Day Old Domains
As a result of analyzing online fraud and malicious content over many years, there are several truisms that we know are never wrong. One of them is simple: DAY OLD DOMAINS ARE MALICIOUS!
A domain is the name purchased from a registrar, such as GoDaddy, that will be used to represent a website. It is possible to purchase and hold onto a domain name without putting up a website; that practice is called “parking.” There are lots of parked domains, some held for resale by their owners. But most domains are used to represent a website: because the domain name is registered and associated with an Internet address (an IP address), “name servers” know where to send people when they click a link to reach your website.
Here is an example of what we mean by day old domains… “Do you suffer from yeast infections?” This email, sent from newsletter “@” sellergo[.]info, wants to help by offering a trial to a supplement from Nutra Prosper called Fresh Flora. Except that this email didn’t come from the manufacturers of this supplement! [NOTE: TDS is not endorsing Nutra Prosper or Fresh Flora supplement. Consumers would be wise to do their “due diligence” and read reviews from legitimate websites about this unregulated product.]
We visited a WHOIS tool to see when the domain sellergo[.]info was registered. Unsurprisingly, we learned that it was registered in India the day before we received this email. (See the screenshot below.) Legitimate businesses often register their domains months, and even a year, in advance of the appearance of their website. One example is the domain TheDailyScam.com. We knew we wanted that name for our website and registered it in late March 2012. However, it took us more than a year to build our website to accompany that domain. Building a good website takes time. By contrast, when people are contacted from, or receive links to, domain names that are a day old or even just a few weeks old, those domains (and any website found there) are automatically suspicious!
Here’s another example... And we want you to practice using a WHOIS so you can see how easy it is! Check out this email from “Gwendolyn” about a new position available at Apple Computer, or so it seems. It’s important to look at BOTH the domain name that follows the “@” symbol of the FROM address, as well as the domain that appears when you mouse-over the primary link(s) in the email. On January 6, this email came from the domain containdeadly[.]club and the links point to another domain called eveninglog[.]site.
While there are many WHOIS tools across the Internet, some are better than others. Our favorite tool is WHOIS.sc. (WHOIS.sc limits the number of lookups you can make in a day unless you register for an account. You also may have to check the “CAPTCHA” that reads “I am not a robot” to prove you are a human being.) Visit WHOIS.sc and enter the domain names from the previous paragraph WITHOUT brackets around the periods. Look for the date that the record was created! How do these dates compare with the email going out on January 6?
Hopefully you’ve discovered that both domains were registered less than 24 hours before this email was sent! Criminals have a short window to misuse domains before they are identified and shut down or blacklisted. That’s the primary reason why they rely heavily on newly registered domains as a means to infect people’s computers. Keep in mind that this does not mean a legitimate and older website cannot be hacked and used for malicious purposes! It happens all the time, but it is harder for criminals to hack a website than it is to register a new malicious domain.
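The same check, done in code: this is an added example, not a tool from The Daily Scam. It assumes you have already fetched the WHOIS text for each domain (the records below are constructed stand-ins whose dates mirror the January 6 example), pulls the domain out of the FROM address and out of every link, and buckets each one by how old it was when the email arrived.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed WHOIS excerpts (not real lookups). The dates mirror the page's
# examples: two domains created the day before the January 6 email, plus a
# placeholder for an established domain registered years earlier.
SAMPLE_WHOIS = {
    "containdeadly.club": "Domain Name: CONTAINDEADLY.CLUB\nCreation Date: 2020-01-05T09:14:02Z\n",
    "eveninglog.site": "Domain Name: EVENINGLOG.SITE\nCreated On: 2020-01-05 21:40:55\n",
    "old-example.com": "Domain Name: OLD-EXAMPLE.COM\nCreation Date: 2012-03-28T00:00:00Z\n",
}

# Registrars label the creation field differently; match the common spellings.
CREATED_RE = re.compile(r"^\s*(?:Creation Date|Created On|Registered On|created):\s*(.+?)\s*$",
                        re.IGNORECASE | re.MULTILINE)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")

def parse_creation_date(whois_text):
    """Return the record's creation timestamp (UTC), or None if not found."""
    m = CREATED_RE.search(whois_text)
    if not m:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None

def classify_age(whois_text, seen_at, young_days=30):
    """Bucket a domain by how old it was when the email was received."""
    created = parse_creation_date(whois_text)
    if created is None:
        return "unknown"
    age = seen_at - created
    if age < timedelta(days=1):
        return "day-old"            # the page's rule of thumb: treat as malicious
    if age < timedelta(days=young_days):
        return "newly-registered"   # a few weeks old is still suspicious
    return "established"

def triage_email(sender, links, seen_at, whois_lookup):
    """Check the FROM domain and every link domain, as the article advises."""
    domains = {sender.rsplit("@", 1)[-1].lower()}
    domains.update(urlparse(u).hostname.lower() for u in links)
    return {d: classify_age(whois_lookup.get(d, ""), seen_at) for d in sorted(domains)}

if __name__ == "__main__":
    received = datetime(2020, 1, 6, 8, 0, tzinfo=timezone.utc)
    print(triage_email("gwendolyn@containdeadly.club",
                       ["http://eveninglog.site/apply", "https://old-example.com/x"],
                       received, SAMPLE_WHOIS))
```

Any domain that comes back "day-old" or "newly-registered" is the one to treat with the suspicion the article describes; "unknown" means the record had no creation date and needs a manual look.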
Think you’ve got it? Here’s one more example for you to try your skills using a WHOIS. The subject line in this email is really strange… “What strangers are thinking when they see you.” It’s about body shaming and trying to manipulate people who are overweight to click what they think is a link to a YouTube video. However, the link points to the domain softwin[.]us. This email hit our inbox on January 3, 2020. When was the domain registered? (See answer in the screenshot below.) And in case there was any doubt, the Zulu URL Risk Analyzer tells us that there is an 80% chance that the links in this email are malicious.