Threat Intelligence Blog

More Registrations, But So Far, Little Fraud

Last month we wrote about the launch of the Affordable Care Act (ACA) and the possibility of fraud associated with online enrollment. At the time, we detected 2,500 domainDomain: A specified location where a set of activity or knowledge exists. For instance, an Internet domain is synonymous with a website address or URL where information can be made available. LookingGlass Cyber (n) - A fancy name for a URL or website. names that had been registered which included the terms “obamacare” or “affordablecareact”, suggesting that a large number of websites related to the ACA were in the process of coming online.


This month we re-ran that report, and found 4,000 domain names now registered that included these phrases – an increase of approximately 60 percent since the ACA launched.

domains containing obamacare and affordablecareact
A sample of the more than 4,000 domains that contained “obamacare” or “affordablecareact”. While no malicious content was detected when these sites were analyzed, caution should always be exercised when visiting new websites.

Many of the websites we found use famous and well-known brands to divert traffic from the legitimate online enrollment sites to their own sites. One example is “irsaffordablecareact.com”. Someone looking for “Affordable Care Act” may see this appear in search engine results and click on it, thinking it is a legitimate site. After all, the IRS is a government organization, the website contains the name of the law, and there are no misspellings. However, upon clicking upon the page, it does not lead to an online enrollment form. Instead, it leads to a “parked page”, a term used to describe a website in which the domain name has been registered but no actual content has been posted on the website.

Another example of a website that has been registered since last month is www.obama-care.us. In an early analysis of the site, the Washington Examiner wrote that it claimed it was part of the “Obamacare enrollment team,” and also had an “Obamacare enrollment form” for visitors to fill out. The form requested peoples’ names, addresses, and Social Security numbers; yet, even after entering in that information, users could not actually enroll in a plan. As of this writing, the site is currently offline.

To evaluate whether the 4,000 sites we detected were similar to the examples above, Cyveillance developed scoring algorithms that gave high scores to sites that suggested fraudulent activity. For example, those sites requesting social security numbers, requesting passwords, or requesting credit card numbers received higher scores than parked pages.

At the time the analysis was conducted, Cyveillance found:

  • None of the domain names in our sample appear to pose a security risk yet, including the 49 that contain words like “social security number”, “credit card”, or “paypal”.
  • Almost all of the websites associated with these domain names fell into one or more of the following categories:
    • Those with a political message
    • Affiliate marketing or eBook marketing sites
    • Domain names registered by speculators who most likely will “flip” them for monetary gain

For the time being there does not appear to be much if any direct fraud underway in sites with “Obamacare” or “AffordableCareAct” in the domains. However, Cyveillance often sees a lag time between registration of domain names and criminal activity. Many times criminals can register these domain names in bulk, sit back, and wait. Of course there will be many sites online which will be ACA-related but not contain “Obamacare” or “AffordableCareAct” in the domain name, and it is very likely that some of those may be fraudulent or contain malicious malwareMalware: A generic term for a software that is designed to disable or otherwise damage computers, networks and computer systems LookingGlass Cyber (n) - another type of cold that can destroy a computer by latching on to destroy other programs..

To avoid becoming prey to ACA scams and social engineering, computer-based training can help an organization’s employees avoid becoming victims. Organizations can also monitor and remove cybersquatted domains, rogue mobile applications and phishing websites that are using an organization’s good name and reputation to commit fraud or confuse consumers.

Additional Posts

How a Proactive Defense and Online Monitoring Can Help Corporate Security Professionals Better Protect Executives

How a Proactive Defense and Online Monitoring Can Help Corporate Security Professionals Better ...

LinkedIn’s New App Introduces Broad Range of Security, Compliance Risks

In an ambitious attempt to further integrate its services into the lives of business professionals, ...