Phishing Group Found Abusing .top Domains

Threat researcher Dancho Danchev recently discovered a phishing operation that seemed to be abusing .top domains, and collated 89 email addresses that served as indicators of compromise (IoCs) for it. To gather more information and uncover other potentially connected web properties, the WhoisXML API research team took a DNS deep dive that led to the discovery of:

  • 4,284 domains that were registered using the email addresses identified as IoCs
  • 71 IP addresses that played host to the email-connected domains, two of which turned out to be malicious based on malware checks
  • 890 domains hosted on the same IP addresses as the email-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the IoCs

We began our analysis by looking closer into the 89 email addresses Danchev identified as IoCs and found that:

  • Only 10 of them weren’t used to register any domain recently.
  • A majority of the email addresses, 51 to be exact, were created via the qq[.]com service. 163[.]com (17), west263[.]com (4), gmail[.]com (3), and 126[.]com (2) rounded out the top 5 email services. The remaining 12 email addresses were spread across 12 different service providers—abc[.]com, domainmanager[.]top, foxmail[.]com, hxmail[.]com, lamartina[.]info, live[.]cn, seobuzz[.]it, sina[.]cn, sina[.]com, somcom[.]com, we[.]top, and yeah[.]net. The chart below shows the email address volume breakdown per service provider.
  • Each of the 79 email addresses was used to register between one and more than 10,000 domains recently. Altogether, they served as registrant email addresses for 172,654 domains.

IoC-Related DNS Findings

To begin our hunt for unreported possible connections, we first needed to limit the scope of this study.

We ran reverse WHOIS searches on the 79 email addresses identified as IoCs. We then chose to focus only on those that served as registrant email addresses to 500 or fewer domains registered recently. That left us with a sample of 35 email addresses that were used to register 4,284 potentially connected domains in total. Take a look at the number of domains registered using each email address in the chart below.

Further scrutiny of the 4,284 domains showed that a majority of them, 2,237 to be exact, sported the .top top-level domain (TLD) extension as Danchev pointed out. The .wang (282), .xyz (268), .pub (261), .bid (236), .mobi (202), .xin (129), .com (116), .cn (109), and .gift (91) TLD extensions completed the top 10. The remaining 354 domains were spread across 27 other TLD extensions. The number of domains per TLD extension is shown in the chart below.

We can thus infer from the top 10 list above that the phishers mostly favored domains under gTLD extensions, specifically .top. They did, however, also weaponize domains sporting ccTLD extensions, as evidenced by the inclusion of .cn in the top 10.

A bulk WHOIS lookup for the 4,284 email-connected domains revealed that:

  • Only 95 had currently active WHOIS records.
  • A majority of them, 46 to be exact, were registered with Beijing Xinwang Digital Information Technology. Alibaba Cloud Computing (18), Shangzhong Online Technology (13), Xiamen Yiming Technology (6), and Shanghai Meicheng Technology Information Development (3) completed the top 5 registrars. Eight domains were scattered across eight other registrars while one didn’t have publicly available registrar data. The number of domains per registrar is shown in the chart below.
  • The highest number of email-connected domains with retrievable WHOIS records, 14 to be exact, were registered in 2021. One didn’t have a publicly viewable creation date. Take a look at the domain breakdown by creation period below.
  • Only one domain—cnlegaldata[.]com—had a visible registrant country—the U.S.

Next, we subjected the 4,284 email-connected domains to DNS lookups, which revealed that:

  • Only 99 of the domains currently resolve to IP addresses.
  • They resolved to 71 unique IP addresses, two of which turned out to be malicious based on malware checks.
  • A majority of the IP addresses, 57 to be exact, were geolocated in China. The remaining 14 were spread across three other countries—the U.S. (11), Canada (2), and Singapore (1). The chart below sums up our findings.
  • China Unicom was the top Internet service provider (ISP), accounting for 47 of the IP addresses. Alibaba Cloud and Sharktech (5 each) and Cloudflare (4) rounded out the top 3 ISPs. The remaining 10 unique IP addresses were distributed among eight other ISPs—Hangzhou Alibaba Advertising and Tencent (2 each) and Zenlayer, China Telecom, Cloudie, Confluence Networks, Hong Kong Communications International, and UCloud Information Technology (HK) (1 each). The chart below shows the number of IP addresses per ISP.

Additional open-source intelligence (OSINT) research on the IP addresses found that one—208[.]91[.]197[.]46—was reported on AbuseIPDB five times as of this writing.

As a final step, we ran reverse IP lookups for the 71 IP addresses in search of IP-connected domains and found that:

  • Sixty-six of the IP addresses continued to host domains to date.
  • Fifty-seven of them were seemingly dedicated hosts.
  • Altogether, the 57 seemingly dedicated IP addresses hosted 890 domains.

While none of the IP-connected domains were dubbed malicious, at least two may be suspicious. Asicskids[.]com and tomfordeyewear[.]com, which bear popular fashion brand names, couldn’t be publicly attributed to ASICS and Tom Ford, respectively, based on WHOIS record comparisons with the legitimate companies’ official domains.

We also noticed the appearance of the string bank in five of the IP-connected domains. While only three seem to be mimicking legitimate banks—grandbank[.]cn, nanjingbank[.]com[.]cn, and ruifengbank[.]com—all five could be weaponized for phishing.
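The pivot chain described above (scope the registrant email addresses, collect their domains, resolve them to IP addresses, then run reverse IP lookups for co-hosted domains), as an added Python example that is not WhoisXML API's code. All lookup results are constructed sample data held in dictionaries; the function name `pivot`, the `bank` keyword list and the rule that IP-connected domains exclude those already found through WHOIS are assumptions.

```python
from collections import Counter

# Constructed sample data (not from the report); indicators are defanged.
REVERSE_WHOIS = {  # registrant email -> domains found by reverse WHOIS
    "a@mail.example": ["shop-login[.]top", "pay-verify[.]top", "help-desk[.]com[.]cn"],
    "b@mail.example": ["promo[.]xyz"],
    "bulk@mail.example": [f"parked{i}[.]wang" for i in range(600)],
}
DNS_A = {  # domain -> IP address for the domains that still resolve
    "shop-login.top": "192.0.2.10",
    "pay-verify.top": "192.0.2.10",
    "promo.xyz": "198.51.100.7",
}
REVERSE_IP = {  # IP address -> every domain hosted there
    "192.0.2.10": ["shop-login.top", "pay-verify.top", "citybank.example", "brandkids.example"],
    "198.51.100.7": ["promo.xyz"],
}

def refang(indicator):
    """Turn a defanged indicator such as name[.]top back into name.top."""
    return indicator.replace("[.]", ".").strip().lower()

def tld(domain):
    """Last DNS label, so help-desk.com.cn is counted under .cn."""
    return "." + domain.rsplit(".", 1)[-1]

def pivot(reverse_whois, dns_a, reverse_ip, max_domains=500, keywords=("bank",)):
    # Scope: keep only emails tied to max_domains or fewer domains.
    scoped = {e: d for e, d in reverse_whois.items() if len(d) <= max_domains}
    email_domains = {refang(d) for doms in scoped.values() for d in doms}
    # DNS lookup: unique IP addresses behind the email-connected domains.
    ips = {dns_a[d] for d in email_domains if d in dns_a}
    # Reverse IP lookup: co-hosted domains not already known from WHOIS.
    ip_domains = {refang(d) for ip in ips for d in reverse_ip.get(ip, [])} - email_domains
    return {
        "emails": sorted(scoped),
        "email_domains": email_domains,
        "ips": ips,
        "ip_domains": ip_domains,
        "tlds": Counter(tld(d) for d in email_domains),
        "keyword_hits": sorted(d for d in ip_domains if any(k in d for k in keywords)),
        "artifacts": len(email_domains) + len(ips) + len(ip_domains),
    }

if __name__ == "__main__":
    result = pivot(REVERSE_WHOIS, DNS_A, REVERSE_IP)
    print(result["tlds"].most_common(), result["keyword_hits"], result["artifacts"])
```

The `artifacts` total is the sum of email-connected domains, IP addresses and IP-connected domains, the same way the report's three headline counts combine.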

Our DNS deep dive into the phishing campaign led to the discovery of 5,245 unreported potentially connected threat artifacts, a majority of which were .top domains.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
