The U.S. Independence Day comes with both fireworks and the best deals. On this holiday, retailers usually offer big discounts. At this time when people may opt to shop online, several publications like TechRadar and Business Insider even curated a list of 4th of July deals from different retailers.

Several days before the celebration, however, we detected thousands of newly registered domains (NRDs) containing the word “deal.” While this might be coincidental, we decided to take a closer look at these registrations aided by bulk domain lookup, DNS lookup, and IP geolocation tools.

What a Bulk Domain Lookup Can Tell Us About the “Deal” Registered Names

On 1 July 2020, the Typosquatting Data Feed detected a total of 3,224 domain names that contain the word “deal.” In fact, there were 3,606 domains present in the complete list of newly registered domains on 1 July whose name contain “deal”. The typosquatting feed collects groups of domains registered on the same day in which each domain name is similar to the others in the same group; the 3,224 domains were thus members of the groups. Notably, 2,996 of them were members of a single such group, while the rest were registered in different batches.

Around 3,205 of these domain names used the .top generic top-level domain (gTLD). While we can’t assume that these domains are automatically suspicious or dangerous, it’s relevant to note that the badness index of .top is at 31.8%.

All of the domains also follow the same format—[xxx]deal[.]top—where “xxx” is a random three-letter combination, possibly indicating the registrants’ intentions to own the majority of these combinations.

A few examples of the domains are shown in the image below:

Checking the Domains’ WHOIS Records Using Bulk WHOIS Lookup

Aside from the apparent similarities in gTLD use and domain format, the domain names also shared some commonalities. We obtained the WHOIS records of a majority of them with the help of our bulk domain lookup tool and found the following:

• Domain registrar: The registrar of circa 99% of the domains is Chengdu West Dimension Digital. The rest of the domains were distributed among Alibaba Cloud Computing; GMO Internet, Inc.; One[.]com; and Tucows, Inc. Chengdu West Dimension Digital; Alibaba Cloud Computing; and GMO Internet, Inc. are among the five registrars that constitute 95% of blacklisted domain names in the .top space.

  

• Registrant organization: While the registrant names have been redacted, the registrant organization of circa 99% of the domains is Ji Ping Xie. A search for the name yielded inconclusive results, so we can’t confirm if such an organization exists or if it may refer to an individual.

  

• Registrant address: The registrant state of all domains that belong to Chengdu West Dimension Digital is Fu Jian in China. All other contact and address details have been redacted for privacy.

Digging Deeper: DNS Lookup and IP Geolocation

All of the details discussed above could be enough to raise a red flag among organizations with stringent cybersecurity measures. Still, some security teams and investigators may want to investigate further.

For instance, we found multiple domain names that resolve to IP addresses that belong to the same IP range with the help of DNS Lookup. The IP addresses are 69[.]30[.]210[.]3, 69[.]30[.]210[.]4, and 69[.]30[.]210[.]6. Some of the domains that resolve to these IP addresses are:

• tijdeal[.]top
• tngdeal[.]top
• xyqdeal[.]top
• pybdeal[.]top
• clideal[.]top

IP Geolocation Lookup revealed that these IP addresses are owned by Kansas City-based WholeSale Internet, and share the same GeoNames ID 12047177. WholeSale Internet offers dedicated servers, including up to five usable IPv4 addresses, depending on the selected plan.

It’s hard to draw definite conclusions about the nature of these “deal” NRDs. The timing of the registrations may have been coincidental with the U.S. Independence Day. Still, monitoring these domain names until they have proven legitimate (or potentially malicious) is certainly a relevant cybersecurity practice.