Probing Credential Phishing-Related Domain Names | WhoisXML API

A Look at Thousands of Credential Phishing-Related Domain Names

Cofense researchers found that more than half of the millions of emails they analyzed were credential phishing emails.[1] To see how prevalent these are in the domain world, we extracted domains that contain account-related text strings, such as “login,” “signin,” and “password.” When used alongside popular company names like PayPal and Amazon, these account-related text strings can make phishing emails appear more credible.

We collated our findings in a spreadsheet containing:

  • Thousands of domains possibly targeting PayPal users, containing the text string “paypal” alongside “activation,” “password,” “login,” “signin,” and “ticket”
  • Thousands of domains possibly targeting Amazon users and sellers, containing the text string “amazon” alongside “shop,” “password,” “login,” “signin,” and “payment”
  • Thousands of malicious domains in the dataset, indicating that a significant number of the uncovered domains have already been used in cyber attacks
  • The top 10 TLDs by volume among the malicious domains

Download the spreadsheet now to access the complete list of identified artifacts that can be used to conduct additional enrichment and threat analysis.
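The brand-plus-keyword matching described above can be sketched as a triage filter over a domain feed. This is an added example, not WhoisXML API's code: the official-domain allowlist, the function names and the sample domains are assumptions constructed for illustration, and the TLD tally covers all matches rather than only domains confirmed as malicious.

```python
from collections import Counter

# Brand/keyword pairs taken from the page's description of the dataset.
BRAND_KEYWORDS = {
    "paypal": ("activation", "password", "login", "signin", "ticket"),
    "amazon": ("shop", "password", "login", "signin", "payment"),
}
# Assumption: domains the brands operate themselves, excluded from matches.
OFFICIAL = {"paypal.com", "amazon.com"}


def match_domain(domain):
    """Return (name, brand, keyword) when a name pairs a brand with an account term."""
    name = domain.strip().lower().rstrip(".")
    if name in OFFICIAL or any(name.endswith("." + d) for d in OFFICIAL):
        return None
    # Search every label except the TLD, so "shop" in ".shop" alone does not count.
    body = ".".join(name.split(".")[:-1])
    for brand, keywords in BRAND_KEYWORDS.items():
        kw = next((k for k in keywords if k in body), None)
        if brand in body and kw:
            return name, brand, kw
    return None


def triage(domains, top_n=10):
    """Group matching domains by brand and count TLDs across all matches."""
    hits = {brand: [] for brand in BRAND_KEYWORDS}
    tlds = Counter()
    for d in domains:
        m = match_domain(d)
        if m:
            name, brand, _ = m
            hits[brand].append(name)
            tlds[name.rsplit(".", 1)[-1]] += 1
    return hits, tlds.most_common(top_n)


# Constructed sample input (not taken from the report's spreadsheet).
SAMPLE = [
    "paypal-login-verify.example", "signin.paypal.com",
    "amazon-payment-update.test", "secure-amazon.shop",
    "amazonshop-deals.example", "paypa1-login.example", "Ticket-PayPal.TEST.",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Plain substring matching misses look-alike spellings such as the constructed `paypa1-login.example`, so a match list built this way is a starting point for enrichment, not a verdict.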


  • [1]