Cybersquatting. PHOTO: Cybercrime Magazine.

Threat Actors Ride On Domain Registration Trends in Q2 2022

A steady stream of cybersquatting domains targeted some of the most-visited online shopping sites and blockchain apps

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Sep. 19, 2022

Real-world activities and events are often mirrored online. When the COVID-19 pandemic hit, it resounded online. The news about Elon Musk’s Twitter purchase agreement made waves on the Internet too. In the same way, digital trends and developments, such as social media and blockchain technology applications, also reach beyond the virtual realm, making their way into household conversations.

We can go on with more examples, but the point is that what happens online is often a reflection of offline events — and vice versa. And threat actors may be monitoring and weaponizing these drivers, too. We figured as much in our Domain Registration Trends Report—Q2 2022, where we mapped some of the most common trends and themes driving domain registrations and DNS activities in the second quarter of 2022.

Our findings indicate that threat actors mobilize many digital properties related to identified themes. Below are the shares of malicious domains we found for each domain registration driver:

  • 12 percent of the properties related to the U.S. tax season
  • 3 percent of the domains containing “Elon Musk” and “Twitter”
  • 3 percent of the cybersquatting domains targeting some of the most-visited online shopping sites
  • 2 percent of the cybersquatting domains targeting cryptocurrencies, non-fungible tokens (NFTs), and decentralized financial (De-Fi) platforms
  • 1 percent of the domains containing the strings “Ukraine” and “Russia,” alongside “aid,” “donate,” “help,” and “support”
  • 1 percent of the Mother’s Day- and Father’s Day-themed domains 

We identified six domain registration drivers for Q2, but they can be categorized into 3 types of domain registration drivers — seasonal, unforeseen, and persistent. The applicable cybersecurity approaches and considerations may differ for each classification.

Seasonal Domain Registration Drivers

Since they are scheduled events, Mother’s Day, Father’s Day, and the U.S. tax season fall under this category. For seasonal drivers, you may want to start monitoring suspicious domain registrations days or weeks before the event.

This insight is evident in the domain registration trend relevant to Mother’s Day and Father’s Day. Domain registrations significantly increased a week before they were celebrated in multiple countries — May 8 for Mother’s Day and June 19 for Father’s Day. You can see this in the chart below.

The trend is also noticeable in .mom domains. 

We can also observe a similar trend for tax-related cyber resources. You can see in the chart below that relevant domain registrations rose two months before April, the busiest month of the season.

Registrations went up again in May before the Q2 Estimated Tax Payment deadline set on June 15, 2022.

Unforeseen Domain Registration Drivers

News and current events can drive up DNS activities in the following days and weeks. In Q2, the Elon Musk-Twitter deal was mirrored in the DNS. Relevant domains increased during the week of the announcement made on April 25, 2022.

For this category, it’s essential to constantly monitor the news and immediately check the DNS for relevant activities.

The ongoing Russia-Ukraine war can also be classified as unforeseen. Although there was a decreasing trend in Q2, major news related to the war may drive up registrations at any time.

Persistent Domain Registration Drivers

Some drivers remain constant throughout the year. Threat actors are typically also indiscriminate when weaponizing related domains. Hence, security teams may want to implement continuous real-time monitoring for relevant DNS activities.

For Q2, we detected a steady stream of cybersquatting domains targeting some of the most-visited online shopping sites. The number of domains consistently exceeded 1,200 per week from April to the first two weeks of June. You can see the targeted companies and the registration trend below.

Another persistent registration driver we’ve been monitoring since last year has to do with cryptocurrencies. In Q2, we included other blockchain applications, namely NFTs and De-Fi platforms. Blockchain-themed domain registrations peaked at the beginning of the quarter and dwindled in the middle of June.

The domain registration drivers in Q2 2022 have been interesting, and we will continue monitoring the DNS in the coming months for significant trends and themes. Malicious actors could be doing the same, so it’s best to stay ahead.

If you’re interested in the domain registration themes and trends we discussed, feel free to contact us. We are also on the lookout for research collaborations.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds.  WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).


Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.



Send this to a friend