Not all of the domains that contain a company’s brand are under its control. A portion of them (sometimes even the vast majority) is typically registered by unidentifiable third parties with masked WHOIS records. Arguably, WHOIS redaction might also be preferred by the companies themselves for privacy purposes. But to what extent is this the case?
We conducted a short study to explore this question at the enterprise level, looking at the WHOIS records of the top 25 Fortune 500 companies’ official domains to check if public attribution was possible. Next, we aimed to uncover the related digital footprint of those companies, assessing the ratio that could also be publicly attributed. Last, we looked at a subset of non-attributable domain names that presented signs of maliciousness.
See the list of the top 25 Fortune 500 companies with their corresponding domains below.
Rank | Company | Domain |
---|---|---|
1 | Walmart | walmart[.]com |
2 | Amazon | amazon[.]com |
3 | Exxon Mobil | exxonmobil[.]com |
4 | Apple | apple[.]com |
5 | CVS Health | cvshealth[.]com |
6 | Berkshire Hathaway | berkshirehathaway[.]com |
7 | UnitedHealth Group | unitedhealthgroup[.]com |
8 | McKesson | mckesson[.]com |
9 | AT&T | att[.]com |
10 | AmerisourceBergen | amerisourcebergen[.]com |
11 | Alphabet | abc[.]xyz |
12 | Ford Motor | ford[.]com |
13 | Cigna | cigna[.]com |
14 | Costco Wholesale | costco[.]com |
15 | Chevron | chevron[.]com |
16 | Cardinal Health | cardinalhealth[.]com |
17 | JPMorgan Chase | jpmorganchase[.]com |
18 | General Motors | gm[.]com |
19 | Walgreens Boots Alliance | walgreensbootsalliance[.]com |
20 | Verizon Communications | verizon[.]com |
21 | Microsoft | microsoft[.]com |
22 | Marathon Petroleum | marathonpetroleum[.]com |
23 | Kroger | kroger[.]com |
24 | Fannie Mae | fanniemae[.]com |
25 | Bank of America | bankofamerica[.]com |
Three specific intelligence tools were used for this study, namely:
The Bulk WHOIS Lookup for the top 25 Fortune 500 companies revealed that only two organizations (Walmart and Berkshire Hathaway) or 8% of the sample hid their registrant details from the public. Walmart opted not to disclose its domain registration information, while Berkshire Hathaway’s records were privacy-protected by Perfect Privacy, LLC.
We then used Reverse WHOIS Search to come up with two data sets so we could compare the ratio of domains containing the companies’ brands to the domains publicly known to be under their control (those that can be publicly attributed to them based on the registrant organization indicated in the domains’ WHOIS records). Note that we took Walmart and Berkshire Hathaway out of the sample as they did not reveal their registrant organization names in their WHOIS records.
Rank | Company | Registrant Organization |
---|---|---|
2 | Amazon | Amazon Technologies, Inc. |
3 | Exxon Mobil | Exxon Mobil Corporation |
4 | Apple | Apple Inc. |
5 | CVS Health | CVS Pharmacy, Inc. |
7 | UnitedHealth Group | UnitedHealth Group Incorporated |
8 | McKesson | McKesson Corporation |
9 | AT&T | AT&T Services, Inc. |
10 | AmerisourceBergen | AmerisourceBergen Corporation |
11 | Alphabet | Google LLC |
12 | Ford Motor | Ford Motor Company |
13 | Cigna | Cigna Intellectual Property, Inc. |
14 | Costco Wholesale | Costco Wholesale Membership, Inc. |
15 | Chevron | Chevron Corp. |
16 | Cardinal Health | Cardinal Health |
17 | JPMorgan Chase | JPMorgan Chase & Co. |
18 | General Motors | General Motors LLC |
19 | Walgreens Boots Alliance | Walgreens |
20 | Verizon Communications | Verizon Trademark Services LLC |
21 | Microsoft | Microsoft Corporation |
22 | Marathon Petroleum | Marathon Petroleum Company |
23 | Kroger | The Kroger Co. |
24 | Fannie Mae | Fannie Mae |
25 | Bank of America | Bank of America |
We compared the two Reverse WHOIS Search data sets to determine each of the 25 companies’ potential domain attack surface. The first data set lists all domains that contain the company names shown in Table 2, while the second contains all domains that have the registrant organizations listed in the same table. See the figure below for the results of the comparison.
Apple, AT&T, Alphabet, Walgreens Boots Alliance, Verizon Communications, Microsoft, and Bank of America were taken out of the sample as they owned more of the domains included in the reverse WHOIS search results than not.
Based on the reverse WHOIS search results, the 14 companies left (Exxon Mobil, UnitedHealth Group, McKesson, AmerisourceBergen, Ford Motor, Cigna, Costco Wholesale, Chevron, Cardinal Health, JPMorgan Chase, General Motors, Marathon Petroleum, Kroger, and Fannie Mae) appeared in the WHOIS records of 63,215 domains. Of these, only 41,664 domains or 66% contained their legally recognized organization names as registrants. This means that cyber attackers could theoretically use 21,551 domains for phishing, business email compromise (BEC), or other malware-enabled schemes.
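The comparison described above can be reproduced on any WHOIS export. The following is an added example, not code from the study: it takes two registrant organizations from the table above, runs over constructed sample records on the reserved `.example` TLD, and splits brand-containing domains into attributed, masked, and third-party. The privacy markers and the name normalization are assumptions.

```python
import re

# Brand keyword -> registrant organization (two rows from the table above).
REGISTRANT_ORG = {"chevron": "Chevron Corp.", "kroger": "The Kroger Co."}

# Assumed substrings marking a masked registrant ("Perfect Privacy, LLC" is
# named in the article; "redacted" is a common WHOIS placeholder).
PRIVACY_MARKERS = ("privacy", "redacted")

# Constructed sample records: (domain, registrant organization or None).
SAMPLE_WHOIS = [
    ("chevron.example", "Chevron Corp."),
    ("chevron-rewards.example", "CHEVRON CORP"),
    ("chevron-login.example", None),
    ("mychevroncard.example", "REDACTED FOR PRIVACY"),
    ("kroger.example", "The Kroger Co."),
    ("kroger-coupons.example", "Perfect Privacy, LLC"),
    ("krogerfeedback.example", "Some Other Registrant"),
    ("unrelated.example", "The Kroger Co."),
]

def normalize_org(name):
    """Lowercase and drop punctuation so 'CHEVRON CORP' equals 'Chevron Corp.'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", (name or "").lower()).split())

def classify(domain, registrant):
    """Return (brand, status), or None if the domain holds no tracked brand."""
    label = domain.lower().rsplit(".", 1)[0]  # strip the TLD only
    for brand, org in REGISTRANT_ORG.items():
        if brand not in label:
            continue
        reg = normalize_org(registrant)
        if reg == normalize_org(org):
            return brand, "attributed"
        if not reg or any(m in reg for m in PRIVACY_MARKERS):
            return brand, "masked"
        return brand, "third_party"
    return None

def summarize(records):
    """Per brand: total brand-containing domains, attributed count, ratio."""
    out = {}
    for domain, registrant in records:
        hit = classify(domain, registrant)
        if hit is None:
            continue
        brand, status = hit
        row = out.setdefault(brand, {"total": 0, "attributed": 0, "unattributed": []})
        row["total"] += 1
        if status == "attributed":
            row["attributed"] += 1
        else:
            row["unattributed"].append((domain, status))
    for row in out.values():
        row["ratio"] = row["attributed"] / row["total"]
    return out
```

The `unattributed` list is the review queue: masked entries may still belong to the brand owner, so they need a second signal before being treated as third-party registrations.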
We sought to identify additional threat vectors by consulting typosquatting data feeds from 1–31 October 2020. While only three of the 25 companies (Amazon, JPMorgan Chase, and Verizon Communications) had typosquatting domains that month, we can’t say for sure if the others are threat-free in previous or upcoming months.
None of the 58 domains that contained the three companies’ brands indicated their official organization names as registrants. We can say then that none of the bulk-registered domains in October are “proven” to be under their control.
A check on the nature of the 58 look-alike domains on VirusTotal revealed that 40 or 69% of them have been cited for various malicious activities like phishing. A breakdown for Amazon, JPMorgan Chase, and Verizon Communications is shown in the figure below.
Domains that contain a company’s brand but are not under its control increase its exposure to cyber attacks. These domains can figure in phishing, spam, BEC, and other cyber attacks that could put its customers at risk of identity or financial theft. That could lead to loss of trust and a damaged reputation that are preventable with the help of robust domain intelligence.