George Floyd passing away while being arrested in Minneapolis, Minnesota, sparked several Black Lives Matter (BLM) protests worldwide. The protests started on 26 May, a day after Floyd’s death, spanning states and even countries within a few days.

The Domain Name System (DNS) also witnessed a rise in the number of related domain registrations worldwide. Our Typosquatting Data Feed started detecting newly registered domains (NRDs) that contained keywords including “protest,” “all lives matter,” and “BLM” beginning 1 June.

Emerging Trend: Domains Related to “All Lives Matter,” “BLM,” and “Protest”

From 1–11 June, a total of 138 new domain names that contain the keyword “protest” were registered. The registrations peaked on 3 June, when 43 domains became part of the DNS. Among the first ones registered were:

• georgefloydprotest[.]org
• georgefloydprotesters[.]com
• georgefloydprotester[.]com
• weprotestdifferent[.]info
• weprotestdifferent[.]org
• weprotestdifferent[.]net
• weprotestdifferent[.]com

Some domain names seemed to promote peaceful means of protests such as:

• peacefulprotesting[.]org
• peaceful-protesting[.]com
• peacefulprotesting[.]com
• prayerspraiseprotest[.]com
• prayerspraiseprotests[.]com
• praypraiseprotest[.]com
• prayerpraiseprotest[.]com
• praypraiseprotest[.]org
• prayerpraiseprotest[.]org
• prayerspraiseprotests[.]org
• prayerspraiseprotest[.]org
• Others, meanwhile, hint at trouble:
• protestsmayhem[.]com
• protestormayhem[.]com
• protestermayhem[.]com
• protestmayhem[.]com

The appearance of protest-themed domain names is unusual because no such domains were usually detected before 1 June. The same thing is true for domain names that appeared to be BLM- and All Lives Matter-inspired. Most did not appear in the DNS until 3 June. But by 11 June, 88 BLM-themed domains and 51 All Lives Matter-themed ones were seen.

The chart below shows the number of domain registrations that contain the keywords “protest,” “BLM,” and “all lives matter” within the 10-day period.

What These Domain Registrations Could Mean

While some real-life protesters espouse peaceful demonstrations, others were seen rioting and looting stores. We can’t help but expect something similar in the online realm. Some of the domains could be used to support legitimate agendas, but others are likely to figure in shady activities.

Since the movement is quite popular on social media, people should be wary about links to articles and donation portals online. Some of these could lead to malware infection while other pages may be there to execute various scams.

At present, threat actors are already riding on the Black Lives Matter movement to spread malware. An email asking people to vote about the issue has been circulating, although its purpose seems to be injecting malware into the voter’s computer.

Sending similar malicious emails using more believable domain names like those detected by the Typosquatting Data Feed could lure more people into voting and consequently downloading the malware.

Location-Based Domain Names

As the protests spread, we saw many location-based domains such as seattleprotests[.]com, too. It was registered together with similar domains that include:

• seattleprotest[.]com
• seattleprotests[.]org
• seattleprotest[.]org

More domains like these can be seen in the following days or weeks since protests are also being held in Canada, the U.K., Germany, and other countries. Again, caution should be taken when links to domains require users to divulge personal information or ask for donations.

We propose a two-step process to learn more about the domain names. These are:

1. Check the domain’s WHOIS record with the help of WHOIS Lookup. The Seattle protest domains, for instance, were all registered via a privacy-protected service in Canada. As such, we cannot clearly establish the registrant’s location in the U.S. and it might be a cause for concern.

   

2. See what the web page looks like using Screenshot API. The tool allows users to see the site’s content without having to visit it. The Seattle domains, in this case, were all under construction.

   

We have seen threat actors capitalize on the coronavirus pandemic to spread malware, obtain user credentials, and steal money from victims. The Black Lives Matter and All Lives Matter movements and related protests may also serve for these purposes. With the slew of NRDs riding on global and trending events, online users are advised to remain vigilant.