When Facebook changed its parent company name to Meta in October 2021, we detected more than 5,500 newly registered domains (NRDs) a week after the announcement. In more recent news, a judge dismissed the company’s cybersquatting and trademark infringement case against Namecheap. Around 61 domains were transferred to Meta’s ownership. What does cybersquatting activity look like since then?

WhoisXML API researchers checked the Domain Name System (DNS) for domain registrations related to Facebook, Instagram, and WhatsApp, the subjects of the dismissed case. Among our findings include:

• 1,100+ typosquatting domains targeting the three Meta applications were added since the case was dismissed on 25 April 2022
• 760+ domains currently resolve to 530+ unique IP addresses
• Close to 10% of these domains are already flagged as malicious as of 25 May 2022
• Some domains host suspicious login pages that could be fronts for credential theft
• 2,400+ domains bearing similar string combinations as some of the malicious domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Who Is Behind the NRDs?

Several domains had redacted WHOIS details, although we found some Gmail, Yahoo!, and Hotmail email addresses. As such, pinpointing the actors behind the domains can be challenging. Out of more than 1,000 typosquatting domains we ran on Bulk WHOIS Lookup, we found that 12 shared the same registrant email address as the legitimate Meta domains.

The top registrar used by the cybersquatting domains was GoDaddy, while only two were registered through Namecheap.

Where Are the Domains Resolving?

Using Bulk IP Geolocation Lookup, we found 1,043 resolutions, with 764 domains currently resolving to 537 IP addresses. Half of them were geolocated in the U.S., while the rest were spread across 36 other countries.

The situation is the same with the domains’ registrant countries. Only half of the domains were registered in the U.S., while the other half were registered in more than 40 countries.

What Type of Content Do the Domains Host?

According to the Screenshot Lookup results, several domains were parked, while some sold likes and followers. However, the domain names hosting login pages could be even more problematic as they could be used to steal user credentials. Below are a few examples.

Some domains hosted login pages that looked exactly like those belonging to the legitimate platforms.

Malicious Domains Found

Aside from the suspicious web pages found through the screenshot analysis, some domains have already been flagged as malicious by various malware engines. Most of these domains fell under new generic top-level domains (ngTLDs) led by .tk, .ml, .cf, and .ga.

Furthermore, several malicious properties contained text strings that could easily lure users to malicious pages, including “help,” “support,” “verify,” “secure,” and “business.” Quite a few also used the word “copyright” alongside “instagram.” Focusing on this string combination present in some malicious domains, we found an additional 2,409 domains added over time that could be suspicious.

Cybersquatting domains continue to expand the DNS threat landscape at a rapid pace. About 100 of those targeting Meta’s platforms have already been used to launch cyber attacks, barely a month after they were registered. Early detection of these domains can help reduce risks associated with phishing, impersonation, and other cyber attacks dependent on cybersquatting domains.

Furthermore, expanding threat analysis to include domains bearing the same text strings can help predict and block suspicious domains before they get weaponized.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.