If you haven’t been hiding in a cave, you’ve heard some of the sound bites: more active users than Twitter after one weekend. More downloads than Tinder. 6% of all Android phones have the app after that same weekend, and the number is rising steeply. It’s breaking the Internet, Bieber-style, and as you might imagine, it’s making money hand over fist. Sadly but predictably, not all of the gains are legitimate.



Anything that captures the public imagination this widely is bound to attract fraudsters, and the Pokemon Go phenomenon is no different. A little bit of searching in DomainTools Iris Investigate shows an abundance of potentially dangerous Pokemon-themed domains, many of them registered very recently. Check out this chart of the daily numbers of registrations of one (albeit large) slice of such domains:



These domains have the following characteristics:

  • They begin with “pokemon”
  • They are not registered by Niantic, Nintendo, or the Pokemon Corporation
  • They were registered on the days depicted in the chart

While some, or even a lot, of these domains may be relatively innocuous fan sites, any time the registration has nothing to do with the legitimate owner of a trademarked name, it’s important to be cautious. There are widespread reports of malware-laden ripoff apps that are capitalizing on the craze to infect victims.

This provides a good example of how Iris Investigate can be used not just for forensic purposes but for preventive ones as well. It would be fast and easy to create a query to find these domains, then download a CSV report of them. Many messaging security gateways (such as Barracuda, Proofpoint, etc.) are able to ingest domain names from a file such as a CSV document and add them to their block lists. Furthermore, you could use DomainTools Monitors to discover more such domains going forward, for the same purpose.
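The sketch below is an added example, not DomainTools code: it applies the three characteristics listed above to a CSV export and produces a deduplicated block list. The column names, the registrant allowlist strings, the date window and the sample rows are all assumptions constructed for illustration; a real export may use a different layout.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumed, not a real export schema.
SAMPLE_EXPORT = """domain,registrant_org,create_date
pokemongo-coins.example,Privacy Protect LLC,2016-07-11
PokemonGo-Coins.example.,Privacy Protect LLC,2016-07-11
pokemon-official.example,"Nintendo of America Inc.",2016-07-10
pokemonmaps.example,,2016-07-12
mypokemonblog.example,Jane Doe,2016-07-12
pokemonold.example,Some Fan,2014-03-02
"""

# Assumed registrant strings for the legitimate owners. Exact match only:
# a substring test would also exempt a registrant such as "Nintendo Fans".
LEGIT_REGISTRANTS = {"niantic, inc.", "nintendo of america inc.",
                     "the pokemon company"}

def build_blocklist(export_text, first_day, last_day):
    """Return sorted, normalized domains matching all three criteria."""
    blocked = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        # Normalize case and a trailing root dot so duplicates collapse.
        domain = (row.get("domain") or "").strip().rstrip(".").lower()
        owner = (row.get("registrant_org") or "").strip().lower()
        try:
            created = date.fromisoformat((row.get("create_date") or "").strip())
        except ValueError:
            continue  # no usable registration date: leave for manual review
        if not domain.startswith("pokemon"):
            continue  # criterion 1: begins with "pokemon"
        if owner in LEGIT_REGISTRANTS:
            continue  # criterion 2: not registered by the trademark owners
        if not first_day <= created <= last_day:
            continue  # criterion 3: registered inside the window of interest
        blocked.add(domain)
    return sorted(blocked)

if __name__ == "__main__":
    # Constructed date window standing in for the days shown in the chart.
    for name in build_blocklist(SAMPLE_EXPORT, date(2016, 7, 6), date(2016, 7, 13)):
        print(name)  # one domain per line, ready for a gateway import file
```

Registrant fields are self-reported, so the allowlist only keeps known-good registrations off the block list; it says nothing about whether the remaining domains are malicious.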

By many accounts, the game is well-designed and a lot of fun to play. If you do decide to Go, though, make sure you do so safely!