
Could Bulk-Registered Typosquatting Domains Be Connected to .ORG DNS Abuse?


Public Interest Registry (PIR) announced the creation of the DNS Abuse Institute about two months ago as it believes that “every .ORG makes the world a better place” and “anything that gets in the way of that is a threat,” notably in the form of Domain Name System (DNS) abuse.

To show support for the initiative, WhoisXML API analyzed monthly typosquatting data feeds for December 2020, January 2021, and February 2021 to identify .ORG domain trends that could help the DNS community and PIR check if recently bulk-registered .ORG domains can be considered trustworthy.

The Data

We downloaded the enriched typosquatting data feeds, which include WHOIS details, for each month and selected bulk registrations in which at least one .ORG domain belongs to a group that also contains the same or a look-alike label under other top-level domains (TLDs). Here are two examples of bulk-registered domain groups found in the feeds:

  • talkradio101[.]live
  • talkradio101[.]biz
  • talkradio101[.]world
  • talkradio101[.]org

Or:

  • amazusn-mail[.]info
  • amazcun-mail[.]com
  • amazusn-mail[.]com
  • amazcun-mail[.]info
  • amazuun-mail[.]com
  • amazuun-mail[.]shop
  • amazusn-mail[.]org
  • amazcun-mail[.]org
  • amazuun-mail[.]info
  • amazuun-mail[.]org

Under this selection criterion, a total of 184,248 bulk-registered domains (same or similar-looking labels under different TLDs, registered at the same time) made their way into the DNS between 1 December 2020 and 28 February 2021, or about 61,400 potential typosquatting domains per month on average.

Chart 1: Number of potential typosquatting domains detected from 1 December 2020 to 28 February 2021 in our samples
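The selection criterion above (same-day registrations whose labels are identical or differ by a character or two, spanning more than one TLD and including at least one .ORG) can be reproduced over a feed of (domain, creation date) records. The following is an added example in Python, not WhoisXML API's own pipeline code; the feed records are constructed, the two real groups are the ones quoted above, the other domains are hypothetical controls, and the TLD split assumes single-label TLDs (a production version would consult the Public Suffix List). Labels are clustered per registration day with union-find over a Levenshtein distance threshold, which is what links amazusn-mail and amazcun-mail (two edits apart) through amazuun-mail (one edit from each).

```python
from collections import Counter, defaultdict

# Constructed sample feed (domain, WHOIS creation date), not real feed data.
# The two bulk groups mirror the ones quoted in the post; the rest are
# hypothetical controls that the selection criterion should reject.
SAMPLE_FEED = [
    ("talkradio101.live", "2021-01-12"),
    ("talkradio101.biz", "2021-01-12"),
    ("talkradio101.world", "2021-01-12"),
    ("talkradio101.org", "2021-01-12"),
    ("amazusn-mail.info", "2020-12-03"),
    ("amazcun-mail.com", "2020-12-03"),
    ("amazusn-mail.com", "2020-12-03"),
    ("amazcun-mail.info", "2020-12-03"),
    ("amazuun-mail.com", "2020-12-03"),
    ("amazuun-mail.shop", "2020-12-03"),
    ("amazusn-mail.org", "2020-12-03"),
    ("amazcun-mail.org", "2020-12-03"),
    ("amazuun-mail.info", "2020-12-03"),
    ("amazuun-mail.org", "2020-12-03"),
    ("localbakery.org", "2020-12-03"),   # hypothetical: lone .ORG, no look-alikes
    ("widgetco.com", "2021-02-20"),      # hypothetical: bulk pair without a .ORG
    ("widgetco.net", "2021-02-20"),
    ("talkradio101.net", "2021-02-25"),  # same label, different day: not the same batch
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'label.tld'. Assumption: single-label TLDs only; a real pipeline
    would use the Public Suffix List so that e.g. 'foo.co.uk' splits correctly."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def find_bulk_groups(feed, max_distance=1, required_tld="org"):
    """Return [(creation_date, [domains])] for every batch of same-day
    registrations whose labels are identical or chained together by edits
    of at most max_distance, that spans at least two TLDs and includes
    required_tld. Labels are compared pairwise per day with union-find."""
    by_day = defaultdict(list)
    for domain, created in feed:
        by_day[created].append(domain)

    groups = []
    for created in sorted(by_day):
        domains = by_day[created]
        labels = [split_domain(d)[0] for d in domains]
        parent = list(range(len(domains)))

        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]
                i = parent[i]
            return i

        # Pairwise comparison is O(n^2) per day; fine for a daily slice,
        # bucket by label prefix first if a day holds tens of thousands.
        for i in range(len(domains)):
            for j in range(i + 1, len(domains)):
                if levenshtein(labels[i], labels[j]) <= max_distance:
                    parent[find(i)] = find(j)

        clusters = defaultdict(list)
        for i, d in enumerate(domains):
            clusters[find(i)].append(d)
        for members in clusters.values():
            tlds = {split_domain(d)[1] for d in members}
            if len(tlds) >= 2 and required_tld in tlds:
                groups.append((created, sorted(members)))
    return groups


def tld_counts(groups) -> Counter:
    """Per-TLD tally over all selected domains (the split shown in Chart 2)."""
    return Counter(split_domain(d)[1] for _, members in groups for d in members)


if __name__ == "__main__":
    selected = find_bulk_groups(SAMPLE_FEED)
    for created, members in selected:
        print(created, members)
    counts = tld_counts(selected)
    print(f".org share: {counts['org']}/{sum(counts.values())}")
```

On the constructed feed the function keeps exactly the two groups quoted above and rejects the lone .ORG, the pair with no .ORG, and the same label registered on a different day; raising `max_distance` widens the net but also starts merging unrelated short labels, so it is worth checking the clusters it produces before trusting the counts.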

Our Findings

Of the 184,248 potential typosquatting domains, 29% (53,193 domains) use the .ORG TLD, so an average of 17,731 .ORG domains in our sample made it into the DNS each month. The volume of .ORG domains relative to the other TLDs is not surprising, given that .ORG remained the third most widely used TLD in 2020.

Chart 2: Comparison of number of potential typosquatting domains that use .ORG and other TLDs

Going by the registrant country in the WHOIS records, the vast majority of the .ORG domains appeared to be registered in the U.S. (26,472), followed by Canada (5,798) and Panama (3,140). Ranks 4 through 15 were France (2,471), Germany (2,428), the U.K. (2,215), Turkey (1,119), India (947), China (863), Spain (759), Italy (747), the Netherlands (425), Switzerland (420), Japan (379), and Sweden (357). Together, the top 15 registrant countries accounted for 48,540, or 91%, of the potentially typosquatting .ORG domains. The remaining 4,529 .ORG domains were spread across 127 other countries.

Chart 3: Top 15 .ORG domain registrant countries

What's more, 21,145 of the 53,193 .ORG domains (40%) had WHOIS records that were redacted, privacy-protected, or otherwise lacked an identifiable owner. Among the registrant identifiers that were present but too vague to attribute were "marketing," "self," and "owner."

Chart 4: Comparison of attributable versus non-attributable .ORG domains

Redacting personally identifiable information (PII) from a domain's WHOIS record is not in itself a sign of malicious intent, but anonymity is also a standard part of the cybercriminal modus operandi, and in our experience large organizations tend to keep their WHOIS records public.

An example of a malicious .ORG domain whose WHOIS record is privacy-protected is rakvtnuum[.]org. It was bulk-registered together with 12 look-alike domains on 1 December 2020.

Chart 5: Malware database check for rakvtnuum[.]org

Another variant from the same batch, rakvtguum[.]org, is also tagged "malicious" on VirusTotal, and like the former its WHOIS record is privacy-protected.

Given the data points above, monitoring bulk-registered .ORG domains whose WHOIS records are redacted, privacy-protected, or incomplete, with typosquatting data feeds as the source, could be one way to detect and respond to DNS abuse before the domains are put to use.
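The attribution check behind Chart 4 and the watch list proposed in the closing paragraph can be expressed as a small classifier over WHOIS registrant fields, followed by a filter on TLD and bulk-group membership. The following is an added example in Python, not WhoisXML API's own tooling; the WHOIS records are constructed, every domain in them is hypothetical, the `siblings` field stands for the number of look-alikes found in the same registration batch, and the redaction and proxy phrase lists plus the placeholder identifiers beyond the three the post quotes ("marketing", "self", "owner") are assumptions about what registrars and registrants typically put in those fields.

```python
import re
from collections import Counter

# Constructed WHOIS-style records, not real registry data; all domains are
# hypothetical. 'siblings' is the number of look-alike domains registered in
# the same batch, as produced by a bulk-registration grouping step.
SAMPLE_WHOIS = [
    {"domain": "goodcause.org", "registrant_name": "Jane Doe",
     "registrant_org": "Good Cause Foundation", "country": "US", "siblings": 0},
    {"domain": "mailsvc-verify.org", "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_org": "", "country": "", "siblings": 9},
    {"domain": "radio-fm101.org", "registrant_name": "On behalf of radio-fm101.org OWNER",
     "registrant_org": "Whois Privacy Service", "country": "", "siblings": 3},
    {"domain": "examplebank-secure.org", "registrant_name": "owner",
     "registrant_org": "", "country": "PA", "siblings": 2},
    {"domain": "exampleshop-login.org", "registrant_name": "",
     "registrant_org": "", "country": "", "siblings": 1},
    {"domain": "bigbrand-support.org", "registrant_name": "Big Brand Legal Dept",
     "registrant_org": "Big Brand Ltd", "country": "GB", "siblings": 4},
    {"domain": "localclub.org", "registrant_name": "marketing",
     "registrant_org": "marketing", "country": "US", "siblings": 0},
]

# Phrases registrars substitute for the registrant under GDPR-style redaction
# (assumed list; extend it from the registrars seen in your own feed).
REDACTION_RE = re.compile(r"redact|withheld|not disclosed|data protected|gdpr", re.I)
# Phrases indicating that a privacy/proxy service stands in for the registrant.
PROXY_RE = re.compile(r"privacy|proxy|on behalf of", re.I)
# Identifiers the post found in place of a real registrant ('marketing',
# 'self', 'owner'); the remaining entries are assumed comparable placeholders.
VAGUE_IDENTIFIERS = {"marketing", "self", "owner", "admin", "domain admin",
                     "n/a", "na", "none", "-"}


def classify_whois(rec: dict) -> str:
    """Label a record 'attributable', 'redacted', 'privacy-protected', 'vague'
    or 'missing' from its registrant name and organization fields."""
    raw = (rec.get("registrant_name") or "", rec.get("registrant_org") or "")
    fields = [f.strip() for f in raw if f.strip()]
    if not fields:
        return "missing"
    text = " ".join(fields)
    if REDACTION_RE.search(text):
        return "redacted"
    if PROXY_RE.search(text):
        return "privacy-protected"
    if all(f.lower() in VAGUE_IDENTIFIERS for f in fields):
        return "vague"
    return "attributable"


def attribution_summary(records) -> Counter:
    """Counts per class, i.e. the attributable vs. non-attributable split."""
    return Counter(classify_whois(r) for r in records)


def triage_candidates(records, tld="org", min_siblings=1):
    """The watch list the post proposes: domains on `tld` that were bulk-
    registered (at least min_siblings look-alikes in the batch) and whose
    WHOIS cannot be attributed to an owner. Attributable bulk batches, such
    as a brand's own defensive registrations, are deliberately left out."""
    out = []
    for rec in records:
        if not rec["domain"].lower().endswith("." + tld):
            continue
        if rec["siblings"] < min_siblings:
            continue
        cls = classify_whois(rec)
        if cls != "attributable":
            out.append((rec["domain"], cls, rec["siblings"]))
    return sorted(out)


if __name__ == "__main__":
    print(dict(attribution_summary(SAMPLE_WHOIS)))
    for domain, cls, siblings in triage_candidates(SAMPLE_WHOIS):
        print(f"{domain:28} {cls:18} siblings={siblings}")
```

Two design points worth keeping when adapting this: the "vague" class is only assigned when every populated field is a placeholder, so a real organization name next to a registrant called "admin" still counts as attributable, and the `min_siblings` threshold is what turns a plain privacy check into the bulk-registration signal the post is after; a lone redacted .ORG such as `localclub.org` above is not flagged on its own.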

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com
