Some ‘Reopen’ Domains Could Be Phishing and Malware Campaigns

CNET reports on new research from a threat-intelligence company into the more than 540 domain names registered this month with the word “reopen” in their URL.

While hundreds of them are “designed to lend credibility to anti-lockdown protests,” and 98 more were purchased to thwart that effort, there are still many other domains that “come from suspicious sources or resellers looking to make money… Researchers at DomainTools have found hundreds of ‘reopen’ URLs that were bought specifically to be resold and others that resemble malware campaigns.” These are “reopen” websites targeted toward restaurants, movie theaters and sports, and all are set up for sale… “Domainers are a particular type of people who spot any chance they can to hop on a quick buck,” said Chad Anderson, senior security researcher at DomainTools. “In any of these instances, there’s going to be people who try and pick domains they are able to sell for $5,000 that they bought for $10 because someone wants to start a movement.”

DomainTools’ researchers also found a batch of links registered in bulk specifically with typos for the phrase “Reopen American Business.” All of these domains were registered in China and have misspellings, indicating they’re set up to be phishing pages… The idea is to trick visitors who make typos into entering their sensitive credentials on these fraudulent pages. These domains all have servers registered with Bodis, an advertising service that monetizes domain names and has links to a previous malware campaign from the advanced persistent threat (APT) group DarkHotel.

APTs are known groups behind cyberattacks. DarkHotel APT is a hacking group that primarily affects victims in Japan, Taiwan, China, Russia and South Korea. “It looks like it’s going to be used for phishing campaigns,” Anderson said. “It hasn’t been fully activated yet, but it has characteristics of a DarkHotel APT group.”

There’s also an interesting detail about the first seven “reopen” pages created, which looked like they represented independent groups but were all registered under the name of pro-gun activist Aaron Dorr from Iowa, and redirected visitors to the gun rights groups that were organizing protests to “liberate” their locked-down cities. That activist’s family also created “reopen” Facebook groups with hundreds of thousands of followers — which then directed people to the websites. “NBC News found that many of the websites hosted by Dorr were designed to harvest visitors’ data, including emails and home addresses.”

NBC adds that the group’s usual method “is to attack established conservative groups from the right, including the National Rifle Association, and then make money by selling memberships in their groups or selling mailing lists of those who sign up, according to some conservative politicians and activists who have labeled the efforts as scams.”