|
When Facebook changed its parent company name to Meta in October 2021, we detected more than 5,500 newly registered domains (NRDs) a week after the announcement. In more recent news, a judge dismissed the company’s cybersquatting and trademark infringement case against Namecheap. Around 61 domains were transferred to Meta’s ownership. What does cybersquatting activity look like since then?
WhoisXML API researchers checked the Domain Name System (DNS) for domain registrations related to Facebook, Instagram, and WhatsApp, the subjects of the dismissed case. Among our findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Several domains had redacted WHOIS details, although we found some Gmail, Yahoo!, and Hotmail email addresses. As such, pinpointing the actors behind the domains can be challenging. Out of more than 1,000 typosquatting domains we ran on Bulk WHOIS Lookup, we found that 12 shared the same registrant email address as the legitimate Meta domains.
The top registrar used by the cybersquatting domains was GoDaddy, while only two were registered through Namecheap.
Using Bulk IP Geolocation Lookup, we found 1,043 resolutions, with 764 domains currently resolving to 537 IP addresses. Half of them were geolocated in the U.S., while the rest were spread across 36 other countries.
The situation is the same with the domains’ registrant countries. Only half of the domains were registered in the U.S., while the other half were registered in more than 40 countries.
According to the Screenshot Lookup results, several domains were parked, while some sold likes and followers. However, the domain names hosting login pages could be even more problematic as they could be used to steal user credentials. Below are a few examples.
Some domains hosted login pages that looked exactly like those belonging to the legitimate platforms.
Aside from the suspicious web pages found through the screenshot analysis, some domains have already been flagged as malicious by various malware engines. Most of these domains fell under new generic top-level domains (ngTLDs) led by .tk, .ml, .cf, and .ga.
Furthermore, several malicious properties contained text strings that could easily lure users to malicious pages, including “help,” “support,” “verify,” “secure,” and “business.” Quite a few also used the word “copyright” alongside “instagram.” Focusing on this string combination present in some malicious domains, we found an additional 2,409 domains added over time that could be suspicious.
Cybersquatting domains continue to expand the DNS threat landscape at a rapid pace. About 100 of those targeting Meta’s platforms have already been used to launch cyber attacks, barely a month after they were registered. Early detection of these domains can help reduce risks associated with phishing, impersonation, and other cyber attacks dependent on cybersquatting domains.
Furthermore, expanding threat analysis to include domains bearing the same text strings can help predict and block suspicious domains before they get weaponized.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign