
Threat Intelligence Feeds in the Fight against Insurance-Themed Cyber Attacks

Threat actors are seasoned posers. They often pose as bank employees, police officers, or court officials. A coronavirus-themed campaign even had them posing as the Director-General of the World Health Organization (WHO). Insurance companies are also increasingly targeted, which can be attributed to the ongoing global health crisis.

In one recent campaign, cybercriminals sent out Medicare spam emails that contained a fake invoice. The file attachment was labeled “Medicare,” and it carried Ursnif, a banking Trojan that steals victims’ sensitive information.

One way to lessen the risk of falling for similar attacks is to detect domains that imitate those of legitimate insurance programs and companies through cyber threat intelligence feeds. Here is an illustration.

Security Intelligence Feeds Detected Dozens of Medicare-Inspired Domain Names

The security intelligence feeds we used cover typosquatting domains and disposable email domains. We downloaded both feeds for the second week of September (7-13 September 2020) and found 101 domain names related to Medicare. Some examples are:

  • medicarenation[.]expert
  • medicaredentaladv[.]xyz
  • myaarpm3dicare[.]com
  • kmyaarpmedicare[.]com
  • medicarecopay[.]online
  • welmarkmedicare[.]com
  • my7aarpmedicare[.]com
  • myaarpmedkicare[.]com
  • myaar4pmedicare[.]com
  • myaarpmedicware[.]com
  • myaarpmedijcare[.]com
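
The kind of feed triage described above can be sketched as follows. This is an added example, not code from the article or from the feed provider: it flags feed entries that embed a monitored keyword, tolerating one typo for longer keywords. The keyword list, the one-edit budget and the last sample entry are assumptions made for illustration.

```python
# Added example, not the feed provider's code. KEYWORDS, the one-edit budget
# and the last SAMPLE_FEED entry are assumptions made for illustration.
KEYWORDS = ("medicare", "aarp", "copay")
FUZZY_MIN_LEN = 6  # shorter keywords must match exactly to limit false positives
SAMPLE_FEED = [  # defanged; all but the last entry are listed in the article
    "medicarenation[.]expert",
    "myaarpm3dicare[.]com",
    "myaarpmedkicare[.]com",
    "myaar4pmedicare[.]com",
    "medicarecopay[.]online",
    "medical-news[.]example",  # constructed benign near-miss
]


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(domain):
    return domain.strip().lower().replace("[.]", ".")


def keyword_hits(domain, keywords=KEYWORDS):
    """Map each keyword found in the name (TLD excluded) to its edit distance."""
    name = refang(domain).rsplit(".", 1)[0]
    hits = {}
    for kw in keywords:
        budget = 1 if len(kw) >= FUZZY_MIN_LEN else 0
        # Compare the keyword with every window of roughly its own length.
        dists = [
            edit_distance(name[s:s + w], kw)
            for w in range(len(kw) - budget, len(kw) + budget + 1)
            for s in range(len(name) - w + 1)
        ]
        if dists and min(dists) <= budget:
            hits[kw] = min(dists)
    return hits


def scan_feed(lines, keywords=KEYWORDS):
    """Return [(domain, hits)] for feed lines that contain a monitored keyword."""
    scanned = ((refang(line), keyword_hits(line, keywords)) for line in lines)
    return [(domain, hits) for domain, hits in scanned if hits]
```

A distance of 0 means the keyword appears verbatim and 1 means a single-character typo. Short keywords such as "aarp" are matched exactly only, so a variant like myaar4pmedicare[.]com is caught through "medicare" rather than "aarp".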

We identified three main targets of these typosquatting domains. They are briefly discussed below.

My Medicare Online Portal Users

Medicare beneficiaries can log in to MyMedicare[.]gov to access their records, check the status of filed claims, and find instructions on filing claims. The online portal also allows members to apply for Supplemental Insurance and other benefits.

A majority of the domains we found on the cyber threat intelligence feeds closely resemble the legitimate domain of the insurance program’s online portal. Phishing emails that contain a link to any of the typosquatting domains could easily fool Medicare beneficiaries into thinking that they are about to log in to their account. Note that, at the time of writing, most of these domains are parked or not resolving.

AARP Members

In the U.S., Medicare is typically for people who are 65 years old and older. However, there are instances when those below 65 can qualify so long as they are members of the American Association of Retired Persons (AARP).

The security intelligence feeds we downloaded contained several domains targeting members of both AARP and Medicare. Four domains pertain to AARP Medicare Supplement Plans and, should they become malicious, could trick AARP members who are looking into getting these insurance plans. These are:

  • aarpsupplementalhealthdocument[.]com
  • aarpsupplementalheathdocuments[.]com
  • aarpsuplementalhealthdocuments[.]com
  • arpsupplementalhealthdocuments[.]com

With more than 38 million members, AARP is a lucrative target for threat actors. Being able to plant a banking Trojan into the network of even a small percentage of AARP members could translate to a million-dollar gain.

Medicare Copay

In some cases, Medicare beneficiaries still need to pay for certain prescription drugs and medical services. This arrangement is called “copayment” or “copay,” which ranges from US$10 to over US$45, depending on the Medicare plan.

Copayment could still be confusing to some beneficiaries, especially in terms of the exact amount they have to take out of their own pockets, and the services and drugs that require copayment. Threat actors can take advantage of this situation as the threat intelligence feeds also picked up Medicare-themed domains that contain the word “copay,” such as:

  • medicarecopayer[.]online
  • medicarecopay[.]website
  • medicarecopay[.]site
  • medicarecopay[.]online

Other Insurance-Themed Domains

Aside from Medicare, we also saw typosquatting and disposable email domains that mimic those of popular insurance providers and agencies. Below are some of the insurance providers, along with the domains detected by the security intelligence feeds.

  • Cigna: cignainsurancecoversrehab[.]info
  • Avin & Avin Insurance Agency: avinsurance2018[.]top
  • USAA: gousaassistanceguide[.]com, myusaassistanceguide[.]com, and usaagents[.]com

Other malware is also spread through emails that supposedly come from insurance companies. Threat actors are likely to continue using this tactic, making early detection through cyber threat intelligence feeds important.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
