
Newly Registered Domains Database Shows Threat Actors Exploit the Need for N95 Masks amid the Pandem

As the coronavirus infection toll continues to rise, many countries are scrambling to get their hands on medical-grade N95 face masks. A commodity that once only served a purpose in specialized sectors such as healthcare has become a premium product demanded by the public. Unfortunately, reliable sellers are not the only ones hoping to fill the void. We detected an increasing number of newly registered domains in our Typosquatting Data Feed files, and many of the registrants behind them are likely to have dubious intentions.

Increased Interest in N95 Mask Sources Fuels New Domain Registrations

Since news of the pandemic hit the mainstream, the search for said respiratory protective equipment skyrocketed. Based on a Google Trends analysis, the interest in N95 face masks hit a high in early January 2020; around the same time we detected a rise in new domain registrations related to the coronavirus.

Apart from a rise in coronavirus-themed domains, we observed a similar trend for N95 mask-related domains starting in January 2020. While some of these newly registered domains (NRDs) may belong to legitimate vendors, others could be a means to gain visitors to fraudulent sites.

As early as January 29, we found potential typosquatting domains containing “n95,” “coronavirus,” and “mask,” such as coronavirusn95mask[.]com. Although it’s not surprising to see an increase in the number of N95-related domain registrations due to the high demand for the products amid a dwindling supply, not all of the sites that sell them should be considered trustworthy.

We observed commonalities in the bulk-registered domains as well:

1. Some feature calls to action to encourage buyers to visit them, such as:

  • buyn95masks[.]com
  • buyn95coronavirusmask[.]com
  • getn95mask[.]com
  • buykn95facemasks[.]net
  • buykn95mask[.]net
  • buyn95mask[.]co[.]uk
  • getn95masks[.]net

2. A few used search terms that consumers would likely type into their browsers, such as:

  • wheretobuyn95mask[.]net
  • wheretobuyn95masksnearme[.]com
  • howtogetn95masks[.]com

3. Several used more general and straightforward descriptions sporting different top-level domain (TLD) extensions, such as:

  • affordablen95masks[.]biz
  • affordablen95masks[.]info
  • affordablen95masks[.]mobi
  • affordablen95masks[.]net
  • affordablen95masks[.]world
  • kn-95mask[.]com
  • kn-95mask[.]info
  • kn-95mask[.]org
  • kn-95masks[.]com
  • kn-95masks[.]info
  • kn-95masks[.]org

Note that there are other reasons to monitor bulk domain registrations besides cybersecurity.
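
One way to screen a newly registered domain feed for the three commonalities listed above. This is an added example, not WhoisXML API's code or tooling. The sample feed reuses defanged names from this article plus two constructed unrelated names, the function names are hypothetical, and it assumes each feed entry is a registrable domain with no subdomain, so the first label is the registered name.

```python
import re
from collections import defaultdict

# Constructed sample feed: defanged names quoted in this article, plus two
# constructed unrelated names that must not be flagged.
SAMPLE_FEED = [
    "buyn95masks[.]com", "getn95mask[.]com", "buyn95mask[.]co[.]uk",
    "wheretobuyn95mask[.]net", "howtogetn95masks[.]com",
    "affordablen95masks[.]biz", "affordablen95masks[.]info",
    "affordablen95masks[.]net", "kn-95mask[.]com", "kn-95mask[.]org",
    "example-bakery[.]com", "maskedballtickets[.]example",
]

N95 = re.compile(r"n-?95")                   # matches n95, n-95, kn95, kn-95
SEARCH_PHRASES = ("wheretobuy", "howtoget")  # pattern 2: typed search terms
CALLS_TO_ACTION = ("buy", "get")             # pattern 1: calls to action

def refang(domain):
    """Turn a defanged feed entry (example[.]com) into a plain lowercase name."""
    return domain.strip().lower().replace("[.]", ".")

def classify(domain):
    """Return (name, suffix, tags) for an N95-themed domain, else None."""
    name, _, suffix = refang(domain).partition(".")
    if not N95.search(name):
        return None
    if name.startswith(SEARCH_PHRASES):
        return name, suffix, ["search-phrase"]
    if name.startswith(CALLS_TO_ACTION):
        return name, suffix, ["call-to-action"]
    return name, suffix, []

def triage(feed):
    """Group themed domains by registered name; flag names seen on 2+ TLDs."""
    suffixes, tags = defaultdict(set), {}
    for hit in filter(None, map(classify, feed)):
        name, suffix, name_tags = hit
        suffixes[name].add(suffix)
        tags[name] = name_tags
    return {
        name: {"tlds": sorted(found),
               "tags": tags[name] + (["multi-tld"] if len(found) > 1 else [])}
        for name, found in suffixes.items()
    }

if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE_FEED).items()):
        print(f"{name:24} {','.join(info['tlds']):16} {info['tags']}")
```

A match here is only a reason to look closer; as noted above, some of these registrations may belong to legitimate vendors.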

Not All Domains Can Be Trusted

We already know that even an ongoing health crisis would not stop scammers from taking advantage. Apart from mimicking the domains of famous brands, cybercriminals also often jump on what’s most in-demand to further their illicit schemes. The need for personal protective equipment (PPE) like N95 masks is particularly ripe for the picking in that wearing them is supported by the Centers for Disease Control and Prevention (CDC) as a COVID-19 countermeasure.

We subjected several of the domains to Threat Intelligence Platform (TIP) queries. And true enough, a number were found to have associations with malware and phishing tactics, redirects, name server (NS) misconfigurations, and several Secure Sockets Layer (SSL) vulnerabilities.

Of the 772 new domain registrations that contain “N95,” “coronavirus,” and “masks,” users need to be especially wary of the following domains cited for connections to suspicious activities:


While we can’t be sure how these sites explicitly carry out malicious schemes, it is best to be cautious. Many of the domains may at some point host fake e-commerce sites riding on the massive demand for N95 masks.

As the need for PPE, including N95 masks, is expected to continue in the coming days or months, cybersecurity experts should continue to take a proactive stance in filtering related domains that may be banking on consumer interest to lure in victims. Solutions like Typosquatting Data Feed and TIP can serve as additional sources of threat intelligence in these unprecedented times.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
