
These anti-quarantine websites are fakes. Here's what they're really after

Researchers find that hundreds of "reopen" domain names are being registered at the same time. Many are part of schemes to collect data.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Protesters outside the state capitol building in Topeka, Kansas, pushing for the governor to end shelter-in-place orders.

Jamie Squire/Getty Images

Over the last month, more than 540 domain names have been registered with the word "reopen" in the URL, but don't take it as a sign that ending social distancing directives has become a mainstream goal. Hundreds of these websites are designed to lend credibility to anti-lockdown protests, according to new research, and many come from suspicious sources or resellers looking to make money. 

In a report published Friday, threat-intelligence company DomainTools said it's found hundreds of domain names tied to the "reopen" campaign, which broadly argues against state lockdown measures adopted to curtail the spread of the novel coronavirus. The campaign wants social distancing restrictions to end and businesses to reopen. 

Protests have cropped up across the country, with some, but far from all, Americans showing frustration over social distancing guidelines that have upended life and brought many businesses to a halt. A number of these protests have been organized on Facebook, which has said it will remove events that prompt people to violate distancing guidelines.

The number of domains tied to anti-lockdown efforts started small but grew sharply after President Donald Trump sent a series of "liberate" tweets about states with protests, said Chad Anderson, senior security researcher at DomainTools.

Anderson said it's been difficult to tell which domains are associated with actual political causes and which ones simply seek to profit from anti-lockdown sentiment. Researchers at DomainTools have found hundreds of "reopen" URLs that were bought specifically to be resold and others that resemble malware campaigns. 

The researchers also found evidence that some of the domains were created as part of an "astroturfing" effort, a reference to campaigns that appear to be grassroots movements but are actually artificially created. 

"If an astroturfing campaign finds enough support out there, it can turn into real events with real consequences," said Sean McNee, DomainTools' director of research. 

Astroturf seeds

The initial batch of "reopen" domains were a set of seven URLs that came from an anti-gun control group, Anderson said.

He found seven "reopen" websites registered on April 8, in states including Ohio, Pennsylvania, Missouri and Minnesota. The seven pages looked like they represented independent groups, but they were all registered under the name of Aaron Dorr, a pro-gun activist from Iowa. Taken together, they create the appearance of a broad protest against lockdown measures, a digital Potemkin village.


DomainTools said it's spotted a spike in "reopen" domain names registered over the last month, with more than 500 new URLs popping up in the last week.

DomainTools

The Washington Post and NBC News detailed how the Dorr family created Facebook groups with hundreds of thousands of followers calling to reopen the economy and directed people to websites. The websites have almost the exact same design, with names of local politicians swapped out for each state. The sites were set up to organize protests and redirected to gun rights groups.

NBC News found that many of the websites hosted by Dorr were designed to harvest visitors' data, including emails and home addresses. 

"They're all about making it look like there is a legitimate, statewide group for these movements," Anderson said. "It gives a local significance, because that's what people respond to." 

Dorr couldn't be reached for comment. 

A Reuters poll conducted between April 15 and 21 found that 72% of US adults support stay-at-home measures. And a CBS News poll found that 70% of Americans say social distancing should continue to be the nation's No. 1 priority. But the astroturfed campaigns could give the impression that there's widespread objection to distancing directives, DomainTools said. 

Counter-squatting

The largest chunk of "reopen" domain names actually came from a man in Florida looking to counter astroturfing efforts, DomainTools found.

The researchers discovered 98 domains tied to one person who registered "reopen" for all 50 states, including different spellings of each region. An article from the Florida Times-Union identified the domain buyer as Michael Murphy, who said he was buying dozens of reopen URLs to prevent actual anti-lockdown protesters from getting them. (CNET couldn't find contact information for Murphy.)

DomainTools spotted 98 URLs belonging to Murphy, who told the local newspaper he'd bought 200 names in total and spent at least $4,000. Another large chunk of domain names with "reopen" came from known resellers, Anderson said. 

These are "reopen" websites targeted toward restaurants, movie theaters and sports, and all are set up for sale. 

Anderson said DomainTools had already been seeing up to 6,000 new registrations a day related to COVID-19 and has started to see more related to the "reopen" campaign. 

"Domainers are a particular type of people who spot any chance they can to hop on a quick buck," Anderson said. "In any of these instances, there's going to be people who try and pick domains they are able to sell for $5,000 that they bought for $10 because someone wants to start a movement." 

Potential malware

DomainTools' researchers also found a batch of links registered in bulk specifically with typos for the phrase "Reopen American Business." All of these domains were registered in China and have misspellings, indicating they're set up to be phishing pages. 

Typo-squatting is an old trick in which people buy URLs for commonly misspelled websites and set up a page that looks like the real one. The idea is to trick visitors who make typos into entering their sensitive credentials on these fraudulent pages. 
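The typo-squat pattern described above can be spotted from the defender's side by comparing newly registered domains against a watched name. The following is an added example written for this page, not code from CNET or DomainTools; the watched label and the registration feed are constructed sample data, and a "reopen" per-day count is included to surface the kind of bulk registration spike the report describes.

```python
# Added example (not from the article or DomainTools): flag near-miss spellings
# of a watched domain label and count "reopen" registrations per day.
# WATCHED_LABEL and SAMPLE_FEED are constructed, not real observations.

WATCHED_LABEL = "reopenamericanbusiness"   # assumed label under brand monitoring

# Constructed sample feed of (domain, registration date) pairs.
SAMPLE_FEED = [
    ("reopenamericanbusiness.com", "2020-04-20"),   # the watched name itself
    ("reopenamericanbusines.com", "2020-04-21"),    # one character dropped
    ("reopenamercanbusiness.com", "2020-04-21"),    # one character dropped
    ("reopenamericanbusinness.com", "2020-04-21"),  # one character doubled
    ("reopenohio.com", "2020-04-22"),               # keyword hit, not a typo-squat
    ("example.org", "2020-04-22"),                  # unrelated
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def second_level_label(domain: str) -> str:
    """'reopenohio.com' -> 'reopenohio' (naive split, no public-suffix list)."""
    return domain.lower().rstrip(".").split(".")[-2]

def find_typosquats(feed, watched=WATCHED_LABEL, max_distance=2):
    """Return (domain, distance) for labels within 1..max_distance edits of
    the watched label. An exact match is the legitimate name and is skipped."""
    hits = []
    for domain, _ in feed:
        d = levenshtein(second_level_label(domain), watched)
        if 0 < d <= max_distance:
            hits.append((domain, d))
    return hits

def daily_keyword_counts(feed, keyword="reopen"):
    """Registrations per day whose label contains the keyword; a sudden jump
    in one day is the bulk-registration signal worth a closer look."""
    counts = {}
    for domain, when in feed:
        if keyword in second_level_label(domain):
            counts[when] = counts.get(when, 0) + 1
    return counts
```

On the sample feed the three misspellings are reported at distance 1 while the legitimate name and the unrelated domains are not.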

These domains all have servers registered with Bodis, an advertising service that monetizes domain names and has links to a previous malware campaign from the advanced persistent threat group DarkHotel. APT, short for advanced persistent threat, is the label given to well-resourced groups that run sustained, targeted cyberattack campaigns. DarkHotel APT is a hacking group that primarily affects victims in Japan, Taiwan, China, Russia and South Korea.

"It looks like it's going to be used for phishing campaigns," Anderson said. "It hasn't been fully activated yet, but it has characteristics of a DarkHotel APT group."
