iQ Risk Alert Reports

Highlighting potentially malicious domain name patterns

December 9, 2024

Across Multiple TLDs: Yes (6)

Pattern: The domains follow a consistent pattern starting with "com-track" followed by random combinations of letters, typically 3-5 characters in length. Many combinations appear to use letters that are adjacent on the keyboard (e.g., vwx, wxc, fvc). The prefix "com-track" could be attempting to mimic tracking or shipping-related services, potentially for phishing campaigns targeting logistics or package delivery services.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

About this Data: This report was generated using advanced algorithms and techniques to identify patterns and anomalies indicative of malicious activity. While this data has been carefully analysed, it is possible that some domains may be false positives. For more info, visit https://iq.global/iq-risk-score

December 2, 2024

Across Multiple TLDs: Yes (4)

Pattern: The domains show multiple variations of Canada Post's name, combining English "Canada Post" and French "Postes Canada" with various suffixes.

They primarily use these patterns:

"canadapost-postescanada" followed by two or three letters
"canadaespost-postescanada" followed by single letters or words
"canadaespost-postcanada" variations


The extensive use of different combinations and the bilingual approach (English/French) suggests a sophisticated phishing campaign targeting Canadian postal service users. Many domains include location identifiers or random letter combinations.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

November 27, 2024

Across Multiple TLDs: Yes (6)

Pattern: The domains consistently use variations of "usps-us" or "us-usps" followed by short letter combinations or location references (like nyc, wa, tex). They appear to be impersonating the United States Postal Service (USPS) with various geographic or random identifiers. The use of multiple TLDs such as .top, .mom, .xyz, .live, and the inclusion of location-specific abbreviations suggests a sophisticated phishing campaign targeting USPS customers across different regions.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

November 21, 2024

Across Multiple TLDs: Yes (8)

Pattern: The domains appear to be targeting information about VTAMA (tapinarof), a prescription medicine, and FDA drug approvals. The use of multiple TLDs suggests a sophisticated campaign possibly aimed at capturing traffic related to drug approval information or potentially distributing unauthorised pharmaceutical products.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

November 5, 2024

Across Multiple TLDs: Yes (4)

Pattern: The domains consistently use variations and misspellings of "google" as their base, followed by seemingly random letter combinations or words. This pattern suggests a malicious campaign targeting Google's brand name. The use of multiple TLDs indicates an attempt to capture traffic across different domain extensions.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

October 31, 2024

Across Multiple TLDs: Yes (2)

Pattern: The domains consistently use variations of "canadapost-postescanada" followed by one or more letters. They appear to be impersonating or targeting Canada Post, the country's primary postal operator. The use of both English "Canada Post" and French "Postes Canada" in the domain names suggests an attempt to appear legitimate to both English and French-speaking Canadians. This pattern could be indicative of a phishing campaign targeting Canadian postal service users.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

October 25, 2024

Across Multiple TLDs: Yes (5)

Pattern: The domains consistently use variations of "lasereyesurgery" followed by numbers. They appear to be targeting individuals interested in or searching for information about laser eye surgery. The use of multiple TLDs suggests an attempt to cast a wide net and potentially capture traffic across various domain extensions.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

October 23, 2024

Across Multiple TLDs: Yes (2)

Pattern: The domains follow a consistent pattern of "newsi-october" followed by a number. The combination of "newsi" (potentially short for "news") and "october" might suggest a campaign related to news or information distribution, possibly targeting a specific time period or event in October.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

October 18, 2024

Across Multiple TLDs: No

Pattern: The domains follow a consistent pattern of "startup-business-" followed by a five-digit number. All domains use the .bond TLD, which may be an attempt to associate with financial instruments or investment opportunities. This pattern suggests a potential large-scale campaign targeting individuals interested in startup businesses or investments.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

October 16, 2024

Across Multiple TLDs: Yes (4)

Pattern: The domains follow a pattern of "personal-loans" or "loans-personal" followed by numbers and occasionally a country code. They appear to be targeting individuals seeking personal loans, potentially for phishing or scam purposes.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

September 26, 2024

Across Multiple TLDs: Yes (7)

Pattern: The majority of domain names in this list appear to be typosquatting variations of "Netflix", a popular streaming service. These domains use slight misspellings or alterations of the Netflix brand name, which could be an attempt to deceive users into visiting fraudulent websites. Some domains incorporate additional words or letters that may be related to streaming or entertainment services.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

September 20, 2024

Across Multiple TLDs: No

Pattern: The domain names follow a consistent pattern of "click" followed by a 3-letter combination and ending with "wages". This pattern suggests a bulk registration of domains potentially related to a click-based wage or payment system. The use of similar domain structures could indicate an attempt to create multiple entry points for a website, possibly for affiliate marketing, or potentially for phishing purposes.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 30, 2024

Across Multiple TLDs: No

Pattern: The domain names follow a consistent pattern of "pokerdom-casino-" followed by a 2-3 letter/number combination. This pattern suggests a bulk registration of domains related to the "Pokerdom Casino" brand. The use of various suffixes could indicate an attempt to create multiple entry points for a gambling-related website or potentially for phishing purposes.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 22, 2024

Across Multiple TLDs: Yes (7)

Pattern: The pattern consists of 6-digit numbers (occasionally 5 or 7 digits) used as domain names. These numeric domains are registered across multiple TLDs. The volume of similar numeric domains suggests a coordinated, automated registration effort, which is often associated with potentially malicious activities. Registering the same numeric patterns across various top-level domains could be an attempt to create redundancy or evade blocking/filtering measures.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 20, 2024

Across Multiple TLDs: No

Pattern: Once again we're seeing usage of multiple casino brand names. The pattern consists of various online casino brand names (e.g., "vavada", "lev", "leonbets", "kent", "gama", "eldorado", "champion", "r7", "pokerdom", "jozz") followed by "-casino-" and a three-letter combination. Some variations include numbers or slightly different formats.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 14, 2024

Across Multiple TLDs: No

Pattern: The pattern consists of cleaning service keywords (primarily "housecleaning", but also "guttercleaning", "windowcleaning", and "washpressurecleaning") followed by "-vort" or "-vortps", then a combination of letters and numbers (e.g., "tta5", "ttp1", "ffpal3"), and ending with location identifiers and sequential numbers.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 13, 2024

Across Multiple TLDs: No

Pattern: The pattern consists of "leonbets-casino-" followed by a combination of 4 characters, typically including lowercase letters and numbers. In some cases, "bk-" is inserted before the 4-character combination.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 7, 2024

Across Multiple TLDs: No

Pattern: The pattern consists of service-related keywords (e.g., "airconditionercompany", "securityservices", "concreterepaircompany") followed by "-vort-" or "-vortps-", then a combination of letters and numbers (e.g., "ttp1", "tta5", "ffpio"), and ending with location identifiers and sequential numbers.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 6, 2024

Across Multiple TLDs: Yes (1)

Pattern: The pattern consists of casino brand names ("pokerdom", "gama", "kent") followed by "-casino-" and a three-letter combination. The three-letter combinations appear to be randomly generated.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.

August 1, 2024

Across Multiple TLDs: Yes (1)

Pattern: The pattern consists of cleaning service keywords (primarily "housecleaning", but also "guttercleaning" and "windowcleaning") followed by "-vort" or "-vortps", then a combination of letters and numbers (e.g., "ttp1", "tta3", "ffpal1"), and ending with location identifiers and sequential numbers.

Sample Domains:

Note: This list is a snippet of a larger dataset and not exhaustive.
