The public attention that COVID-19 attracted left a clear mark on the Domain Name System (DNS). Monkeypox appears to be following the pandemic's trail, albeit to a lesser extent, as attackers seem to be using it as the latest phishing bait. How has this new virus affected domain registration?
We took a close look at the DNS space and found:
- Two IP addresses to which a domain identified as an indicator of compromise (IoC) resolves; neither is malicious on its own, but both are shared hosting addresses
- Over 600 domains that share those IP addresses, one of which turned out to be malicious
- More than 700 domains containing the text string "monkeypox" registered between January 1 and July 31, 2022, some of which were flagged as malicious
- More than 70 subdomains containing the text string "monkeypox" registered between January 1 and July 31, 2022
A sample of additional artifacts resulting from our analysis is available for download from our website.
Monkeypox in the News
Monkeypox made headlines in the US when the Centers for Disease Control and Prevention (CDC) first received reports of the infection in May of this year. To date, 7,510 cases have been reported to the CDC.
Given the rise in infections worldwide (currently 30,189 cases), the World Health Organization (WHO) declared monkeypox a public health emergency on July 23, 2022.
Not only could monkeypox affect the health of more people, it could also spread online and pose digital risks.
Does Monkeypox present digital risks?
Monkeypox appears to be following in the digital footsteps of COVID-19 in that it affects the DNS, albeit on a smaller scale. The virus has been used as phishing bait in at least one campaign, in which a single domain, rawshan[.]com, was identified as an indicator of compromise (IoC).
A WHOIS search showed it to be a fairly old domain, created in November 2003. That age may be deliberate: blocklists that automatically flag newly registered domains (NRDs) would not catch a domain registered nearly two decades ago, so using an aged domain is a plausible block-evasion tactic.
A DNS lookup showed that it resolves to two IP addresses, 172[.]67[.]134[.]10 and 104[.]21[.]5[.]242. Neither is malicious in itself; both sit in address ranges used by a large CDN/reverse-proxy service and are shared by at least 600 other domains. That makes the IP addresses a weak pivot on their own, since blocking them would also cut off hundreds of unrelated sites. Among the co-hosted domains, almandoz-tobago[.]com was flagged as "malicious" in a Threat Intelligence Platform (TIP) bulk lookup.
To see if monkeypox is gaining momentum in terms of domain registrations, we used "monkeypox" as a search term to look for domains and subdomains. This identified 728 domains and 75 subdomains, six of which were flagged as "malicious", including:
- 4 monkeypox[.]com
- monkeypox[.]xyz
- monkey oscovid-19 lie[.]com
A closer study of these web resources revealed trends in domain and subdomain registration.
Domain and subdomain registration volumes peaked in May 2022, the month the first case was reported to the CDC. We have often said that registration trends follow current events, and this case is another instance.
The same pattern shows in the names themselves. Given the rising number of monkeypox infections in the US, it is natural for people to go online for information about the virus, testing, and treatment, and most of the domains and subdomains containing "monkeypox" also contained strings such as "test", "virus", and "information".
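The checks described above (WHOIS age versus NRD-based blocking, pivoting from a seed domain's IP addresses to co-hosted domains with a shared-hosting caveat, keyword search over domain names, and the breakdown of secondary terms) can be scripted. The following Python is an added example written for this edit, not tooling from the original post. Only the seed domain and its two resolved IP addresses come from the post; the other domains, all creation dates (the post gives only the seed's creation month), the remaining IP addresses, the 30-day NRD window and the shared-IP threshold are constructed or assumed for illustration.

```python
"""Triage of keyword-themed domains: NRD check, IP co-hosting pivot, term breakdown.

Added example, not the original post's tooling. SAMPLE_RECORDS is constructed:
the seed domain and its two IPs come from the post; the other domains, all
creation dates (only the seed's month is given in the post) and the remaining
IP addresses are illustrative. Real records would come from WHOIS and DNS lookups.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

KEYWORD = "monkeypox"
NRD_MAX_AGE_DAYS = 30      # assumed newly-registered-domain window
SHARED_IP_THRESHOLD = 3    # assumed: an IP fronting this many domains counts as shared hosting
TODAY = date(2022, 7, 31)  # end of the post's observation window

# (domain, WHOIS creation date, resolved IPv4 addresses) -- constructed sample
SAMPLE_RECORDS = [
    ("rawshan.com", date(2003, 11, 1), ["172.67.134.10", "104.21.5.242"]),
    ("almandoz-tobago.com", date(2019, 3, 4), ["172.67.134.10", "104.21.5.242"]),
    ("shop-example.org", date(2018, 1, 9), ["172.67.134.10"]),
    ("monkeypox-test.xyz", date(2022, 7, 5), ["198.51.100.7"]),
    ("monkeypoxvirusinfo.com", date(2022, 6, 2), ["198.51.100.7"]),
    ("monkeypox-information.net", date(2022, 7, 15), ["203.0.113.9"]),
]


def defang(indicator):
    """Neutralise a domain or IP for safe sharing: every '.' becomes '[.]'."""
    return indicator.replace(".", "[.]")


def is_newly_registered(created, today=TODAY, max_age_days=NRD_MAX_AGE_DAYS):
    """True if the WHOIS creation date falls inside the NRD window.

    An aged domain such as the post's 2003 example passes this check, which is
    exactly why NRD-only blocking is not enough on its own.
    """
    return (today - created) <= timedelta(days=max_age_days)


def keyword_domains(records, keyword=KEYWORD):
    """Domains whose name contains the keyword, sorted for stable output."""
    return sorted(domain for domain, _, _ in records if keyword in domain.lower())


def cohosted(records):
    """Map each IP address to the set of domains that resolve to it."""
    by_ip = defaultdict(set)
    for domain, _, ips in records:
        for ip in ips:
            by_ip[ip].add(domain)
    return by_ip


def pivot_from(records, seed, shared_threshold=SHARED_IP_THRESHOLD):
    """Domains that share an IP with `seed`, split by how much the overlap means.

    Overlap on an IP that fronts fewer than `shared_threshold` domains is a
    strong pivot; overlap on a heavily shared IP (CDN / shared hosting) is weak
    evidence and is reported separately so it is not blocked wholesale.
    """
    by_ip = cohosted(records)
    seed_ips = next((ips for domain, _, ips in records if domain == seed), [])
    strong, weak = set(), set()
    for ip in seed_ips:
        others = by_ip[ip] - {seed}
        if len(by_ip[ip]) >= shared_threshold:
            weak.update(others)
        else:
            strong.update(others)
    return sorted(strong), sorted(weak - strong)


def term_breakdown(records, keyword=KEYWORD, terms=("test", "virus", "information")):
    """Count which secondary terms appear alongside the keyword in domain names."""
    counts = Counter()
    for domain in keyword_domains(records, keyword):
        for term in terms:
            if term in domain.lower():
                counts[term] += 1
    return counts


def triage(records, today=TODAY, keyword=KEYWORD):
    """One row per domain with the flags an analyst would review before blocking."""
    by_ip = cohosted(records)
    return [
        {
            "domain": defang(domain),
            "keyword": keyword in domain.lower(),
            "nrd": is_newly_registered(created, today),
            "shared_ip": any(len(by_ip[ip]) >= SHARED_IP_THRESHOLD for ip in ips),
        }
        for domain, created, ips in records
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
    strong, weak = pivot_from(SAMPLE_RECORDS, "rawshan.com")
    print("strong pivots:", [defang(d) for d in strong])
    print("weak pivots (shared IP):", [defang(d) for d in weak])
    print("terms:", dict(term_breakdown(SAMPLE_RECORDS)))
```

In the constructed sample the seed domain is old enough to pass the NRD check while still sitting on heavily shared infrastructure, so it is flagged for the analyst by the `shared_ip` column rather than by age. The pivot deliberately separates a domain that overlaps the seed on a lightly used address (a stronger signal) from one that merely shares a CDN address with it, which mirrors the caution needed before blocking anything beyond the domains themselves.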
Many of the websites we found are currently up for sale, which could attract phishers looking for ready-made domain names on which to host fake monkeypox-related sites.
While only a few of the additional artifacts we found are considered malicious so far, others could still be compromised or weaponized later and used as malware hosts. Organizations seeking to get ahead of potential phishing campaigns should at a minimum monitor related artifacts and block access to those confirmed malicious. Blocking should target the domains rather than the shared IP addresses, since those addresses also serve hundreds of unrelated sites.
If you would like to conduct such an investigation or have access to the full data of this study, please do not hesitate to contact us.