A bulk whois lookup of domain names similar to the official website of the Florida Statewide Medicaid Managed Care (SMMC) Program—www[.]flmedicaidmanagedcare[.]com—indicates that a typosquatting event, or a cybersquatting one at the very least, might be at play.

Typosquatting Data Feed detected 45 domain names registered in bulk on 21 June 2020. With more than 4 million program enrollees as of 31 May, such domain registration behavior may require investigation.

Florida SMMC Typosquatting Domains

Typosquatting Data Feed flags domain names that appear on the Domain Name System (DNS) the same day that similar ones do. As such, it can help detect bulk domain registration.

Below are the 45 potential typosquatting domain names found.

It is possible that the owner of the legitimate domain flmedicaidmanagedcare[.]com registered the lookalike domains as part of a typosquatting protection strategy. Hence, it may be helpful to compare the WHOIS record of the official domain with those of the lookalikes.

A Bulk WHOIS Lookup Shows Discrepancies with the Legitimate Domain

With the help of Bulk WHOIS Lookup, we looked at the lookalike domains’ ownership details and found that:

• The registrar of all the likely typosquatting domains is Alibaba Cloud Computing (Beijing) Co., Ltd.
• All of the registrants’ names, email addresses, and organizations were redacted for privacy.
• The registrant address of each domain is Jiangsu, China.

These details quite differ from the WHOIS registration details of flmedicaidmanagedcare[.]com. WHOIS Lookup revealed that the legitimate domain’s registrar is Wild West Domains, LLC. Its registrant details are not hidden. Its registrant organization, Automated Health Systems, located in Pennsylvania, U.S., is indicated as well.

Possible Reason for Bulk Registering Lookalike Domains

While Automated Health Systems may have registered the domains as part of its typosquatting protection strategy, we can’t discount the possibility that these could also be part of a typosquatting campaign. And so we dug deeper.

The Florida SMMC Program Online Portal

The Florida SMMC Program is an enhancement to the Florida Medicaid Program, which comprises three components:

• Florida Long-term Care Managed Care Program
• Florida Managed Medical Assistance Program
• Dental Program

Like the Florida Medicaid Program, it has an online portal where members can check their eligibility and enrollment status, enroll and update their medical plans, update their addresses, and request assistance. Members can log in using their username, email address, or phone number and nominated password.

The members’ online accounts contain their medical records and other sensitive data that may be worth a significant amount when sold on the Dark Web. Getting hold of the members’ usernames and passwords can also give threat actors access to the members’ other online accounts.

What is interesting about the bulk registration timing is that the Florida SMMC Program is (coincidentally or not) launching a new member portal on 13 July 2020.

The notification banner lets members know that a new portal is in the works. They do not have to do anything come 13 July, but they won’t realize this unless they click the link that says, “Click here to learn more.”

If cybercriminals indeed registered the 45 lookalike domains, several members could fall victim to phishing. Threat actors could send time-sensitive emails that say something along the lines of “Your SMMC online account has been disabled” or “Click here to activate your new SMMC online account.”

We cannot exclude that Automated Health Systems registered these Florida SMMC lookalike domains detected by Typosquatting Data Feed despite the differences in WHOIS registration details. If that is not the case, however, detecting typosquatting domains as early as possible is crucial, especially in the healthcare industry.