Why Scanning for Expired Domains Belonging to Big Banks Is so Hot

Published on March 9, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

A growing number of cyber-adventurers spend time in “dumpster diving,” looking for valuable domains that have been left to expire and are up for grabs. Typically, these individuals are searching for domains that used to belong to big financial service providers. As a recent report by Cisco Talos details, these domains are excellent sources of email attack data, and in many cases, they still receive a notable volume of legitimate traffic.

In their analysis, Talos researchers take the example of chartbank.net. The domain once belonged to a Massachusetts-based financial services provider who changed ownership at some point, leaving the original domain to its fate (expiration). The email addresses for the domain still exist in contact databases, and as such, the domain still receives email communication from other users and organizations that were contacts of employees at Chart Bank.

Source: Cisco Talos

This means taking over the expired domain opens up access to populated email archives often containing sensitive or valuable data. There’s an obvious potential for phishing and scamming attacks that arises from this case - and it’s not the only thing that makes expired domains a treasure for those looking to engage in malicious activities.

Because of the legitimate traffic that these domains still receive, a remnant of the past “glorious” times, there’s a very clear potential for monetization. One can very easily register these websites to advertising network services and make money out of them without having to do much else. Talos tested this in practice with the domain they’ve found, and in just two weeks, they recorded 1.1 million requests from 236,776 unique IP addresses.

Source: Cisco Talos

Another notable example of a domain type that is a valuable find is that of “mining pool” domains. The Talos team found an expired one on “minexmr1.com,” registered it, and noticed that it received traffic on ports 3333 and 5555.

After listening there, the researchers realized that there were still mining clients running xmrig and seeking Monero mining jobs. A person finding that could have very easily replaced the server with a crypto-mining proxy and harness all the goodies without giving anything back to the mining clients.

Source: Cisco Talos

The Internet as an entity is over 32 years old today. Naturally, many websites have changed hands, domains were lost in time, owners passed away suddenly, others forgot or lost interest, and businesses changed focus or closed. In conclusion, there’s a lot to be found for those doing domain dumpster diving, and some of it is quite valuable.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: