This blog originally appeared in July 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.
Each day, hundreds of thousands of new domains are registered by users around the world. Unfortunately, the simplicity of domain registration makes it simple for attackers to register fraudulent domains for use in phishing campaigns. In fact, according to ICANN, nearly 5.45% of newly registered domains per day are malicious (including phishing, botnets, and malware). This means there are 25,070 newly registered malicious domains per day on average.
On July 16th, 2020, an email appearing to be from the Bill & Melinda Gates Foundation was sent to numerous recipients, seeking donations for the Foundation in Bitcoin. The email enticed potential donors by offering to double any donations received within seven days. The sender domain of the email was strikingly similar to the legitimate foundation’s domain, gatesfoundation.org.
Aside from one letter, the malicious sender domain could easily pass for one belonging to the Gates Foundation. The attacker cleverly employed typosquatting when creating the domain name, just minutes before sending the email. Without close scrutiny, the domain’s typo is indistinguishable from the legitimate domain. The attacker also set up an SPF record for the domain in order to ensure reliable delivery of their attack. Interestingly, this phish was sent just a day after Bill Gates’ Twitter account was hacked and used to tweet a message nearly identical to this email.
Benign Domain: gatesfoundation.org
Malicious Domain: gatesfoundatlon[.]com
Malicious Domain Age: 2020-07-16 17:00:54 +0000 UTC
SPF Record:
gatesfoundatlon[.]com. 1759 IN TXT "v=spf1 include:spf.privateemail.com ~all"
Bitcoin address: 18XJzrgPqYhKKeR2j4vz6wPQorK3sNuNxs
Whois Record for gatesfoundatlon[.]com
Domain name: gatesfoundatlon[.]com
Registry Domain ID: 2546450570_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-07-16T17:00:54.00Z
Registrar Registration Expiration Date: 2021-07-16T17:00:54.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: [email protected]
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-07-15T23:22:34.80Z <<<
Twitter Message From July 15, 2020:
Area 1 uses multiple analysis techniques that leverage insight gained from proactive web crawling and early identification of attacker campaign infrastructure, to detect and stop email from spoofed domains and accounts. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including malicious newly registered domains, that other defenses miss.