The accidental leak of Volkswagen’s new name that turned out to be an April Fool’s prank made headlines. Some were relieved that it was just a marketing stunt, while others cried foul. But those in the field of cybersecurity became more curious. What did the cyber world look like during the supposed leakage until the announcement that it was a prank? In particular, we investigated the following in this post:

• Registration trend of domains related to Voltswagen from 29 March to 4 April 2021
• Bulk registration of domains associated with Voltswagen a week before and after the incident
• WHOIS registration details of the bulk-registered domains

Why did we look at the domain registration trend? While threat actors are known to weaponize both new and old domain names, they have also been noted to use newsworthy events to bait victims. We observed this during the onset of the pandemic, the aftermath of the U.S. election, the Sputnik Vaccine announcement, and many others.

Voltswagen-Related New Domain Registrations

The Newly Registered Domains Data Feed for the .com top-level domain (TLD) dated 29 March to 4 April 2021 returned 539 domains. We used the text string “voltw” as a search term. That way, we could also catch misspellings that could hint at typosquatting.

And indeed, some domains use misspelled variations of “Voltswagen,” such as lindsayvoltswagn[.]com and leaseavoltswagon[.]com.

No Voltswagen-related domain registrations were observed on the day of the supposed leak (29 March 2021). However, the domain registrations visibly increased a day after. It peaked on 1 April and spiralled down right after the incident was announced as a marketing prank.

Bulk Registration Trend

We also observed how the marketing campaign affected the Typosquatting Data Feed, which tracks bulk domain registrations. We downloaded the data feed for the weeks ending 28 March and 4 April 2021.

No Voltswagen-related domains were bulk-registered between 22 and 28 March 2021, while 338 domains containing the string “voltsw” were detected from 29 March to 4 April 2021.

The largest group of bulk-registered domains comprised 94 domain names, which included the use of “Volkswagen” sporting different TLDs and several misspellings. Below are some examples of the domain in the group.

• voltswsgen[.]store
• voltswagens[.]info
• voltswagon[.]xyz
• voltswagen[.]ist
• voltswagen[.]autos
• voltswagen[.]earth
• voltswagen[.]solutions
• volts-wagen[.]org
• voltswagen[.]wales
• voltswagons[.]us

Examining Domain Registration Records

We looked up the WHOIS records of the 338 bulk-registered domains and found that most are either redacted or anonymized. In particular, 81% of the domain owners redacted or privacy-protected their registrant organizations. The percentage is higher for registrant email addresses at 92%.

Redacted WHOIS details refer to information that a registrar or registry could have hidden after the Internet Corporation for Assigned Names and Numbers (ICANN) aligned its policy with the General Data Protection Regulation (GDPR).

On the other hand, anonymized WHOIS records are protected by privacy protection services, such as Domains By Proxy, LLC and Whois Privacy Protection Service, Inc.

Either way, such WHOIS data redaction is not consistent with the official Volkswagen domain names, such as volkswagen[.]com and vw[.]com. While the registrant email address of these domains is not disclosed, their registrant organization is publicly available through WHOIS lookups. The registrant organization is VW Group of America, which did not appear in the WHOIS records of any of the Voltswagen domains.

Newly registered domains (NRDs) that use terms related to newsworthy events are worth monitoring, especially now that domain ownership attribution is getting more challenging due to privacy protection.

Only less than 20% of the Voltswagen domains detected by the Typosquatting Data Feed made their registrant organizations public, none of which matches Volkswagen’s official domain records. The rest of the domains can’t be attributed to the company because their WHOIS records are hidden.

Interested in getting the complete list of domain names used in this piece? Feel free to contact us. We are open to working with cybersecurity researchers and investigators and recently launched the Typosquatting Community Feed, an apply-only feed reserved for the security community.