Q2 2021 Top 10 Most Impersonated Brands in Domains

Q2 2021 Top 10 Most Impersonated Brands in Domains 1

What are the top 10 most impersonated brands in Q2 2021 in terms of spoof domains?

Phishing, monetary gain and supply chain attacks characterise cybercrime - Opera News

Cybercriminals often use spoof domains to impersonate world-renowned brands to trick Internet users into giving their confidential information to them. In addition, they also use these spoof domains as attack vectors to perform cyberattacks, such as malware distribution, ransomware, virus etc.

The easiest way for cybercriminals to do so is to take advantage of the reputation of famous brands. Therefore, they love to impersonate these brands by using domains that contain the brands’ names, use similar typo which involves a brand name or the more advance method of hosting content that mimics the brand’s content. It is important to prevent all these threats by implementing digital brand protection measures.

Cybercriminals love to impersonate famous brands and here are the top 10 most impersonated brands in Q2 2021.

Q2 2021 Top 10 Most Impersonated Brands in Domains 2

The graph above shows that these brands are the most impersonated brands when it comes to spoof domains. It is quite a problem because this means cybercriminals are intentionally registering spoof domains related to these brands to defraud end users. In other words, the domain attack surface size of these brands is large, because there are many spoof domains related to their brand name. As a result, they tend to be more vulnerable and have a higher chance of being taken advantage by cybercriminals to damage their brand reputation and image.

As a part of cybersecurity measures, there is a continual and never-ending process known as domain attack surface discovery. In this process, cybersecurity professionals discover spoof domain and subdomain names related to a brand that can be used as attack vectors to launch cyberattacks. The larger the domain attack surface, the more vulnerable a brand is. On the other hand, the more attack vectors discovered by cybersecurity professionals, the higher the chance to mitigate a cybersecurity incident.

In this blog, we will address these main questions to give you a better idea of what is the domain attack surface for 10 most spoofed brands:

  1. What percentage of the domains discovered can be publicly attributed to the brands they contain?
  2. What top-level domains are mainly used?
  3. Are any of them already considered malicious?

The brands mentioned here are based on a study by Check Point’s Brand Phishing Report. The report lists companies that are found to be the most imitated brands by hackers in their phishing campaigns.

How large is the total domain attack surface size accumulated across these 10 brands?

The 10 brands accumulated over 42,000 domains and subdomains as per the data sample prepared by WhoisXML API, a domain research, WHOIS, DNS, and threat intelligence API and data provider. These domains were added from 1 July to 3 August 2021, roughly at least 12,000 domains and 30,000 subdomains, added within a span of only four weeks. A more detailed breakup for the numbers of each brand is shown in the chart below.

Q2 2021 Top 10 Most Impersonated Brands in Domains 3

Although Microsoft is the most impersonated brand, the chart clearly shows that Amazon has a much larger domain attack surface, compared to Microsoft. Amazon is used in close to 12,000 domains and subdomains, compared to Microsoft at roughly 1,000 domains and subdomains. Some examples of the domains and subdomains are shown in the image below:

Q2 2021 Top 10 Most Impersonated Brands in Domains 4

How many of these domains and subdomains are publicly attributable to the brands they contain?

Highly skilled & well-funded: The new booming threat in cybercrime |  2021-03-01 | Security Magazine

For the discovered 42,000 domains and subdomains, some of them are likely owned by the brand’s owners, whereas most of them are spoof domains. WhoisXML API did some investigation by checking the registrant email addresses of the brands’ official domains from WHOIS Search and WHOIS History Search. The email addresses were then compared to the WHOIS records of these 42,000 domains through Bulk WHOIS Lookup.

60% of these domains return a result, and the rest could not be verified probably due to them already dropped by the owner. Of these domains that return a result, only 24 domains or 0.09% of the 42,000 domains use the same official registrant email addresses as the brands’ official domains. Hence, the investigation’s conclusion is that 99.91% of these 42,000 domains are spoof and cannot be publicly attributed to the brands and could have been registered and managed by other entities, including cybercriminals.

What is the distribution of the top-level domain (TLD) among these domains?

WhoisXML API also found something interesting when analysing the TLD distribution of these 42,000 domains. It found out that for these 10 most imitated brands, 35% of them falls under the .com space, while the rest are distributed across 209 other TLDs, including country-code TLDs. The top 10 TLDs are shown below:

Q2 2021 Top 10 Most Impersonated Brands in Domains 5

How malicious are these domains?

Expired Domains Leading Users to Malicious Websites

WhoisXML API also did some further investigation to check the malicious status of these domains. It took 30% of the samples and ran threat analysis on these domains to see if they have been reported as malicious. Disturbingly enough, 68% of these samples which were analysed for threats are listed on blocklist sites, such as VirusTotal and Google Safe Browsing. These domains are usually only 1 to 2 months old at the time of writing, and have already been reported as malicious.


Q2 2021 Top 10 Most Impersonated Brands in Domains 6

In summary, the top 10 most impersonated brands in Q2 2021 have been linked to around 42,000 of spoof domains and subdomains. These domains were added in just a short 4 weeks only, and almost all of them cannot be publicly attributed to the brands they contain. To make things worse, 30% of the samples used to perform threat analysis are malicious. This study shows the severity of domain spoofing is not to be taken lightly, and that a large domain attack surface is very real and pose significant threats. WebNIC would like to ask you to make sure to take cybersecurity seriously for your business or your customers’ business. As a starter, you may check out our Sectigo Web service, a modern all-in-one and comprehensive web security service.

About WebNIC


WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at inquiry@info.webnic.cc.