:

1. Some feature calls to action to encourage buyers to visit them, such as:

• buyn95masks[.]com
• buyn95coronavirusmask[.]com
• getn95mask[.]com
• buykn95facemasks[.]net
• buykn95mask[.]net
• buyn95mask[.]co[.]uk
• getn95masks[.]net

2. A few used search terms that consumers would likely type into their browsers, such as:

• wheretobuyn95mask[.]net
• wheretobuyn95masksnearme[.]com
• howtogetn95masks[.]com

3. Several used more general and straightforward descriptions sporting different top-level domain (TLD) extensions, such as:

• affordablen95masks[.]biz
• affordablen95masks[.]info
• affordablen95masks[.]mobi
• affordablen95masks[.]net
• affordablen95masks[.]world
• kn-95mask[.]com
• kn-95mask[.]info
• kn-95mask[.]org
• kn-95masks[.]com
• kn-95masks[.]info
• kn-95masks[.]org

Note that there are other reasons to monitor bulk domain registrations besides cybersecurity.

Not All Domains Can Be Trusted

We already know that even an ongoing health crisis would not stop scammers from taking advantage. Apart from mimicking the domains of famous brands, cybercriminals also often jump on what’s most in-demand to further their illicit schemes. The need for personal protective equipment (PPE) like N95 masks is particularly ripe for the picking in that wearing them is supported by the Centers for Disease Control and Prevention (CDC) as a COVID-19 countermeasure.

We subjected several of the domains to Threat Intelligence Platform (TIP) queries. And true enough, a number were found to have associations with malware and phishing tactics, redirects, name server (NS) misconfigurations, and several Secure Sockets Layer (SSL) vulnerabilities.

Of the 772 new domain registrations that contain “N95,” “coronavirus,” and “masks,” users need to be especially wary of the following domains cited for connections to suspicious activities:

• coronan95masks[.]com
• coronavirusn95mask[.]com
• buyn95coronavirusmask[.]com
• 3plyn95allsurgicalequipments[.]com
• buyn95maskcoronavirus[.]com
• coronavirusn95facemask[.]com
• coronan95masks[.]store
• coronavirusn95facemasks[.]com
• coronavirusn95ppe[.]com
• n-95virusmask[.]com
• n-95facemasks[.]com
• coronavirusmasksn95s[.]com
• coronavirusn95facialmasks[.]com
• kn95coronavirus[.]com
• kn95forcoronavirus[.]com
• covid19kn95masks[.]com
• kn95maskcoronavirus[.]com
• kn95salecoronavirus[.]com
• kn95covid[.]com
• kn95covidmasks[.]com

While we can’t be sure how these sites explicitly carry out malicious schemes, it is best to be cautious. A lot of the domains may be at some point hosting fake e-commerce sites riding on the massive demand for N95 masks.

As the need for PPE, including N95 masks, is expected to continue in the coming days or months, cybersecurity experts should continue to take a proactive stance in filtering related domains that may be banking on consumer interest to lure in victims. Solutions like Typosquatting Data Feed and TIP can serve as additional sources of threat intelligence in these unprecedented times.