
60+ PayPal Potential Typosquatting Domains Detected in the Beginning of June

PayPal is still one of the most imitated brands on the Internet. From 1-8 June 2020, the Typosquatting Data Feed detected a total of 64 PayPal lookalike domains. The domains appeared on the feed because they were added to the Domain Name System (DNS) on the same day as other similarly named domains. While such clusters can be a result of PayPal's own brand protection strategy, they could also mean that threat actors are planning to use the domains in phishing attacks.

The latter is not an unlikely scenario, especially since IBM X-Force has been releasing different warnings related to various PayPal squatting campaigns. In a little over a year, it issued four notices on these dates:

With this in mind, what can we say about these newly detected domain names?

What We Know About 1-8 June's Newly Registered PayPal Domain Names

Of the 64 domains, half have since been dropped. Listed below are the domains detected within the specified date range that remain active:


Are These Typosquatting Domains?

We can't say for sure whether any of the 32 domains are typosquatting or malicious domains, as PayPal could have registered some of them as part of its typosquatting or brand protection strategy. These domain names could also have been purchased for domaining purposes.

However, we did compare their WHOIS records with those of the legitimate paypal[.]com website via Bulk WHOIS Lookup. Here's what we found out:

  • Their domain registrars include Epic LLC, GoDaddy, Wix.Com Ltd., and Registrar of Domain Names REG.RU, LLC.

  • The registrant names, organizations, and contact information were all anonymized or protected for privacy, or left blank.

  • All domains were registered either in Sweden or Russia, with only one exception. Pay-pal-support[.]xyz was registered in the U.S.

  • On the other hand, the WHOIS details of the official paypal[.]com are as follows:

    Registrar: MarkMonitor, Inc.
    Registrant organization: Paypal Inc.
    Registrant address: 2211 North First Street, San Jose, California

All other information, such as the email address, telephone number, and technical and administrative contact details, is also provided. As such, there is a glaring difference between the WHOIS records of the legitimate PayPal domain and those of its lookalikes.
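The comparison above can be turned into a repeatable triage check: flag every brand lookalike whose registrar, registrant organization or country departs from the brand's own WHOIS profile. This is an added example, not code from the article or from WhoisXML API; the sample WHOIS records are constructed from the findings above, and the lookalike pattern (the brand name with optional hyphens between its letters) is an assumption.

```python
"""Triage brand-lookalike domains by comparing each WHOIS record with the
brand's own profile. Added example with constructed sample records."""
import re

# Reference profile: the paypal[.]com WHOIS summary quoted in the article.
BRAND_PROFILE = {"registrar": "MarkMonitor, Inc.",
                 "registrant_org": "Paypal Inc.",
                 "country": "US"}

# Substrings registrars use when registrant details are hidden.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "protected")


def is_lookalike(domain: str, brand: str = "paypal") -> bool:
    """True if the brand name appears in the registrable label, even with
    hyphens between its letters (catches pay-pal-support[.]xyz)."""
    label = domain.replace("[.]", ".").rsplit(".", 1)[0]  # drop the TLD
    pattern = "-?".join(re.escape(ch) for ch in brand)
    return re.search(pattern, label, re.IGNORECASE) is not None


def registrant_hidden(org) -> bool:
    """Blank or privacy-protected registrant organization."""
    org = (org or "").strip().lower()
    return org == "" or any(m in org for m in PRIVACY_MARKERS)


def triage(whois: dict) -> list:
    """Ways the record departs from the brand profile; empty means the
    record looks like one of the brand's own registrations."""
    reasons = []
    if whois.get("registrar") != BRAND_PROFILE["registrar"]:
        reasons.append("registrar differs from brand registrar")
    if registrant_hidden(whois.get("registrant_org")):
        reasons.append("registrant identity hidden or blank")
    elif whois.get("registrant_org") != BRAND_PROFILE["registrant_org"]:
        reasons.append("registrant organization differs")
    if whois.get("country") != BRAND_PROFILE["country"]:
        reasons.append("registered outside brand's country")
    return reasons


# Constructed sample records modelled on the article's findings.
SAMPLE_WHOIS = {
    "paypal[.]com": {"registrar": "MarkMonitor, Inc.",
                     "registrant_org": "Paypal Inc.", "country": "US"},
    "mypaypal[.]online": {"registrar": "Wix.Com Ltd.",
                          "registrant_org": "REDACTED FOR PRIVACY",
                          "country": "SE"},
    "pay-pal-support[.]xyz": {"registrar": "GoDaddy",
                              "registrant_org": "", "country": "US"},
}

if __name__ == "__main__":
    for name, rec in SAMPLE_WHOIS.items():
        if is_lookalike(name):
            print(name, "->", triage(rec) or ["matches brand profile"])
```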

A Look into PayPal's Typosquatting Protection Strategy

Another reason for treating these 32 lookalike domains as suspicious is that PayPal uses the same WHOIS details for a large number (if not all) of its other domains. We found 2,451 domains that use the same registration details as paypal[.]com.

We were able to look into PayPal's typosquatting strategy with the help of Reverse WHOIS Search. Utilizing its advanced search feature, we specified the following search terms:

Out of the almost 2,500 domains, only seven were registered between 1 May and 9 June 2020, and only one of them can be deemed a lookalike.

Integrating Typosquatting Data Feed could help PayPal protect its brand and its users promptly. By contacting the owners or even the registrars of these domains, PayPal can save its users from becoming victims of phishing, fraud, and other cybercrime.

What Can Victims Lose?

On 8 June, a user with the Twitter handle @JetmanPR warned his followers about a phishing email he received. The email was supposedly from PayPal, alerting him about suspicious activities on his PayPal account.

Image taken from Twitter

The email is clearly fake, judging by the sender's email domain and the glaring grammatical errors in the message. The PayPal user thankfully didn't fall for the ruse. Others were not as lucky.

In May, a woman almost lost £11,000 to scammers after clicking a malicious link embedded in a message that was supposedly from PayPal. Luckily, her bank's fraud team was alerted and fixed everything.


PayPal squatting seemingly remains prevalent, as shown by the Typosquatting Data Feed. PayPal is already educating users about phishing and provides them with an avenue to report such acts. As an additional effort, keeping track of PayPal-inspired domain registrations is possible with Typosquatting Data Feed.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
