People may not yet be keen on going to movie theaters due to COVID-19. As such, drive-in movie theaters have become more prominent as these help implement social distancing measures. In line with this, Walmart has announced that it is transforming 160 store parking lots into drive-in movie theaters.
Although the project won’t roll out until August, interest has peaked, with search terms such as “Walmart drive in locations” and “Walmart drive in movie locations” breaking out on Google. Specific searches for Walmart’s drive-in website (walmartdrive-in[.]com and walmart drive-in[.]com) also increased by 5000%.
Domainers and possible threat actors seemingly started to take advantage of the trend by registering lookalike domain names. We took a closer look, notably through a DNS records lookup.
We detected eight domain names inspired by Walmart’s drive-in theater announcement. They appeared on the Domain Name System (DNS) on 3 July, only two days after Walmart announced its plans. These are:
The eight potential typosquatting domains were bulk-registered and had the same WHOIS record. Note, though, that two of them had a different registrar. The registrant names and organizations of all domain names have been redacted for privacy, but their address “Chengdu, Sichuan, China” remained.
To get a better view of the domain names’ infrastructure, we used a DNS records lookup to see their IP address, nameserver, and mail server. We found that all of them use the same IP address and mail server. They also use either ns2[.]above[.]com or ns1[.]above[.]com as a nameserver.
The typosquatting domains’ infrastructure indicates that they use shared services. Running the nameservers on Reverse NS yielded hundreds of associated domain names.
The same held when we ran the mail server address park-mx[.]above[.]com on Reverse MX.
The potential typosquatting domains could have been registered for investment or malicious purposes (unless Walmart registered them). But based on their WHOIS records and DNS infrastructure, we find these typosquatting domain names suspicious for three reasons:
Hundreds of other domain names share the typosquatting domains’ IP address, 103[.]224[.]182[.]242, and this IP address was tagged “malicious” on VirusTotal. While this could mean that some of the associated domain names figured in nefarious activities in the past, the fact that the typosquatting domains we are investigating are connected to a suspicious IP address should already be a red flag.
While the registrant name and organization of walmart[.]com was not disclosed, its WHOIS records indicate an address in Bentonville, Arizona, where Walmart’s headquarters is located. Furthermore, the official domain name is associated with private nameservers based on this DNS records lookup’s results.
Lastly, Walmart provides several services—money transfer and bill payment, healthcare, gift registry, auto care, and auto buying services. And all of these are hosted within walmart[.]com. As such, the company is not likely to create a whole new website for its drive-in movie theaters.
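The WHOIS and DNS comparisons described above can be scripted for triage. The following Python code is an added example, not part of the original article: the domain names and the brand nameserver zone are constructed placeholders, while the IP address, nameservers, and mail server are the values reported above (refanged so they compare as plain strings).

```python
from collections import defaultdict

# Values reported in the article, refanged for string comparison.
FLAGGED_IPS = {"103.224.182.242"}  # tagged "malicious" on VirusTotal per the article
# Assumed brand baseline: registrant city from the article; the nameserver
# zone is a placeholder standing in for the brand's private nameservers.
BASELINE = {"city": "Bentonville", "ns_zone": "brand-ns.example"}

# Constructed records: domain names are placeholders, not the article's list.
RECORDS = {
    "lookalike-1.example": {"a": "103.224.182.242", "ns": "ns1.above.com",
                            "mx": "park-mx.above.com", "city": "Chengdu"},
    "lookalike-2.example": {"a": "103.224.182.242", "ns": "ns2.above.com",
                            "mx": "park-mx.above.com", "city": "Chengdu"},
    "promo.brand.example": {"a": "192.0.2.10", "ns": "a1.brand-ns.example",
                            "mx": "mx.brand-ns.example", "city": "Bentonville"},
}

def ns_zone(host):
    """Reduce ns1.above.com / ns2.above.com to the shared zone above.com.
    Simplification: keeps the last two labels, so it ignores suffixes like co.uk."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def clusters(records):
    """Group domains that share IP address, nameserver zone, and mail server."""
    groups = defaultdict(list)
    for domain, r in records.items():
        groups[(r["a"], ns_zone(r["ns"]), r["mx"].lower())].append(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def triage(rec, baseline=BASELINE, flagged=FLAGGED_IPS):
    """Return the WHOIS/DNS reasons for suspicion that apply to one record."""
    reasons = []
    if rec["a"] in flagged:
        reasons.append("resolves to flagged IP")
    if ns_zone(rec["ns"]) != baseline["ns_zone"]:
        reasons.append("nameserver outside brand's own zone")
    if rec["city"].lower() != baseline["city"].lower():
        reasons.append("registrant address differs from brand's")
    return reasons

if __name__ == "__main__":
    for key, members in clusters(RECORDS).items():
        print("shared infrastructure", key, "->", members)
    for domain, rec in RECORDS.items():
        print(domain, triage(rec) or "no findings")
```

In practice the records would come from a DNS and WHOIS lookup rather than an inline dictionary, and each finding is a lead for an analyst, not a verdict.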
Threat actors always search for newsworthy events that they can capitalize on. The growing interest surrounding Walmart’s drive-in movie theaters tells them that investing in domain name lookalikes could be lucrative.
A company as big as Walmart has a lot of things on its plate. Aside from staying afloat amid the ensuing pandemic, it should also keep pace with threat actors. Educating its consumers about the dangers of visiting typosquatting domains is one solution. Another could be enlisting the help of typosquatting protection and DNS records lookup tools so its infosec team can take immediate action.