Home / Industry

Third-Party Vendor Risk Management: A Look into Top Couriers’ Digital Footprint

Just as no man is an island, no company can perform core functions without other organizations’ help. This fact is highlighted in today’s age of outsourcing, partnership, and third-party connections. Unfortunately, threat actors have also found a massive opportunity in these relationships. Targeting a third-party vendor often allows them to target the vendor’s clientele.

In this post, we used our Third-Party Risk Management (TPRM) solutions to look at some of the popularly used express mail courier services that several companies worldwide partner with—FedEx, DHL, China Post, and UPS. These companies are often targeted since they have thousands, if not millions, of personally identifiable information (PII) in their records. In August 2020, for example, a Canadian courier became a victim of a ransomware attack, giving threat actors access to its customers’ personal details.

Potential “Unknowns” in the Digital Footprint of FedEx, DHL, China Post, and UPS

We gathered a total of 24,601 domains and subdomains containing the words “fedex,” “dhl,” “chinapost,” and “ups.” A vast majority of the subdomains were not owned by any of the courier companies, as confirmed by a bulk WHOIS lookup.

Indeed, only 40 domains appeared to be managed by the legitimate companies, as they matched WHOIS record details with the official couriers’ domain names. This number represents less than 1% of the total number of subdomains in our dataset. The table below shows the breakdown.

Company# of domains with matching WHOIS record detailsPercentage match
China Post00.00%

We studied the top-level domain (TLD) distribution of the domains and subdomains obtained and ran them against the most abused TLDs known to direct visitors to phishing and botnet command-and-control (C&C) servers. Seven of the most abused TLDs made up more than half (53%) of the total number of subdomains.

The pie chart shows the TLD distribution of the subdomains under the .com, .net, .org, .de, .ru, .info, and .eu TLDs against all other TLDs not included in the list of most abused.

All seven TLDs were among the most abused by botnet operators. The .com TLD was also most favored by phishers. It also figured in 35% of the four couriers’ potential loopholes.

Common Terms Used

Some words commonly appeared along with the courier names. The chart below shows the 10 most commonly used terms revealed.

Among the runners-up were “secure,” “account,” “delivery,” “portal,” and “export.” Aside from these, subdomains with random numbers appearing alongside the couriers’ names were also common. Around 5,000 subdomains contained random strings of numbers, including:

  • ups5183[.]carlsoncraft[.]com
  • ups518598[.]bmlink[.]com
  • dhl007[.]stage-env[.]com
  • dhl00[.]static[.]otenet[.]gr
  • chinapost1[.]chinapost1[.]org
  • fedex13111422[.]bxgjs[.]com
  • fedex13111521[.]tjastgg[.]com

This characteristic is consistent with the use of a domain generation algorithm (DGA) commonly employed by botnet operators.

Registrar Distribution

According to a bulk WHOIS lookup, the subdomains were registered under over 100 domain registrars. Among these are 18 of Spamhaus’s top 20 most abused registrars for botnet-related activities. The table below shows the root domain distribution for the top 10 most abused domain registrars.

Domain RegistrarNumber of Root Domains
Domain Age

The bulk WHOIS lookup also revealed that 9.4% of the root domains were created within the past year. Some of them were only a month old at the time of analysis. About 19% were less than five years old and the rest were created before 2015. While all subdomains may require deeper investigation, newer domains can be given a higher priority since newly registered domains (NRDs) are often abused.

This study powered by Third-Party Risk Management (TPRM) solutions reveals that subdomains containing the terms “fedex,” “dhl,” “chinapost,” and “ups” could pose risks to organizations working with these top four courier service providers. Indeed, those brand names could be misused to give a false sense of trust as part of phishing and related attacks.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byVerisign