We’re supposed to spoil our mothers on Mothers’ Day, but with various scams out there, you may end up losing money or with a malware-infected device. WhoisXML API researchers found more than a thousand digital properties that could be used in Mothers’ Day scams. Among our findings are:

• 660+ domain names containing combinations of Mothers’ Day-related text strings, such as “mother,” “mom,” “shop,” “flower,” “gift,” “sale,” and “card” added from 1 April to 3 May 2022
• 580+ subdomains containing the same text strings added within the same period
• Various malware engines flagged some of the web properties as malicious
• Some domains hosted suspicious content

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Analysis of Mothers’ Day-Related Cyber Resources

TLD Distribution

Almost half of the domains in the study fell under the .com top-level domain (TLD). Next to .com, other TLDs that stood out were e-commerce-related ones, such as .shop, .online, and .store. Country-code TLDs (ccTLDs) were also used repeatedly, including .au, .co, .de, and .uk. The rest of the domains were distributed across 60+ TLDs.

The chart below shows the TLD distribution of the Mother’s Day-related domains added since 1 April 2022.

Screenshot Analysis

Using WhoisXML API’s Screenshot API, we were able to find out more about the cyber resources. Several domains were, for instance, parked, while others hosted Mothers’ Day-related content, mostly selling items targeting mothers. Some examples include:

Some of these websites certainly belong to legitimate small businesses that aim to make the most out of the event. However, some digital properties also hosted questionable content, including those that seem to impersonate Amazon and Walmart. Below are some examples.

Other concerning content looks like the login pages of email and social media platforms. This subdomain, for example, displays Google’s login page.

On the other hand, these gift card domains hosted Messenger login pages.

Malware Check

Despite being just a little over a month old, some of the resources have already been flagged as malicious. More alarmingly, a few haven’t been taken down. For instance, these domains seem to still resolve to deceptive sites.

People with weaker browser security may still fall victim to these websites.

Mothers’ Day Scams the Web Properties May Enable

More of the 1,200 domains and subdomains can be used maliciously in the coming days. Among the scams to look out for are described below.

Fake Gift Shops

Phony online shops supposedly selling gifts and flowers for mothers may lure people in the weeks or days leading up to the event. Threat actors set up these digital stores and make them appear legitimate to steal the victims’ financial information.

Fabricated Contests and Giveaways

A phishing campaign targeting WhatsApp entices users with rewards, discounts, vouchers, and giveaways so they’d click malicious links. These links lead to fake Amazon pages that are set up to look legitimate, similar to those we found in our screenshot analysis above. Similar campaigns can be seen targeting email and social media platform users.

Aside from Amazon look-alike pages, our screenshot analysis also revealed several domains that hosted content congratulating visitors for winning gift cards or vouchers. If you didn’t join any contest, this could be a sign of malicious activity.

Malicious Electronic Cards

Threat actors may send electronic cards to mothers, posing as the victim’s children. They may obtain the children’s information from the mother’s Facebook account, especially when email addresses and relationships are visible to the public. Using these details, threat actors can create email accounts using the children’s names. Clicking the card would initiate malware installation on the victim’s computer.

There are several ways to protect users from the malicious activities detailed above. This includes educating them about possible scams that target children who want to spoil their mothers with gifts.

On a higher level, monitoring domains in real-time and automating suspicious domain investigations through API calls can help nip these malicious campaigns in the bud.

If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.