Posted October 31, 2013
More Registrations, But So Far, Little Fraud
Last month we wrote about the launch of the Affordable Care Act (ACA) and the possibility of fraud associated with online enrollment. At the time, we detected 2,500 domain names that had been registered which included the terms “obamacare” or “affordablecareact”, suggesting that a large number of websites related to the ACA were in the process of coming online.
This month we re-ran that report, and found 4,000 domain names now registered that included these phrases – an increase of approximately 60 percent since the ACA launched.
A sample of the more than 4,000 domains that contained “obamacare” or “affordablecareact”. While no malicious content was detected when these sites were analyzed, caution should always be exercised when visiting new websites.
Many of the websites we found use famous and well-known brands to divert traffic from the legitimate online enrollment sites to their own sites. One example is “irsaffordablecareact.com”. Someone looking for “Affordable Care Act” may see this appear in search engine results and click on it, thinking it is a legitimate site. After all, the IRS is a government organization, the website contains the name of the law, and there are no misspellings. However, upon clicking upon the page, it does not lead to an online enrollment form. Instead, it leads to a “parked page”, a term used to describe a website in which the domain name has been registered but no actual content has been posted on the website.
Another example of a website that has been registered since last month is www.obama-care.us. In an early analysis of the site, the Washington Examiner wrote that it claimed it was part of the “Obamacare enrollment team,” and also had an “Obamacare enrollment form” for visitors to fill out. The form requested peoples’ names, addresses, and Social Security numbers; yet, even after entering in that information, users could not actually enroll in a plan. As of this writing, the site is currently offline.
To evaluate whether the 4,000 sites we detected were similar to the examples above, Cyveillance developed scoring algorithms that gave high scores to sites that suggested fraudulent activity. For example, those sites requesting social security numbers, requesting passwords, or requesting credit card numbers received higher scores than parked pages.
At the time the analysis was conducted, Cyveillance found:
- None of the domain names in our sample appear to pose a security risk yet, including the 49 that contain words like “social security number”, “credit card”, or “paypal”.
- Almost all of the websites associated with these domain names fell into one or more of the following categories:
- Those with a political message
- Affiliate marketing or eBook marketing sites
- Domain names registered by speculators who most likely will “flip” them for monetary gain
For the time being there does not appear to be much if any direct fraud underway in sites with “Obamacare” or “AffordableCareAct” in the domains. However, Cyveillance often sees a lag time between registration of domain names and criminal activity. Many times criminals can register these domain names in bulk, sit back, and wait. Of course there will be many sites online which will be ACA-related but not contain “Obamacare” or “AffordableCareAct” in the domain name, and it is very likely that some of those may be fraudulent or contain malicious malware.
To avoid becoming prey to ACA scams and social engineering, computer-based training can help an organization’s employees avoid becoming victims. Organizations can also monitor and remove cybersquatted domains, rogue mobile applications and phishing websites that are using an organization’s good name and reputation to commit fraud or confuse consumers.