Malicious domains registered in the wake of Hurricane Florence


SecurityTrails Blog · Sep 18 · SecurityTrails team

Hurricane Florence is hitting North and South Carolina. Despite reports of over 20 lives lost, we are sadly aware of scammers attempting to exploit the fear and kindness of good people who wish to help and donate to the victims and organizations.

We have covered the subject of uncovering malicious domains that come in the form of phishing websites by using name server records, and today we are prompted to explore specific domains that appear after high-profile events, in this unfortunate case a natural disaster.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) reports: "The landfalls and impending landfalls of Hurricanes Florence, Isaac, and Helene, Tropical Storm Olivia, and Typhoon Mangkhut will highly likely propel the emergence of new and recycled scams involving financial fraud and malware."

In the past 10 days, there has been an increase in the number of registered domains related to Hurricane Florence. It's not the first time we've seen cyber criminals try to leverage public support during natural disasters for financial gain. Just as in past years with Hurricanes Harvey and Irma, these domains include words like "charity", "compensation", "relief", "lawyer" and "claims", so Internet users are well advised to be careful when visiting websites whose names use these words. All domains that include these words can be easily researched through the SecurityTrails domain keyword search that you can find on our home page!

Using the advanced domain DSL query API, we found over 137 results by searching for "query": "(keyword = 'claims' OR keyword = 'relief' OR keyword = 'compensation' OR keyword = 'charity') AND keyword = 'florence'".

Cyber criminals mostly register domains that are related to charity and design them to appear as legitimate websites, with "Donate" buttons that let them wrongfully collect money and private information from people eager to help victims of the disaster.

When looking at donation websites, if you see names that specifically include Hurricane Florence, take precautions to verify the website's legitimacy. Donate to trusted organizations only.

Another way malicious actors scam people is to send phishing emails that contain links to malicious websites.

Among the websites we have found are hurricaneflorence.live and www.hurricaneflorence.live.

When we searched for the keyword "hurricaneflorence", there were 216 domains registered that contained the phrase.

Among these 216 registered domains, www.hurricaneflorence.live and hurricaneflorence.live pop up.
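An added example (not SecurityTrails code and not part of the original post): it rebuilds the DSL query string quoted above from keyword lists and applies the same boolean logic offline to a feed of newly observed hostnames. It assumes `keyword` behaves as a substring match on the hostname; the function names and the `.example` hostnames are constructed for illustration.

```python
import re

LURES = ["claims", "relief", "compensation", "charity"]  # terms quoted in the article

def build_dsl_query(event, lures=()):
    """Return the DSL query string in the form the article quotes."""
    for term in (event, *lures):
        # Keywords are spliced into a quoted string, so allow hostname characters only.
        if not re.fullmatch(r"[a-z0-9-]+", term):
            raise ValueError(f"unsafe keyword: {term!r}")
    event_clause = f"keyword = '{event}'"
    if not lures:
        return event_clause
    return "(" + " OR ".join(f"keyword = '{t}'" for t in lures) + f") AND {event_clause}"

def normalise(hostname):
    """Lower-case, drop the trailing dot and a leading www. so variants collapse."""
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def triage(hostnames, event, lures=()):
    """Apply the same boolean logic locally (assumption: keyword = substring match)."""
    hits = {}
    for host in map(normalise, hostnames):
        if event not in host:
            continue
        matched = sorted(t for t in lures if t in host)
        if lures and not matched:
            continue  # event keyword present, but none of the lure terms
        hits[host] = matched
    return hits

# Constructed sample feed: the .example names are made up, the .live names are from the article.
FEED = [
    "florence-relief-fund.example",
    "WWW.Florence-Relief-Fund.example.",
    "hurricaneflorenceclaims.example",
    "florence-italy-tours.example",
    "storm-charity.example",
    "hurricaneflorence.live",
    "www.hurricaneflorence.live",
]

if __name__ == "__main__":
    print(build_dsl_query("florence", LURES))
    print(triage(FEED, "florence", LURES))
    print(triage(FEED, "hurricaneflorence"))
```

On this feed the lure-term query does not return hurricaneflorence.live, because its name contains none of the four terms; only the plain "hurricaneflorence" keyword search surfaces it, which is why both searches are worth running.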

When going to that domain, we were redirected to filesenzu.com, a website that offers downloads of movies. Links to these kinds of websites can be sent to people by email, presented as a live stream of Hurricane Florence, and lead them to fraudulent websites. The website's DNS records show that it uses Cloudflare, which may be a way for its operators to hide their information.

It's also likely that even more malicious domains will be registered in the days of recovery following natural disasters, and Internet users need to be aware of scammers trying to leverage their kind acts to help the victims.

To avoid being scammed, users should:

  • Be wary of emails that claim to contain information about the disaster.
  • Be cautious of "live" photos and videos, do not open attachments in emails, and be wary of social media posts and crowdfunding websites asking for financial information.
  • Never disclose private and financial information in emails or on untrusted websites.
  • Always go to trusted websites when looking for live information about the disaster.

Where to donate

To check how legitimate a charity organization is, you can visit Charity Navigator.

Or you can visit Nola's article for a list of the best organizations to donate to.

Use SecurityTrails to see how many new domains related to the hurricane show up in the coming days, and use our WHOIS history tool to recover information about a suspicious website.

Along with these features that help you get daily updates and important information, SecurityTrails also offers customer feeds and consulting services — we're here to alert companies when their brand or a keyword they choose is registered as a part of a newly discovered domain. For more information, you can always contact us.