Home / Industry

What’s the Domain Attack Surface of the Top 10 Most Impersonated Brands in Q2 2021?

Domain attack surface discovery is an incessant quest for domain and subdomain names that could be used as attack vectors. The larger its attack surface, the more vulnerable an organization tends to be. On the other hand, the more attack vectors discovered, the higher the chances of mitigating cyber attacks.

This post aims to see how the domain attack surface of the 10 most spoofed brands looks like in recent weeks, particularly between 1 July and 3 August 2021. In particular, we addressed these questions:

  • How significant was the addition to the domain attack surface in the past four weeks?
  • What percentage of the domains can be publicly attributed to the brands they contain?
  • What top-level domains (TLDs) are mainly used?
  • Are any of them already considered malicious?

Top 10 Most Imitated Brands

The brands in this study are based on Check Point’s Brand Phishing Report for the second quarter of 2021. The report lists companies that own the most imitated brands by hackers in their phishing campaigns. Microsoft topped the list, accounting for 45% of the total number of brand-related phishing attacks recorded.

Some of these companies were also present when we studied the domain attack surface of the 10 most spoofed brands in 2020.

Domain Attack Surface Size

The 10 brands accumulated over 42,000 domains and subdomains as per our data sample, added from 1 July to 3 August 2021. This number consists of roughly at least 12,000 domains and 30,000 subdomains, added within a span of only four weeks.

These cyber resources with exact matches of the brand names were found using Domains and Subdomains Discovery, which is part of the Domain Research Suite (DRS).

While Microsoft was the most spoofed brand in phishing campaigns, Amazon had the largest domain attack surface with close to 12,000 domains and subdomains. It was followed by Chase Bank, Apple, Google, and PayPal.

Some examples of the cyber resources found for each brand are provided below.

BrandExamples of DomainsExamples of Subdomains
Amazon• jp-amazon-amazon[.]top
• amazon-amazon[.]monster
• xn—mzon-4naz[.]vg
• amazon.zr4w9c[.]cn
• amazon.alloqejqufcjvs[.]club
• amazon.plotpad[.]com
Chase Bank• chase03[.]cf
• chasebk[.]us
• chasee[.]icu
• chase[.]scuritybetumbokchase[.]com
• chase[.]secure3913[.]link
• chase[.]cxoeventsme[.]com
Apple• aappleid[.]apple
• appledapple[.]ph
• applechapple[.]be
• aappleid[.]apple[.]com-usersupdate[.]live
• apple[.]appleid[.]com-ar[.]xyz
• appleid[.]apple[.]sign-in-apps-stored[.]com
Google• googlegoogle[.]gq
• googlegoogle[.]com[.]cn
• xn—googl-fsa641b[.]ws
• accont[.]google[.]brsuporte[.]co
• google[.]gerson[.]barreiros[.]nom[.]br
• safety[.]google[.]admin-mcas-gov[.]ms
PayPal• xn—ppl-loa30mca[.]ws
• ppaypal[.]me
• 4paypal[.]ml
• paypal-paypal[.]holhost[.]com
• paypalpaypal1[.]repl[.]co
• paypal[.]customer-servce[.]com
DHL• dhlsupplychain[.]dhl
• dhlsg[.]me
• dhlweb[.]xyz
• dhl[.]pay-systemeng[.]site
• dhl[.]paying-delivery[.]site
• dhl[.]pay-onlineservice[.]com
Microsoft• xn—microft-e1a22g[.]vg
• microsofts[.]in
• microsoft-e5[.]vg
• microsoft[.]microsoft[.]ooficesuit[.]xyz
• microsoft[.]thekeysupport[.]com
• microsoft[.]signon-o365[.]cloud
LinkedIn• linkedinforlinkedin[.]tk
• xn—lnkdin-i6b4230d[.]ph
• hulinkedin[.]ws
• linkedin[.]voicemailsend[.]live
• linkedin[.]revisaodeperfil[.]com[.]br
• linkedin[.]dfsoltec[.]com
Bestbuy• xn—btbuy-uza96w[.]ws
• bestbuyu[.]ws
• ibestbuy[.]it
• cdn[.]bestbuy[.]surfavenuemallbestbuy[.]com
• bestbuycoupon[.]ostheotasori[.]tk
• welcome[.]bestbuy[.]accoountonline[.]com
Dropbox• xn—opbox-4ya6853c[.]com
• wdropbox[.]ws
• httdropbox[.]vg
• dropbox[.]car[.]blog
• dropbox-api[.]dropbox[.]com[.]fac3b00k[.]ga
• dropbox[.]siliconvalleysignings[.]com

Are These Cyber Resources Publicly Attributable to the Brands They Contain?

Some of the domains and subdomains found in this study are likely owned and controlled by the brands’ owners. While this category of domains still belongs to their domain attack surface, it could be easier for the brands to address threats that weaponize their domains and subdomains.

So, how many of the domains found can be publicly attributed to the brands? We retrieved the registrant email addresses of the brands’ official domains from WHOIS Search and WHOIS History Search to answer this.

These were then compared to the WHOIS records of the domains obtained from Bulk WHOIS Lookup. Note that Bulk WHOIS Lookup returned the WHOIS records of 60% of the total number of domains. Some of the domains may have already been dropped by their owners.

Of the domains with WHOIS records, only 24 or 0.09% use the same registrant email addresses as the brands’ official domains. Hence, 99.91% cannot be publicly attributed to the brands and could have been registered and are being managed by other entities.

TLD Distribution: .com Leads

Another interesting aspect when analyzing domain attack surfaces is the TLD distribution. In other words: Are the domains registered under specific domain registries? What is the role of country-code TLDs (ccTLDs) in the domain attack surface?

As for the 10 most imitated brands in this study, a majority (35%) fall under the .com space. The rest are distributed across 209 other TLDs. The top 10 TLDs are shown in the graph below.

As you can see, six of the top 10 TLDs are ccTLDs—.vg, .ws, .ph, .co, .ga, and .ml. About 5% of the domains are under .politie, a TLD reserved for the Netherlands Police. These domains could have been reported for cybercrime or used by law enforcement. Some examples of such domains are:

  • amazonz[.]politie
  • bestbuy-news[.]politie
  • weblinkedin[.]politie
  • google-shoppinglist[.]politie
  • paypalverification98[.]politie
  • microsoftacikpazar[.]politie
  • anythingbutdropbox[.]politie
  • delivery-apple[.]politie
  • 45paypal[.]politie

Malicious Domains

We took about 30% of the domains as samples and ran them on Threat Intelligence Platform (TIP) to see if they have been reported as malicious or not. Alarmingly, 68% turned out to be listed on blocklist sites, such as VirusTotal and Google Safe Browsing.

These domains have already been found malicious, although they are only about a month old (at the time of writing). The domain 0365microsoftonline[.]com, for example, only appeared in the Domain Name System (DNS) on 29 July 2021.

For the top 10 most spoofed brands under study, more than 42,000 domains and subdomains were added in a span of only four weeks, and almost all of them could not be publicly attributed to the brands they contain. It is also worth noting that circa 30% of our reduced sample turned out to be malicious.

If you are a cybersecurity researcher or professional who wants to enhance your domain attack surface discovery process, contact us. We can talk more about obtaining data from well-parsed and ready-to-consume domain, IP, and DNS intelligence sources.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global