NordVPN Promotion

Home / Blogs

Hundreds of “George Floyd” and “Black Lives Matter” Domain Names Appear in the DNS

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]

Trending news and global events impact domain registration behaviors. We observed a slew of coronavirus-themed domain name registrations, for example, as early as January. George Floyd’s death, which sparked several Black Lives Matter movements, is no different.

Three days after George Floyd died, our data feed started detecting George Floyd-themed domain names. On 28 May, these included:

  • georgefloyd[.]black
  • georgefloyd[.]info
  • georgepfloyd[.]com
  • georgefloyd[.]net

The Data: Domain Names Connected to George Floyd and Black Lives Matter

Black Lives Matter is a global movement and is not new. However, in less than two weeks, there has been a trend in registered domain names inspired by George Floyd and Black Lives Matter. We retrieved all domain names that contain the strings “eorge,” and “lackliv” from 28 May to 7 June and found 402.

Newly detected domains containing string “eorge” or “lackliv” or either string

Examples of domain names that contain the string “lackliv” are:

  • blacklivesmatter[.]site
  • blacklivesmatter[.]directory
  • blacklives-matter[.]com
  • blacklives-matter[.]store
  • blacklivesmatter[.]miami
  • blacklivesmatter2[.]com
  • blacktieforblacklives[.]org
  • blacktie4blacklives[.]com
  • blacktie4blacklives[.]org
  • blacktieforblacklives[.]com
  • makeblacklivesmatter2[.]com
  • makeblacklivesmatter2[.]org
  • makeblacklivesmatter2[.]info
Looking at the Domains’ WHOIS Details

We wanted to see the domain infrastructure of the domains. So we ran a bulk analysis of the 402 domain names. Here is what we found:

  • Registrant name: All except seven domains used privacy protection services.
  • Registrant organization: A total of 20 domain names didn’t hide their organization names. We saw two law offices and several nonprofit organizations.
  • Registrant countries: About 55% or 221 of the domains had the U.S. as their registrant country. Canada and Panama came in second and third, with 56 and 34 registrations, respectively. Netherlands and China also tallied 11 and 5 domain names.
    CountryNumber of Domain Name Registrations
    United States232
    Canada56
    Panama34
    Netherlands11
    China5
    Australia3
    Redacted for Privacy3
    Spain2
    Turkey2
    Ukraine2
    Algeria1
    Brazil1
    Cayman Islands1
    Italy1
    Lithuania1
    Poland1
    Singapore1
    Switzerland1

Possible Repercussions of the Surge in Typosquatting Domain Names

The themed domain name registration peaked on 5 June (so far) for the word strings above when a total of 69 new domains were seen. On the same day, Michael Jordan announced that he and the Jordan Brand were donating US$100 million to organizations dedicated to upholding racial equality.

It could be a coincidence, but it’s a known fact that typosquatting domains can be used in business email compromise (BEC) scams and phishing campaigns. Therefore, the following scenarios are not farfetched:

  • Someone within organizations could receive an email from one of these domains, asking for donations, for example.
  • A website using any of the typosquatting domains could ask for sensitive information under the guise of collecting signatures for the Black Lives Matter campaign.

A Glimpse into the Domains’ Contents

We ran some of these “George Floyd” and “Black Lives Matter” domains on a screenshot lookup tool. That way, we could see their contents without actually visiting them. Here are our findings:

  • Some domains don’t have a web server: This could also mean that they no longer exist.
  • Web pages are still under construction: Domains like georgefloyd[.]world and georgefloyd[.]buzz promise that their websites are coming soon.
  • Some are parked domains: As expected, a lot of domains are also parked, including those that are for sale.
  • Some domains redirect to other sites: An example is georgefloyd20[.]org, which redirects to The Gambia Times.

    Screenshot of the georgefloyd20.org website
  • Some domains host blogs and e-commerce sites: There are also domains such as georgefloydd[.]com that sells “I Can’t Breathe” shirts. As with other e-commerce sites, it’s best to make sure that your credit card or bank details are safe when making purchases on these domains.

While some domains inspired by George Floyd and the Black Lives Matter movement are certainly used legitimately, we can’t discount the possibility that several could be used to take advantage of the situation. As such, these domains deserve our attention from a cybersecurity standpoint.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

NordVPN Promotion