The rapid spread of COVID-19 had people scrambling to protect themselves. Among different means of protection, besides imposed community quarantines and social-distancing measures, it has been widely recommended to purchase reliable surgical masks and respirators. Mass demand for such products quickly led to a shortage in different parts of the world.

Considering this a business need, one may not be surprised to see many vendors trooping online to meet the growing demand for personal protective equipment (PPE). Big brands like 3M also stood up to the challenge to produce millions of face masks per month.

In parallel, we picked up an increasing number of 3M- and 3M mask-themed domain name registrations via our Typosquatting Data Feed. We decided to take a closer look at these recently registered domains to assess their possible nature and overall legitimacy.

What Do 3M and 3M Mask-Themed Recently Registered Domains Look Like?

Looking for domain names containing the exact brand name “3M” for various TLDs, we found 28 newly registered domains (NRDs) between October 2019 and April 2020, 11 of which emerged in March and April:

• 3m[.]beer
• 3m[.]help
• 3m[.]marketing
• 3m[.]capital
• 3m[.]gmbh
• 3m[.]group
• 3m[.]sale
• 3m[.]yoga
• 3m[.]healthcare
• 3m[.]compare
• 3m[.]select

We also found 43 NRDs for the search term “3M mask.” Some of them are:

• masksby3m[.]com
• 3mn95masks[.]online
• 3mmasksupply[.]com
• 3mdmasks[.]com
• 3m-n95masks[.]com
• 3mkn95mask[.]com
• 3mn95masksdirectshipping[.]com

We looked at these names using several of our domain intelligence tools and documented two instances of interest in the next sections.

A Recently Registered Domain with a Shady Past

Among the 3M-themed NRDs we found in the typosquatting data feeds was 3m[.]group. Note that the only change with 3M’s official website 3m[.]com was the TLD “.group” extension. In these dangerous times, one should be wary that such a domain name could be used to mislead legitimate 3M customers or suppliers to fraudulent sites.

A Threat Intelligence Platform (TIP) analysis indeed revealed that the said domain is suspected of ties to malicious activity.

Interestingly, we dug deeper and ran the domain on WHOIS History Search and found that 3m[.]group was first registered on 17 April 2017 by a company known as “Nexperian Holding Limited.” For more information on WHOIS history check this post.

A search on the World Intellectual Property Organization (WIPO) database for the organization name turned up connections to several typosquatting complaints lodged by well-known brands that include:

• Van Cleef & Arpels for the domain vcajewelry[.]com
• Aviva Brands Limited for the domain avivacanad[.]com
• Swiss Arabian Perfumes Ind. Ltd. for the domain sapil[.]com
• Mou Limited for the domains mou-footwear[.]com, moufootwear[.]com, and mou-london[.]com

We then subjected the company name to a reverse WHOIS lookup and discovered that it is associated with thousands of other domains.

While we can’t be sure of the nature (malicious or non-malicious) of all these domains, we found that the organization has had ties to several fraudulent websites disguised as legitimate e-commerce sites. Reports reveal that these sites sold fake goods.

To date, 3m[.]group is even up for sale. Here’s what the site currently looks like, as obtained by Screenshot Lookup, which can be used to screen websites without having to access them in a browser.

An NRD Selling Masks to Healthcare Professionals

Many of the domain names in the above NRD list containing the term “3M mask” aren’t currently in use. 3mdmasks[.]com, however, currently hosts a site. A Screenshot Lookup preview shows this page:

While we have not seen evidence of the website’s dishonesty (it doesn’t appear on blacklists) at the time of writing, we did notice that its WHOIS record has been redacted. Its contact page didn’t contain any physical address either—a potentially questionable choice for a provider of medical equipment seeking to establish itself.

One may also question the owner’s choice of domain name “3mdmasks.” It could be deemed a cybersquatting entity for being confusingly similar to 3M’s registered trademark. The American corporation has been rather protective of its brand in the past, notably winning its case against 3N a couple of years back and receiving around US$500,000 in damages.

Recently registered domains, while not automatically malicious, are worth a decent amount of scrutiny. With that in mind, different types of cybersecurity organizations and enterprises in general can integrate Typosquatting Data Feed, Newly Registered & Just Expired Domains, and Screenshot Lookup into existing solutions and systems as additional sources of threat intelligence.