Threat actors don’t rest. Their malicious campaigns operate 24/7, especially when special occasions are approaching. Last May, we discovered over a thousand web properties related to Mother’s Day, many of which either hosted questionable content or have been flagged as malicious.

In this report, we looked at domain registrations that could be related to Father’s Day and analyzed them using DNS intelligence. Among our findings are:

• 1,700+ domains and subdomains containing potential Father’s Day-related text strings, such as “father” and “dad,” alongside “gift,” “game,” “shop,” “store,” “card,” and “gift”
• About 85% of the cyber resources actively resolved to 1,600+ IP addresses
• Questionable content was hosted on several properties, including login and look-alike pages, giveaways, and news sites
• Over a dozen properties have been reported as malicious by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Analysis of Father’s Day-Related Cyber Resources

TLD Distribution

About 21% of the domains we uncovered fell under the .com generic top-level domain (gTLD), followed by two e-commerce-related new gTLDs (ngTLDs), .store and .shop, with 15% and 7% shares, respectively. Other mostly used gTLDs include .info, .xyz, .net, and .cards.

There were also country-code TLDs (ccTLDs) in the top 10, including .br, .uk, and .tk. The rest of the domains were distributed across 76 other TLDs. The chart below shows the breakdown.

While large TLDs, such as .com, .info, .uk, and .net are expected to be seen since most of the legitimate websites use them, we can’t say the same for other TLDs. We would specifically be wary of free TLDs, such as .tk and those named by Spamhaus as the most abused TLDs.

Screenshot Analysis

While hundreds of the cyber resources in the study were parked, others hosted live content. Some could be legitimate, such as the online shops of small businesses. However, some are suspicious and we will provide examples via website screenshots taken with Screenshot API in the succeeding sections.

Giveaway Lures

Many Father’s Day-related properties hosted content offering huge discounts and giving away gift cards or cryptocurrencies. These web pages could be used in financial scams that lure victims by promising prizes and giveaways. Below are some examples.

Counterfeiting and Cybersquatting Domains

Similarly, some domains imitated the pages of famous brands like Amazon and Calvin Klein, as shown by the website screenshots below. These and other similar imitation websites may be used in selling counterfeit products or phishing campaigns.

Potential Credential Theft Fronts

Another suspicious type of content comprises login pages that ask visitors for their usernames and passwords. People looking for Fathers’ Day gifts may be redirected to these pages and enticed to enter their sensitive information.

Malicious Fathers’ Day Domains and Subdomains

As of 10 June 2022, only 14 properties have been flagged as malicious, many of which still hosted live content. While our browser security prevented us from visiting some of them, we obtained some screenshots. Three malicious domains hosted precisely the same page, as shown below.

Special occasions like Father’s Day may increase malicious activities, as threat actors take advantage of people’s interest in gifts. If you notice, most of the screenshots provided above showed pages offering gift cards. These could be used for other holidays and special events as vehicles for fraud and malware-enabled attacks.

If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.