Rapid Reads News


Uncovering Potential Black Friday and Thanksgiving Threats with DNS Data


Thanksgiving is right around the corner, bringing celebrations with family and friends and the biggest Black Friday sales of the year. It also brings risk: threat actors routinely exploit major holidays and sales events to lure victims to malicious domains and subdomains registered for the occasion.

The WhoisXML API research team is always on the lookout for current and potential threat sources in a bid to make the Internet a safer place for all. To that end, we recently took a DNS deep dive in search of domains and subdomains that could serve as attack vectors for Thanksgiving- and Black Friday-themed cyber attacks.

Our in-depth investigation led to the discovery of:

A sample of the additional artifacts obtained from our analysis is available for download from our website.

For this study, we obtained our datasets for expansion analysis from our First Watch Malicious Domains Data Feed. We specifically searched for domains containing the text strings blackfriday and thanksgiving and uncovered a sample of 2,091 and 233 domains, respectively, as of 13 November 2024.

A bulk WHOIS lookup for the 2,091 blackfriday domains returned current WHOIS records for only 1,541 of them. Those 1,541 records showed that:

Meanwhile, a bulk WHOIS lookup for the 233 thanksgiving domains returned current WHOIS records for only 175 of them. Those 175 records showed that:

Next, we combined all the blackfriday and thanksgiving domains, with or without current WHOIS records, for a total of 2,324 domains. We queried them on Threat Intelligence API and found that four of them were associated with various threats. One example is blackfriday-best-deals[.]com, which has already been tagged as an indicator of compromise (IoC) for generic threats and phishing.

The bulk WHOIS lookups we performed earlier for the blackfriday and thanksgiving domains uncovered 219 email addresses from their current WHOIS records after duplicates were filtered out. Upon closer scrutiny, we determined that 32 of these email addresses were public.

Querying the 32 public email addresses on Reverse WHOIS API resulted in the discovery of 318 email-connected domains after duplicates and the original domains were removed. Threat Intelligence API showed that one of them -- feiraochevro[.]com -- was associated with a cyber attack.

DNS lookups for the 2,324 original domains (with or without current WHOIS records) revealed that they resolved to 1,250 unique IP addresses -- 464 IPv6 addresses and 786 IPv4 addresses. We focused on the 786 IPv4 addresses for the rest of our analysis.

Threat Intelligence API queries for the 786 IP addresses showed that 635 were associated with various threats. Take a look at five examples below.

A bulk IP geolocation lookup for the 786 IP addresses showed that:
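The expansion workflow described above (keyword search for seed domains, bulk WHOIS, registrant-email deduplication and public-provider classification, reverse WHOIS pivot, DNS resolution split by IP version) is reproduced below as an added, offline Python example. It is not WhoisXML API code and does not call the First Watch feed, Threat Intelligence API or Reverse WHOIS API; the WHOIS and DNS records are constructed sample data, the `.example` names and documentation-range IPs are placeholders, and the list of "public" email providers is an assumption about how such addresses would be classified.

```python
"""Offline reconstruction of the domain-expansion pivots used in holiday-themed
threat hunting. Added example; all data below is constructed, not research output."""
import ipaddress
from collections import defaultdict

# Constructed WHOIS records: domain -> registrant email (None = no current record).
SAMPLE_WHOIS = {
    "blackfriday-best-deals.example": "deals.admin@gmail.com",
    "blackfridaydeals2024.example": "contact@shopholdings.example",
    "mythanksgivingsale.example": "deals.admin@gmail.com",
    "thanksgiving-dinner.example": None,                # no current WHOIS record
    "turkeyday-offers.example": "privacy@registrar-proxy.example",
    "blackfriday.example": "deals.admin@gmail.com",    # same registrant email again
    "summerdeals.example": "deals.admin@gmail.com",    # email-connected, not a seed
    "feiraochevro.example": "contact@shopholdings.example",
    "unrelated.example": "someone@yahoo.com",
}

# Constructed DNS answers: domain -> list of A/AAAA records (empty = does not resolve).
SAMPLE_DNS = {
    "blackfriday-best-deals.example": ["203.0.113.10", "2001:db8::10"],
    "blackfridaydeals2024.example": ["203.0.113.10"],   # shares an IPv4 with the above
    "mythanksgivingsale.example": ["198.51.100.7", "2001:db8::7"],
    "thanksgiving-dinner.example": [],
    "blackfriday.example": ["203.0.113.11"],
}

# Assumption: an address is "public" when its mail domain is a free webmail provider.
PUBLIC_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}


def find_seed_domains(domains, keywords):
    """Step 1: keep domains whose name contains any of the text strings (case-insensitive)."""
    return {d for d in domains if any(k in d.lower() for k in keywords)}


def split_by_whois(seeds, whois):
    """Step 2: separate seeds that have a current WHOIS record from those that do not."""
    with_records = {d for d in seeds if whois.get(d)}
    return with_records, seeds - with_records


def registrant_emails(domains, whois):
    """Step 3: unique registrant emails from domains that have current records."""
    return {whois[d] for d in domains if whois.get(d)}


def public_emails(emails):
    """Step 4: keep only addresses at public providers; proxy/corporate addresses are dropped."""
    return {e for e in emails if e.rsplit("@", 1)[-1].lower() in PUBLIC_EMAIL_PROVIDERS}


def reverse_whois(emails, whois, exclude):
    """Step 5: every other domain registered with one of the given emails (reverse WHOIS pivot),
    minus the original seeds so only newly connected domains remain."""
    by_email = defaultdict(set)
    for domain, email in whois.items():
        if email:
            by_email[email].add(domain)
    connected = set()
    for email in emails:
        connected |= by_email.get(email, set())
    return connected - set(exclude)


def resolve_ips(domains, dns):
    """Step 6: resolve seeds and split the unique addresses into IPv4 and IPv6 sets."""
    v4, v6 = set(), set()
    for d in domains:
        for ip in dns.get(d, []):
            addr = ipaddress.ip_address(ip)
            (v4 if addr.version == 4 else v6).add(str(addr))
    return v4, v6


def shared_hosts(domains, dns):
    """IPs that more than one seed domain resolves to; a useful pivot for clustered campaigns."""
    by_ip = defaultdict(set)
    for d in domains:
        for ip in dns.get(d, []):
            by_ip[str(ipaddress.ip_address(ip))].add(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def run_expansion(whois=SAMPLE_WHOIS, dns=SAMPLE_DNS, keywords=("blackfriday", "thanksgiving")):
    """Run the whole pipeline and return the counts and artifacts at each stage."""
    seeds = find_seed_domains(whois.keys(), keywords)
    with_rec, without_rec = split_by_whois(seeds, whois)
    emails = registrant_emails(with_rec, whois)
    pub = public_emails(emails)
    connected = reverse_whois(pub, whois, exclude=seeds)
    v4, v6 = resolve_ips(seeds, dns)
    return {
        "seeds": seeds, "with_whois": with_rec, "without_whois": without_rec,
        "emails": emails, "public_emails": pub, "connected_domains": connected,
        "ipv4": v4, "ipv6": v6, "shared_ips": shared_hosts(seeds, dns),
    }


if __name__ == "__main__":
    for stage, value in run_expansion().items():
        print(f"{stage}: {value}")
```

On this sample the pivot finds `summerdeals.example` through the shared Gmail registrant but not `feiraochevro.example`, because its registrant uses a corporate address that the public-provider filter discards; that mirrors why the research pivots only on the 32 public addresses and why proxy-protected registrants limit reverse-WHOIS expansion. Swapping the constructed dictionaries for real feed and API output is the only change needed to run it against live data.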

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

