Phishing via "com-" prefix domains
Phishing is always a "whack-a-mole" game. Attackers come up with new ways to fool victims, and security tools are often a step behind. Messages claiming to collect unpaid tolls are one currently common theme among phishing (smishing?) messages. I just received another one today:

The FBI's Internet Crime Complaint Center warned of these types of messages last April [1]. The message was pretty easily identified as fraud by the "From" number, a phone number in the Philippines. But I found the domain clever.
Florida's toll system is commonly referred to as "Sunpass", and the legitimate website is sunpass.com. The scammer attempted to emulate this name by using a domain that starts with "com-". An unsuspecting user may consider this a valid sunpass.com address.
So I looked at our "newly registered domains" data to see how many "com-*" domains we have, and this prefix is indeed popular, usually followed by a few random characters.
Here are a few examples:
com-typopn.top
com-tyuiop.top
com-uilqsc.top
com-vfgbnj.top
com-wsxder.top
com-xyuoph.top
com-ywbl.top
com-yzgv.top
com-zfrulb.top
Looking at the Top 10 TLDs used for these domains, the usual "dirty" gTLDs like "top" and "XYZ" stick out, but "com", "info" and "us" are also included:
| TLD | Count |
|---|---|
| top | 16,606 |
| com | 12,293 |
| xyz | 3,005 |
| info | 2,731 |
| cfd | 2,413 |
| vip | 2,217 |
| sbs | 1,461 |
| xin | 1,453 |
| us | 1,245 |
| online | 1,140 |
The registrations vary over time, but as of November last year, the registrations have increased somewhat.

Overall, it is likely worthwhile to add a query to your DNS logs to review lookups for these domains. I found 10% of the domains from the last few days in Phishtank. Many of the remaining ones were confirmed malicious as well. Luckily, many appear to have already been taken down. However, I have not spotted a valid site among the last 1,000 registered domains.
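The following is an added example of the DNS log review suggested above; it is not code from the diary or from SANS. It assumes dnsmasq-style "query[TYPE] name from client" log lines, and the sample lines (including the made-up name com-sunpass.info) are constructed for the example. The check looks at the registrable label only, so a domain such as telecom-services.com, whose label merely contains "com-", is not flagged, and it tallies flagged domains per TLD the way the table above does.

```python
import re
from collections import Counter

# Constructed sample DNS query log lines (dnsmasq-style); these are made-up
# entries for the example, not data from the diary.
SAMPLE_LOG = """\
Nov 12 08:01:02 dnsmasq[1234]: query[A] sunpass.com from 10.0.0.5
Nov 12 08:01:03 dnsmasq[1234]: query[A] www.com-typopn.top from 10.0.0.5
Nov 12 08:02:10 dnsmasq[1234]: query[AAAA] com-ywbl.top from 10.0.0.7
Nov 12 08:03:44 dnsmasq[1234]: query[A] mail.example.com from 10.0.0.9
Nov 12 08:04:01 dnsmasq[1234]: query[A] pay.com-sunpass.info from 10.0.0.5
Nov 12 08:05:00 dnsmasq[1234]: query[A] telecom-services.com from 10.0.0.3
"""

# Matches the query type, queried name and client address in a dnsmasq query line.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def registrable_parts(name):
    """Return (second_level_label, tld) for a hostname.

    Assumes a single-label public suffix, which is enough for .top/.com/.info;
    production code should consult the public suffix list so that names under
    suffixes such as co.uk are split correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def is_com_prefix_domain(name):
    """True when the registrable label starts with 'com-' (e.g. com-typopn.top)."""
    parts = registrable_parts(name)
    return parts is not None and parts[0].startswith("com-")


def scan_log(text):
    """Return the flagged query records and a per-TLD count of flagged domains."""
    hits = []
    tld_counts = Counter()
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (startup messages, replies, etc.)
        name = m.group("name")
        if not is_com_prefix_domain(name):
            continue
        sld, tld = registrable_parts(name)
        hits.append({
            "client": m.group("client"),
            "qtype": m.group("qtype"),
            "name": name,
            "domain": f"{sld}.{tld}",
        })
        tld_counts[tld] += 1
    return hits, tld_counts


if __name__ == "__main__":
    flagged, per_tld = scan_log(SAMPLE_LOG)
    for hit in flagged:
        print(f"{hit['client']} looked up {hit['name']} ({hit['qtype']}) -> {hit['domain']}")
    print("flagged domains per TLD:", dict(per_tld))
```

Running the block against the constructed lines flags three lookups (two under .top, one under .info) and leaves sunpass.com and telecom-services.com alone; feeding it a real dnsmasq log is a matter of replacing SAMPLE_LOG with the file contents.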
[1] https://www.ic3.gov/PSA/2024/PSA240412
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu