Pride month is celebrated worldwide. While it’s meant to be a time of celebration for members of the LGBTQ community and their families and supporters, its popularity has also made it a possible target of cyber threats. In this post, we look at potentially dangerous Internet properties that have been registered both recently and over the years.
A recent asset discovery search for domains and subdomains containing the string “pride month” provided a list of:
A bulk WHOIS lookup for these revealed that only two of the domains were publicly attributable (i.e., their registrants’ names appeared on their WHOIS records). That amounts to only 3% of the total number of domains and subdomains. In addition, four of the domains were newly registered.
Based on screenshot lookups, only 13 of the domains and subdomains resolved to live websites (excluding those that are parked and currently up for sale). One of these (i.e., pridemonth[.]club), however, could be considered suspicious since, rather than supporting the LGBTQ community, it appears to be a site for those who oppose it.
Fortunately for those who may be looking for reputable Pride Month-related websites, none of the domains and subdomains we subjected to Threat Intelligence Platform (TIP) malware database checks were flagged as “malicious.”
A domain and subdomain discovery search for names containing the string “lgbtq” provided a list of:
As the numbers show, there are far more websites whose names contain “lgbtq” compared with “pride month.”
A bulk WHOIS lookup for these revealed that only 308 (4%) had publicly identifiable registrants based on the email addresses in their WHOIS records. In addition, 22 of these were registered this year.
Screenshot lookups showed that it’s probably not a good idea to access at least three (i.e., lgbtq[.]ge, lgbtq[.]dk, and lgbtq[.]it) of the domains in public places or offices as they pointed to websites with adult content. Their owners may just be riding on the current popularity of the movement to get people to access their websites.
Malware database checks revealed that 45 of the domains and subdomains are flagged as “malicious” or “suspicious” by various threat intelligence sources, including Bambenek Consulting, VirusTotal, and Google Safe Browsing.
Reverse Domain Name System (DNS) checks for these malicious domains pointed to 25 unique connected IP addresses and 72 other unique connected domains and subdomains that may be worth blocking access to and from.
Looking at the domain registration volume for the strings “pride month” and “lgbtq” revealed an upward trend from 1992 to the present. (Note that 2021 is not yet over, so the number of domains for this year remains a partial figure.) Given this continued uptick in registrations, we are likely to see more Pride Month and LGBTQ-related websites over time. Most are likely to be safe to access, based on the analysis done for this post, but more may also pose risks to visitors.
Threat actors often ride on popular events and topics for their campaigns. Pride Month and the LGBTQ community are no exceptions, as evidenced by the presence of related malicious domains and subdomains. Any users interested in news and articles or joining connected organizations or donating to related causes must watch out for malicious web properties that can cause them to become victims of phishing or more sinister cyber attacks.
As the terms gain more popularity, the number of threats riding on them will likely increase too. Blocking access to the 45 confirmed domains and subdomains identified in this post, with the help of domain and IP intelligence sources, is the first step in the right direction: protecting users' personal or corporate data and networks.
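The triage described above (refanging the bracketed names, separating newly registered and privacy-protected registrations, and collecting the flagged names into a blocklist) as an added example; this is not the post's or WhoisXML API's code, and the sample records, the redaction markers and the 30-day "newly registered" window are assumptions of the example.

```python
# Added example (not the post's or WhoisXML API's code): triage of keyword-matched
# domains along the axes used above; records, markers and 30-day window are assumptions.
from datetime import date, timedelta

REDACTION_MARKERS = ("redacted", "privacy", "whoisguard", "proxy", "withheld")
NEW_WINDOW = timedelta(days=30)

def refang(indicator: str) -> str:
    """Turn a defanged name such as 'lgbtq[.]ge' back into a real hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()

def triage(records, today: date):
    """Classify WHOIS-style records (created date, registrant email, verdict)."""
    findings = []
    for rec in records:
        created = date.fromisoformat(rec["created"])
        email = rec.get("registrant_email", "").lower()
        findings.append({
            "domain": refang(rec["domain"]),
            # registered within NEW_WINDOW of the run date
            "newly_registered": today - created <= NEW_WINDOW,
            # registrant email present and not a privacy/proxy placeholder
            "publicly_attributable": bool(email)
                and not any(m in email for m in REDACTION_MARKERS),
            # flagged by a malware / threat-intelligence source
            "blocklisted": rec.get("malware_verdict") in ("malicious", "suspicious"),
        })
    return findings

def summarize(findings):
    """Headline counts like those in the post, plus the sorted list to block."""
    return {
        "total": len(findings),
        "newly_registered": sum(f["newly_registered"] for f in findings),
        "publicly_attributable": sum(f["publicly_attributable"] for f in findings),
        "block": sorted(f["domain"] for f in findings if f["blocklisted"]),
    }

# Constructed sample records on the reserved .example TLD (not real domains).
SAMPLE = [
    {"domain": "pridemonth-2021[.]example", "created": "2021-06-01",
     "registrant_email": "REDACTED FOR PRIVACY", "malware_verdict": "clean"},
    {"domain": "lgbtq-donate[.]example", "created": "2021-06-10",
     "registrant_email": "owner@lgbtq-donate.example", "malware_verdict": "suspicious"},
    {"domain": "lgbtq-news[.]example", "created": "2015-03-04",
     "registrant_email": "contact@whoisguard.example", "malware_verdict": "malicious"},
]

def run(today: date = date(2021, 6, 15)) -> dict:
    return summarize(triage(SAMPLE, today))
```

The `block` list is what you would feed to a DNS filter or firewall; the other counts mirror the attributable and newly registered figures the post reports.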
For more information on the intelligence gathered in this post or to run a joint security analysis, feel free to contact us.