
Is Monkeypox Following COVID-19’s (Digital) Footsteps?


The public attention COVID-19 got was truly reflected in the Domain Name System (DNS). And Monkeypox seems to be following the trail the pandemic blazed, though to a smaller extent, as threat actors seem to be using it as the latest phishing lure. How has this new virus been affecting domain registration?

We took a closer look at the DNS space and found:

  • Two IP addresses that a domain identified as an indicator of compromise (IoC) resolved to
  • 600+ domains that shared the IoCs’ IP addresses, one of which was found to be malicious
  • 700+ domains containing the text string “monkeypox” registered between 1 January and 31 July 2022, a couple of which were dubbed “malware hosts”
  • 70+ subdomains containing the text string “monkeypox” registered from 1 January to 31 July 2022

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Monkeypox in the News

Monkeypox made headlines in the U.S. when the Centers for Disease Control and Prevention (CDC) first received infection reports in May this year. To date, the CDC has 7,510 reported cases.

Given the rising volume of infections worldwide (30,189 cases at present), the World Health Organization (WHO) declared monkeypox a public health emergency on 23 July 2022.

Monkeypox may not just affect more people’s health, it could also go viral online and present digital risks.

Is Monkeypox presenting digital risks?

Monkeypox is seemingly following COVID-19’s digital footsteps in that it’s impacting the DNS, albeit at a smaller scale. The virus has been used as a phishing lure in at least one campaign with a single domain (rawshan[.]com) identified as an indicator of compromise (IoC).

A WHOIS lookup revealed that it’s a pretty old domain, created way back in November 2003—possibly hinting at a tactic to evade automatic blocking for being a newly registered domain (NRD).

A DNS lookup showed it resolved to two unique IP addresses—172[.]67[.]134[.]10 and 104[.]21[.]5[.]242. While they aren’t malicious, they are shared hosts. At least 600 domains shared them, in fact. One of the web properties—almandoz-tobago[.]com—was deemed “malicious” by a bulk Threat Intelligence Platform (TIP) malware check.

To see if monkeypox is gaining traction in terms of domain registration, we used “monkeypox” as a Domains & Subdomains Discovery search term. That unveiled 728 domains and 75 subdomains, six of which were deemed “malicious.” These are:

  • 4monkeypox[.]com
  • monkeypoxmap[.]xyz
  • themonkeypoxvaccine[.]org
  • monkeypoxvaccination[.]org
  • bookyourmonkeypoxtest[.]com
  • monkeypoxcovid-19lies[.]com

A closer scrutiny of the web properties allowed us to map the domain and subdomain registration trends.

The domain and subdomain registration volumes peaked in May 2022, the same month the first case was reported to the CDC. We’ve often said that registration trends follow current events, and this case proves just that.

Given the increasing number of monkeypox infections in the U.S., it’s quite normal for people to go online for information on the virus itself, testing, and cures. That was reflected in the data as well: most of the “monkeypox”-containing domains and subdomains also carried other strings, led by “test,” “virus,” and “info.”

A lot of the web properties we found are currently up for sale, which phishers might find enticing as hosts for fake monkeypox-related sites.


While only a few of the additional artifacts we found are considered malicious so far, a few of them could be compromised to serve as malware hosts. Organizations looking to ward off potential phishing campaigns should at the very least monitor potentially related artifacts and block access to the malicious ones.
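The investigation above follows a repeatable pattern: flag domains carrying the lure keyword, check whether each is an aged domain or a newly registered one, pivot from the IoC’s IP addresses to every domain co-hosted on them, bucket registrations by month to spot the peak, and split the result into a block list and a watch list. The script below is an added example (not WhoisXML API’s code or tooling) that runs that triage offline over constructed sample records; the domain names, dates and IP addresses in it are placeholders drawn from documentation ranges, not the artifacts from the article.

```python
"""Offline triage of keyword-bearing domains, mirroring the steps of the
investigation above. Example code, not WhoisXML API's; all records below are
constructed sample data (RFC 5737 documentation IPs, placeholder domains)."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (domain, WHOIS creation date, resolved IPs).
SAMPLE_RECORDS = [
    ("monkeypox-test-example.com", date(2022, 5, 21), ["192.0.2.10", "192.0.2.11"]),
    ("monkeypoxinfo-example.org", date(2022, 5, 3), ["192.0.2.10"]),
    ("monkeypoxvirus-example.net", date(2022, 6, 14), ["198.51.100.7"]),
    ("old-lure-example.com", date(2003, 11, 2), ["192.0.2.10", "192.0.2.11"]),
    ("unrelated-example.com", date(2021, 1, 9), ["203.0.113.5"]),
]

KEYWORD = "monkeypox"
ACCOMPANYING_STRINGS = ("test", "virus", "info")
NRD_WINDOW_DAYS = 30                 # assumed "newly registered" cutoff
ANALYSIS_DATE = date(2022, 7, 31)    # end of the study window in the article


def keyword_domains(records, keyword=KEYWORD):
    """Domains whose name contains the lure keyword (case-insensitive)."""
    return [d for d, _, _ in records if keyword in d.lower()]


def accompanying_string_counts(domains, strings=ACCOMPANYING_STRINGS):
    """Count which extra strings (test/virus/info) appear beside the keyword."""
    counts = Counter()
    for d in domains:
        label = d.lower().split(".")[0]          # registrable label only
        for s in strings:
            if s in label:
                counts[s] += 1
    return counts


def domain_age_days(created, as_of=ANALYSIS_DATE):
    """Age in days; an aged domain may sidestep NRD-based blocking."""
    return (as_of - created).days


def is_newly_registered(created, as_of=ANALYSIS_DATE, window=NRD_WINDOW_DAYS):
    return domain_age_days(created, as_of) <= window


def shared_hosts(records):
    """Reverse-IP view: every IP that more than one domain resolves to."""
    by_ip = defaultdict(set)
    for d, _, ips in records:
        for ip in ips:
            by_ip[ip].add(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def co_hosted_with(records, ioc_domain):
    """Domains sharing at least one IP address with the IoC domain."""
    ioc_ips = set()
    for d, _, ips in records:
        if d == ioc_domain:
            ioc_ips.update(ips)
    return sorted(d for d, _, ips in records
                  if d != ioc_domain and ioc_ips & set(ips))


def registrations_by_month(records, keyword=KEYWORD,
                           start=date(2022, 1, 1), end=ANALYSIS_DATE):
    """Monthly registration counts for keyword domains inside the window."""
    counts = Counter()
    for d, created, _ in records:
        if keyword in d.lower() and start <= created <= end:
            counts[created.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def peak_month(records, **kwargs):
    counts = registrations_by_month(records, **kwargs)
    return max(counts, key=counts.get) if counts else None


def triage(records, ioc_domain, known_malicious=()):
    """Block list: IoC plus domains already deemed malicious.
    Watch list: keyword-bearing or co-hosted domains not (yet) deemed malicious."""
    block = set(known_malicious) | {ioc_domain}
    related = set(keyword_domains(records)) | set(co_hosted_with(records, ioc_domain))
    return {"block": sorted(block), "watch": sorted(related - block)}


if __name__ == "__main__":
    ioc = "old-lure-example.com"  # placeholder IoC, not the article's domain
    print("keyword domains:", keyword_domains(SAMPLE_RECORDS))
    print("accompanying strings:", accompanying_string_counts(keyword_domains(SAMPLE_RECORDS)))
    print("IoC age (days):", domain_age_days(date(2003, 11, 2)))
    print("shared hosts:", shared_hosts(SAMPLE_RECORDS))
    print("co-hosted with IoC:", co_hosted_with(SAMPLE_RECORDS, ioc))
    print("registrations by month:", registrations_by_month(SAMPLE_RECORDS))
    print("peak month:", peak_month(SAMPLE_RECORDS))
    print(triage(SAMPLE_RECORDS, ioc, known_malicious=["monkeypoxvirus-example.net"]))
```

In practice the record list would be fed from WHOIS, DNS and reverse-IP lookups rather than typed in, and the watch list would be re-run as new registrations land, since the article’s point is that most keyword domains were not malicious at the time of writing but could be turned into malware hosts later.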

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
