PyeongChang 2018 and future Olympic games a target for domain fraud

February 23, 2018
Harold Nguyen, Roman Tobe

The 2018 Olympic Winter Games in PyeongChang are underway, but attempts at cyber fraud related to their domain identity appear to have been in the works for some time. The South Korean city was officially named as the Olympic host in 2011. Yet since 2010, 105 lookalike domains have been registered using variations on the official pyeongchang2018 moniker [1]. Proofpoint researchers have monitored the activity associated with these domains and determined a number of uses for these domain registrations. Some sites may be used to make money through advertising and monetizing web traffic. Others are designed to profit through illegal streaming and paywalls, while others, as we saw in the Rio Olympics, are profiting through non-sanctioned ticket sales.

Beyond PyeongChang 2018, the upcoming Olympic games in Tokyo 2020, Beijing 2022, and Paris 2024 have all seen greater volumes of domain registrations, indicating a growing trendline for potential fraudulent activity.

ANALYSIS

A total of 105 domains related to ‘pyeongchang2018.com’ have been registered since 2010, the same year the official site https://www.pyeongchang2018.com/ was registered.

  • This is almost five times the average number of suspicious domains per brand-owned domain discovered by our previous research into Fortune 50 domain abuse.
  • Registrations of ‘pyeongchang2018.com’ lookalike domains started to accelerate in 2014, and at least 20 new suspicious domains have been registered since the beginning of 2017.
  • Over 35% of these domains are Parked Sites, possibly intended for cybersquatting to either sell or use at some point soon.
  • In general, most lookalike sites are private registrations. A private domain registration keeps the registrant's personal information from being published in the Whois Public Internet Directory, which can be viewed by anyone. In 2017, we observed 30 privately registered domains, as opposed to 7 registered domains that contained registrar and email address information.
  • Only 3 of the 105 domains that we examined were legitimate but unofficial domains, all related to Olympic medal tracking.
  • Over 75% of those suspicious domains do not have a .com top-level domain (TLD). The TLDs of these domains are not concentrated around any particular TLD, such as .xyz, but include a wide variety. For example:
      o pyoengchang2018.net
      o pyeongchang2018tickets.ru
      o pyeongchang2018.ru
      o pyeongchang-2018.asia
      o pyeongchang2018.be
      o pyeongchang2018.nu
      o pyeongchang2018.in
      o pyeongchang2018.pl
      o pyeongchang-2018.biz
      o pyeongchang2018.co
      o pyeongchang2018.juegos
      o pueongchang2018.com
      o pueongchang2018.ru
      o pueongchang2018.net
      o pyeongchang2018.it
      o pyeongchang2018.com.cn

A closer inspection of specific suspicious domains uncovered several examples representative of the types of misuse that leverage fraudulent domains:

  • Pyeongchang2018live.com is a live-streaming site, which is likely neither official nor legal. It asks for payment in PayPal, indicating a potential scam.
  • Pyeongchang2o18.com, where the zero in “2018” is replaced by the letter “o”, exemplifies a common character substitution in typosquatting.
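
The lookalike patterns listed above (TLD swaps, hyphenation, digit/letter substitution, appended keywords, misspellings) can be sorted automatically when triaging a feed of new registrations. The following is an added example, not Proofpoint's tooling; the category names, the confusable map and the typo threshold are assumptions, and input is assumed to be a registrable domain without subdomains.

```python
BRAND = "pyeongchang2018"        # official label, from the article
OFFICIAL = "pyeongchang2018.com"
# Assumed digit/letter confusables; both sides are folded through the same map.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain, brand=BRAND, official=OFFICIAL, max_typos=2):
    """Label a registrable domain (no subdomains) by how it imitates `brand`."""
    domain = domain.strip().lower().rstrip(".")
    if domain == official:
        return "official"
    label = domain.partition(".")[0]      # text before the first dot
    squashed = label.replace("-", "")     # ignore inserted hyphens
    if label == brand:
        return "tld-variant"
    if squashed == brand:
        return "hyphenation"
    if squashed.translate(FOLD) == brand.translate(FOLD):
        return "character-substitution"
    if brand in squashed:
        return "keyword-addition"
    if osa_distance(squashed, brand) <= max_typos:
        return "typo"
    return "unrelated"

# Sample input: domains quoted in the article plus one constructed control.
SAMPLES = ["pyeongchang2018.com", "pyeongchang2018.ru", "pyeongchang-2018.asia",
           "pyeongchang2o18.com", "pyeongchang2018tickets.ru",
           "pyoengchang2018.net", "pueongchang2018.com", "example.org"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:28} {classify(name)}")
```

A classification other than "official" or "unrelated" marks a domain for review; it does not by itself show the site is fraudulent, since the article found 3 legitimate but unofficial domains among the 105.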

From our studies, the domain findings from the PyeongChang 2018 games are in line with current trends. From January through August 2017, brand-owned defensive domain registrations fell while suspicious domains registered by someone other than the brand grew. In that same time period, suspicious domain registrations rose 20% vs. the year-ago period as brand-owned defensive registrations fell 20% [2].

It’s too early to tell how many of the domains registered for future Olympic games will result in malicious activity. However, expect non-brand-owned domain registrations to continue to rise. The volume of registrations for sites related to “tokyo2020” has exceeded 500, with “beijing2022” and “paris2024” already reaching 100 and 200 registrations, respectively. This is a sign that brand-owned, unofficial and fraudulent domain registrations need to be persistently monitored for consumer protection and reputational risk.

 

1  Proofpoint. Data research at the time of publication, February 2018.

2  Proofpoint. “Q3 2017 Quarterly Threat Report.” October 2017.