Press Releases

DomainTools Uncovers Spoofed Media Domains in “State of the Domain” Study

SEATTLE, WA, February 20, 2019DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today announced the results of its quarterly “State of the Domain” research. The study analyzed some of the top media outlets in the U.S. to determine their susceptibility to domain-squatting and spoofed domains, which may be used for the dissemination of disinformation campaigns or other malicious activities. Based on analysis of news sources including The New York Times, USA Today, CSO, The Washington Post, Krebs on Security, and more, DomainTools discovered nearly 200 fraudulent domains that were nearly identical to the publications’ legitimate domain names.

“As distrust of traditional media continues to grow, and individuals continue to consume social networks as trusted news sources, protecting the public from disinformation campaigns has become pertinent to the democratic process,” said Corin Imai, senior security advisor, DomainTools. “Our research underscores the need for media outlets to leverage cyber threat intelligence and maintain vigilance over efforts to undermine their credibility. Further, educational campaigns that raise awareness about these issues will continue to be necessary in mitigating risks that come with malicious activity targeted at legitimate media sources.”

The research sheds light on how malicious actors use typo-squatting and spoofing on domains as tactics to carry out malicious campaigns. These campaigns can potentially exfiltrate personally identifiable information, download malware to a device, or spoof news sites to spread disinformation to the public. Imai further explained the method by which these campaigns are successful: “Phishing carried out by typosquatting domain campaigns are particularly worrisome as they allow for seemingly trusted websites, with legitimate SSL certificates, to trick Internet users into a false sense of security. Part of what makes these domains appear legitimate is the attackers re-purpose once valid Internet real-estate. Attackers ‘squat’ on old, once legitimate domains, which buys them time to iron out any inconsistencies with their attack infrastructure. This tactic, coupled with the median global dwell time of 101 days, allows them to ‘fly under the radar’ for a period of time.”

DomainTools phishing detection solution, PhishEye, enables organizations to identify existing and new domains that spoof legitimate brands, products, organizations, or other key terms, so that you can carry out defensive or investigative actions against them. Additionally, PhishEye uses Risk Score to bubble up especially nefarious domains in order to help prioritize threats and assess potential risk.

Those who consume news online are advised to keep a watchful eye out for domains that mimic leading news sources with unassuming typos or disguised letters (e.g., ‘rn’ written to appear like the letter ‘m’). Some examples of fraudulent domains with a Risk Score of 70+ (scores of 70-99 indicate domains share proximity to malicious infrastructure) in this research include:

  • nytimesofficial[.]com
  • usatosday[.]com
  • washinqtonpost[.]com
  • bistonglobe[.]com
  • krebsonsecurity[.]org
  • chicagotribunesnews[.]com
  • newsdag[.]com
  • cosonline[.]cn
  • nydaiylnews[.]com

DomainTools offers best practices for consumers and media organizations alike when faced with uncertainty about a suspicious link:

  • Exercise scrutiny, and take a closer look at the email sender
  • Take a more careful look at domains in emails and hover the mouse over a hyperlink before clicking
  • When browsing online to get caught up to speed on the daily news, consider going directly to the source instead of a third-party site as a safer alternative
  • Flag suspicious emails or newsletters and send those straight to the spam folder

About DomainTools

DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at or follow us on Twitter: @domaintools.