iQ Risk Alert Reports
Highlighting potentially malicious domain name patterns
Across Multiple TLDs: Yes (6)
Pattern: The domains follow a consistent pattern starting with "com-track" followed by random combinations of letters, typically 3-5 characters in length. Many combinations appear to use letters that are adjacent on the keyboard (e.g., vwx, wxc, fvc). The prefix "com-track" could be attempting to mimic tracking or shipping-related services, potentially for phishing campaigns targeting logistics or package delivery services.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
About this Data: This report was generated using advanced algorithms and techniques to identify patterns and anomalies indicative of malicious activity. While this data has been carefully analysed, it is possible that some domains may be false positives. For more info, visit https://iq.global/iq-risk-score
Across Multiple TLDs: Yes (4)
Pattern: The domains show multiple variations of Canada Post's name, combining English "Canada Post" and French "Postes Canada" with various suffixes.
They primarily use these patterns:
"canadapost-postescanada" followed by two or three letters
"canadaespost-postescanada" followed by single letters or words
"canadaespost-postcanada" variations
The extensive use of different combinations and the bilingual approach (English/French) suggests a sophisticated phishing campaign targeting Canadian postal service users. Many domains include location identifiers or random letter combinations.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (6)
Pattern: The domains consistently use variations of "usps-us" or "us-usps" followed by short letter combinations or location references (like nyc, wa, tex). They appear to be impersonating the United States Postal Service (USPS) with various geographic or random identifiers. The use of multiple TLDs such as .top, .mom, .xyz, .live, and the inclusion of location-specific abbreviations suggests a sophisticated phishing campaign targeting USPS customers across different regions.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (8)
Pattern: The domains appear to be targeting information about VTAMA (tapinarof), a prescription medicine, and FDA drug approvals. The use of multiple TLDs suggests a sophisticated campaign possibly aimed at capturing traffic related to drug approval information or potentially distributing unauthorised pharmaceutical products.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (4)
Pattern: The domains consistently use variations and misspellings of "google" as their base, followed by seemingly random letter combinations or words. This pattern suggests a malicious campaign targeting Google's brand name. The use of multiple TLDs indicates an attempt to capture traffic across different domain extensions.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (2)
Pattern: The domains consistently use variations of "canadapost-postescanada" followed by one or more letters. They appear to be impersonating or targeting Canada Post, the country's primary postal operator. The use of both English "Canada Post" and French "Postes Canada" in the domain names suggests an attempt to appear legitimate to both English and French-speaking Canadians. This pattern could be indicative of a phishing campaign targeting Canadian postal service users.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (5)
Pattern: The domains consistently use variations of "lasereyesurgery" followed by numbers. They appear to be targeting individuals interested in or searching for information about laser eye surgery. The use of multiple TLDs suggests an attempt to cast a wide net and potentially capture traffic across various domain extensions.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (2)
Pattern: The domains follow a consistent pattern of "newsi-october" followed by a number. The combination of "newsi" (potentially short for "news") and "october" might suggest a campaign related to news or information distribution, possibly targeting a specific time period or event in October.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: The domains follow a consistent pattern of "startup-business-" followed by a five-digit number. All domains use the .bond TLD, which may be an attempt to associate with financial instruments or investment opportunities. This pattern suggests a potential large-scale campaign targeting individuals interested in startup businesses or investments.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (4)
Pattern: The domains follow a pattern of "personal-loans" or "loans-personal" followed by numbers and occasionally a country code. They appear to be targeting individuals seeking personal loans, potentially for phishing or scam purposes.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (7)
Pattern: The majority of domain names in this list appear to be typosquatting variations of "Netflix", a popular streaming service. These domains use slight misspellings or alterations of the Netflix brand name, which could be an attempt to deceive users into visiting fraudulent websites. Some domains incorporate additional words or letters that may be related to streaming or entertainment services.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: The domain names follow a consistent pattern of "click" followed by a 3-letter combination and ending with "wages". This pattern suggests a bulk registration of domains potentially related to a click-based wage or payment system. The use of similar domain structures could indicate an attempt to create multiple entry points for a website, possibly for affiliate marketing, or potentially for phishing purposes.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: The domain names follow a consistent pattern of "pokerdom-casino-" followed by a 2-3 letter/number combination. This pattern suggests a bulk registration of domains related to the "Pokerdom Casino" brand. The use of various suffixes could indicate an attempt to create multiple entry points for a gambling-related website or potentially for phishing purposes.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (7)
Pattern: The pattern consists of 6-digit numbers (occasionally 5 or 7 digits) used as domain names. These numeric domains are registered across multiple TLDs. The volume of similar numeric domains suggests a coordinated, automated registration effort, which is often associated with potentially malicious activities. Registering the same numeric patterns across various top-level domains could be an attempt to create redundancy or evade blocking/filtering measures.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: Once again we're seeing usage of multiple casino brand names. The pattern consists of various online casino brand names (e.g., "vavada", "lev", "leonbets", "kent", "gama", "eldorado", "champion", "r7", "pokerdom", "jozz") followed by "-casino-" and a three-letter combination. Some variations include numbers or slightly different formats.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: The pattern consists of cleaning service keywords (primarily "housecleaning", but also "guttercleaning", "windowcleaning", and "washpressurecleaning") followed by "-vort" or "-vortps", then a combination of letters and numbers (e.g., "tta5", "ttp1", "ffpal3"), and ending with location identifiers and sequential numbers.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: The pattern consists of "leonbets-casino-" followed by a combination of 4 characters, typically including lowercase letters and numbers. In some cases, "bk-" is inserted before the 4-character combination.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: No
Pattern: The pattern consists of service-related keywords (e.g., "airconditionercompany", "securityservices", "concreterepaircompany") followed by "-vort-" or "-vortps-", then a combination of letters and numbers (e.g., "ttp1", "tta5", "ffpio"), and ending with location identifiers and sequential numbers.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Across Multiple TLDs: Yes (1)
Pattern: The pattern consists of casino brand names ("pokerdom", "gama", "kent") followed by "-casino-" and a three-letter combination. The three-letter combinations appear to be randomly generated.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.
Date: 01-08-2024
Across Multiple TLDs: Yes (1)
Pattern: The pattern consists of cleaning service keywords (primarily "housecleaning", but also "guttercleaning" and "windowcleaning") followed by "-vort" or "-vortps", then a combination of letters and numbers (e.g., "ttp1", "tta3", "ffpal1"), and ending with location identifiers and sequential numbers.
Sample Domains:
Note: This list is a snippet of a larger dataset and not exhaustive.