Many countries celebrate Data Privacy Awareness Week every last week of January. Each year, the National Cyber Security Alliance (NCSA) makes it a point to remind users about the importance of keeping their digital data safe from all kinds of threat actors. In fact, they commemorated this year’s Data Privacy Awareness Week with various events.

Sadly, while organizations the world over constantly hope to give every Internet user a fighting chance against attackers, threat actors still find ways to poison pages supposedly touting support for data privacy protection.

We collated a list of domains and subdomains hosting data privacy-related content that could pose risks to visitors instead of protection must-dos. Using various threat intelligence sources, we found:

• More than 18,771 domains and subdomains containing the string combinations “data + privacy,” “data + protection,” and “protect + privacy,” 35 of which are deemed dangerous by various malware engines
• 2,402 domains had retrievable WHOIS records but only 86 were unredacted
• 1,949 unique IP address resolutions scattered across more than 50 countries, 61 of which were tagged “dangerous” by various malware engines
• 6,236 domains that share IP hosts with our initial list of domain names, 23 of which were dubbed “dangerous” by various malware engines

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

Dataset

We scoured the Web for domains and subdomains that contained three string combinations:

Our dataset totaled 6,974 domains and more than 11,979 subdomains. That amounts to almost 19,000 web properties.

Web Property Ownership

A bulk WHOIS lookup for the 6,974 domains revealed that:

• A total of 2,402 domains had current WHOIS records. Of these, only 86 had unredacted registrant email addresses.
• A majority of the nearly 90 domains with ownership information were owned by IT companies, followed by consulting companies and law offices. These findings are consistent with the kinds of users who may want to know more about data privacy—organizations that operate on the Internet and may need legal guidance for compliance purposes.

IP Address Resolution

A bulk IP geolocation lookup for the nearly 7,000 domains showed that:

• The domains resolved to 1,949 unique IP addresses.
• The IP addresses were scattered across 51 countries led by the U.S., Germany, and Canada.

• Reverse IP lookups, with results limited to five domains sharing each host, gave us a list of 6,236 connected domains. If any of them share a host with malicious web properties, avoiding them is recommended.

Malware Checks

A bulk malware check via the Threat Intelligence Platform (TIP) revealed:

• 30 malicious domains from our initial dataset
• Eight malicious subdomains from our initial dataset
• 61 malicious IP address resolutions, including:

  64[.]190[.]62[.]111
  192[.]0[.]78[.]24
  99[.]83[.]153[.]108
  185[.]199[.]110[.]153
  209[.]99[.]40[.]222

• 23 malicious connected domains (i.e., shared IP hosts with the initial set of domain names), including:

  03egrag[.]cn
  a2zkidsbooks[.]co[.]nz
  00i1[.]xyz
  0concordance952[.]ml
  0hoqrpq0agjr[.]ml

Ironically, almost 40 sites that hint to be created to spread data privacy awareness instead put visitors at risk of malware infection and data theft. Users would do well to avoid accessing them (listed in the table below).

You can get the complete list of malicious IP addresses and connected domains from the downloadable spreadsheet as well.

It’s clear that just because a website claims to be good (e.g., espousing data privacy awareness and/or protection), it isn’t necessarily. The dangerous web properties featured in this post prove that. Take note of them and avoid accessing them.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.