Dynamic Duo: Duolingo Mascot Death Scams Report

Recently, the language learning app Duolingo announced the untimely “passing” of its owl mascot “Duo” at the hands of a Tesla Cybertruck driver. Almost immediately, the virally popular mascot was receiving tributes from other brands and fans around the world, creating a new viral incident of its own. The popularity of Duo and the buzz around his death gave cybercriminals an opportunity to leverage the incident and its virality to launch various related online scams. Following the announcement made on 11 February, 13 related domains were identified. We will review what scams followed in the week after the sad news.

The threat research team at BforeAI analyzed a variety of newly registered domains that emerged in the week following the announcement, to reveal insights into their prevalence, structure, and the types of scams they facilitate.

Incident and Threat Analysis

Figure: Announcement made by Duolingo declaring their mascot as “dead”.

Date: 11 February

Domains identified: 3

On the day of the actual Duo announcement, the research team identified a crypto scam campaign that appears to be leveraging Duolingo’s brand to push a fraudulent cryptocurrency, which does not officially exist. Associated with this, the team observed a rebranded account on X, registered a long time ago (in 2016!), pushing crypto posts and attracting more viewers. The website was titled “Justice for Duolingo”, a play on sympathy intended to push for more financial investments.

Figure: Websites misleading victims to invest into a newly emerged crypto coin by rebranding old X accounts.

Another, newer X account associated with Duo’s fake crypto coin was flagged as suspicious and restricted. The contrast between this relatively new account and the rebranded one indicates that rebranding old accounts for scams helps scammers evade detection.


Figure: Websites misleading victims to invest into a newly emerged crypto coin by claiming it will help revive Duo.

Another website titled, “Duo Lives”, posted about a “revival celebration” and featured a crypto token called “Duo Everywhere”. Aside from the token, the same website offered a Chrome extension that claimed to “bring your favorite language-learning companion to every corner of the web” as an attempt to bring Duo back. 

This extension raises security concerns because its installation was prompted through the scam website itself, and the safety of the extension remains unverified. An extension distributed this way could potentially be used to install malicious browser stealers or keyloggers.

A further red flag is that the extension’s developer is listed with a private Gmail-based address rather than an official Duolingo email address, indicating a lack of credibility.

Date: 12 February

Domains identified: 4

The day following the Duo announcement, the BforeAI team identified 2 crypto-themed websites, based on the naming convention. However, they were yet to go live. Interestingly, another website used “Duolingo” in its domain name and promoted a Chinese company, with protected email details. The team was able to identify another personal email address that was used solely to register this website after Duolingo made the announcement on 11 February.

Date: 14 February

Domains identified: 2

While there were only 2 domains identified on 14 February, they were still under construction or not operational. This can indicate adversarial infrastructure that is yet to be launched and that requires constant monitoring to preemptively mitigate related threats.

Date: 15 February

Domains identified: 2

While one identified domain was still under construction, threat actors introduced a new mascot called “Baby Duo”, which bears a striking resemblance to the original. They also launched a new community to leverage this interest, luring more victims to invest in and promote a “pump and dump” scheme, a typical scam in crypto.


Figure: Cryptocurrency based on the “Baby Duo” mascot, introduced by cybercriminals.

Date: 16 February

Domains identified: 1

While only a single domain was identified, this website offered a multi-staged campaign called “Duolingo Family Program”, introducing a new mascot called “Hooty”. Hooty was used by cybercriminals to establish a new crypto coin. This was likely to be missed by many detection radars because it is not directly related to Duolingo; it is, in fact, another owl that is similar to Duolingo’s mascot.

Another exploitation attempt involved establishing a store for apparel, plushies, and accessories. However, the page did not exist. Even if it had been active, the legitimacy of the business would have been questionable at best, and it was likely the makings of a new scam vector.


Figure: Multi-step malicious campaign offered in a single website. 

Date: 17 February

Domains identified: 1

The website identified was parked, indicating either that the domain had reached the end of its use or that it was purposefully registered to be exploited in the future.

Overview and Takeaways

Impact:

  1. Attackers tried to exploit Duolingo, mostly in the cryptocurrency space, which is a quick way to gain money, commit fraud, and vanish with minimal investment.
  2. Chrome extensions could contain malicious code that stays resident in the browser to steal data such as stored passwords, cards, and autofill PII (personally identifiable information).
  3. An apparel store scam in which orders placed and paid for are never delivered is another classic example of criminals leveraging a viral event to make quick, easy money.
  4. To avoid direct detection, new mascots were brought into the picture to target gullible victims who might fall for the news.
  5. Old accounts harvested and rebranded to exploit new, globally recognized incidents can fool people on social media into believing that these accounts are legitimate.
  6. Unethical SEO techniques were leveraged to soft launch companies, which could be malicious and unverified in nature. Since this incident, Duolingo has been the most popular search keyword, giving these companies an upper hand in rankings and visibility on search engines.

Mitigation:

  1. A continuous brand monitoring solution can help to identify future website registrations to preemptively mitigate unapproved newly registered domains. 
  2. This reinforces a growing trend that every incident that gains worldwide visibility can become a crypto meme, requiring monitoring and alerting customers as well as the brands themselves. 
  3. Avoid installing any applications or extensions that are offered by newly registered websites or that have only new reviews.
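
A sketch of the brand monitoring described in mitigation 1, extended to catch the indirect mascot names ("Baby Duo", "Hooty") that the report notes can slip past brand-only matching. This is an added example, not BforeAI's detection logic; the watchlists, function names and the constructed `.example` feed are assumptions.

```python
import re

BRAND = "duolingo"
# Assumed watchlists: the report names the mascots, not its detection rules.
MASCOTS = ("duo", "hooty", "owl")
LURES = ("coin", "token", "crypto", "revive", "store")
SPLIT = re.compile(r"[.\-_]|" + "|".join(LURES))

def edit_distance(a, b):
    """Levenshtein distance, used to catch misspellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return the reasons a newly registered domain needs analyst review."""
    label = domain.lower().rsplit(".", 1)[0]        # drop the TLD
    tokens = [t for t in SPLIT.split(label) if t]   # split on separators and lure words
    reasons = []
    if BRAND in label:
        reasons.append("brand")
    elif any(edit_distance(t, BRAND) <= 2 for t in tokens):
        reasons.append("lookalike")
    # A mascot name counts only at the edge of a token ("bowling" is not "owl"),
    # and only together with a lure word, since "duo" alone is a common prefix.
    mascot = any(t.startswith(m) or t.endswith(m) for t in tokens for m in MASCOTS)
    if mascot and any(lure in label for lure in LURES):
        reasons.append("mascot+lure")
    return reasons

def review_queue(feed):
    """Map each flagged domain in a registration feed to its reasons."""
    return {d: r for d in feed if (r := classify(d))}

# Constructed sample feed; none of these are domains from the report.
FEED = ["duolingo-coin.example", "dulingo-login.example", "hootycoin.example",
        "babyduotoken.example", "bowlingstore.example", "duotone-print.example"]

if __name__ == "__main__":
    for domain, reasons in review_queue(FEED).items():
        print(domain, reasons)
```

Matches are a review queue rather than a verdict: parked or under-construction domains like those seen on 14 and 17 February still need to be re-checked over time.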