This article investigates the potential threats associated with Christmas-themed domains, revealing a significant number of malicious domains and IP addresses. The findings highlight the importance of vigilance during the holiday shopping season to avoid scams.
#HolidayScams #ThreatIntelligence #DomainAnalysis
- 22,923 Christmas-themed domains were analyzed for potential threats.
- 1,331 email-connected domains were identified.
- 3,229 unique IP addresses were found, with 2,529 classified as malicious.
- 21,035 IP-connected domains were discovered, with 96 deemed malicious.
- 1,436 string-connected subdomains were identified.
- 84% of the domains were newly created in the current year.
- The domains were registered across 65 countries, with Iceland leading.
- A total of 17,188 domains had historical IP resolutions.
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Phishing (T1566): Involves sending fraudulent emails to trick recipients into revealing personal information.
- Credential Dumping (T1003): Extracts account login and password information from compromised systems.
- [domain] 12daysofchristmas[.]info
- [domain] artificialchristmastreesale[.]co[.]uk
- [domain] 5nashvillechristmasbus[.]com
- [domain] yourfunny[.]christmas
- [domain] zen[.]christmas
For many across the globe, Christmas represents a joyous time of celebration and giving. But it can also be a time for worry, especially for those unfortunate enough to get scammed while doing their holiday shopping.
This year, we scoured the DNS for domains and subdomains that contained the text string christmas to identify potentially harmful properties and other connected artifacts.
Jumping off a list of 22,923 christmas domains obtained on 26 November 2024 from First Watch Malicious Domains Data Feed, our in-depth DNS investigation found:
- 1,331 email-connected domains
- 3,229 IP addresses, 2,529 of which turned out to be malicious
- 21,035 IP-connected domains, 96 of which turned out to be malicious
- 1,436 string-connected subdomains
A sample of the additional artifacts obtained from our analysis is available for download from our website.
A Look at the christmas Domains
As mentioned earlier, we began our foray into the DNS in search of Christmas-themed threats by obtaining 22,923 domains containing the string christmas that are either already or likely to turn malicious in the future.
We queried the 22,923 christmas domains on Bulk WHOIS Lookup and found that only 17,051 had current WHOIS records. Take a look at our specific findings below.
- They were spread among 172 different registrars led by Spaceship, which accounted for 10,248 domains. GoDaddy with 1,663 domains; Namecheap with 1,563; NameSilo with 1,251; and 1API with 338 completed the top 5. A total of 1,973 domains were distributed among 167 other registrars, while the remaining 15 didn’t have current registrar data.
-
They were created between 1996 and 2024. Around 84% of the domains, however, were newly created, just this year.
-
They were registered in 65 different countries led by Iceland, which accounted for 11,499 domains. The other top registrant countries were the U.S. with 4,333 domains; Canada with 143; China with 100; the U.K. with 67; Italy with 66; the Netherlands with 45; Germany with 42; Japan with 31; and Spain with 27. A total of 262 domains were registered in 55 other countries, while 436 didn’t have current registrant country data.
We then queried the 22,923 christmas domains on DNS Chronicle API and found that 17,188 had historical IP resolutions ranging from 1 to 20 per domain. In total, the 17,188 domains had 168,578 recorded events from 4 October 2019 to 8 November 2024. Take a look at five examples below.
| DOMAIN | START DATE | LAST DATE | NUMBER OF IP RESOLUTIONS |
|---|---|---|---|
| 12daysofchristmas[.]info | 29 February 2020 | 18 November 2024 | 105 |
| artificialchristmastreesale[.]co[.]uk | 11 July 2024 | 11 November 2024 | 5 |
| nashvillechristmasbus[.]com | 20 February 2020 | 12 October 2024 | 71 |
| yourfunny[.]christmas | 5 May 2024 | 13 October 2024 | 10 |
| zen[.]christmas | 25 December 2023 | 19 November 2024 | 12 |
Hunt for christmas Domain Connections
After analyzing the sample of 22,923 christmas domains, we took a DNS deep dive for potentially connected artifacts.
Our bulk WHOIS lookup earlier provided 629 email addresses after duplicates were filtered out, 73 of which turned out to be public addresses. A query for the public email addresses on Reverse WHOIS API yielded 1,331 email-connected domains after duplicates and the original domains from First Watch Malicious Domains Data Feed were removed.
Next, we queried the 22,923 christmas domains on DNS Lookup API and found that they actively resolved to 3,229 unique IP addresses. A Threat Intelligence API query for the 3,229 IP addresses revealed that 2,529 of them have already been weaponized.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Full Research: https://circleid.com/posts/silent-night-deadly-sites-how-christmas-cyber-threats-lurk-in-the-dns