PayPal is still one of the most imitated brands on the Internet. From 1-8 June 2020, the Typosquatting Data Feed detected a total of 64 PayPal lookalike domains. The domains appeared on the data feed because they became part of the Domain Name System (DNS) on the same day similar ones were. While such occurrences can be a result of PayPal’s brand protection strategy, it could also mean that threat actors are planning to use them in phishing attacks.

The latter is not an unlikely scenario, especially since IBM X-Force has been releasing different warnings related to various PayPal squatting campaigns. In a little over a year, it issued four notices on these dates:

• 10 January 2019
• 18 November 2019
• 2 January 2020
• 27 April 2020

With this in mind, what can we say about these newly detected domain names?

What We Know About 1—8 June’s Newly Registered PayPal Domain Names

Of the 64 domains, half have since been dropped. Listed below are the domains detected within the specified date range that remain active:

1. paypalticket91661[.]info
2. paypal-team[.]space
3. paypal-service[.]website
4. paypalticket91644[.]info
5. mypaypal[.]online
6. paypal-service[.]site
7. team-paypal[.]space
8. paypalticket91640[.]info
9. paypal-service[.]space
10. paypal-updateconfirmationsaccounts[.]com
11. paypal-updateconfirmationsaccount[.]com
12. paypal-support[.]space
13. team-paypal[.]website
14. paypalticket91645[.]info
15. paypalticket91642[.]info
16. paypalticket91664[.]info
17. paypal-updateconfirmationaccount[.]com
18. paypal-updateconfirmationaccounts[.]com
19. team-paypal[.]site
20. paypalticket91647[.]info
21. paypalticket91643[.]info
22. paypalticket91646[.]info
23. mypaypal[.]website
24. paypalticket91663[.]info
25. paypalticket91665[.]info
26. paypal-team[.]website
27. paypalticket91660[.]info
28. mypaypal[.]site
29. paypalticket91641[.]info
30. paypal-team[.]site
31. pay-pal-support[.]xyz
32. paypal-support[.]website

Are These Typosquatting Domains?

We can’t say for sure if any of the 32 domains are typosquatting or malicious domains as PayPal could have registered some of them as part of its typosquatting or brand protection strategy. These domain names could also have been purchased for domaining purposes.

However, we did compare their WHOIS records with that of the legitimate paypal[.]com website via Bulk WHOIS Lookup. Here’s what we found out:

• Their domain registrars include Epic LLC, GoDaddy, Wix.Com Ltd., and Registrar of Domain Names REG.RU, LLC.

  

• The registrant names, organizations, and contact information were all anonymized or protected for privacy, or left blank.

  

• All domains were registered either in Sweden or Russia, with only one exception. Pay-pal-support[.]xyz was registered in the U.S.

  

• On the other hand, the WHOIS details of the official paypal[.]com are as follows:

  Registrar: MarkMonitor, Inc.
  Registrant organization: Paypal Inc.
  Registrant address: 2211 North First Street, San Jose, California

  

All other information such as the email address, telephone, and technical and administrative details are also provided. As such, there is a glaring difference between the WHOIS records of the legitimate PayPal domain and its lookalikes.

A Look into PayPal’s Typosquatting Protection Strategy

Another reason for treating these 32 typosquatting domains as suspicious is the fact that PayPal uses the same WHOIS details for a large number (if not all) of its other domains. We found 2,451 domains that use the same registration details as paypal[.]com.

We were able to look into PayPal’s typosquatting strategy with the help of Reverse WHOIS Search. Utilizing its advanced search feature, we specified the following search terms:

Out of the almost 2,500 domains, only seven were registered between 1 May and 9 June 2020. And only one of them can be deemed a lookalike.

Integrating Typosquatting Data Feed could help PayPal protect its brand and its users promptly. By contacting the owners or even the registrars of these domains, PayPal can save its users from becoming victims of phishing, fraud, and other cybercrime.

What Can Victims Lose?

On 8 June, a user with the Twitter handle @JetmanPR warned his followers about a phishing email he received. The email was supposedly from PayPal, alerting him about suspicious activities on his PayPal account.

The email is fake based on the email domain and the glaring grammatical errors in the message. The PayPal user thankfully didn’t fall for the ruse. Others were not as lucky.

In May, a woman almost lost £11,000 to scammers after clicking a malicious link embedded in a message that was supposedly from PayPal. Luckily, her bank’s fraud team was alerted and fixed everything.

PayPal squatting seemingly remains prevalent, as shown by the Typosquatting Data Feed. PayPal is already educating users about phishing and provides them with an avenue to report such acts. As an additional effort, keeping track of PayPal-inspired domain registrations is possible with Typosquatting Data Feed.