Public Interest Registry (PIR) announced the creation of the DNS Abuse Institute about two months ago as it believes that “every .ORG makes the world a better place” and “anything that gets in the way of that is a threat,” notably in the form of Domain Name System (DNS) abuse.
To show support for the initiative, WhoisXML API analyzed monthly typosquatting data feeds for December 2020, January 2021, and February 2021 to identify .ORG domain trends that could help the DNS community and PIR check if recently bulk-registered .ORG domains can be considered trustworthy.
We downloaded enriched typosquatting data feeds, which include WHOIS details, for each month and selected bulk domain registrations where one or more .ORG domains have been identified as part of a group also containing other top-level domains (TLDs). Here are some examples of bulk-registered domain groups found:
With this selection criterion in mind, a total of 184,248 bulk-registered domains—same or similar-looking domains with different TLD extensions registered at the same time—made their way into the DNS from 1 December 2020 to 28 February 2021. As such, roughly 60,000 potential typosquatting domains were detected per month on average.
Of the 184,248 potential typosquatting domains, 29% (53,193 domains) use the .ORG TLD. So, an average of 17,731 .ORG domains in our sample made it into the DNS each month. The volume of .ORG domains compared with those that use other TLD extensions is not surprising, given that .ORG remained the third most popular extension in 2020.
Considering the specified country of registration, a vast majority of the .ORG domains appeared to be registered in the U.S. (26,472), followed by Canada (5,798) and Panama (3,140). The countries ranked fourth to fifteenth by registrant volume are France (2,471), Germany (2,428), the U.K. (2,215), Turkey (1,119), India (947), China (863), Spain (759), Italy (747), the Netherlands (425), Switzerland (420), Japan (379), and Sweden (357). Together, the top 15 registrant countries accounted for 48,540 or 91% of the total number of potential typosquatting .ORG domains. The remaining 4,529 .ORG domains were registered across 127 countries.
What’s more, a total of 21,145 of the 53,193 .ORG domains (40%) had WHOIS records that were redacted, privacy-protected, or didn’t have identifiable owners. Some interesting but vague registrant identifiers include “marketing,” “self,” and “owner.”
While redacting one’s personally identifiable information (PII) from a domain’s WHOIS record is not indicative of malicious intent, hiding behind anonymity is also a typical cybercriminal modus operandi. Also, in our experience, large organizations are known to keep their WHOIS records public.
An example of a malicious .ORG domain whose WHOIS record is privacy-protected is rakvtnuum[.]org. This domain was bulk-registered along with 12 look-alikes on 1 December 2020.
Another variant (rakvtguum[.]org) is also tagged “malicious” on VirusTotal. Like the former, its WHOIS record is privacy-protected.
Given the data points above, monitoring bulk-registered .ORG domain registrations with redacted, privacy-protected, or incomplete WHOIS record data using typosquatting data feeds could be a way to detect and respond to DNS abuse.
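As an added illustration of the monitoring approach described above (this is example code, not WhoisXML API's or PIR's own tooling), the script below groups feed rows by second-level label and registration date, keeps groups that span more than one TLD (the bulk-registration criterion used here), and flags the .ORG members whose registrant field is redacted, privacy-protected, or one of the vague labels mentioned. The feed rows are constructed, and the four-column layout and the redaction keywords are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows shaped like an enriched typosquatting feed record:
# (domain, registration date, registrant country, registrant name/org). Assumed layout.
SAMPLE_FEED = [
    ("qwpfzvlx.org",  "2020-12-01", "US", "REDACTED FOR PRIVACY"),
    ("qwpfzvlx.com",  "2020-12-01", "US", "REDACTED FOR PRIVACY"),
    ("qwpfzvlx.net",  "2020-12-01", "US", "REDACTED FOR PRIVACY"),
    ("goodcause.org", "2020-12-01", "GB", "Good Cause Foundation"),
    ("goodcause.com", "2020-12-01", "GB", "Good Cause Foundation"),
    ("dealsnow.org",  "2021-01-15", "PA", "owner"),
    ("dealsnow.info", "2021-01-15", "PA", "owner"),
    ("singleton.org", "2021-02-03", "CA", ""),   # no look-alikes, so not bulk
]

# Vague registrant labels named in the article, plus assumed common redaction markers.
VAGUE_REGISTRANTS = {"marketing", "self", "owner"}
REDACTION_MARKERS = re.compile(r"redact|privacy|proxy|withheld|not disclosed", re.I)

def is_redacted(registrant: str) -> bool:
    """True if the registrant is missing, privacy-protected, or a vague placeholder."""
    name = registrant.strip()
    return not name or bool(REDACTION_MARKERS.search(name)) or name.lower() in VAGUE_REGISTRANTS

def split_domain(domain: str):
    """Split 'label.tld' into (label, tld); only the last label is treated as the TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def bulk_groups(records):
    """Group rows by (second-level label, registration date); keep groups spanning 2+ TLDs."""
    groups = defaultdict(list)
    for rec in records:
        label, _ = split_domain(rec[0])
        groups[(label, rec[1])].append(rec)
    return {k: v for k, v in groups.items() if len({split_domain(r[0])[1] for r in v}) > 1}

def suspicious_org_domains(records):
    """.ORG domains bulk-registered alongside other TLDs whose WHOIS registrant is
    redacted, privacy-protected, or vague: the monitoring signal the article proposes."""
    hits = []
    for group in bulk_groups(records).values():
        for domain, _, _, registrant in group:
            if split_domain(domain)[1] == "org" and is_redacted(registrant):
                hits.append(domain)
    return sorted(hits)

if __name__ == "__main__":
    print(suspicious_org_domains(SAMPLE_FEED))  # ['dealsnow.org', 'qwpfzvlx.org']
```

Flagged domains are candidates for closer review (passive DNS, certificate transparency, reputation lookups), not verdicts; a public-registrant .ORG in a bulk group, like goodcause.org above, is deliberately left unflagged.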