Live Webinar: Join us for a deep dive into P2P messaging scams like never before. Register now  

Resources > Blog > New Year, New Scams - Health product scam campaigns abusing cheap TLDs

New Year, New Scams – Health product scam campaigns abusing cheap TLDs

In recent months, we’ve noticed an increased number of high-volume health product campaigns that exploit cheap top-level domains (TLDs), reaching up to 60% of a TLD’s daily domain registrations.

This blog looks at current trends around health product scams and examines some of the TLDs providing domain names for these large campaigns.  

Dragons’ Dens and Shark Tanks

Health product scams frequently take the form of fake news articles, often impersonating specific newspapers and featuring celebrity endorsements from well-known media figures who have supposedly used the products that are targeted. In this sense, they are similar to the cryptocurrency investment scams we’ve blogged about previously.

Recent scams impersonate organizations such as Fox News, the Daily Mail, The Today Show, and the New York Times, with the latest campaign of health product scams centered around products backed by the judges from the popular TV series Shark Tank (in the US) or Dragons’ Den (in the UK).

A screenshot of a website claiming to be supported by Shark Tank

These articles then use affiliate links to direct users to landing pages that sell products, especially weight loss gummies that purport to induce ketosis, but also other products such as skincare creams, erectile dysfunction supplements, and teeth whitening kits.  

The products (and even the landing pages selling them) may be legal. Still, fake news articles that lure victims to these sites frequently misrepresent the product with false claims and often profit from affiliate marketing. In fact, in the US, the Federal Trade Commission released a consumer warning following the Shark Tank campaigns, which leads with the headline ‘Did your favorite Shark Tank celebrity really endorse THAT? Probably not.’

We often see these types of scams advertised on social media platforms such as Facebook, where accounts have been compromised using credentials captured by a phishing website, similar to how LinusTechTips was compromised to share cryptoscams. These compromised Facebook accounts then bulk-post images and videos advertising the products, tagging the compromised user’s friends, to reach as many news feeds as possible.

A screenshot of an advert posted by a compromised facebook account.

TLDs: how low can you go?

Back in 1994, RFC 1591 described the structure of DNS at that time, with there being two types of TLDs (country-specific and generic). The generic TLDs available at the time were EDU, COM, NET, ORG, GOV, MIL, and INT. The RFC says that “It is extremely unlikely that any other TLDs will be created”.  

This declaration has not stood the test of time. 

The root zone has grown to hold a huge number of TLDs, the vast majority of which are gTLDs.

Graph showing number of TLDs by year

Registrar offers domains for as low as $0.99 per year. This is as cheap as domain names have been since Freenom halted registrations of its free domains earlier this year.

The cheap domain pricing on these TLDs allows criminals to cost-effectively spread their campaigns over a large number of domains. This makes it harder to perform countermeasures against cyber-attacks, as the campaign can be spread across more infrastructure. Fortunately, Netcraft leverages extensive automation to effectively take down large cybercrime campaigns.


The .sbs TLD was originally registered by the Australian Special Broadcasting Service (SBS) for private use in 2014. In 2020, SBS terminated the TLD, and it was acquired by ShortDot to be launched as a gTLD. It’s now branded as ‘side by side’, and marketed as an option for “social welfare, progressive, and/or virtual-oriented” entities. Domains under .sbs can be registered for as little as $0.99.

There was a huge spike in .sbs use in the summer of 2023, with 1,579 distinct IP addresses hosting health product scams in June and 6,725 in July. In the preceding 12 months, we blocked on average 110 attacks on .sbs every month.  

Graph showing IP addresses with new blocked attacks on .sbs per month

The campaigns scaled with seemingly randomly generated domain names, e.g. kemlovkc[.]sbs, keqpmdlc[.]sbs and kepxbolc[.]sbs. The attacks peaked on the 30th June with 799 out of 1,722 (46.40%) of .sbs domain registrations used for health product scams.

Graph showing percentage of daily .sbs registrations with health product scams


The .cloud TLD, originally registered in 2014, is managed by the Italian company Aruba PEC SpA, a wholly owned subsidiary of the same Aruba S.p.A. Similar to .sbs, .cloud domains can also be registered for as little as $0.99.

We detected a huge spike in health product scams using this TLD in April and May 2023.

Graph showing IP addresses with new blocked attacks on .cloud per month.

Randomly generated domain names were also used for these campaigns, e.g., ketoepiwuh511[.]cloud,     ketouqijora611[.]cloud, ketobovata711[.]cloud. This peaked on the 26th of May with 786 out of 1317 (59.68%) of .cloud domain registrations used for health product scams.

Graph showing percentage of daily .cloud registrations with health product scams.

How can Netcraft help?

On average, Netcraft blocks over 7,000 health product scams per month (by number of IP addresses). We scan the zone files – comprising the complete records of every registered domain – of the vast majority of TLDs, as well as monitoring Certificate Transparency logs. This gives us broad visibility and coverage over these scam campaigns.  

Netcraft’s cybercrime detection operates 24/7 to discover phishing, health scams, fake shops, and other forms of online fraud through extensive automation, AI, machine learning, and human insight. Our disruption & takedown service ensures that malicious content is blocked and removed quickly and efficiently—typically within hours.  

To find out how Netcraft’s platform can protect your brand and your customers, you can request a demo at, or find out more by visiting our solutions for the healthcare sector.