Thanksgiving is right around the corner. With it, of course, come celebrations with family and friends and the biggest Black Friday sales. All seems well and good but that’s not always the case, isn’t it? Because cyber threat actors always take advantage of the biggest holidays and sales to lure more victims to their eagerly waiting traps—malicious domains and subdomains.

The WhoisXML API research team is always on the lookout for current and potential threat sources in a bid to make the Internet a safer place for all. That said, we recently took a DNS deep dive in search of domains and subdomains that could serve as attack vectors for Thanksgiving- and Black Friday-themed cyber attacks.

Our in-depth investigation led to the discovery of:

• 318 email-connected domains, one of which turned out to be malicious
• 786 IP addresses, 635 of which turned out to be malicious
• 1,975 IP-connected domains, two of which turned out to be malicious
• 3,521 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Look at Suspicious Black Friday and Thanksgiving Domains

For this study, we obtained our datasets for expansion analysis from our First Watch Malicious Domains Data Feed. We specifically searched for domains containing the text strings blackfriday and thanksgiving and uncovered a sample of 2,091 and 233 domains, respectively, as of 13 November 2024.

A bulk WHOIS lookup query for the 2,091 blackfriday domains showed that only 1,541 had current WHOIS records. The results for the 1,541 domains showed that:

• They were administered by 104 different registrars led by GoDaddy, which accounted for 373 domains. The registrars that completed the top 10 were Hostinger Operations with 217 domains, Namecheap with 180, NameSilo with 88, Key-Systems with 79, Tucows Domains with 53, eNom with 51, Dotserve with 50, Dynadot with 36, and Atak Domain Bilgi with and PDR with 23 each. The remaining 94 registrars accounted for 12% of the total domain volume. Finally, 7% of the domains did not have registrar data in their current WHOIS records.

  

• They were created between 2014 and 2024. A majority, 99% to be exact, were fairly new, created from 2023 onward. Five domains were created in 2015; three each in 2014, 2021, and 2022; and one each in 2016, 2018, and 2020.

  

• They were registered in 44 different countries led by the U.S., which accounted for 825 domains. The rest of the top 10 registrant countries were Iceland with 167 domains, the U.K. with 68, Brazil with 61, Panama with 51, Canada with 33, China with 29, Germany with 21, Cyprus with 20, and the U.A.E. with 19. The remaining 34 countries accounted for 11% of the total domain volume. Finally, about 5% of the domains did not have registrant country data in their current WHOIS records.

  

Meanwhile, a bulk WHOIS lookup query for the 233 thanksgiving domains revealed that only 175 had current WHOIS records. The results for the 175 domains showed that:

• They were administered by 44 different registrars led by GoDaddy, which accounted for 55 domains. The nine other registrars on the top 5 were Namecheap with 25 domains; IONOS and Squarespace Domains with eight each; Dynadot with seven; and Dotserve, GMO Internet Group, and Hostinger Operations with six each. The remaining 39 registrars accounted for 31% of the total domain volume.

  

• They were created between 1997 and 2024. As with the blackfriday domains, most of the thanksgiving domains, 94% to be exact, were also relatively new, created from 2023 onward. Two domains each were created in 2004, 2017, and 2021, while one each were created in 1997, 2011, 2015, 2016, and 2018.

  

• They were registered in 16 different countries led by the U.S., which accounted for 105 domains. The other countries that made it to the top 5 were Iceland with 25 domains, Canada and Panama with six each, the U.K. with four, and China and Japan with three each. The 11 remaining countries accounted for 5% of the total domain volume. Finally, 8% of the countries did not have registrant country data in their current WHOIS records.

  

Next, we combined all the blackfriday and thanksgiving domains, with or without current WHOIS records, ending up with a total of 2,324 domains. We queried them on Threat Intelligence API and found that four of them were associated with various threats. An example is blackfriday-best-deals[.]com, which has already been tagged as an indicator of compromise (IoC) for generic threats and phishing.

Expansion Analysis Findings

The bulk WHOIS lookups we performed earlier for the blackfriday and thanksgiving domains uncovered 219 email addresses from their current WHOIS records after duplicates were filtered out. Upon closer scrutiny, we determined that 32 of these email addresses were public.

Querying the 32 public email addresses on Reverse WHOIS API resulted in the discovery of 318 email-connected domains after duplicates and the original domains were removed. Threat Intelligence API showed that one of them—feiraochevro[.]com—was associated with a cyber attack.

DNS lookups for the 2,324 original domains with current WHOIS records revealed that they resolved to 1,250 unique IP addresses—464 IPv6 addresses and 786 IPv4 addresses. We focused on the 786 IPv4 addresses for the rest of our analysis.

Threat Intelligence API queries for the 786 IP addresses showed that 635 were associated with various threats. Take a look at five examples below.

A bulk IP geolocation lookup for the 786 IP addresses showed that:

• They were geolocated in 32 different countries led by the U.S., which accounted for 644 IP addresses. Canada and Germany with 24 IP addresses each, Brazil with 12, the Netherlands with 11, and France with 10 completed the top 5 geolocation countries list. The remaining 27 countries accounted for 8% of the total IP address volume.

  

• They were administered by 76 different ISPs led by Cloudflare, which accounted for 431 IP addresses. The rest of the top 10 geolocation countries were Amazon with 65 IP addresses, Namecheap with 48, Hostinger International with 30, Linode with 17, Google with 14, IONOS with 10, OVHcloud with eight, Endurance International Group with seven, and Alibaba with six. The remaining 66 ISPs accounted for 12% of the total IP address volume. Finally, 7% of the IP addresses did not have ISP data.

  

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.