Home / Industry

Father’s Day: Bad Guys’ Activities

Threat actors don’t rest. Their malicious campaigns operate 24/7, especially when special occasions are approaching. Last May, we discovered over a thousand web properties related to Mother’s Day, many of which either hosted questionable content or have been flagged as malicious.

In this report, we looked at domain registrations that could be related to Father’s Day and analyzed them using DNS intelligence. Among our findings are:

  • 1,700+ domains and subdomains containing potential Father’s Day-related text strings, such as “father” and “dad,” alongside “gift,” “game,” “shop,” “store,” “card,” and “gift”
  • About 85% of the cyber resources actively resolved to 1,600+ IP addresses
  • Questionable content was hosted on several properties, including login and look-alike pages, giveaways, and news sites
  • Over a dozen properties have been reported as malicious by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Analysis of Father’s Day-Related Cyber Resources

TLD Distribution

About 21% of the domains we uncovered fell under the .com generic top-level domain (gTLD), followed by two e-commerce-related new gTLDs (ngTLDs), .store and .shop, with 15% and 7% shares, respectively. Other mostly used gTLDs include .info, .xyz, .net, and .cards.

There were also country-code TLDs (ccTLDs) in the top 10, including .br, .uk, and .tk. The rest of the domains were distributed across 76 other TLDs. The chart below shows the breakdown.

While large TLDs, such as .com, .info, .uk, and .net are expected to be seen since most of the legitimate websites use them, we can’t say the same for other TLDs. We would specifically be wary of free TLDs, such as .tk and those named by Spamhaus as the most abused TLDs.

Screenshot Analysis

While hundreds of the cyber resources in the study were parked, others hosted live content. Some could be legitimate, such as the online shops of small businesses. However, some are suspicious and we will provide examples via website screenshots taken with Screenshot API in the succeeding sections.

Giveaway Lures

Many Father’s Day-related properties hosted content offering huge discounts and giving away gift cards or cryptocurrencies. These web pages could be used in financial scams that lure victims by promising prizes and giveaways. Below are some examples.

Counterfeiting and Cybersquatting Domains

Similarly, some domains imitated the pages of famous brands like Amazon and Calvin Klein, as shown by the website screenshots below. These and other similar imitation websites may be used in selling counterfeit products or phishing campaigns.

Potential Credential Theft Fronts

Another suspicious type of content comprises login pages that ask visitors for their usernames and passwords. People looking for Fathers’ Day gifts may be redirected to these pages and enticed to enter their sensitive information.

Malicious Fathers’ Day Domains and Subdomains

As of 10 June 2022, only 14 properties have been flagged as malicious, many of which still hosted live content. While our browser security prevented us from visiting some of them, we obtained some screenshots. Three malicious domains hosted precisely the same page, as shown below.

Special occasions like Father’s Day may increase malicious activities, as threat actors take advantage of people’s interest in gifts. If you notice, most of the screenshots provided above showed pages offering gift cards. These could be used for other holidays and special events as vehicles for fraud and malware-enabled attacks.

If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com


Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign