Home / Industry

A Look into New Cybersquatting and Phishing Domains Targeting Facebook, Instagram, and WhatsApp

When Facebook changed its parent company name to Meta in October 2021, we detected more than 5,500 newly registered domains (NRDs) a week after the announcement. In more recent news, a judge dismissed the company’s cybersquatting and trademark infringement case against Namecheap. Around 61 domains were transferred to Meta’s ownership. What does cybersquatting activity look like since then?

WhoisXML API researchers checked the Domain Name System (DNS) for domain registrations related to Facebook, Instagram, and WhatsApp, the subjects of the dismissed case. Among our findings include:

  • 1,100+ typosquatting domains targeting the three Meta applications were added since the case was dismissed on 25 April 2022
  • 760+ domains currently resolve to 530+ unique IP addresses
  • Close to 10% of these domains are already flagged as malicious as of 25 May 2022
  • Some domains host suspicious login pages that could be fronts for credential theft
  • 2,400+ domains bearing similar string combinations as some of the malicious domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Who Is Behind the NRDs?

Several domains had redacted WHOIS details, although we found some Gmail, Yahoo!, and Hotmail email addresses. As such, pinpointing the actors behind the domains can be challenging. Out of more than 1,000 typosquatting domains we ran on Bulk WHOIS Lookup, we found that 12 shared the same registrant email address as the legitimate Meta domains.

The top registrar used by the cybersquatting domains was GoDaddy, while only two were registered through Namecheap.

Where Are the Domains Resolving?

Using Bulk IP Geolocation Lookup, we found 1,043 resolutions, with 764 domains currently resolving to 537 IP addresses. Half of them were geolocated in the U.S., while the rest were spread across 36 other countries.

The situation is the same with the domains’ registrant countries. Only half of the domains were registered in the U.S., while the other half were registered in more than 40 countries.

What Type of Content Do the Domains Host?

According to the Screenshot Lookup results, several domains were parked, while some sold likes and followers. However, the domain names hosting login pages could be even more problematic as they could be used to steal user credentials. Below are a few examples.

Some domains hosted login pages that looked exactly like those belonging to the legitimate platforms.

Malicious Domains Found

Aside from the suspicious web pages found through the screenshot analysis, some domains have already been flagged as malicious by various malware engines. Most of these domains fell under new generic top-level domains (ngTLDs) led by .tk, .ml, .cf, and .ga.

Furthermore, several malicious properties contained text strings that could easily lure users to malicious pages, including “help,” “support,” “verify,” “secure,” and “business.” Quite a few also used the word “copyright” alongside “instagram.” Focusing on this string combination present in some malicious domains, we found an additional 2,409 domains added over time that could be suspicious.

Cybersquatting domains continue to expand the DNS threat landscape at a rapid pace. About 100 of those targeting Meta’s platforms have already been used to launch cyber attacks, barely a month after they were registered. Early detection of these domains can help reduce risks associated with phishing, impersonation, and other cyber attacks dependent on cybersquatting domains.

Furthermore, expanding threat analysis to include domains bearing the same text strings can help predict and block suspicious domains before they get weaponized.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byVerisign


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global