|
Threat actors don’t rest. Their malicious campaigns operate 24/7, especially when special occasions are approaching. Last May, we discovered over a thousand web properties related to Mother’s Day, many of which either hosted questionable content or have been flagged as malicious.
In this report, we looked at domain registrations that could be related to Father’s Day and analyzed them using DNS intelligence. Among our findings are:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
About 21% of the domains we uncovered fell under the .com generic top-level domain (gTLD), followed by two e-commerce-related new gTLDs (ngTLDs), .store and .shop, with 15% and 7% shares, respectively. Other mostly used gTLDs include .info, .xyz, .net, and .cards.
There were also country-code TLDs (ccTLDs) in the top 10, including .br, .uk, and .tk. The rest of the domains were distributed across 76 other TLDs. The chart below shows the breakdown.
While large TLDs, such as .com, .info, .uk, and .net are expected to be seen since most of the legitimate websites use them, we can’t say the same for other TLDs. We would specifically be wary of free TLDs, such as .tk and those named by Spamhaus as the most abused TLDs.
While hundreds of the cyber resources in the study were parked, others hosted live content. Some could be legitimate, such as the online shops of small businesses. However, some are suspicious and we will provide examples via website screenshots taken with Screenshot API in the succeeding sections.
Many Father’s Day-related properties hosted content offering huge discounts and giving away gift cards or cryptocurrencies. These web pages could be used in financial scams that lure victims by promising prizes and giveaways. Below are some examples.
Similarly, some domains imitated the pages of famous brands like Amazon and Calvin Klein, as shown by the website screenshots below. These and other similar imitation websites may be used in selling counterfeit products or phishing campaigns.
Another suspicious type of content comprises login pages that ask visitors for their usernames and passwords. People looking for Fathers’ Day gifts may be redirected to these pages and enticed to enter their sensitive information.
As of 10 June 2022, only 14 properties have been flagged as malicious, many of which still hosted live content. While our browser security prevented us from visiting some of them, we obtained some screenshots. Three malicious domains hosted precisely the same page, as shown below.
Special occasions like Father’s Day may increase malicious activities, as threat actors take advantage of people’s interest in gifts. If you notice, most of the screenshots provided above showed pages offering gift cards. These could be used for other holidays and special events as vehicles for fraud and malware-enabled attacks.
If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byVerisign
Sponsored byCSC
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byWhoisXML API