A security researcher looked into the buyers behind more than 130 “reopen America” domain names and found a gun rights activist, a Florida businessman, and anonymous buyers in Asia.

Seven of the reopen domains were registered over the course of several hours on April 8 and the remaining 128 were registered on April 17. The list includes two versions for almost every state, such as reopenohio.com and reopenoh.com, as well as versions that specified particular organizations, like reopendaycares.com and reopenbaseball.com.


Chad Anderson, a senior security researcher at DomainTools, said that he has seen more than 500 new “reopen” domains registered since early April and expects this trend to continue with new terms such as “liberate” and others cropping up in social media.

To gather more data on the domains registered in early April, Anderson wrote a script to pull the main page, extract the unique URL, strip it to the apex domain, sort alphabetically, and then save the information to a file named after the URL. The next step was to concatenate the files and examine them in the company’s Iris Investigation Platform to look for similarities and connections among the registrations.
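The collection step described above, as an added Python example (not Anderson's script or DomainTools code). It parses a constructed sample page offline rather than fetching one; the function names, the sample hosts, and the three-entry suffix set standing in for the Public Suffix List are assumptions.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urljoin, urlsplit

# Assumption: tiny stand-in for the Public Suffix List; load the full list in real use.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "com.hk"}

class LinkCollector(HTMLParser):
    """Collect URL-bearing attributes (href/src/action) from a page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)

def apex_domain(host):
    """Strip a hostname to its registrable (apex) domain, or None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # bare names, IPv4 literals
        return None
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:]) if len(labels) >= keep else None

def apex_domains_in_page(page_url, html):
    """Return the sorted, de-duplicated apex domains a page references."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for raw in parser.urls:
        parts = urlsplit(urljoin(page_url, raw))  # resolve relative links
        if parts.scheme in ("http", "https") and parts.hostname:
            found.add(apex_domain(parts.hostname))
    return sorted(found - {None})

def save_report(page_url, domains, out_dir):
    """Write one apex domain per line to a file named after the page's host."""
    path = Path(out_dir) / (urlsplit(page_url).hostname + ".txt")
    path.write_text("\n".join(domains) + "\n")
    return path

# Constructed sample page; every host is a placeholder, not data from the article.
SAMPLE_URL = "http://reopen-sample.example/"
SAMPLE_HTML = """<a href="https://www.coalition.example/action">Act</a>
<script src="//cdn.widgets.example/form.js"></script><img src="/logo.png">
<form action="https://donate.coalition.example/give"></form>
<a href="https://shop.partner.co.uk/">Shop</a><a href="mailto:x@coalition.example">Mail</a>"""
if __name__ == "__main__":
    print("\n".join(apex_domains_in_page(SAMPLE_URL, SAMPLE_HTML)))
```

Apex domains that recur across the per-site files are the shared infrastructure worth pivoting on, such as a common advocacy platform or donation host.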

Reopen domains and a firearms activist

The April 8 group appears to be linked to gun rights activist Aaron Dorr, who runs the American Firearms Coalition. Anderson found that five of the state-centric reopen domains (Iowa, Ohio, Pennsylvania, Minnesota, and Wyoming) redirect to a state-based firearms coalition group.

Anderson wrote in a blog post explaining his analysis: “Each group had an action page where they post various political actions like the one calling to end the quarantine and reopen America. The various groups seemed loosely affiliated and seem to be run by different people in each state, but tie back to a Mr. Aaron Dorr. As we looked further we would find that this is more of a small group’s astroturfing effort.”

Anderson found that each site uses One Click Politics, an online advocacy site that enables quick setup of campaigns and lets one person manage the content, run email campaigns, and collect donations. Astroturfing is a tactic that an individual or single organization uses to create the impression that a policy, person, or idea has widespread public support when usually the opposite is true.

Anderson said it is likely that this is an advocacy group managed by a single person, probably Dorr.

“This led us to wonder what else might be under their purview and if we could directly tie through infrastructure these gun coalition domains to one another with even more concrete ties beyond similar page structure, registration, and article content,” he wrote in the blog post.

Other reopen domain name owners

Anderson next analyzed the second, larger set of domains and found that they fell into three major groups:

  1. Reopen American Business Hong Kong Group, registered in Chengdu, China
  2. Reopen American Business Linode Group, registered with NameKing and pointing to a Linode server
  3. Reopen State Names on GoDaddy Group, registered using the Domains by Proxy service

The domain names in the Hong Kong group point to Bodis, an advertising services company that monetizes domains and has been linked with malware. 

The Linode Group domains are currently parked. Based on DomainTools risk score analysis, these names score above the threshold for dangerous names.

A Florida businessman bought the last set of names to prevent bad actors from taking advantage of the coronavirus crisis, according to an article in the Florida Times-Union.

Anderson said these investigation techniques can help distinguish between valid information and disinformation about the coronavirus and other current events.
