Kozow[.]com hosts the website of free dynamic Domain Name System (DNS) service provider Dynu Systems. It has been cited for ties to several malicious activities over the past few months. To see if it would be a good idea for organizations to consider blocking the domain from their networks, we collated a list of kozow[.]com subdomains and subjected them to deeper scrutiny.

We obtained a list of 22,160 kozow[.]com subdomains from our database and analyzed the common strings found.

Brands Possibly Being Spoofed by Kozow.com Subdomains

The following brands, whether correctly or incorrectly spelled, appeared in the subdomains, which could indicate typosquatting or more destructive threats, such as phishing and malware-hosting:

Amazon took the top spot with the highest number of possibly spoofed subdomains (1,982), at least three of which are malicious—cpcontacts[.]amazonde-accountalert[.]kozow[.]com, amazon-recoverydata3[.]kozow[.]com, and alert-amazon[.]com-verifypage[.]kozow[.]com.

WhatsApp followed with 404 subdomains. Examples of malicious subdomains include grupwhatsappdewasa[.]kozow[.]com, cpanel[.]whatsappbokep18[.]kozow[.]com, and chatwhatsapps[.]kozow[.]com. These subdomains could be targeting app users looking to join groups.

In third place was Apple with 387 subdomains, at least three of which are malicious—cpcalendars[.]appleld-apple-com[.]skq[.]kozow[.]com, cpcontacts[.]appleld-apple-com[.]skq[.]kozow[.]com, and www-secure-apple[.]supports-accounts0129[.]kozow[.]com. A lot of these seemed to pretend to offer support to targets.

Other malicious examples for each brand and the ruses used are listed below.

1. Chase/JPMorgan: Probably pretending to offer support, security, and verification services, among others. Malicious examples include supp0rt07d-online08d-chas3[.]kozow[.]com, cpanel[.]support-account-chasemail[.]kozow[.]com, and secure07a-chase[.]kozow[.]com.
2. PayPal: Likely pointing to configuration, verification, and security updates, among others. Malicious examples include cpcontacts[.]updatemyaccount-paypal[.]kozow[.]com, www[.]configurate-setting-verify-pypal-techsupport[.]kozow[.]com, and cpcontacts[.]secureaccountservice-paypal[.]kozow[.]com.
3. Xfinity/Comcast: Possibly requesting billing updates in connection to invoice fraud campaigns. Malicious examples include update-billing-xfinity[.]kozow[.]com, myhome07c-update-billing-xflnlty[.]kozow[.]com, and service-billing-xfinity-id[.]kozow[.]com.
4. Netflix: Probably pretending to offer free access to movies and shows mostly. Malicious examples include netflix-movies-and-series-unlimited-login[.]kozow[.]com, net-flix[.]kozow[.]com, and mail[.]billing-update[.]netflix[.]com[.]dzxsz[.]kozow[.]com.
5. Microsoft: Themed subdomains mostly went after Office 365 and Outlook users here. Malicious examples include myoutlook1postmasterowaportal[.]kozow[.]com, postmasterbofficeamicrosoftonline[.]kozow[.]com, and secureofficenow[.]kozow[.]com.

The other abused brands include Google/Android/YouTube (73 subdomains), Facebook (49), Bank of America (43), Instagram (38), Wells Fargo (29), Spotify (14), HSBC (6), ITPro (4), Adobe (3), AOL (3), Starbucks (3), and Yahoo (2). The typosquatters do not seem to have a particular target industry, as tech giants, banks and financial service providers, streaming service providers, utility providers, and even an online publication were in the top 20 list.

Noteworthy Strings the Kozow.com Subdomains May Be Riding On

Apart from subdomains containing brands or company names as listed above, the following strings were also appearing repetitively:

The string “contact” topped the list with 1,007 subdomains, at least three of which are malicious—cpcontacts[.]amazonde-accountalert[.]kozow[.]com, cpcontacts[.]appleld-apple-com[.]skq[.]kozow[.]com, and cpcontacts[.]updatemyaccount-paypal[.]kozow[.]com.

This was closely followed by “calendar” with 978 subdomains and “app” with 722. Malicious examples of subdomains containing both strings include cpcalendars[.]appleld-apple-com[.]skq[.]kozow[.]com, cpcalendars[.]www-appmazon-login-authorized-secure[.]kozow[.]com, cpcalendars[.]secure[.]my-amazon[.]updatedetailinfo73292300[.]kozow[.]com, cpcalendars[.]appleld-apple-com[.]skq[.]kozow[.]com, cpcontacts[.]appleld-apple-com[.]skq[.]kozow[.]com, and cpanel[.]secure[.]apps[.]home-dashboard-ridireecttoamazonverif[.]kozow[.]com.

Other examples are listed below per theme.

1. secure/security: cpanel[.]secure[.]apps[.]home-dashboard-ridireecttoamazonverif[.]kozow[.]com, cpcalendars[.]www-appmazon-login-authorized-secure[.]kozow[.]com, and www-secure-apple[.]supports-accounts0129[.]kozow[.]com. Those likely intended to communicate a false sense of security.
2. account: cpcontacts[.]amazonde-accountalert[.]kozow[.]com, cpcontacts[.]updatemyaccount-paypal[.]kozow[.]com, and amazon-accountverification[.]kozow[.]com. Those subdomains possibly were used to steal user credentials using spoofed branded websites.
3. update: cpcontacts[.]updatemyaccount-paypal[.]kozow[.]com, update-account-information-details[.]kozow[.]com, and amaz0n[.]updateacc0unt[.]kozow[.]com. Besides riding on brand popularity, those subdomains may have been used to prompt users to proceed with fake system or account updates.

The other abused strings include verify/verification (399 subdomains), support (257), info/information (188), recover/recovery (179), online (154), login/logon (93), payment (90), signin (74), and help (61). These strings were used in tandem with the brands listed above, most likely to provide a semblance of legitimacy to the subdomains.

Many potential threats might be hiding behind domains like kozow[.]com in the form of subdomains, notably to evade detection and subsequent blocking. But close monitoring of subdomain data feeds can help alleviate the problem as this post showed.

If you are interested in the complete list of kozow[.]com subdomains used in this post or would like to collaborate on similar research, feel free to contact us.