{
	"id": "96d8abc5-d5fb-4656-a56e-70f7117db16c",
	"created_at": "2026-04-06T00:16:14.545352Z",
	"updated_at": "2026-04-10T03:30:32.741541Z",
	"deleted_at": null,
	"sha1_hash": "b8b444488e20ec6453d22d32aada6a5d08286d90",
	"title": "Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9919126,
	"plain_text": "Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers\r\nBy Zhanhao Chen, Janos Szurdi\r\nPublished: 2020-09-01 · Archived: 2026-04-02 10:52:50 UTC\r\nExecutive Summary\r\nUsers on the internet rely on domain names to find brands, services, professionals and personal websites.\r\nCybercriminals take advantage of the essential role that domain names play on the internet by registering names\r\nthat appear related to existing domains or brands, with the intent of profiting from user mistakes. This is known as\r\ncybersquatting. The purpose of squatting domains is to confuse users into believing that the targeted brands (such\r\nas Netflix) own these domain names (such as netflix-payments[.]com) or to profit from users’ typing mistakes\r\n(such as whatsalpp[.]com for WhatsApp). While cybersquatting is not always malicious toward users, it is illegal\r\nin the U.S.,[1] and squatting domains are often used or repurposed for attacks.\r\nThe Palo Alto Networks squatting detector system discovered that 13,857 squatting domains were registered in\r\nDecember 2019, an average of 450 per day. We found that 2,595 (18.59%) squatted domain names are malicious,\r\noften distributing malware or conducting phishing attacks, and 5,104 (36.57%) squatting domains we studied\r\npresent a high risk to users visiting them, meaning they have evidence of association with malicious URLs within\r\nthe domain or are utilizing bulletproof hosting.\r\nWe also ranked the Top 20 most abused domains in December 2019 based on adjusted malicious rate, which\r\nmeans that a domain is either a target of many squatting domains or most of these squatting domains are\r\nconfirmed malicious. We found that domain squatters prefer profitable targets, such as mainstream search engines\r\nand social media, financial, shopping and banking websites. 
When visiting these sites, users are often prepared to\r\nshare sensitive information, which opens them up to phishing and scams to steal sensitive credentials or money if\r\nthey can be deceived into visiting a squatting domain instead.\r\nhttps://unit42.paloaltonetworks.com/cybersquatting/\r\nPage 1 of 22\n\nFrom December 2019 to date, we observed a variety of malicious domains with different objectives:\r\nPhishing: A domain mimicking Wells Fargo (secure-wellsfargo[.]org) targeting customers to steal\r\nsensitive information, including email credentials and ATM PINs. Also, a domain mimicking Amazon\r\n(amazon-india[.]online) set up to steal user credentials, specifically targeting mobile users in India.\r\nMalware distribution: A domain mimicking Samsung (samsungeblyaiphone[.]com) hosting Azorult\r\nmalware to steal credit card information.\r\nCommand and control (C2): Domains mimicking Microsoft (microsoft-store-drm-server[.]com and\r\nmicrosoft-sback-server[.]com) attempting to conduct C2 attacks to compromise an entire network.\r\nRe-bill scam: Several phishing sites mimicking Netflix (such as netflixbrazilcovid[.]com) set up to steal\r\nvictims’ money by first offering a small initial payment for a subscription to a product like weight loss\r\npills. However, if users don’t cancel the subscription after the promotion period, a much higher cost will be\r\ncharged to their credit cards, usually $50-100.\r\nPotentially unwanted program (PUP): Domains mimicking Walmart (walrmart44[.]com) and Samsung\r\n(samsungpr0mo[.]online) distributing PUP, such as spyware, adware or a browser extension. 
They usually\r\nperform unwanted changes, like changing the browser's default page or hijacking the browser to insert ads.\r\nOf note, the Samsung domain looks like a legitimate Australian educational news website.\r\nTechnical support scam: Domains mimicking Microsoft (such as microsoft-alert[.]club) trying to scare\r\nusers into paying for fake customer support.\r\nReward scam: A domain mimicking Facebook (facebookwinners2020[.]com) scamming users with\r\nrewards, such as free products or money. To claim the prize, users need to fill out a form with their\r\npersonal information such as date of birth, phone number, occupation and income.\r\nDomain parking: A domain mimicking RBC Royal Bank (rbyroyalbank[.]com) leveraging a popular\r\nparking service, ParkingCrew, to generate profit based on how many users land on the site and click the\r\nadvertisements.\r\nWe studied domain squatting techniques including typosquatting, combosquatting, level-squatting, bitsquatting\r\nand homograph-squatting (all defined below). Malicious actors can use these techniques to distribute malware or\r\nto conduct scams and phishing campaigns.\r\nTo detect squatting domains, Palo Alto Networks developed an automated system to capture emerging campaigns\r\nfrom newly registered domains, as well as from passive DNS (pDNS) data. We continue to detect currently active\r\ncybersquatting domains – we identify malicious and suspicious squatting domains and designate them to the\r\nappropriate categories (such as phishing, malware, C2 or grayware). 
Protections against domains classified in\r\nthese categories are available in multiple Palo Alto Networks security subscriptions, including URL Filtering and\r\nDNS Security.\r\nWe recommend that enterprises block and closely monitor traffic from these domains, while consumers should\r\nmake sure that they type domain names correctly and double-check that the domain owners are trusted before\r\nentering any site. More tips can be found in this post on how to protect against cyberattacks.\r\nSquatting Techniques\r\nTyposquatting is one of the most common types of domain registration abuse. Typosquatters intentionally register\r\nmisspelled variants (such as whatsalpp[.]com) of target domain names (whatsapp[.]com) to profit from users’\r\ntyping mistakes or to deceive users into believing that they are visiting the correct target domain. The most\r\nfrequent typosquatting techniques include registering names one edit distance from the original domain, as these\r\nare the most common and overlooked mistakes users make. For more information, readers can refer to academic\r\nresearch papers on the scale and malicious use of typosquatting.\r\nCombosquatting is another widespread registration abuse that combines popular trademarks with words such as\r\n“security,” “payment” or “verification.” Combosquatting domains like netflix-payments[.]com are often used in\r\nphishing emails, by scam websites and for social engineering attacks to convince users that they are visiting web\r\ncontent maintained by the targeted trademark. For more information, readers can refer to this academic paper on a\r\nlongitudinal study of combosquatting.\r\nHomographsquatting domains take advantage of internationalized domain names (IDNs), where Unicode\r\ncharacters are allowed (such as microsofŧ[.]com). Attackers usually replace one or more characters in the target\r\ndomain with visually similar characters from another language. 
These domains can be perfectly indistinguishable\r\nfrom their targets, as in the case of apple.com, where the English letter \"a\" (U+0061) was replaced with the\r\nCyrillic letter \"а\" (U+0430). For more information, readers can refer to academic research papers on IDNs.\r\nSoundsquatting domains take advantage of homophones, i.e., words that sound alike (for example, weather and\r\nwhether). Attackers can register homophone variants of popular domains, such as 4ever21[.]com for\r\nforever21[.]com. As text-to-speech software like Siri and Google Assistant becomes prevalent, more and more\r\nusers will become vulnerable to the abuse of soundsquatting domains. For more information, readers can refer to\r\nthis academic research paper on soundsquatting.\r\nBitsquatting domains have one character that differs by a single bit (such as micposoft[.]com) from the corresponding\r\ncharacter of the targeted legitimate domain (microsoft[.]com). Bitsquatting can benefit attackers because a hardware error\r\ncan cause a random bit-flip in memory where domain names are stored temporarily. Thus, even though users type\r\nthe correct domains, they may still be led to malicious ones. Although such hardware errors are usually rare, an\r\nacademic research paper has shown that bitsquatting is a real threat.\r\nLevelsquatting domains, such as the case of safety.microsoft.com.mdmfmztwjj.l6kan7uf04p102xmpq[.]bid,\r\ninclude the targeted brand’s domain name as a subdomain. In this example, the victims of the phishing attack\r\nmight believe they are visiting safety.microsoft.com, when instead, they are visiting the attacker’s website. This\r\nattack is especially worrisome for mobile users because the browser's address bar might not be wide enough to\r\ndisplay the entire domain name. 
For more information, readers can refer to this academic paper for a more\r\ncomprehensive study of levelsquatting domains.\r\nDetection of Various Squatting Techniques\r\nWe leverage lexical analysis to detect candidate squatting domains among the Palo Alto Networks newly\r\nregistered domain (NRD) and pDNS feeds. Our list of target domains is the combination of popular domains in\r\ngeneral and domains popular in specific categories, such as shopping and business. We generate the\r\naforementioned squatting variants of the target domains, and match them against our NRD feed and pDNS\r\nhostnames. Additionally, we cluster weekly collections of NRDs to see if registration campaigns target known\r\nbrands. After the initial discovery step, we leverage WHOIS data to filter out defensive registrations and a\r\nheuristic rule-based classifier to identify which domains are true squatting domains.\r\nFigure 1 shows the daily detection statistics for December 2019. During this period, we detected 13,857 squatting\r\ndomains (~450 per day). Since then, the number of daily detections fluctuates between 200 and 900. To understand how\r\nthese domains are leveraged for abuse, we use URL Filtering to categorize them. We label domain names as\r\nmalicious if they are involved in distributing malware or phishing, or if they are being used for command and\r\ncontrol (C2) communication. We label domains categorized as grayware, parked, questionable, insufficient content\r\nand high-risk as suspicious. The average malicious rate of the 13,857 squatting domains is 18.59% (2,595) and\r\nthe average suspicious rate is 36.57% (5,104).\r\nFigure 1. Volume and malicious and suspicious rates of daily domain squatting in December 2019.\r\nNext, we compare our detection of squatting domains to vendors found on VirusTotal. 
Considering detection\r\ndelays, we allow a 10-day time window for malicious squatting domains to appear on VirusTotal. Figure 2 shows\r\nhow well the top 10 vendors detected these malicious and high-risk domains. The best-performing vendor covers\r\nabout 25% of the malicious or high-risk squatting domains that we detected. Meanwhile, other vendors cover less\r\nthan 20% of our detections. Lastly, we found that 55% of malicious or high-risk squatting domains are not\r\ndetected by any vendors.\r\nFigure 2. Malicious and high-risk squatting domain detection on VirusTotal in December 2019.\r\nThe Domain Squatting Ecosystem\r\nTo identify malicious infrastructure hotspots, we studied specific network elements and entities that typosquatters\r\ndepend on for their operations. Specifically, we studied popular registrars, name services, autonomous systems\r\nand certificate authorities used by domain squatters.\r\nFor each chart outlined below, we considered the number of squatting detections to reflect their popularity among\r\ndomain squatters, and the malicious IOC rate to quantify the degree of threat to users. Combining these two\r\nmetrics, we calculated the adjusted malicious rate of each entity. Thus, a high adjusted malicious rate means that\r\nan entity is either targeted by many squatting domains or most of these squatting domains are malicious.\r\nTop 20 Most Abused Domains\r\nDomain squatters prefer popular and thus profitable targets. Figure 3 shows the Top 20 most abused domains.\r\nThese targets are popular websites, such as mainstream search engines and social media, financial, shopping and\r\nbanking websites. Squatting domains mimicking these websites benefit from their credibility to attract more users\r\nthat can be scammed. Therefore, these targets have relatively high squatting detection numbers.\r\nFigure 3. 
Top 20 most abused domains in December 2019.\r\nTop 10 Most Abused DNS Services and Autonomous Systems\r\nNext, we look at the DNS services and the autonomous systems (AS) used by squatting domains to understand\r\ntheir infrastructure preferences. An AS is a set of IP subnets maintained by one or more network operators.\r\nThe name service used by domain squatters often signifies which registrar was used to register the domain, where\r\nthe squatting web page is hosted or which parking service these domains utilize to profit from user traffic. Figure\r\n4 displays the most abused name services of squatting domains. Freenom.com and dnspod.com are often used by\r\ndomain squatters, as they provide cheap or free domain registration and domain hosting. DNSPod is known for\r\nhosting shady DNS records and for providing services for malicious bulletproof hosting operators. Level-squatters\r\nmight choose to use registrar.eu as it supports an unlimited number of subdomains and free URL forwarding,\r\nwhich reduces the cost of deploying and scaling attacks.\r\nFigure 4. Top 10 most abused DNS services in December 2019.\r\nAdditionally, parkingcrew.net and above.com are popular parking services because they provide a simple\r\nmonetization avenue to domain owners, achieved by pointing domain names’ DNS records to their name servers.\r\nParking services usually show users parked pages laden with ads or redirect users to affiliate marketing or\r\nmalicious websites.\r\nAs hosting services often have their own AS, we observed that the AS distribution is somewhat consistent with the\r\nname service distribution. The top three most abused AS (19495, 48635, 262254) belong to the three most abused\r\nname service providers, respectively (freenom.com, registrar.eu, ddos-guard.net). 
The fourth most abused AS\r\n(40034) is owned by ztomy.com, a service favored for DNS hijacking attacks.\r\nFigure 5. Top 10 most abused autonomous systems in December 2019.\r\nTop 10 Most Abused Registrars\r\nRegistrars are entities that sell domain names to users. The most abused registrar, Internet.bs, provides free\r\nservices preferred by domain squatters, including privacy-protected registration and URL forwarding. We captured\r\nseveral level-squatting campaigns at this registrar. In these campaigns, attackers set up hundreds of subdomains\r\nmimicking popular target domains under com-secure-login[.]info and com-finder-me[.]info. An example level-squatting subdomain is www.icloud.com-secure-login[.]info. The second-most abused registrar, Openprovider,\r\noffers cheap and easy bulk registrations, attracting many squatting registrations. Additionally, we observed many\r\ndomains from this registrar having their WHOIS records redacted for privacy. Our system discovered many level-squatting domains registered at TLD Registrar Solutions using the .support TLD (top-level domain), including\r\nicloud.com-iphone[.]support and apple.com.recover[.]support, which users might confuse with legitimate Apple\r\ntechnical support services.\r\nFigure 6. Top 10 most abused registrars in December 2019.\r\nTop 5 Most Abused Certificate Authorities\r\nAs HTTPS became common, cybercriminals increased the use of certificates to make their websites appear\r\nlegitimate. Figure 7 provides an overview of the certificate authorities (CAs) preferred by squatting sites. The\r\nmost popular CA is Cloudflare, as it offers a bundle, including free SSL encryption. 
The second most popular CA,\r\ncPanel Inc CA, is preferred by domain squatters because of the convenience and the ease of its AutoSSL services.\r\nThrough cPanel’s management interface, their customers are able to finish all steps of SSL encryption, including\r\ncertificate purchase, automatic installation and renewal. Thawte CA is not a trusted CA anymore, and browsers\r\nwill label its certificates as suspicious, but squatting domains are still using it.\r\nFigure 7. Top 5 most abused certificate authorities in December 2019.\r\nMalicious Usages and Threats\r\nIn this section, we discuss in detail different types of abuse leveraging squatting domains. It includes malware\r\ndistribution, phishing, C2 communication, potentially unwanted programs (PUPs), scams, ad-laden sites and\r\naffiliate marketing.\r\nPhishing\r\nPhishing is one of the most popular threats leveraging squatting domains. All of the different squatting techniques\r\nwe discussed can be used to lure users into believing that a squatting domain is owned by the legitimate brand and\r\nto increase the efficiency of phishing and scam campaigns.\r\nOne example is a combosquatting domain, secure-wellsfargo[.]org, which targets Wells Fargo’s customers. This\r\ndomain hosts a copy of Wells Fargo’s official site, as illustrated in Figure 8.a. However, this site is only the front-end portion of the original site, redirecting all clicks to the same login page (shown in Figure 8.b) to steal\r\ncustomers’ sensitive information, including email credentials and ATM PINs.\r\nFigure 8.a. Fake Wells Fargo website: secure-wellsfargo[.]org\r\nFigure 8.b. 
Phishing login page for secure-wellsfargo[.]org\r\nFigure 9 demonstrates how another combosquatting domain, amazon-india[.]online, mimicking Amazon, is set up to steal user credentials, specifically targeting mobile users in India. As a common\r\nstrategy, all links on this site first redirect users to the same product page (the middle screenshot in Figure 9) and\r\nthen to the payment page. In this particular case, the perpetrators did not even go through the trouble of optimizing\r\nthe phishing page for desktop users.\r\nFigure 9. Fake Amazon website: amazon-india[.]online\r\nMalware Distribution\r\nSquatting domains are also often used to distribute malware. A combosquatting domain mimicking Samsung\r\n(samsungeblyaiphone[.]com) hosts Azorult malware\r\n5acd6d9ac235104f90f9a39c11807c37cdfb103d6c151cc1a2e4e38bf3dbe41f on the URL\r\nsamsungeblyaiphone[.]com/dolce.exe. Azorult malware is a credential and payment card information stealer,\r\nusually spread by phishing emails. It has been an active threat since 2016 and is one of the top malware families.\r\nOnce the malware executes, it will generate a unique identifier for the compromised machine based on the\r\nmachine’s globally unique identifier and username. Then the malware will contact the C2 server with this\r\nidentifier, and it will retrieve the configuration of the infected machine, including the running processes and\r\nservices. Additionally, Azorult malware often downloads payloads from other compromised servers. The new\r\npayload can collect and send out sensitive data such as cookies, browser credentials and cryptocurrency\r\ninformation.\r\nAnalyzing the malware sample downloaded from samsungeblyaiphone[.]com, we found that it attempted to send\r\na POST request to samsungeblyaiphone[.]com/index.php, which is consistent with this malware family’s known\r\nbehavior to exfiltrate data. 
Besides the observed network activity, the malware also displayed suspicious behaviors\r\nsuch as changing the settings of Internet Explorer.\r\nCommand \u0026 Control (C2)\r\nMalware instances on infected machines typically need to “phone home” to a C2 server for further commands to\r\nexecute, to download new payloads or to perform data exfiltration. Malware often relies on domain names to\r\nlocate C2 servers, and these domains are called C2 domains. While using squatting domains for C2 is uncommon,\r\nwe speculate that the intention of those who do so is to evade automated detection (such as Domain Generation\r\nAlgorithm detection) and manual analysis.\r\nOur squatting detection system captured squatting domains mimicking Microsoft, microsoft-store-drm-server[.]com on January 30, 2020, and microsoft-sback-server[.]com on February 3, 2020. From the Palo Alto\r\nNetworks WildFire Malware Analysis Engine, we retrieved similar malware samples, including\r\nfa28b59eb0ccd21d3994b0778946679497399b72c2e256ebf2434553cb7bf373 and\r\ne7fb436bf7d8784da092315bce1d3511a6055da41fe67362bad7a4c5d3f0294e, connecting to them. These two\r\ndomain names used the previously mentioned DNSPod for name resolution, which is infamous for being slow in\r\nresponding to abuse investigations. First, the malware resolved these domains to the same IP address\r\n217.182.227[.]117. Then, it communicated through SSL traffic with the same JA3 (SSL fingerprint):\r\n6312930a139fa3ed22b87abb75c16afa on client-side and 4192c0a946c5bd9b544b4656d9f624a4 on server-side.\r\nObserving the same behavior, we conclude they were using the identical SSL application and were part of the\r\nsame campaign.\r\nSimilar to most C2 domains, these two squatting domains were short-lived. They were only used for one to two\r\ndays after registration and were then abandoned by attackers. 
Tracking 217.182.227[.]117, we are able to find\r\nother C2 domains used by this campaign: store-in-box[.]com from Jan. 27-28, stt-box[.]com from Jan. 29-31,\r\nmicrosoft-store-drm-server[.]com from Jan. 31-Feb. 2, and microsoft-sback-server[.]com on February 3.\r\nPotentially Unwanted Program (PUP)\r\nA PUP could be either standalone software, like spyware or adware, or a browser extension. PUPs usually perform\r\nunwanted changes, like changing the browser's default page or hijacking the browser to insert ads. Researchers\r\nhave shown that some PUP downloaders are also repurposed for malware campaigns. Websites hosting PUPs\r\nusually try to scare users by showing them warning messages like “Your computer is infected!” or “Your license\r\nhas expired!” to convince them to download the advertised software.\r\nFigure 10 shows a combosquatting domain mimicking Walmart (walrmart44[.]com) that distributes PUP.\r\nDepending on the browser used, it redirects users to landing pages offering different types of PUPs for download.\r\nWhen we visit this domain in Safari, it tells us that our Flash player might be outdated and offers us the chance to\r\ndownload the newest version from their site, as illustrated in Figure 10.a. While using Chrome, we get a “click\r\ncontinue and install extension” page, as shown in Figure 10.b, which redirects users to the Chrome store for the\r\n“Security for Chrome” extension. Alternatively, this website will occasionally redirect users to various legitimate\r\necommerce websites, including Walmart, Amazon and Aliexpress. After repeated visits, it will remember the\r\nsource IP address and reject further visits even if we use different browsers (Figure 10.c).\r\nFigure 10.a. Redirection to PUP installation in Safari from walrmart44[.]com\r\nFigure 10.b. Redirection to PUP installation in Chrome from walrmart44[.]com\r\nFigure 10.c. 
walrmart44[.]com blocks crawlers when visited too frequently.\r\nA combosquatting domain mimicking Samsung (samsungpr0mo[.]online) looks like a legitimate Australian educational news website with a valid SSL certificate. However, visiting this\r\nsite, users are faced with popup windows, warning them about security flaws (Figure 11.a). Clicking on the\r\nwarnings, users are redirected to a fake virus scanning page, which recognizes their operating system to increase\r\ncredibility but will always display the same list of detected viruses (Figure 11.b). Finally, clicking the “Proceed”\r\nbutton takes users to a download page for a system repair tool, which is legitimate but potentially unwanted.\r\nFigure 11.a. samsungpr0mo[.]online displaying warning messages in the top right corner.\r\nFigure 11.b. A fake virus scanning page displays after clicking on a warning message from\r\nsamsungpr0mo[.]online\r\nTechnical Support Scam\r\nTechnical support scams are social engineering attacks. An associated website’s purpose is to scare people with\r\naudio and visual warnings into believing that their machine is compromised. It prompts people to call the\r\ndisplayed fake technical support center’s phone number. When people call the number, scammers will try to\r\npersuade them that the only way to save their machine is by paying for the fraudulent support service. In the case\r\nof combosquatting, the domain name often contains keywords like “security,” “alert” and “warning.” An example\r\ndomain mimicking Microsoft (microsoft-alert[.]club) shown in Figure 12.a was registered on June 11, 2020. This\r\nwebsite presents warning messages in Japanese (translated to English in Figure 12.b), renders dynamic content,\r\nsuch as a running command line window, and plays audio alerts.\r\nFigure 12.a. 
A technical support scam page hosted on microsoft-alert[.]club\r\nFigure 12.b. Translated to English.\r\nRe-bill Scam\r\nRe-bill scammers first offer a subscription to products such as weight loss pills in exchange for a small initial\r\npayment. However, if users don’t cancel the subscription after the promotion period, a much higher cost will be\r\ncharged to their credit cards, usually $50-100. Additional information on this type of scam can be found in Unit 42’s previous research on deceptive affiliate marketing. The combosquatting domain netflixbrazilcovid[.]com\r\nleverages both Netflix and the COVID-19 pandemic. The main page looks like the Portuguese Netflix site (Figure\r\n13.a), and has the purpose of obtaining user email addresses. (It is shown translated to English in Figure 13.b.) A\r\ndeceptive reward message (Figure 13.c) is then shown to potential victims. Finally, users are redirected to a survey\r\nand then to a re-bill scam page (Figure 13.d).\r\nFigure 13.a. A fake Netflix main page hosted on netflixbrazilcovid[.]com\r\nFigure 13.b. Translated to English.\r\nFigure 13.c. Deceptive social engineering reward email.\r\nFigure 13.d. A re-bill scam page distributed by deceptive reward email.\r\nReward Scam\r\nAnother popular scam offers users rewards such as free products or money. When we initially captured\r\nfacebookwinners2020[.]com, it was under development with placeholder images and texts, as shown in Figure\r\n14.a. However, the perpetrators recently replaced placeholders with meaningful content. From the screenshot, we\r\ncould tell the page mimics a free lottery related to Facebook. 
To claim the prize, users need to fill out a form with\r\ntheir personal information such as date of birth, phone number, occupation and income (Figure 14.b).\r\nFigure 14.a. Reward scam page under development: facebookwinners2020[.]com\r\nFigure 14.b. An application form on facebookwinners2020[.]com requesting personal information.\r\nDomain Parking\r\nA common and easy way to monetize user traffic is to use a parking service by pointing the squatting domain’s IP\r\naddress or NS record to the parking service’s servers. Figure 15 provides an example of a parked domain\r\nmimicking RBC Royal Bank, rbyroyalbank[.]com, leveraging a popular parking service, ParkingCrew, to\r\ngenerate profit based on how many users land on the site and click the advertisements. In some cases, parking\r\nservices also redirect users to scam and phishing pages. As the hostname in the certificate is different from the\r\nsquatting domain, the browser will label it as “Not secure.” Parked pages usually show users a list of\r\nadvertisements related to the parked domain. In our example, the ads shown are related to financial services.\r\nFigure 15. A parked page for rbyroyalbank[.]com\r\nConclusion\r\nIn summary, domain squatting techniques leverage the fact that users rely on domain names to identify brands and\r\nservices on the Internet. These squatting domains are often used for nefarious activities, including phishing,\r\nmalware and PUP distribution, C2 and various scams. A high rate of malicious and suspicious usage among\r\nsquatting domains was observed. Therefore, continuous monitoring and analysis of these domains are necessary to\r\nprotect users.\r\nPalo Alto Networks monitors newly registered domains and newly observed hostnames from pDNS and Zone files\r\nto capture emerging squatting campaigns. 
Our automatic pipeline publishes the domains it detects to URL\r\nFiltering and DNS Security using the appropriate category, including malware, phishing, C2 or grayware.\r\nAnalyzing the squatting ecosystem, we found that domain squatters prefer certain types of target domains,\r\nregistrars, hosting services and certificate authorities. The following attributes are common in cases of malicious\r\nsquatted domains:\r\nDomain names that are targeting known financial, shopping and banking domains.\r\nDomains that use frequently abused registrars and hosting services.\r\nDomains that do not have completely validated SSL certificates.\r\nTherefore, we advise everyone to be more careful when encountering these domains.\r\nPalo Alto Networks customers using URL Filtering, DNS Security, WildFire and Threat Prevention are protected\r\nfrom the threats related to squatting domains mentioned in this blog. Using AutoFocus, our customers can further\r\nstudy the malware mentioned in this blog by using the tag AzoRult.\r\nAcknowledgements\r\nSpecial thanks to Daiping Liu, Kelvin Kwan, Laura Novak, Jun Javier Wang, Vicky Ray, Eddy Rivera, Erica\r\nNaone and Arun Kumar for their help with improving the blog.\r\nIOCs\r\nSha256\r\n5acd6d9ac235104f90f9a39c11807c37cdfb103d6c151cc1a2e4e38bf3dbe41f\r\nfa28b59eb0ccd21d3994b0778946679497399b72c2e256ebf2434553cb7bf373\r\ne7fb436bf7d8784da092315bce1d3511a6055da41fe67362bad7a4c5d3f0294e\r\nJA3 Pair\r\nClient JA3: 6312930a139fa3ed22b87abb75c16afa\r\nServer JA3: 4192c0a946c5bd9b544b4656d9f624a4\r\nMalware/Phishing Squatting Hostname\r\namazon-india[.]online\r\napple.com.recover[.]support\r\ncom-finder-me[.]info\r\ncom-secure-login[.]info\r\nfacebook.com-account-login-manage.yourfiresale[.]com\r\nicloud.com-iphone[.]support\r\nmicrosoft-alert[.]club\r\nmicrosoft-sback-server[.]com\r\nmicrosoft-store-drm-server[.]com\r\nmicrosofŧ[.]com 
(xn--microsof-wyb[.]com)\r\nnetflix-payments[.]com\r\nnetflixbrazilcovid[.]com\r\nrbyroyalbank[.]com\r\nsafety.microsoft.com.mdmfmztwjj.l6kan7uf04p102xmpq[.]bid\r\nsamsungeblyaiphone[.]com\r\nsamsungpr0mo[.]online\r\nsecure-wellsfargo[.]org\r\nstore-in-box[.]com\r\nstt-box[.]com\r\nwww.icloud.com-secure-login[.]info\r\nGrayware Hostname\r\n4ever21[.]com\r\nfacebookwinners2020[.]com\r\nmicposoft[.]com\r\nwalrmart44[.]com\r\nwhatsalpp[.]com\r\nURL\r\nsamsungeblyaiphone[.]com/dolce.exe\r\nsamsungeblyaiphone[.]com/index.php\r\nIP\r\n217.182.227[.]117\r\n1. Anti-cybersquatting Consumer Protection Act (ACPA) (15 USC §1125(d)) ↑\r\nSource: https://unit42.paloaltonetworks.com/cybersquatting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cybersquatting/"
	],
	"report_names": [
		"cybersquatting"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8b444488e20ec6453d22d32aada6a5d08286d90.pdf",
		"text": "https://archive.orkl.eu/b8b444488e20ec6453d22d32aada6a5d08286d90.txt",
		"img": "https://archive.orkl.eu/b8b444488e20ec6453d22d32aada6a5d08286d90.jpg"
	}
}