Tuesday, 31 January 2023

Four new case studies of domain registration activity spikes driven by real-world events

Introduction

A variety of previous studies have demonstrated how real-world events can trigger subsequent spikes in domain registrations and infringement activity. Previous CSC articles and reports have focused on issues as diverse as the COVID pandemic[1], the war in Ukraine[2], supply-chain issues affecting the baby-milk and semiconductor industries[3], the Euro 2020 competition[4], the Black Friday and Cyber Monday holiday shopping events[5], and the Reddit stock manipulation campaign targeting the GameStop organisation[6].

When a high-impact event or news story takes place, there is typically a resulting burst of public interest and online searches for associated content, and bad actors can take advantage of this 'buzz' for their own gain. There are a number of ways in which this can be implemented, including: the production of content (which can include areas such as the sale of goods via e-commerce sites) relating to the issue at hand; misdirection of users to infringing, unofficial or potentially malicious websites; phishing activity utilising branded domain names to host fraudulent websites or for their e-mail functionality; or monetisation of dormant high-traffic domains through the emplacement of pay-per-click (PPC) links. In some cases, potentially desirable names may also be seized with the intention of subsequent sale to the infringed brand owner (i.e. cybersquatting) or any other interested party. 

In this article, I look at four recent events or news stories, and focus on the manifestation of associated spikes in potential infringements, by considering patterns in domain registration activity. The analysis includes consideration of new registrations ('N'), re-registrations ('R') and domain drops (lapses) ('D').

Findings

Study 1: Changes of UK Prime Minister (Summer 2022)

Summer 2022 was a time of rapid political change in the UK, resulting in two changes of Prime Minister. The associated analysis considers registration activity of domains containing the names of the three leaders, specifically: (i) 'liz' plus 'truss'; (ii) 'rishi' plus 'sunak'; and (iii) 'borisjohnson' (or typos / variations). The findings are shown in Figure 1, where peaks in registration activity can be seen to correspond to associated key news events.

Figure 1: Daily numbers of new registrations ('N') and re-registrations ('R') combined, and dropped ('D') domains, with names relating to the three 2022 UK Prime Ministers (Boris Johnson (top), Liz Truss (middle), Rishi Sunak (bottom)). Key events in the news timeline[7,8] are denoted according to the key shown below.

A: Boris Johnson announces resignation (07-Jul-2022)
B: Liz Truss enters leadership contest (10-Jul-2022)
C: Rishi Sunak frontrunner in leadership contest following second round of voting (13-Jul-2022)
D: Liz Truss confirmed as new Conservative leader and PM following party-member vote (05-Sep-2022)
E: Boris Johnson tenders resignation (06-Sep-2022)
F: Liz Truss faces political rebellion following economic turmoil (04-Oct-2022)
G: Liz Truss announces resignation following appointment of new Chancellor and reversal of 'mini-budget' policies (20-Oct-2022)
H: Rishi Sunak confirmed as new Conservative leader and PM (24-Oct-2022)

In this case, many of the registrations were associated with websites featuring satirical or commentary-related content (Figure 2), though some were of greater concern (misdirection to third-party content or potential phishing activity) (Figure 3). In general, political content can also be of particular concern in cases where it is found to be associated with the spread of misinformation, or be attempting to manipulate voting patterns[9].

Figure 2: Examples of satirical websites identified in the registration dataset - second-level domain names (SLDs) (i.e. the part of the domain name to the left of the dot) are: borisjonson (registered 07-Sep-2022) (top); liztrussgame (registered 23-Oct-2022) (middle); hasrishisunakresignedyet (registered 15-Oct-2022) (bottom)

Figure 3: Examples of other websites identified in the registration dataset - SLDs are: trussliz and wetruzzliz (but displaying content relating to the UK opposition party) (registered 02-Jun-2022) (top); rishisunakforpm (registered 25-Oct-2022) (bottom)

Study 2: FIFA World Cup Qatar 2022

In this study, I consider domain registration activity relating to the 2022 FIFA World Cup competition which took place in Qatar between 20-Nov and 18-Dec 2022. The initial searches focused on all domains containing the keywords 'qatar' or 'world(-)cup', for which over 10,000 registration activity events were identified (comprising 8,690 unique domain names) during a one-year analysis period from December 2021 to December 2022. Continuous activity was identified throughout the year, though unsurprisingly with a ramp-up in new registrations towards the time of the event itself (Figure 4).

Figure 4: Daily (top) and monthly (bottom) numbers of new registrations ('N'), re-registrations ('R'), and dropped ('D') domains with names containing 'qatar' or 'world(-)cup'

In order to take a deeper dive into the highest-relevance domain names, I then focus on searches utilising keywords indicating that the domains under consideration are likely to pertain specifically to the event, rather than just referencing the more generic terms 'Qatar' or 'World Cup'. Specifically, this considers domains with names containing:

  • 'world(-)cup' AND 'qatar'

        OR

  • ['world(-)cup' OR 'qatar'] AND ['football' OR 'futbol' OR 'soccer' OR '2022' OR 'fi(-)fa']

The methodology also considers only those domains which were still active as of the time of analysis (02-Dec-2022) (i.e. those for which the most recent activity event was not a domain drop ('D')). 

This focused analysis yields a dataset of 977 domains, for which the pattern of registration activity (considering only the most recent activity event for each unique domain name) is shown in Figure 5.
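The high-relevance filter described above (optional hyphen in 'world(-)cup' and 'fi(-)fa', the two keyword rules, and the exclusion of domains whose most recent event is a drop) is implemented below as an added illustration; this is not CSC's own tooling, and the activity events are constructed sample records, not data from the article.

```python
import re
from collections import Counter

# Constructed sample activity events: (date, domain, event type).
# Event types follow the article's convention: N = new registration,
# R = re-registration, D = drop. None of these records come from the article.
EVENTS = [
    ("2022-04-02", "qatar-2022-i1.xyz", "N"),
    ("2022-04-03", "worldcup2022-jab1.buzz", "N"),
    ("2022-06-01", "qatarairways-offers.com", "N"),   # 'qatar' only: generic
    ("2022-06-05", "world-cup-tickets.net", "N"),     # 'world-cup' only: generic
    ("2022-10-15", "fifaworldcup-qatar.net", "N"),
    ("2022-10-16", "fifaworldcup-qatar.net", "D"),    # dropped: excluded
    ("2022-11-01", "qatar-worldcup.com", "R"),
    ("2022-11-18", "worldcuplivefifa.com", "N"),
    ("2022-11-18", "qatarfootballcup.com", "N"),
]

# '(-)' in the article's keyword notation means an optional hyphen.
WORLD_CUP = re.compile(r"world-?cup")
QATAR = re.compile(r"qatar")
QUALIFIER = re.compile(r"football|futbol|soccer|2022|fi-?fa")


def is_high_relevance(domain: str) -> bool:
    """Rule 1: 'world(-)cup' AND 'qatar'.
    Rule 2: ('world(-)cup' OR 'qatar') AND one of the event-specific qualifiers."""
    name = domain.lower()
    wc, qa = bool(WORLD_CUP.search(name)), bool(QATAR.search(name))
    if wc and qa:
        return True
    return (wc or qa) and bool(QUALIFIER.search(name))


def latest_events(events):
    """Keep only the most recent activity event for each unique domain name."""
    latest = {}
    for day, domain, kind in sorted(events, key=lambda e: (e[0], e[1])):
        latest[domain] = (day, kind)  # ascending date order, so the last one wins
    return latest


def focused_dataset(events):
    """High-relevance domains that were still active, i.e. whose latest event is not a drop."""
    return {domain: (day, kind)
            for domain, (day, kind) in latest_events(events).items()
            if is_high_relevance(domain) and kind != "D"}


def daily_registration_counts(events):
    """Daily N and R counts combined, one event per domain (the basis of a Figure 5-style plot)."""
    counts = Counter(day for day, _ in focused_dataset(events).values())
    return dict(counts)
```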

Figure 5: Daily (top) and monthly (bottom) numbers of new registrations ('N') and re-registrations ('R') combined, for high-relevance domain names relating to the Qatar World Cup (considering the most recent activity event for each unique domain name)

In this more focused dataset, the overall activity pattern is broadly similar, though an additional peak in registrations is also apparent in early April 2022. This relates to what appears to be one or two specific, short-lived, coordinated registration campaigns of domains with names of the form 'qatar-2022-iX.xyz' and 'worldcup2022-jYYX.buzz' (where 'X' is an additional digit and 'Y' is an additional character). Although none of these domains was found to resolve to any live site at the time of analysis, the .xyz and .buzz new-gTLD domain extensions have been noted as previously being frequently associated with malicious or infringing content[10,11].

Of the 977 high-relevance domains overall, 633 were found to yield an active website response (i.e. an HTTP status code of 200) at the time of analysis. Within this set, a range of (where non-official) potentially infringing or high-threat content types were observed (Figure 6).

Figure 6: Examples of live websites relating to the Qatar World Cup, representing a range of content types of potential concern (with the SLD shown in each case in square brackets) - top to bottom: potential phishing [qatar2022]; piracy [worldcuplivefifa]; gambling [worldcupbet]; ticket sales [qatar-worldcup]; other e-commerce [qatarfootballcup]; cryptocurrency-related [qatarfifaworldcup]; NFT-related [worldcupnft2022]

Study 3: New Year 2023

The new year can be a prime time for brand owners to launch new products, campaigns and marketing activity, and one way in which this can be promoted in a topical fashion is through the registration of new domains making explicit reference to the year. However, similar tactics can also be employed by bad actors, through the registration of desirable domain names. In some cases, these domains may be registered well in advance of the start of the new year itself, as a way of 'getting ahead of the curve'. Accordingly, this study considers activity associated with the registration of domains with names beginning or ending with the string '2023' (i.e. 'left- or right-matches') throughout the calendar year 2022.

Over the course of 2022, 6,730 domain activity events (representing 6,458 unique domain names) were identified for '2023-specific' domains, as shown in Figure 7. 

Figure 7: Daily (top) and monthly (bottom) numbers of new registrations ('N'), re-registrations ('R') and dropped ('D') domains with names beginning or ending with '2023'

Figure 8 shows the growth across 2022 of the cumulative total number of registered domains with names beginning or ending with '2023'.

Figure 8: Daily cumulative total number of registered domains with names beginning or ending with '2023'

Unsurprisingly, the greatest levels of activity (dominated by new registrations) occurred during the latter parts of 2022 (particularly in December), but it is significant that registrations were taking place throughout the year, with a continual growth in the number of registered '2023' domains. It is also worth noting that there were already 2,380 such domains registered at the start of 2022 (compared with 7,524 at the end).

Considering the unique domains represented in the 2022 activity dataset, a range of TLDs (domain extensions) were represented (Figure 9), including significant numbers of new-gTLDs, many of which are of concern due to the previously-noted frequency of their association with infringing activity[12].

Figure 9: Top TLDs amongst the unique '2023' domains represented in the 2022 activity dataset

Significant numbers of these domains were found to be associated with potentially infringing websites, including several with names including top brand names (Figure 10). 

Figure 10: Examples of potentially infringing websites with domain names including references to both '2023' and a brand name from the Interbrand top 20 list of 'best global brands'[13] (SLDs shown in square brackets): (top) potentially fraudulent cryptocurrency-related site [2023-tesla] (registered 27-Dec-2022); (bottom) traffic misdirection / re-direction to a site offering potentially unauthorised or unofficial informational content [2023bmw] and [2023-toyota] (both registered 07-Oct-2022)

A variety of other sites of potential concern were also identified in the dataset, including a range of examples where no brand name was present in the domain name itself. Some of these were, however, found to feature website content which appears to be infringing against specific brands (Figure 11).

Figure 11: Examples of websites offering the sale of potentially counterfeit products and with domain names including a reference to '2023' (SLDs are replicascamisetanba2023 and 2023freerunshoesshop)

Many of the domain names incorporate popular keywords, in apparent attempts to attract traffic in response to common web searches. These included examples such as 'nft' (present in 7 domains) and 'blackfriday' (present in 5 examples, despite Black Friday 2023 being 11 months away). Significantly, 'covid' and 'corona' both appeared in only one example each, perhaps indicating that the online buzz associated with the pandemic is subsiding. The dataset also included some more surprising examples, such as 'keto' (present in 522 domains in the dataset, in addition to several others featuring misspellings such as 'keeto'), perhaps reflective of the continuing popularity of keto diets. Many of these 'keto' domains appear to be part of one or more coordinated registration campaigns, with large numbers of examples with SLDs beginning '2023keto' followed by strings of random characters, across new-gTLDs such as .cyou, .click and .buzz. Even amongst groups of such domains registered on the same day and TLD, a range of content types were observed, including nutrition-related sites, sites advertising a business promotion service provider, and even adult content.

Study 4: Southwest Airlines’ logistics crisis

In December 2022, US air operator Southwest Airlines experienced a 'travel meltdown' in which a series of logistical failures resulted in the cancellation of more than 16,000 flights between 21-Dec and 31-Dec, resulting in tens of thousands of customer refund claims per day, and overall losses to the organisation of between $725 million and $825 million[14].

In this case, I considered domains with names containing 'southwest' (or variants), over a one-month period between 12-Dec-2022 and 11-Jan-2023, to determine whether the story generated activity in response to the increased interest in the company and the desire by customers to claim refunds.

Overall, 708 domain activity events, representing 674 unique domain names, were identified during the monitoring period, including a general spike in overall registration activity around the 11-day period in which the incident took place (Figure 12).

Figure 12: Daily numbers of new registrations ('N'), re-registrations ('R') and dropped ('D') domains with names containing 'southwest' (or variants)

Since the term 'southwest' is relatively generic, I then focused on the subset of ('high-relevance') domains which appear to relate specifically to Southwest Airlines and the associated events of the story. This was done by considering those domain names which also feature relevant keywords (such as 'air' (but excluding false positives such as 'repairs', 'fairs', etc.), 'aviation', 'aerospace', 'bookings', 'claim' or 'classaction'), or where the domain name itself is a misspelling of Southwest's official website (southwest.com). This yielded a dataset of 46 domain activity events, comprising 43 unique domain names. Within this reduced dataset, the spike in activity around the time of interest can be seen to be much more pronounced (Figure 13).

Figure 13: Daily numbers of new registrations ('N') and re-registrations ('R') combined, and drops ('D'), for high-relevance domains with names containing 'southwest' (or variants)

Of the 36 registration or re-registration events within the dataset of high-relevance domains, 30 (83%) occurred in the four-day period between 27-Dec and 31-Dec.

Of the 43 unique high-relevance domain names in total, 10 were inactive as of the date of analysis (12-Jan-2023). Of the remainder, 27 (68% of the total) resolved to parking pages featuring pay-per-click (PPC) links, indicating an effort by the site owners to monetise the traffic received by the sites. One domain resolved to a site which may be associated with a recruitment scam (Figure 14), one re-directed to the website of a legal-service provider (apparently abusing the Southwest brand name in order to attempt to take advantage of the potential customer desire to take legal action against the company), and one generated a browser warning indicating that dangerous content was formerly present, in addition to other content types.

Figure 14: Example of a website associated with a possible recruitment scam, hosted on a high-relevance, brand-specific domain name

Four (9%) of the high-relevance domain names are configured with MX records, indicating the ability to send and receive e-mails, and suggesting that the domains may be associated with phishing or brand-impersonation activity.

Within the dataset, two instances of domain 'tasting'[15] were identified, comprising domains (with SLDs of southwest-air-line and southwest-bookings) being registered and then dropped the following day, and possibly indicating efforts by the owners to determine the levels of traffic received by the sites, or to launch short-lived (and thereby difficult to detect) phishing attacks.

31 of the high-relevance domains had registration (whois) information available, all of which used privacy-protection providers or had redacted contact information, possibly indicating efforts by the owners to maintain anonymity and potentially nefarious intentions.

Additionally, several individual 'clusters' of domains, potentially representing coordinated registration campaigns by specific entities, were identified. These included:

  • One group of 12 domains all registered on 28-Dec-2022, comprising misspellings of 'southwest.com' and hosted on a group of four consecutive IP addresses
  • One group of five domains all registered on 30-Dec or 31-Dec and all hosted at the same IP address, with names comprising references to 'southwestairlinesclassaction' (or variants)
  • One group of eight domains all registered on 29-Dec or 30-Dec and all hosted at the same IP address

All of the above domains resolved to parking pages featuring PPC links at the time of analysis.
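Two of the signals used in this study, domain 'tasting' (a registration followed by a drop the next day) and clusters of registrations sharing a registration date and hosting, can be picked out of an activity feed automatically. The code below is an added illustration rather than CSC's own analysis; the events and hosting records are constructed (using documentation-range IP addresses), and grouping by /24 block is my simplification of the 'same or consecutive IP addresses' observation in the text.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed activity events: (date, domain, type), N/R/D as in the article.
EVENTS = [
    (date(2022, 12, 28), "southwest-air-line.com", "N"),
    (date(2022, 12, 29), "southwest-air-line.com", "D"),   # tasting: dropped next day
    (date(2022, 12, 30), "southwest-bookings.com", "N"),
    (date(2022, 12, 31), "southwest-bookings.com", "D"),   # tasting: dropped next day
    (date(2022, 12, 28), "southwets.com", "N"),
    (date(2022, 12, 28), "soutwest.com", "N"),
    (date(2022, 12, 28), "southwestt.com", "N"),
    (date(2022, 12, 30), "southwestairlinesclassaction.com", "N"),
    (date(2022, 12, 31), "southwestairlinesclassaction.net", "N"),
    (date(2022, 12, 31), "southwestairlineclassaction.com", "R"),
    (date(2023, 1, 5), "southwestplumbing.com", "N"),      # unrelated, on its own
]

# Constructed hosting lookup (domain -> resolved IPv4 address, RFC 5737 ranges).
HOSTING = {
    "southwets.com": "203.0.113.10",
    "soutwest.com": "203.0.113.11",
    "southwestt.com": "203.0.113.12",
    "southwestairlinesclassaction.com": "198.51.100.7",
    "southwestairlinesclassaction.net": "198.51.100.7",
    "southwestairlineclassaction.com": "198.51.100.7",
    "southwestplumbing.com": "192.0.2.44",
}


def tasting_candidates(events):
    """Domains registered (N or R) and then dropped exactly one day later."""
    history = defaultdict(list)
    for day, domain, kind in sorted(events):
        history[domain].append((day, kind))
    found = []
    for domain, hist in history.items():
        for (d1, k1), (d2, k2) in zip(hist, hist[1:]):
            if k1 in ("N", "R") and k2 == "D" and d2 - d1 == timedelta(days=1):
                found.append(domain)
    return sorted(found)


def registration_clusters(events, hosting, window_days=2, min_size=3):
    """Groups of at least min_size registrations in one /24 block whose dates
    all fall within window_days of each other: a coordinated-campaign signal."""
    by_block = defaultdict(list)
    for day, domain, kind in sorted(events):
        if kind in ("N", "R") and domain in hosting:
            block = hosting[domain].rsplit(".", 1)[0]   # "203.0.113.10" -> "203.0.113"
            by_block[block].append((day, domain))
    clusters = {}
    for block, regs in by_block.items():   # regs are already in date order
        span = (regs[-1][0] - regs[0][0]).days
        if len(regs) >= min_size and span <= window_days:
            clusters[block] = [domain for _, domain in regs]
    return clusters
```

In a real feed, a domain with thousands of events per day would be handled the same way; only the hosting lookup needs replacing with live DNS resolution.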

Conclusion

The above news stories or events are all of different types, including examples which are regional or global in scope, and those which may be relevant mainly to specific corporations or industry areas. However, in all cases, resulting spikes in associated domain registration activity were observed. In general, this activity incorporates a mixture of both legitimate and non-legitimate (potentially threatening) registrations, comprising responses both by the official organisations concerned, and by nefarious bad actors.

The findings highlight that, in addition to the construction and maintenance of official domain portfolios by brand owners - and the protection of critical domains using appropriate domain security measures[16,17] - monitoring for third-party activity remains of crucial importance. Particular additional focus must be taken when external events drive increased public interest in associated content, which can result from industry-relevant events, news stories, marketing activity or product releases, corporate changes, and a range of other factors. Accordingly, the monitoring strategy needs to be flexible enough to evolve in response to emerging issues as they develop. Also key to the protection of the brand is a robust enforcement programme incorporating a wide range of approaches, to ensure the swift takedown of damaging infringing content.

It is also striking that so much of the observed activity is carried out so far in advance of the date of the events themselves, showing the significance of proactivity and timeliness in brand protection initiatives, combined with a robust strategy of defensive registrations, to obtain required domains in advance of their registration by wily third parties.

References

[1] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/ 

[2] https://www.cscdbs.com/blog/how-to-manage-the-online-effects-of-the-ukraine-war/

[3] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[4] https://www.cscdbs.com/blog/euro-2020-part-3-domains-revisited-and-other-channels/

[5] https://www.cscdbs.com/blog/holiday-shopping-events-part-2/

[6] 'The GameStop saga - how online activity and news stories can create feedback loops', Brand Journal, issue no. 21 (April 2021) (internal CSC publication)

[7] https://www.euronews.com/2022/10/14/truss-timeline-key-events-in-three-months-of-political-chaos-in-british-politics

[8] https://www.cnn.com/uk/live-news/uk-prime-minister-announcement-monday-gbr-intl/index.html

[9] https://www.ox.ac.uk/news/2021-01-13-social-media-manipulation-political-actors-industrial-scale-problem-oxford-report

[10] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

[11] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[12] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[13] https://interbrand.com/best-global-brands-2022-download-form/

[14] https://www.cnn.com/travel/article/southwest-airlines-dot-complaints/index.html

[15] https://www.cscdbs.com/blog/patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands/

[16] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[17] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 31 January 2023 at:

https://www.linkedin.com/pulse/four-new-case-studies-domain-registration-activity-spikes-barnett/
