A wave of registrations of 'reopen + state name' domains has come to light. What is behind it?



To prevent the spread of the novel coronavirus infection (COVID-19), the United States has implemented 'lockdowns', measures that restrict people's movement and business activity under legal penalty. Meanwhile, domains that combine the word 'reopen' with a US state name, such as 'reopenmn.com' ('mn' is the abbreviation for Minnesota), are being registered one after another. Brian Krebs, an American journalist specializing in security and cybercrime, has published an investigation into what is behind this chain of domain registrations.

Who's Behind the “Reopen” Domain Surge? — Krebs on Security

https://krebsonsecurity.com/2020/04/whos-behind-the-reopen-domain-surge/

From around the third week of April 2020, protests against stay-at-home restrictions have been held one after another in various US states. The protesters claim that the restrictions are 'a violation of rights' and call for the resumption of economic activity.

Facebook moves to delete event pages for protests as demonstrations against stay-at-home restrictions are held across the United States one after another - GIGAZINE



However, Krebs argues that the series of protests is 'not a voluntary movement by the public.' The reason lies in the set of domains registered in connection with the protests. Krebs reported that he found nearly 150 domains when he extracted, from the domains registered in the past month, only those that start with 'reopen' and end with '.com'. The full list is available at the link below.

reopen - Google Spreadsheet
https://docs.google.com/spreadsheets/d/1HQnx-RvMM7BrpX1ysgjqzu8XkaDeu0w4gJgTtzB3dfk/



Among these domains, not only was a 'reopen + US state name' domain similar to 'reopenmn.com' registered for every US state, but 'reopen + US metropolitan area name' domains were reportedly registered as well. In addition, domains that append a general term or concept to 'reopen', such as 'reopeningchurch.com', also appear to have been registered.

According to Krebs, the vast majority of these domains are dormant, but some are already in use and are said to be associated with gun rights groups, Republican organizations, conservative think tanks, religious groups and pressure groups. For example, visiting 'reopenmn.com' redirects you to the page of 'Minnesota Gun Rights', a gun rights group in Minnesota.



Similarly, accessing 'reopenpa.com', a domain meaning 'reopen Pennsylvania', forwards you to a petition page run by the Pennsylvania gun group 'PENNSYLVANIA FIREARMS ASSOCIATION' that calls for COVID-19 measures to be relaxed.



Both of these sites have a Google Analytics tracker embedded. Krebs pointed out that the exact same tracker is embedded in a number of 'reopen + US state name' domains. The tracker in question is also embedded in an anti-gun-control site registered by the Dorr brothers, gun advocates described as making even the National Rifle Association look liberal by comparison.

In addition, Krebs said that 'reopenoureconomy.com' and 'reopensociety.com' are related to FreedomWorks, a libertarian advocacy group, and that 'reopenmississippi.com' is related to In Pursuit of , a conservative organization that sent a large number of employees to work under the Trump administration.

Krebs also argues that in some cases a relationship can be inferred from the domain registration date. More than 50 domains were registered between 13:25 and 16:43 on April 17, 2020, and two of those domains contained registrant information for a person named 'Michael Murphy'. Krebs followed up on the e-mail address, phone number, address and other details in this registrant information, but got no response from the e-mail address or the phone number. The address and other information suggest that Michael Murphy runs a store selling art made from waste and a web design company in Florida.

However, Krebs reports that he also found a lot of murky information about Michael Murphy. The Twitter account associated with Michael Murphy's e-mail address has done nothing but spam ads for years, while the Skype account associated with the phone number listed a Russian name and a Russian address.
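The three correlations described above (the 'reopen' + '.com' name filter, the shared Google Analytics tracker, and registrations bunched together in time) can be sketched as follows. This is an added example, not code from Krebs or from this article; the domain records, tracker IDs and the 4-hour gap threshold are constructed assumptions, and grouping by Analytics account number is a slight generalization of "the exact same tracker".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real registrations or real tracker IDs):
# (domain, registration time, excerpt of the homepage HTML).
RECORDS = [
    ("reopenstate-a.com", "2020-04-17 13:25", "ga('create', 'UA-11111111-3', 'auto');"),
    ("reopenstate-b.com", "2020-04-17 13:40", "ga('create', 'UA-11111111-7', 'auto');"),
    ("reopenstate-c.com", "2020-04-17 16:43", "<p>parked</p>"),
    ("reopencity-d.com",  "2020-04-08 09:00", "gtag('config', 'UA-22222222-1');"),
    ("reopenstate-e.org", "2020-04-17 14:00", "ga('create', 'UA-11111111-9', 'auto');"),
    ("notreopen-f.com",   "2020-04-17 14:05", "ga('create', 'UA-11111111-2', 'auto');"),
]

NAME_RE = re.compile(r"^reopen[a-z0-9-]*\.com$")
# Universal Analytics IDs have the form UA-<account>-<property>.
UA_RE = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")

def candidates(records):
    """Keep only domains that start with 'reopen' and end with '.com'."""
    return [r for r in records if NAME_RE.match(r[0].lower())]

def shared_trackers(records):
    """Map each Analytics account to the domains embedding it, if more than one."""
    by_account = defaultdict(set)
    for domain, _, html in records:
        for account in UA_RE.findall(html):
            by_account["UA-" + account].add(domain)
    return {a: sorted(d) for a, d in by_account.items() if len(d) > 1}

def registration_bursts(records, max_gap=timedelta(hours=4), min_size=2):
    """Cluster domains whose consecutive registration times are within max_gap."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), d) for d, t, _ in records)
    bursts, current = [], []
    for when, domain in rows:
        if current and when - current[-1][0] > max_gap:
            bursts.append(current)
            current = []
        current.append((when, domain))
    bursts.append(current)
    return [[d for _, d in b] for b in bursts if len(b) >= min_size]

if __name__ == "__main__":
    hits = candidates(RECORDS)
    print("shared trackers:", shared_trackers(hits))
    print("registration bursts:", registration_bursts(hits))
```

A shared tracker or a tight registration window is a lead for further checking against registrant records, not proof of common ownership on its own.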



Krebs says that the series of domain registrations is 'astroturfing', in which groups and organizations make their own advocacy and persuasion look like a voluntary grassroots movement.

in Web Service, Posted by darkhorse_log