Cyber Monday 2017: Fast Flux DNS and Other Cyber Threats to Brands

By Josh Bourne

On November 23, 2016, FairWinds distributed Cyber Monday 2016: Typosquatting – A Threat to Brands and Consumers, a report on how typosquatting impacts 50 of the leading internet retail brands.

FairWinds re-evaluated the 2016 dataset for Cyber Monday 2017: Fast Flux DNS and Other Cyber Threats to Brands. The biggest take away from this year’s analysis is that the number of infringing domains hosted on a Fast Flux DNS platform has more than doubled.

This time last year, we reported 39% of third-party owned typos of the top internet retailers’ primary domain in .COM were hosting malware, phishing, and affiliate program ripoff sites via Fast Flux DNS.

Now, the figure is 80%. The growth came from 828 domains that have been migrated from predominately pay-per-click (PPC) content at this time in 2016 to a Fast Flux DNS platform today.

What is Fast Flux DNS?

As we’ve described in the past, Fast Flux DNS is a hosting platform that monetizes web traffic via an array of results, which change based on factors including the IP address of the visitor.

For example, just prior to posting this blog,, a “missing dot” typo, resolved to the content below suggesting the visitor download the latest copy of Adobe Flash. Needless to say, the download was not the latest copy of Adobe Flash.

Moments later, the same domain resolved to and then, and in both instances the URL included an affiliate ID for the purpose of tracking the session and receiving a commission on the visitor’s purchases.

How does the 2016 Data Compare to the 2017 Data?

While the resolution of the 4,667 .COM typographical variant domains reviewed in 2016 and again in 2017 has changed immensely, very little has changed in terms of ownership:

It is noteworthy that several brands did recover a small set of infringing domains over the past year.

However, most of them were low-value domains as all but one receive no detectable traffic and 66% of the 21 were held by a service that promises to reclaim taken domains in exchange for a period of time when they are granted the right to monetize traffic via the trademark owner’s own affiliate program.

Among the 252 previously cybersquatter-owned domains that became available in the last 12 months, there is essentially no traffic associated with them. This is a clear signal that squatters are cutting domains that do not perform.

One domain,, that was registered to the correct company last Cyber Monday, but was released and subsequently squatted has been enrolled in Fast Flux DNS.

True to the platform, serves up a revolving set of results including a malware version of Adobe Flash update and the company’s own affiliate program. However, since the domain receives no detectable traffic, J. C. Penney Corporation made a reasonable decision not to renew this particular typo.

As of Cyber Monday morning 2017, the domain resolves to with affiliate ID session tracking to earn commissions for the platform and domain owner on all items purchased by visitors.

 The Shift to Fast Flux DNS

With the shift from PPC to Fast Flux DNS parking, there is a case to be made to wipe out all of the infringing domains that are serving up malicious content, but it is not cost effective.

Now more than ever, companies must apply a thoughtful and holistic strategy to their enforcement programs.

Of the 1,602 infringing typo domains in the Cyber Monday 2017 dataset that are currently hosted on the Fast Flux DNS platform:

  • Just 20% (336 domains) receive detectable traffic, averaging 7,349 visitors per month.
  • An eye-catching 80% (1,989,000 visitors) of the monthly traffic across all of the infringements is associated with just the top 30 typosquatted domains.

This is not a surprising finding, as we have seen this kind of unequal distribution in domain datasets over last 10+ years.

When looking at typosquatted domains of leading internet retailers, the shift from PPC to Fast Flux DNS monetization has clearly arrived and it is a significant threat that must be addressed.  This data show that careful target selection and swift action is the immediate solution.

Latest Posts

Scroll to Top