A key component of many instances of brand infringement or fraud is the construction of a URL appearing deceptively similar to that of the website of the brand being impersonated.
This type of deception is often key to the misdirection of customers to the fraudulent site[1].
One example of a methodology employed by infringers is the use of a non-brand-specific domain name together with a branded (or otherwise relevant) subdomain name which, when combined, produces a hostname[2] appearing similar to the URL of an official site. This is illustrated in Figure 1, which shows an SMS (text message) based scam targeting UK customers of a large international banking brand (referred to in the description below as ‘bankbrand’), as also discussed in previous analyses[3],[4].

Figure 1: Example of a message comprising an SMS-based scam targeting UK customers of a large international banking brand, using a deceptive (‘uk-’) domain name / subdomain combination
This approach is attractive because it avoids the requirement to register a brand-related domain name (which can readily be picked up by a brand owner employing a domain-monitoring solution), and works on the principle that a domain owner can configure whatever subdomain-name hierarchy they wish. In the case of Figure 1, the actual registered domain name is ‘uk-account.help’ (using the new-gTLD[5] domain extension ‘.help’, which may be unfamiliar to many users), with a subdomain name of ‘bankbrand.co’. The technique is additionally effective because of the tendency of mobile SMS message viewers to add line breaks after a hyphen, leaving ‘bankbrand.co.uk-’ – superficially very similar to the bank’s official domain name – on a single line.
The previous analysis of this type of scam focused on domain names beginning with ‘uk-’ (as in the above example); in this new study, we consider domains with names analogously beginning with ‘com-’, which generally have a more global relevance and applicability, particularly in view of the commonness of use of the .com extension by official brand websites.
Analysis
The analysis, using data from domain name zone files, revealed the existence of 11,070 gTLD domains with names beginning ‘com-’. Of these, 1,871 have been deemed of moderate or high additional potential concern, on the basis of the presence also in the domain name of keywords which may be associated with types of scam frequently seen (e.g. phishing or parcel-tracking scams)[6].
Of these 1,871 domain names, we first consider the existence of hostnames consisting of each of the domain names prefixed by the names of any of the top ten most highly phished brands in 2024[7], either in isolation, or themselves prefixed by ‘www.’ – i.e. direct checks for 2 × 18,710 ‘candidate’ hostnames which, if active, have a significant potential for abuse.
2,040 of these produced some sort of live website response, although none were found to resolve to active infringing content as of the time of analysis. Some examples appear to be in use by legitimate third parties who simply happen to use ‘com-’-style domain names; the fact that the brand-specific subdomains also resolve to site content in these cases probably just indicates that the domains have been configured with wildcard DNS records, such that any arbitrary subdomain name resolves to the site. A few even appear to have been set up as part of corporate phishing tests or cybersecurity training projects, but many more were found to resolve to placeholder pages or simply to be inactive at present.
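As an added illustration of the triage step described above (this is not code from the original study or from Stobbs), the following Python script reproduces the keyword classification of footnote [6], builds the brand.domain and www.brand.domain candidate hostnames for the brands of footnote [7], and checks which of them resolve. It assumes that the footnote’s ‘*’ wildcards mean stems matched as substrings, that keywords are matched across the whole domain name including the extension (which is how names such as com-pinggu.online end up in the ‘moderate’ set), and that the registered domain is whatever follows the brand label. The domain list and the stub resolver are constructed so that it runs offline; pass default_resolver instead for a live DNS check. A per-domain tally flags domains where every candidate resolves, the wildcard-DNS pattern noted above.

```python
import socket

# Keyword lists transcribed from footnote [6]; the footnote's '*' wildcards are
# treated here as stems matched as substrings (assumption: 'pack*' -> 'pack').
MODERATE_KEYWORDS = ["bank", "connect", "extranet", "help", "listing", "official",
                     "online", "pack", "server", "support", "sys", "tech"]
HIGH_KEYWORDS = ["account", "auth", "-id", "parce", "secur", "sign", "track"]

# The ten most-phished brands of 2024 as listed in footnote [7].
BRANDS = ["linkedin", "dhl", "google", "microsoft", "fedex",
          "whatsapp", "amazon", "maersk", "aliexpress", "apple"]


def is_com_style(domain: str) -> bool:
    """True for registered names whose second-level label begins 'com-'."""
    return domain.lower().startswith("com-")


def classify(domain: str) -> str:
    """Return 'high', 'moderate' or 'none'. Keywords are matched against the whole
    name, extension included (assumption consistent with the study treating
    names under '.online' as 'moderate'); 'high' takes precedence."""
    name = domain.lower()
    if any(k in name for k in HIGH_KEYWORDS):
        return "high"
    if any(k in name for k in MODERATE_KEYWORDS):
        return "moderate"
    return "none"


def candidate_hostnames(domains, brands=BRANDS):
    """Direct-check candidates: brand.<domain> and www.brand.<domain> for every
    'com-' domain of moderate or high concern (2 x brands x domains names)."""
    out = []
    for d in domains:
        if not is_com_style(d) or classify(d) == "none":
            continue
        for b in brands:
            out.append(f"{b}.{d}")
            out.append(f"www.{b}.{d}")
    return out


def default_resolver(hostname: str) -> bool:
    """Live DNS lookup; only used if no other resolver is injected."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def registered_domain(hostname: str) -> str:
    """Strip the brand label (and any leading 'www.') from a candidate hostname."""
    parts = hostname.split(".")
    return ".".join(parts[2:] if parts[0] == "www" else parts[1:])


def resolving_hostnames(hostnames, resolver=default_resolver):
    """Return (resolving hostnames, per-domain tally of resolving candidates)."""
    live = [h for h in hostnames if resolver(h)]
    per_domain = {}
    for h in live:
        dom = registered_domain(h)
        per_domain[dom] = per_domain.get(dom, 0) + 1
    return live, per_domain


def likely_wildcard(per_domain, n_brands=len(BRANDS)):
    """Domains where every candidate resolved: almost certainly a wildcard DNS
    record rather than brand-specific configuration."""
    return {d for d, n in per_domain.items() if n == 2 * n_brands}


# Constructed sample standing in for a zone-file extract (not study findings).
SAMPLE_DOMAINS = [
    "com-account-help.center",   # high ('account'; 'help' alone would be moderate)
    "com-tracking.vip",          # high ('track')
    "com-online.shop",           # moderate ('online')
    "com-official.asia",         # moderate ('official')
    "com-pinggu.online",         # moderate via the '.online' extension
    "com-freevouchers.online",   # moderate via the extension
    "com-example.net",           # no keyword: excluded from the checks
    "example-com.net",           # not a 'com-' style name: excluded
]


def stub_resolver(hostname: str) -> bool:
    """Constructed offline answers: com-online.shop resolves for every candidate
    (wildcard), com-account-help.center for a single brand only."""
    return (hostname.endswith(".com-online.shop")
            or hostname == "apple.com-account-help.center")


if __name__ == "__main__":
    candidates = candidate_hostnames(SAMPLE_DOMAINS)
    live, tally = resolving_hostnames(candidates, stub_resolver)
    print(f"{len(candidates)} candidates, {len(live)} resolving")
    wildcards = likely_wildcard(tally)
    for dom, n in sorted(tally.items()):
        note = " (likely wildcard DNS)" if dom in wildcards else ""
        print(f"  {dom}: {n}{note}")
```

On the sample, six of the eight names carry a keyword, giving 120 candidates; the stub answers for all 20 candidates under com-online.shop (flagged as wildcard) and for a single brand under com-account-help.center, which is the pattern that merits a closer look.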
As a more robust deep-dive, we next consider the existence of arbitrary subdomains on any of the 1,239 domains featuring ‘high-risk’ keywords, through the use of a discovery script[8],[9] (which draws on a range of data sources, including information on SSL certificates and other databases) designed to identify those subdomains which have been explicitly configured (and which, accordingly, are likely to have been intended for active use, very probably fraudulent in the cases where brand references are identified).
Through this analysis, 835 active subdomains / hostnames were identified. Again, almost none were found to resolve to active infringing content as of the time of analysis, apart from two examples impersonating news websites as part of an apparent campaign to promote an online casino website (Figure 2).

Figure 2: Examples of fake news websites promoting an online casino
Hostnames:
cnn.com-securityguardwins.net
usatoday.com-securityguardwins.net
One further example (apple.com-secureweb.info) was found to re-direct to a URL making a specific reference to the term ‘login’, and which is therefore highly likely to have been associated with phishing activity, even though the site content was no longer present.
None of the remainder currently resolved to any significant content of concern, although a significant proportion generated browser warnings about ‘dangerous’ content, which was presumably formerly present.
Also of note are the significant numbers of identified subdomains (above and beyond the handful of active examples referenced above) including brand-specific references, highly suggestive of fraudulent intent. These include:
For domain names containing the specific ‘high-risk’ keyword ‘account’ (59 domains):
  - 18 subdomains containing ‘paypal’
  - 9 containing ‘apple’ (or misspellings)
  - 2 containing ‘youtube’
  - 2 containing ‘intuit’
  - 1 containing ‘facebook’
For domain names containing other ‘high-risk’ keywords (1,180 domains):
  - 313 subdomains containing ‘usps’
  - 45 containing ‘apple’
  - 32 containing ‘xfnity’ [sic]
  - 31 containing ‘icloud’ or ‘lcloud’ (with a lower-case ‘L’)
  - 2 each containing ‘net(-)flix’, ‘amazn’ [sic], ‘postbank’, and ‘quickenloans’
Many of these have clear potential for deception and fraudulent use, with examples of identified configured hostnames including:
apple.com-account-alert.com
apps-paypal.com-account-help.center
www.paypal.com-accounts.com
paypal.com-myaccount.net
www.paypal.com-useraccount.info
appleid.apple.com-verificationform-accountid.com
usps.com-tracking.vip
netflix.com-appsign.com
www.login-xfnity.com-auth-id-573472314645.com
www.apple.com-id.app
www.mail.quickenloans.com-securemessage.center
www.icloud.com-signin.info
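The brand-reference counts above can be reproduced over any list of discovered hostnames with a check that looks for brand strings in the subdomain labels while ignoring hostnames whose registrable domain itself carries the brand (those are ordinary domain-monitoring cases). The following Python is an added example, not code from the study or from the Sublist3r tool it cites. It assumes the registrable domain is the last two labels (true for the gTLD names here, but not for registries such as .co.uk, where a public suffix list is needed); it tolerates one edit for brands of five or more characters so that the ‘lcloud’, ‘xfnity’ and ‘amazn’ variants noted above are still attributed to their brands, and strips hyphens so that ‘net-flix’ matches. The brand list is illustrative, and the hostnames marked ‘constructed’ are not study findings.

```python
# Brands named in the subdomain counts above (illustrative; a deployment would
# use the brand owner's own portfolio).
BRANDS = ["paypal", "apple", "youtube", "intuit", "facebook", "usps",
          "xfinity", "icloud", "netflix", "amazon", "postbank", "quickenloans"]

# Short brand names match exactly only; longer ones tolerate one edit so that
# 'lcloud', 'xfnity' and 'amazn' are still attributed to the brand.
MIN_FUZZY_LEN = 5


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_hostname(hostname: str):
    """Split into (subdomain labels, registrable domain). Assumption: the
    registrable domain is the last two labels, which holds for the gTLD names
    in this study but not for ccTLD second-level registries such as .co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def brand_in_text(brand: str, text: str) -> bool:
    """Exact substring match, or one edit away for brands of MIN_FUZZY_LEN+ chars,
    checked over every window of length len(brand) +/- 1."""
    if brand in text:
        return True
    if len(brand) < MIN_FUZZY_LEN:
        return False
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(0, len(text) - width + 1):
            if levenshtein(text[start:start + width], brand) <= 1:
                return True
    return False


def brand_references(hostname: str, brands=BRANDS) -> set:
    """Brands referenced in the subdomain part of a hostname whose registrable
    domain is not itself a brand name: the pattern this study is concerned with.
    Hyphens are dropped before matching so that 'net-flix' reads as 'netflix'."""
    sub_labels, reg = split_hostname(hostname)
    sub_text = "".join(sub_labels).replace("-", "")
    reg_text = reg.replace("-", "")
    found = set()
    for brand in brands:
        if brand in reg_text:
            continue  # brand-owned or lookalike domain: standard domain-monitoring territory
        if brand_in_text(brand, sub_text):
            found.add(brand)
    return found


def tally(hostnames, brands=BRANDS) -> dict:
    """Per-brand count of hostnames referencing it, as in the breakdown above."""
    counts = {}
    for h in hostnames:
        for b in brand_references(h, brands):
            counts[b] = counts.get(b, 0) + 1
    return counts


# Hostnames from the list above plus constructed variants exercising the edge cases.
SAMPLE_HOSTNAMES = [
    "apple.com-account-alert.com",
    "apps-paypal.com-account-help.center",
    "www.paypal.com-accounts.com",
    "www.login-xfnity.com-auth-id-573472314645.com",
    "www.icloud.com-signin.info",
    "netflix.com-appsign.com",
    "usps.com-tracking.vip",
    "lcloud.com-account.help",     # constructed: lower-case L for i
    "net-flix.com-appsign.com",    # constructed: hyphenated brand
    "amazn.com-track.vip",         # constructed: missing letter
    "mail.com-online.com",         # constructed: no brand reference
    "www.paypal.com",              # constructed: brand's own domain, not flagged
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        print(f"{h}: {sorted(brand_references(h)) or '-'}")
    print(tally(SAMPLE_HOSTNAMES))
```

Because a window of the same length as the brand can be within one edit only if it differs in a single character, and a window one character shorter or longer only if it is the brand with one character removed or inserted, the fuzzy match is tight enough that ‘apps-paypal’ is attributed to PayPal but not to Apple.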
Extending this analysis out to the 632 ‘moderate risk’ ‘com-’ domains, we find an additional 1,390 configured active subdomains. As previously, many of these are inactive, but even these in some cases highlight another attractive aspect of this style of scam; namely that it allows multiple brands to be targeted using a single domain name (as evidenced by the presence of groups of examples such as ww16.timhortons.com-freevouchers.online, ww16.ikea.com-freevouchers.online and ww16.mvideo.com-freevouchers.online).
However, 291 of the hostnames do generate some sort of live website response. Some of these do appear to pertain to content associated with legitimate hosting services (e.g. a number of subdomains of com-online.com, which appears to be a German provider of digital media services); however, there do seem to be a number of other examples where the content appears to comprise instances of brand impersonation, as shown in Figure 3[10].

Figure 3: Examples of live site content identified on subdomains of domains featuring ‘moderate risk’ keywords, and which appear to constitute cases of brand impersonation
Hostnames and (in brackets) identity of the apparently impersonated brand in each case (top to bottom):
pay.com-support.services (pay.com)
hiup.com-official.asia (hiup.com.vn)
varilin.com-official.asia (Varilin – healthcare product)
cn.com-pinggu.online (China Agricultural University – actually en.cau.edu.cn)
jordan.com-online.shop (Coach – main website actually coach.com, not jordan.com)
Conclusion
The analysis highlights how these types of non-brand-specific domain names can be utilised in the construction of highly effective infringements. Whilst almost none of the hostnames resolved to live fraudulent content as of the date of analysis, the nature of many of the hostnames is highly suggestive of fraudulent intent, and it is likely that many have previously been utilised for short-lived campaigns (as seen by the browser warning pages present in many cases), or have not yet been ‘weaponised’ (highlighting the importance of ongoing content tracking). It is also noteworthy that the analysis sees only a tiny proportion of the ‘universe’ of potential examples of such scams, since we are considering only a subset of the potentially relevant domain names (gTLD ‘com-’ names only), the direct checks cover only a limited group of brands, the subdomain detection is not comprehensive, we have considered only the homepages of the sites in question, and we have browsed only from desktop devices (whereas some sites may be intended to be viewable only from mobile browsers, for example).
The detection of these types of scam presents an additional level of difficulty compared with the identification of branded domain names, since they are not straightforwardly identified through standard domain-monitoring techniques. Accordingly, an awareness of this type of infringement can be extremely valuable, even though additional monitoring approaches are required to actually detect the relevant subdomains: passive DNS analysis and certificate transparency analysis, the types of tools and databases outlined in this study, and potentially also other techniques such as the use of spam traps and direct subdomain checks (including for misspellings).
The issues presented in this study are also relevant to the idea of threat quantification[11],[12], where – for example – ‘com-’ domains (and others amenable to use in similar ways) should be considered particularly high-risk, and probably comprise an area worthy of specific monitoring, in wider holistic brand-monitoring services.
[1] ‘Patterns in Brand Monitoring’ (D.N. Barnett, Business Expert Press, 2025), Chapter 7: ‘Creation of deceptive URLs’
[2] The subdomain of a URL is the portion prior to the domain name, and separated from it by a dot (‘.’) (e.g. ‘www’ in ‘www.iamstobbs.com’), and the hostname is the subdomain name and domain name combined.
[3] https://www.circleid.com/posts/20210615-phishing-scams-how-to-spot-them-and-stop-them/
[4] https://circleid.com/posts/20220504-the-world-of-the-subdomain
[5] A gTLD is a generic top-level domain (i.e. domain extension), and includes legacy examples such as .com, .net, etc., and a group of around 1,100 new extensions (‘new-gTLDs’) which have launched in the period since 2012.
[6] ‘Moderate concern’ keywords: bank, connect, extranet, help, listing, official, online, pack*, server, support, sys*, tech; ‘high concern’ keywords: account, auth, -id, parce*, secur*, sign, track.
[7] https://www.stationx.net/phishing-statistics/ – i.e. linkedin, dhl, google, microsoft, fedex, whatsapp, amazon, maersk, aliexpress, apple.
[8] https://github.com/aboul3la/Sublist3r
[9] https://circleid.com/posts/20240528-exploring-the-domain-of-subdomain-discovery
[10] N.B. Some additional examples were identified displaying cPanel, or cPanel Webmail or WHM log-in pages; it is unclear whether these also comprise instances of brand impersonation or whether they may be legitimate domain configuration pages.
[11] ‘Patterns in Brand Monitoring’ (D.N. Barnett, Business Expert Press, 2025), Chapter 5: ‘Prioritization criteria for specific types of content’
[12] ‘“Notorious IP Addresses” and initial steps towards the formulation of an overall threat score for websites’, Stobbs blog [link TBC]