Home / Industry

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation have been significant issues for some time now, even urging the U.S. government to push back against proliferators who, some opine, do the malicious deed for political or financial gain. Amid this scenario, many have begun doubting what’s real and what’s not on the Web not just in the U.S. but worldwide.

Where Concern Is Highest About Fake News On The Internet. Source: Statista

In an effort to help U.S. law enforcement agencies out, WhoisXML API threat researcher Dancho Danchev compiled an exhaustive list of known and yet-unknown fake news and disinformation domains and other web properties.

We used several WHOIS, domain, DNS, and other threat intelligence tools in our deep dive, which uncovered:

  • Close to 50 personal email addresses that were used to register known fake news and disinformation page domains
  • Nearly 35,000 domains that could potentially be tied to ongoing fake news and disinformation campaigns given that they share registrant email addresses or IP addresses with the domain indicators of compromise (IoCs), hundreds of which were dubbed “malware hosts”
  • More than 2,000 unique IP addresses to which the domain IoCs resolved, almost 20 of which were found malicious

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download Danchev’s research and related threat research materials here.

What the Public Already Knows

We began our in-depth analysis of ongoing fake news and disinformation campaigns by collating 1,329 domains that were publicized as IoCs. Examples include:

  • 100percentfedup[.]com
  • 21stcenturywire[.]com
  • 365usanews[.]com
  • abcbusinessnews[.]com
  • backroombuzz[.]com
  • campusreform[.]org
  • dailybuzzlive[.]com
  • eaglerising[.]com
  • factcheck[.]org
  • gangstergovernment[.]com

Deep Dive Results

A bulk WHOIS lookup for the domain IoCs provided us with 47 personal email addresses that were used to register them. A closer look at their WHOIS records revealed they were distributed across 105 registrars, topped by GoDaddy, LLC, NameCheap, Inc., and Network Solutions, LLC.

Using the email addresses as reverse WHOIS search terms, we obtained 30,564 possibly connected domains, including:

  • awdnews[.]com
  • banglanews24[.]us
  • channel11news[.]us
  • dailybiznews[.]us
  • econewsnet[.]com
  • fakenewsmaker[.]com
  • glossynews[.]com
  • hackernewsletter[.]us
  • idexnews[.]com
  • javnews[.]com

DNS lookups for the domain IoCs, meanwhile, led to the discovery of 2,247 IP address resolutions, 18 of which were dubbed “dangerous” by various malware engines, namely:

  • 103[.]224[.]182[.]242
  • 103[.]224[.]182[.]243
  • 103[.]224[.]182[.]250
  • 103[.]224[.]212[.]220
  • 104[.]155[.]186[.]234
  • 104[.]21[.]235[.]15
  • 104[.]21[.]77[.]189
  • 104[.]219[.]248[.]3
  • 162[.]210[.]196[.]171
  • 172[.]98[.]192[.]35
  • 173[.]231[.]192[.]43
  • 198[.]185[.]159[.]144
  • 217[.]70[.]180[.]153
  • 23[.]82[.]12[.]32
  • 94[.]229[.]72[.]123

We then subjected the IP addresses to reverse IP lookups, which uncovered an additional 4,637 potentially connected domains. Examples include:

  • 0[.]newszone[.]pro
  • 108[.]countercurrentnews[.]com
  • 20minutenews[.]com
  • 313[.]countercurrentnews[.]com
  • aberdeenlive[.]news
  • beforeitsnews[.]com
  • conservativenewsonline[.]com
  • empirenews[.]net
  • healthimpactnews[.]com
  • kingworldnews[.]com

Of the possibly connected domains subjected to malware checks via the Threat Intelligence Platform (TIP), 191 were dubbed “malware hosts,” including:

  • 033obstances39[.]ml
  • 10d6ni[.]cn
  • 2vvvvvv-metamas[.]top
  • 30308-info[.]com
  • a-rglobal[.]com
  • bayelsabusinessonline[.]com
  • caiyekj[.]cn
  • dating4sex[.]us
  • ekkdojo[.]com
  • famdolls[.]com

Our in-depth analysis of the known fake news and disinformation campaign domains led to the discovery of more than 35,000 web properties that could be tied to the threat. Steering clear most especially of the malicious domains and IP addresses is recommended.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com