
Registration Patterns of Deceptive Domains

A key requirement for a bad actor wanting to launch a brand attack is the registration of a carefully chosen domain name. The most convincing infringements frequently use a domain name that’s deceptively similar to that of the official site of the target brand. This allows a variety of attacks to be executed, including phishing attacks—where the domain is used to host a lookalike site or produce a deceptive sender address for emails—and other kinds of brand infringement where users are misdirected to fake sites via mistyped URLs or search engine manipulation.

One well established threat vector used in creating fraudulent websites is the use of strings like “www” or “http” within the domain name itself—e.g., registering domains such as www-google.com or httpgoogle.com to impersonate the legitimate site (i.e., www.google.com or http://google.com).

CSC carried out a study in August 2022 using its 3D Domain Monitoring technology to consider patterns of activity in domain registrations for names beginning with “www” or “http” over the preceding one-year period. The analysis includes identification of newly registered domains (N), re-registered domains (R) or dropped (i.e., lapsed) domains (D). Each instance of these activities for a particular domain is referred to as an “event.”

Findings

Between August 2021 and August 2022, more than 230,000 events were identified for “www” domains, and more than 12,000 for “http” domains. Figure 1 shows the continuous activity across the one-year period, with numerous peaks and troughs.

Figure 1: Daily numbers of new registrations (N), re-registrations (R) and dropped (D) domains, for domain names beginning with “http” (left axis; blues / dark grey) and “www” (right axis; red / yellow / light grey).

Among the full dataset, a number of specific keyword strings were found to appear as the second-level domain names (the part of the domain name to the left of the dot) multiple times. They represent either repeated lapses and re-registrations of particular domain names, or the registration of distinct domains with the same second-level domain name but different top-level domain (TLD) extensions—so-called “cousin” domains. Of these keyword strings, several referenced well known brand names, or variations or typos of those names, indicating an intention to target the brand in question, as shown in Tables 1 and 2.

Table 1: Most frequently occurring brand-specific keyword second-level domain names in the dataset of “www” domains.

| Keyword string | No. registration or drop events |
|---|---|
| www-roblox | 21 |
| www-lcloud | 16 |
| www-apple | 15 |
| wwwgoogle | 13 |
| www-avito | 12 |
| www-citizens | 11 |
| www-yandex | 10 |
| www-torproject | 10 |
| www-icloud | 10 |
| www-blablacar | 10 |
| www-bitstamp | 10 |
| www1royalbank | 10 |

Table 2: Most frequently occurring brand-specific keyword second-level domain names in the dataset of “http” domains.

| Keyword string | No. registration or drop events |
|---|---|
| https-skinbaron | 9 |
| https-www-ruraivla-com-lsum-main | 8 |
| httpsgoogle | 7 |
| https-csmoney | 7 |
| httpgoogle | 7 |
| http18comic | 7 |
| httpsstreamlabs | 6 |
| https-googlecom | 6 |
| https-httpsgoogle | 6 |
| httpsgoogledotcom | 6 |
| httpsgoogleplay | 6 |
| https—google | 6 |
| httpsgoogle-com | 6 |
| httpsgooglecom | 6 |
| httpsecuregoogle | 6 |
| httpsdealersvwcredit | 6 |
| https-anydesk | 6 |
| httpqgoogle | 6 |
| httpagoogle | 6 |
| httpcredito-app-nubank | 6 |
| http2google | 6 |

Tables 3 and 4 show the top TLDs represented within the dataset.

Table 3: Top 10 TLDs represented in the dataset of events for “www” domains.

| TLD | No. registration or drop events |
|---|---|
| .COM | 204,795 |
| .XYZ | 6,233 |
| .NET | 4,411 |
| .ORG | 3,008 |
| .TOP | 1,646 |
| .VIP | 1,423 |
| .INFO | 950 |
| .FR | 937 |
| .ONLINE | 714 |
| .UK | 676 |

Table 4: Top 10 TLDs represented in the dataset of events for “http” domains.

| TLD | No. registration or drop events |
|---|---|
| .COM | 8,284 |
| .XYZ | 1,267 |
| .NET | 429 |
| .ORG | 388 |
| .LIVE | 228 |
| .ONLINE | 180 |
| .INFO | 170 |
| .UK | 160 |
| .FR | 154 |
| .SITE | 150 |

Unsurprisingly, .COM dominates the dataset, reflecting both the continued popularity of the TLD, and its extensive use in official domain names of the brands being impersonated. However, a range of new generic TLDs (gTLDs) such as .XYZ, .TOP, .VIP, .ONLINE, .LIVE, and .SITE also feature in the lists, consistent with previous observations that these extensions are popular with fraudsters [1, 2, 3].

Infringements targeting top brands

CSC also analysed the frequency of registration and drop events for “www” and “http” domain names incorporating any of the top 10 most valuable company brands in 2022 [4], on the assumption that these are likely to be attractive targets for bad actors. The findings are shown in Table 5.

Table 5: Numbers of registration and drop events for domains containing the names of the top 10 most valuable company brands in 2022.

| Brand string | No. registration or drop events for “www” domains | No. registration or drop events for “http” domains |
|---|---|---|
| apple | 212 | 43 |
| google | 143 | 120 |
| amazon | 114 | 19 |
| microsoft | 14 | 6 |
| tencent | 0 | 0 |
| mcdonalds | 8 | 2 |
| visa | 58 | 10 |
| facebook | 38 | 31 |
| alibaba | 7 | 4 |
| vuitton | 1 | 0 |
| TOTALS | 595 | 235 |

The associated keywords also present in the domain names may give further insight into the intentions of those registering the domains. For example, in the dataset of 255 “apple” domain events, we frequently see certain keywords, their variants or misspellings, that may indicate phishing activity, including “login” (13 instances), “support” (47) and “activate” (17).
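As an added illustration (not CSC's 3D Domain Monitoring tooling, nor code from this post), the following Python reproduces the classification behind the tables above on a constructed set of domain events: it flags second-level labels that begin with “www” or “http(s)”, extracts any watch-listed brand and phishing-style keyword from the remainder, tallies events per dataset, brand and TLD, and groups cousin domains that share a second-level label across TLDs. The BRANDS and PHISH_WORDS lists and the SAMPLE_EVENTS feed are assumptions; a real monitor would consume zone-file or registration feeds and use a public-suffix list rather than the single-label TLD handling here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (domain, event) pairs; event is N (new), R (re-registered) or
# D (dropped), as in the post. Illustrative values only, not CSC's data.
SAMPLE_EVENTS = [
    ("www-apple-support.com", "N"), ("www-apple-support.xyz", "N"),
    ("wwwgoogle.com", "R"), ("www-login-apple.top", "N"),
    ("httpsgoogle-com.net", "N"), ("http2google.com", "D"),
    ("https-anydesk.online", "N"),
    ("www.example.com", "N"),  # "www" is a separate label here, so not deceptive
    ("apple.com", "N"),        # no www/http prefix in the second-level label
]
BRANDS = ["apple", "google", "amazon", "microsoft", "facebook", "anydesk"]
PHISH_WORDS = ["login", "support", "activate", "secure", "verify"]
PREFIX = re.compile(r"^(www|https?)")

def classify(domain):
    """Describe why the second-level label is deceptive, or return None if it is not.
    Assumes a single-label public suffix (example.co.uk is not handled)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    m = PREFIX.match(sld)
    if m is None or m.end() == len(sld):
        return None  # no prefix, or the label is only "www"/"http"
    rest = sld[m.end():]  # what follows the misleading prefix
    return {"sld": sld, "tld": tld,
            "family": "www" if m.group(1) == "www" else "http",  # the post's two datasets
            "brands": [b for b in BRANDS if b in rest],
            "keywords": [w for w in PHISH_WORDS if w in rest]}

def summarise(events):
    """Aggregate flagged events by family/event type, brand and TLD, and find cousin
    domains (the same second-level label registered under several TLDs)."""
    by_family_event, by_brand, by_tld = Counter(), Counter(), Counter()
    tlds_per_sld = defaultdict(set)
    for domain, event in events:
        hit = classify(domain)
        if hit is None:
            continue
        by_family_event[(hit["family"], event)] += 1
        by_tld[hit["tld"]] += 1
        by_brand.update(hit["brands"])
        tlds_per_sld[hit["sld"]].add(hit["tld"])
    cousins = {s: sorted(t) for s, t in tlds_per_sld.items() if len(t) > 1}
    return {"by_family_event": dict(by_family_event), "by_brand": dict(by_brand),
            "by_tld": dict(by_tld), "cousins": cousins}
```

Calling `summarise(SAMPLE_EVENTS)` yields the per-dataset event counts, the brand and TLD tallies, and the one cousin pair in the sample (www-apple-support under .com and .xyz).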

Significantly, of the 564 active, unique domains containing any of the top 10 brand names taken from the dataset above, 16% feature active MX records, meaning they’re configured to send or receive emails, another indicator that they may have been registered for use in phishing campaigns.

Looking at the content of the websites in the brand-specific dataset, the majority of domains were inactive by the time of analysis, although several had been flagged as dangerous or deceptive at the browser level, suggesting they may have previously hosted fraudulent sites. Others included pay-per-click links, monetizing the misdirected web traffic attracted to these sites, and potentially driving users to competitor sites. Some of the sites also display banner advertisements for gambling-related or adult sites. Figure 2 shows three examples of websites found to feature live, infringing content.

Figure 2: Live fraudulent or infringing websites hosted on “www” or “http” domains, targeting Apple® (a potential phishing site), Microsoft®, and Facebook®.

Conclusions

Over one year, CSC’s 3D Domain Monitoring technology identified nearly a quarter of a million registration or drop events of domains designed to be deliberately deceptive, by virtue of the inclusion of the strings “www” or “http” at the start. A significant proportion of these appear to target specific brands, with 830 of the events corresponding to just the 10 most valuable brands.

Several domains were found to resolve (or previously resolved) to infringing content, while 16% of the domains relating to the 10 most valuable brands were configured with active MX records. This indicates they may have been registered for their email function—an indicator of possible phishing campaigns.

These findings highlight the importance of brand owners employing an active domain monitoring and enforcement program. This enables brand owners to identify and mitigate the risks associated with infringing third-party domain registration activity.

By David Barnett, Brand Monitoring Subject-Matter Expert at CSC

David Barnett has worked in the internet brand-protection industry as an analyst and consultant since 2004. David managed the Analysis & Consultancy services in Brand Monitoring from 2006 to 2019, and currently works as the Brand Monitoring subject-matter expert in CSC’s office in Cambridge, U.K., helping to serve a range of brand-protection customers in a variety of industries.
