#infoblox

Infoblox Threat Intel<p>We've seen it before, but it bears highlighting again: current affairs always lead to a domain gold rush! The newly announced "America Party" has already triggered a wave of sketchy-looking domain registrations, many using the .party TLD. Several redirect to rawdiary[.]com, a five-month-old site hosting third-party articles from sources like OANN, Newsmax and Breitbart, as well as more moderate sources like the FT and the BBC. Others are parked. These domains aren’t inherently malicious, but they're certainly opportunistic and built to look like news. Web content flips fast, so here’s a snapshot of domains unlikely to have been registered for anything in good faith:</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/americaparty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>americaparty</span></a> <a href="https://infosec.exchange/tags/osint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>osint</span></a> <a href="https://infosec.exchange/tags/typosquatting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>typosquatting</span></a></p>
Infoblox Threat Intel<p>Cybercriminals incorporate artificial intelligence (AI) to be more effective across their business functions. In most cases, the technology contributes to the actor's code development or augments their socially engineered attacks. We provided a real example of this last year in September when we published about YouTube account hijackers that use deepfake videos of Elon Musk for a crypto giveaway scam (<a href="https://blogs.infoblox.com/threat-intelligence/no-elon-musk-was-not-in-the-us-presidential-debate/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/no-elon-musk-was-not-in-the-us-presidential-debate/</span></a>). We recently saw similar techniques deployed by a threat actor that we track as Reckless Rabbit (<a href="https://blogs.infoblox.com/threat-intelligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/uncovering-actor-ttp-patterns-and-the-role-of-dns-in-investment-scams/</span></a>). However, instead of YouTube videos, they directly integrate deepfakes into their websites.<br> <br>Reckless Rabbit began targeting Japanese-speaking users several months ago. They deliver fake web articles that promote non-existent investment programs. These are not your typical scam web pages. They've been enriched with deepfake AI-generated videos of high-profile financial leaders including Elon Musk and Masayoshi Son. They also try to add legitimacy to the report by including artificially drafted and positive reviews from fictitious netizens. Traditionally, the news content was mostly comprised of just text, static images, and links.<br> <br>Prior to this change, they were predominantly targeting internet users in Eastern European countries. They continue to use dictionary-based Registered Domain Generation Algorithm (RDGA) domains and Facebook ads for navigating victims to fake news articles.<br> <br>Reckless Rabbit employs a variety of article lures; below, we've highlighted domains specifically used in their Japanese investment scam campaigns. These sites employ deepfake videos embedded with Japanese captions. The articles impersonate one of Japan's major newspaper companies, Yomiuri Shimbun, and contain a registration button for the fake investment platform called "Finance Legend". After clicking it, the page redirects the victim to a contact webform. Based on the contents of the articles, presumably the threat actor will follow up with the victim using the provided contact details and encourage them to make a deposit in exchange for a future return that is much greater than the investment.<br> <br>Attached to this message, we've included a screenshot of the fake news article lure, as well as a screen recording of our interaction with the scam website and deepfake video.<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/deepfake" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>deepfake</span></a> <a href="https://infosec.exchange/tags/ai" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ai</span></a> <a href="https://infosec.exchange/tags/elonmusk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>elonmusk</span></a> <a href="https://infosec.exchange/tags/masayoshi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>masayoshi</span></a> <a href="https://infosec.exchange/tags/japan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>japan</span></a> <a href="https://infosec.exchange/tags/yomiurishimbun" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>yomiurishimbun</span></a> <a href="https://infosec.exchange/tags/recklessrabbit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>recklessrabbit</span></a> <a href="https://infosec.exchange/tags/investment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>investment</span></a> <a href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a> <a href="https://infosec.exchange/tags/ddga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ddga</span></a></p>
Infoblox Threat Intel<p>Let us introduce "La Fnac". As some of you may already know, La Fnac is a French retailer, and like most large retailers, they want to sell the coolest things that everyone is talking about. That's why, in 2008, they launched their most innovative service yet: an online portal where you could download the latest must-have ringtone for your flip phone.<br> <br>Of course, they didn't build that online portal themselves. They subcontracted that to another company, and to use their services, they set up a subdomain, 'sonneries-logos.fnac[.]com', on their corporate domain to use a CNAME record that the subcontractor then managed.<br>You should know where this is going now. It seems clear that La Fnac forgot to remove this alias from their DNS after the service was retired. Surprisingly, they weren't alone! In 2017 (much later than we expected), when the CNAME record became dangling, there were 2 European tech companies that still had aliases pointed to it.<br> <br>So, when that ringtone download service started seeing activity again in 2025, it wasn't because of a sudden nostalgic resurgence in late-noughties ringtones. Obviously, it was hijacked and used to redirect people to various fake survey scam webpages.<br> <br>The longer a company exists, the more tech debt it accumulates, which in the case of DNS can mean greater susceptibility to domain hijacking via dangling DNS records. This is not something exclusive to small companies, or companies with smaller tech teams. We've seen this issue affecting large organisations too. If something as cool as downloading ringtones on your flip phone can be forgotten about, don't be surprised when, in 20 years, attackers start leveraging the tech debt you are currently procrastinating over.<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
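The dangling-alias check the post above describes, as an added example rather than Infoblox code: it parses a BIND-style zone snippet, follows each CNAME chain and flags aliases whose chain no longer ends at live records. The zone, the hostnames and the offline resolver below are all constructed for illustration; a real audit would plug in a live DNS lookup.

```python
"""Dangling-CNAME audit for a DNS zone.

Added example, not Infoblox code. Walks every CNAME in a BIND-style zone
snippet, follows the alias chain and reports aliases whose chain ends at a
name that no longer exists (NXDOMAIN), has no records, or loops. The lookup
is injected so this runs offline; in production replace sample_resolver
with a real resolver (dnspython, for instance).
"""
from __future__ import annotations

from typing import Callable, Dict, List, Optional, Tuple

RRset = Optional[List[Tuple[str, str]]]   # list of (rtype, rdata); None = NXDOMAIN
Resolver = Callable[[str], RRset]

# Constructed zone modelled on the post (hypothetical names): a retired
# ringtone-portal alias still pointing at a subcontractor's hostname, plus a
# second alias that chains through it.
SAMPLE_ZONE = """
$ORIGIN example-retailer.test.
www                 300 IN A     192.0.2.10
sonneries-logos     300 IN CNAME ringtones.vendor-example.test.
shop                300 IN CNAME shop-edge.cdn-example.test.
old-promo           300 IN CNAME sonneries-logos.example-retailer.test.
"""

# Constructed snapshot of what the outside world resolves today.
SAMPLE_WORLD: Dict[str, RRset] = {
    "www.example-retailer.test.": [("A", "192.0.2.10")],
    "sonneries-logos.example-retailer.test.": [("CNAME", "ringtones.vendor-example.test.")],
    "shop.example-retailer.test.": [("CNAME", "shop-edge.cdn-example.test.")],
    "old-promo.example-retailer.test.": [("CNAME", "sonneries-logos.example-retailer.test.")],
    "shop-edge.cdn-example.test.": [("A", "198.51.100.7")],
    "ringtones.vendor-example.test.": None,   # the vendor dropped this name years ago
}


def sample_resolver(name: str) -> RRset:
    """Offline stand-in for a DNS lookup; unknown names are NXDOMAIN."""
    return SAMPLE_WORLD.get(name.lower())


def parse_zone(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner FQDN, rtype, rdata) per record line; handles $ORIGIN,
    optional TTL/class tokens and ';' comments. No $TTL or multi-line RRs."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts, idx = line.split(), 1
        if parts[idx].isdigit():          # optional TTL
            idx += 1
        if parts[idx].upper() == "IN":    # optional class
            idx += 1
        rtype, rdata = parts[idx].upper(), " ".join(parts[idx + 1:])
        owner = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}"
        records.append((owner.lower(), rtype, rdata.lower()))
    return records


def follow_chain(name: str, resolve: Resolver, max_hops: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs from `name`. Returns (status, name where the walk stopped);
    status is 'ok' (live records), 'nxdomain', 'nodata' or 'loop'."""
    seen: List[str] = []
    current = name.lower()
    for _ in range(max_hops):
        if current in seen:
            return "loop", current
        seen.append(current)
        rrset = resolve(current)
        if rrset is None:
            return "nxdomain", current
        cnames = [rdata for rtype, rdata in rrset if rtype.upper() == "CNAME"]
        if not cnames:
            return ("ok" if rrset else "nodata"), current
        current = cnames[0].lower()
    return "loop", current


def find_dangling(zone_text: str, resolve: Resolver) -> List[Dict[str, str]]:
    """Every CNAME alias in the zone whose chain does not end at live records."""
    findings: List[Dict[str, str]] = []
    for owner, rtype, target in parse_zone(zone_text):
        if rtype != "CNAME":
            continue
        status, stopped_at = follow_chain(target, resolve)
        if status != "ok":
            findings.append({"alias": owner, "target": target,
                             "status": status, "broken_at": stopped_at})
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, sample_resolver):
        print(f"{f['alias']} -> {f['target']}: {f['status']} at {f['broken_at']}")
```

Both the retired alias and the alias that chains through it are reported, since the walk stops at the same vanished vendor name; a CNAME to a deleted cloud resource typically shows up the same way.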
Infoblox Threat Intel<p>The actors behind widespread toll smishing text campaigns are back, this time with a new campaign impersonating regional DMV agencies. New templates for the smishing texts urge users to pay outstanding traffic tickets via a malicious URL that leads to fake payment sites. Interestingly, these texts are often sent before the domain hosting the site is even registered.<br> <br>They follow similar RDGA patterns to their other campaigns, often hosting the phishing sites on subdomains of SLDs starting with "gov-" to appear legitimate. Sample domains: dmv[.]gov-nft[.]digital, dmv[.]gov-nfy[.]digital, wisdom[.]gov-endbgv[.]vip, michigan[.]gov-etcj[.]cc, azdot[.]gov-ytns[.]cc<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/smishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>smishing</span></a></p>
Renée Burton<p>VexTrio and the malware actors snackable (2/N). </p><p>At the heart of VexTrio is so-called "smartlinks". What is that? BlackHatWorld users explain it well. See pics.</p><p>Smartlinks are the lipstick for the pig called domain cloaking that is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafic and and and) </p><p><a href="https://infosec.exchange/tags/VexTrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VexTrio</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/adtech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>adtech</span></a></p>
Renée Burton<p>The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering. </p><p>VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. All your bases belong to Russian adtech hackers.</p><p>Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. <span class="h-card" translate="no"><a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>briankrebs</span></a></span> tried to make the main points a lot more consumable -- and wrote a fabulous complementary article: read both! </p><p>There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. And more. </p><p>We've given SURBL, Spamhaus, Cloudflare, DomainTools, several registrars, and many security companies over 100k domains. They are also posted on our open GitHub.</p><p>Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfobloxThreatIntel</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> </p><p><a href="https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/</span></a></p><p><a href="https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/06/in</span><span class="invisible">side-a-dark-adtech-empire-fed-by-fake-captchas/</span></a></p>
Infoblox Threat Intel<p>Scammers scamming other scammers so they can scam you? We’ve reached peak scam inception!</p><p>Sites like ScamAdviser are helpful for checking if a website is shady — but guess what? The scammers lurk there too.</p><p>They’re leaving negative reviews against other scam sites (because, of course, there is no honor among thieves), as well as legit sites, pretending to be victims. Why? All so they can drop Telegram or WhatsApp contacts for so-called “crypto recovery services” that supposedly helped them get their stolen money back.</p><p>Spoiler Alert: These are just more scams! <br> <br>They’ll say they’ve recovered your lost crypto - then demand a “release fee” or cut to release it. You’ll pay... and never hear from them again.<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>Selling your car? Scammers still have it 'VIN' for you!<br> <br>We've recently seen a large cluster of domains hosting fake Vehicle Identification Number (VIN) lookup sites — and private car sellers are the target.<br> <br>While this trick isn’t new, it still catches many off guard — especially first-time sellers. Here’s how it usually plays out:<br> <br>- You list your car on platforms like AutoTrader, Craigslist, or Facebook Marketplace.<br>- You're contacted by a keen 'buyer', perhaps asking a few questions to build trust.<br>- The buyer then asks *you* to get a VIN report — but only from a site *they* provide.<br> <br>Red flag: Legitimate buyers wanting to know a vehicle's history are to be expected - they may ask for the VIN to do this themselves - but insisting on a specific site is a classic scam move.<br> <br>Here’s what happens next:<br> <br>- You enter your VIN on the fake site - it teases you with basic info like make and model.<br>- To get the 'full report' you’re asked to pay $20–$40.<br>- At best, you're sent to a legitimate payment provider — but the money goes straight to the scammer.<br>- At worst, you've just entered your card details into a phishing site.<br> <br>Got your report? Good luck contacting that buyer; they're 'Audi 5000' — long gone. As for the report, it's usually worthless — no odometer readings, no previous owners, no insurance history - and of no value to you or a legit buyer.<br> <br>Unsurprisingly, 'VIN' features in their devious domain names, and at the time of writing we identified a large cluster using it with U.S. states and locations, for example:<br> <br> - goldstatevin[.]com<br> - gulfstatevin[.]com<br> - kansasvin[.]com<br> - misissippivin[.]com<br> - utahvincheck[.]com<br> <br>These have since gone offline, hopefully for good. They're not alone, though; the following domains appear to target sellers in Australia and are currently active:<br> <br> - proregocheck[.]com<br> - smartcheckvin[.]com<br> - smartvincheck[.]com<br> - vincheckzone[.]com<br> <br>Tip: If a buyer wants a VIN report, let them sort it out — or use a trusted provider of your own. If they refuse? Tell 'em to hit the road!<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>Eat, Sleep, Scam, Repeat?<br> <br>Losing your life savings to a crypto scam is devastating — but for many victims, the nightmare doesn’t end there.<br> <br>While recently investigating a network of fake cryptocurrency exchanges, we uncovered something even more twisted: a cluster of scam websites posing as law firms offering 'crypto recovery' services.<br> <br>Yep, the very same scammers who stole the funds are now posing as lawyers, pretending to help victims recover what they lost… for a fee, of course.<br> <br>Preying on victim hope and desperation, these scammers have been known to:</p><p>- Contact victims directly using details obtained during the original scam<br>- Advertise openly on social media<br>- Lurk in public forums, targeting those seeking help from the community<br> <br>Using a mix of lookalike sites impersonating legit legal firms and entirely fake entities, often with stolen names and photos of legitimate legal professionals, here are some recent examples of what we've encountered:<br> <br>- Posing as 'Adam &amp; Shawn Law Group'<br> - adamshawnllp[.]com<br> - adamshawnlaw[.]com<br>- Posing as 'Jefferson Caldwell International Law Firm'<br> - jeffersoncaldwelllawgroup[.]com<br>- Posing as 'Schlueter &amp; Associates'<br> - schlueterlawfirm[.]it[.]com<br>- Posing as 'Zojz &amp; Associates Legal Group'<br> - zojz[.]com<br> - zojz[.]cc</p><p>Not only do these domains share registration characteristics with fake crypto exchanges, but we've also observed shared site structures, content and design elements across fake law firms, crypto exchanges and task scam sites.<br> <br>Aside from avoiding the initial scams, be cautious of any 'law firm' that:</p><p>- Sends unsolicited emails or DMs offering crypto recovery help<br>- Has a website with no verifiable legal credentials<br>- Pressures you to pay fees upfront, especially to a third-party entity or via crypto<br>- Uses vague or generic testimonials<br> <br><a 
href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>Last week, Microsoft reported that their Digital Crimes Unit (DCU) and international partners disrupted Lumma Stealer by taking down 2,300 domains critical to the malware's operation. Shortly after, Palo Alto's Unit 42 reported that cyber campaigns that previously dropped Lumma Stealer are now distributing StealC infostealer payloads. We analyzed the DNS infrastructure related to the attacks and discovered a large number of malicious registered domain generation algorithm (RDGA) domains. Based on passive DNS, the threat actor that controls the infrastructure configured the domains to a staging environment via a dedicated Panama IP address (self-signed SSL) before deploying them. We identified 144 unique domains in this IP space, and all of them were detected as "suspicious" by our algorithms 1-2 months before they were activated for malicious activity.<br> <br>Disrupting criminal operations is difficult, and they will find ways to resurface. However, this example proves that blocking connections at the DNS level can often protect users against the new versions before they emerge. The infostealer actors made a quick turn, but we were already blocking their path. Our specialty is in DNS analytics, so we use DNS signatures, as opposed to malware signatures, for preemptive security. We love this stuff.<br> <br>Here are some examples of the RDGA domains:<br> <br>These campaigns share similar TTPs with those that we reported several months ago. The threat actor that we discussed in this post (<a href="https://infosec.exchange/@InfobloxThreatIntel/114027715851469775" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@InfobloxThre</span><span class="invisible">atIntel/114027715851469775</span></a>) also distributed Lumma Stealer and used RDGA domains, but incorporated additional components, such as traffic distribution systems (TDS), web trackers, and cloakers.<br> <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infostealer</span></a> <a href="https://infosec.exchange/tags/lummastealer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lummastealer</span></a> <a 
href="https://infosec.exchange/tags/stealc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>stealc</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/tracker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tracker</span></a> <a href="https://infosec.exchange/tags/cloaker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cloaker</span></a> <a href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a></p>
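The post above describes two DNS-side observations: the same label registered as a block across several cheap TLDs, and domains parked on a staging IP weeks before activation. As an added example (not Infoblox's code or detection algorithm), here are lightweight versions of both checks that a defender can run over their own domain telemetry; the domain list is the one quoted in the post, the passive-DNS rows and the staging address (a TEST-NET placeholder) are constructed, and the TLD watch set and thresholds are our own assumptions.

```python
"""Added example (not Infoblox's code or algorithm): two lightweight checks a
defender can run over domain telemetry to surface RDGA-style sets like the
ones quoted in the post. All sample inputs are constructed."""
from collections import defaultdict
from datetime import date

# Constructed input: the defanged domains quoted in the post plus three
# ordinary domains that must not be flagged.
SAMPLE_DOMAINS = """
2323dot2[.]cfd 2323dot2[.]cyou 2323dot2[.]my 232pip1[.]my 232pip1[.]sbs
832pip[.]cfd 832pip[.]cyou 832pip[.]my 832pip[.]sbs b3cloud[.]cfd b3cloud[.]cyou
b3cloud[.]my b3cloud[.]sbs bin48[.]cfd bin48[.]cyou bin48[.]my bin898293[.]cfd
bin898293[.]cyou bin898293[.]my bin898293[.]sbs bit7dl[.]cfd bit7dl[.]cyou
bit7dl[.]my bit7dl[.]sbs bot113cloud[.]cfd bot113cloud[.]cyou bot113cloud[.]my
example[.]com example[.]org infoblox[.]com
""".split()

# TLDs the post's sample set uses; treating them as a "watch" set is our
# heuristic (assumption), not Infoblox's detection logic.
WATCH_TLDS = frozenset({"cfd", "cyou", "my", "sbs"})


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'foo[.]cfd' back into 'foo.cfd'."""
    return domain.replace("[.]", ".").strip().lower()


def split_sld(domain: str) -> tuple[str, str]:
    """Return (second-level label, TLD); assumes single-label TLDs as in the post."""
    label, _, tld = refang(domain).rpartition(".")
    return label, tld


def cluster_by_label(domains) -> dict[str, set[str]]:
    """Group domains by shared second-level label -> set of TLDs it was seen under."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for d in domains:
        label, tld = split_sld(d)
        if label and tld:
            clusters[label].add(tld)
    return clusters


def rdga_candidates(domains, min_tlds: int = 2) -> dict[str, list[str]]:
    """Labels registered under >= min_tlds TLDs, all of them in WATCH_TLDS.

    A human-chosen label is rarely registered as a block across several cheap
    TLDs at once; an actor bulk-registering RDGA names does exactly that.
    """
    return {
        label: sorted(tlds)
        for label, tlds in cluster_by_label(domains).items()
        if len(tlds) >= min_tlds and tlds <= WATCH_TLDS
    }


def expand_blocklist(candidates: dict[str, list[str]]) -> list[str]:
    """Flatten candidate clusters into full domain names for a DNS blocklist."""
    return sorted(f"{label}.{tld}" for label, tlds in candidates.items() for tld in tlds)


# Constructed passive-DNS rows: (domain, rdata, first_seen). The post describes
# domains first parked on a staging IP and moved to live hosting 1-2 months
# later; STAGING_IP is a TEST-NET placeholder, not the actor's real address.
STAGING_IP = "203.0.113.10"
SAMPLE_PDNS = [
    ("2323dot2.cfd", STAGING_IP, date(2025, 3, 20)),
    ("2323dot2.cfd", "198.51.100.7", date(2025, 5, 22)),
    ("bin48.my", STAGING_IP, date(2025, 4, 1)),
    ("bin48.my", "198.51.100.9", date(2025, 5, 23)),
    ("example.com", "198.51.100.50", date(2020, 1, 1)),
]


def staging_lead_time(records, staging_ip: str = STAGING_IP) -> dict[str, int]:
    """Days each domain sat on the staging IP before its first non-staging record.

    That window is how long a DNS-layer block would have been in place before
    the domain went live. Domains never seen on the staging IP are omitted.
    """
    staged: dict[str, date] = {}
    activated: dict[str, date] = {}
    for domain, rdata, first_seen in records:
        bucket = staged if rdata == staging_ip else activated
        if domain not in bucket or first_seen < bucket[domain]:
            bucket[domain] = first_seen
    return {
        d: (activated[d] - staged[d]).days
        for d in staged
        if d in activated and activated[d] >= staged[d]
    }


if __name__ == "__main__":
    cands = rdga_candidates(SAMPLE_DOMAINS)
    print(f"{len(cands)} RDGA labels, {len(expand_blocklist(cands))} domains")
    print(staging_lead_time(SAMPLE_PDNS))
```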
Infoblox Threat Intel<p>Our latest blog is out! It covers a rising issue that many major organizations experience: Subdomain hijacking through abandoned cloud resources.<br> <br>This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.<br> <br>We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.</p><p><a href="https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a 
href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/HazyHawk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HazyHawk</span></a></p>
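The hijack described in the post above needs a "dangling" DNS record: a CNAME still pointing at a cloud resource name that nobody owns any more, so whoever re-creates that resource serves content under the victim's subdomain. As an added example (not Infoblox's code or the blog's method), this is the zone audit a defender can run to find such records before an actor does; the zone export and resolver state are constructed, and the list of claimable cloud suffixes is an assumption seeded from the hosting platforms named on this page.

```python
"""Added example (not Infoblox's code): find dangling CNAMEs, the precondition
for the subdomain hijacking described in the post. The resolver is injected so
the check runs offline against constructed data; pass live_resolve for real use."""
from typing import Callable, Optional

# Suffixes of cloud hostnames whose left-most label is chosen by whoever creates
# the resource. The first five come from platforms named on this page; the rest
# are an assumption, and a real inventory would be longer and curated.
CLAIMABLE_SUFFIXES = (
    ".web.core.windows.net", ".blob.core.windows.net", ".pages.dev",
    ".netlify.app", ".ondigitalocean.app", ".azurewebsites.net",
    ".cloudfront.net", ".s3.amazonaws.com", ".trafficmanager.net",
)

# Constructed zone export: (owner name, record type, target).
SAMPLE_ZONE = [
    ("www.example.com", "CNAME", "example-prod.azurewebsites.net"),
    ("old-campaign.example.com", "CNAME", "campaign2019.blob.core.windows.net"),
    ("cdn.example.com", "CNAME", "d111111abcdef8.cloudfront.net"),
    ("mail.example.com", "A", "192.0.2.25"),
    ("blog.example.com", "CNAME", "ghs.googlehosted.com"),
]

# Constructed resolver state: the only CNAME targets that still resolve.
LIVE_NAMES = {"example-prod.azurewebsites.net", "ghs.googlehosted.com"}


def stub_resolve(name: str) -> Optional[str]:
    """Offline stand-in for an A lookup: an address, or None for NXDOMAIN."""
    return "198.51.100.1" if name.rstrip(".").lower() in LIVE_NAMES else None


def live_resolve(name: str) -> Optional[str]:
    """Real lookup with dnspython (pip install dnspython); not used offline."""
    import dns.resolver
    try:
        return str(dns.resolver.resolve(name, "A")[0])
    except dns.resolver.NXDOMAIN:
        return None          # name is gone: the resource can be re-created
    except dns.resolver.NoAnswer:
        return ""            # name exists but has no A record: not dangling


def is_claimable(target: str) -> bool:
    """True if the CNAME target lives under a claimable cloud suffix."""
    t = target.rstrip(".").lower()
    return any(t.endswith(s) for s in CLAIMABLE_SUFFIXES)


def find_dangling(zone, resolve: Callable[[str], Optional[str]] = stub_resolve):
    """Return [(owner, target)] for CNAMEs whose claimable target no longer resolves.

    Only NXDOMAIN targets are reported: a target that resolves is someone's
    live resource, and a non-claimable target cannot be re-created by a
    stranger even if it is stale.
    """
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME" or not is_claimable(target):
            continue
        if resolve(target) is None:
            findings.append((owner, target))
    return findings


if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE):
        # Remediation: delete the record, or re-create the resource under your
        # own account so the name is no longer free to claim.
        print(f"DANGLING {owner} -> {target}")
```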
Infoblox Threat Intel<p>Over the past few years, we've been discussing our research into Traffic Distribution Systems (TDSs), especially those that power malicious adtech. We've created this cheatsheet to help those unfamiliar with TDSs get up to speed. Tell us what you think and if there are any other cheatsheets you feel would be helpful!</p><p><a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a></p>
Infoblox Threat Intel<p>Who doesn't love a bargain? Security researchers do, especially when they lead to shady stores, dodgy domains, and mysterious merchant accounts!</p><p>Recently, while perusing Facebook Marketplace, I stumbled upon some enticingly low-priced items that led me to intriguing domains promising more great bargains. Having recently schooled a family member who fell for a similar scam, I decided to dig deeper and disrupt these scammy storekeepers.</p><p>Based on my investigation, and my relative's real-world experience, here's how these scams play out:<br>- Scammers use compromised social media accounts to post ads directing victims to fake storefronts.<br>- Popular items are offered at too-good-to-be-true prices, usually under £100/$100, claiming to be excess stock or lost packages needing to be cleared from their warehouses.<br>- Payments are accepted via PayPal and Stripe, using various merchant accounts that seem to change with each checkout process.<br> - PayPal payments involve a secondary domain that also appears to be a fake storefront. The merchant account email addresses use different recently registered domains.<br> - Stripe payments originate from the initial domain with the merchant purporting to be a fashion store LLC that lists yet another suspicious storefront domain.<br>- Order confirmation and tracking details are provided by email after payment to avoid any suspicion. The scammers are also prompt to reply to any inquiries and readily apologize for shipping delays.<br>- Fake tracking information shows your 'package' crawling from (virtual) port to port before being returned to the supplier due to a 'Customs clearance' failure... how convenient!</p><p>This drawn-out process can last over a month, leading many victims to write off the loss and chalk it up to experience. 
This delaying tactic also benefits the scammers, allowing them to gather as many sales as possible and cash out before complaints are made to the payment processors.</p><p>Recent storefront domains:<br>- amnn[.]shop<br>- eorv[.]shop<br>- eroc[.]shop<br>- uing[.]shop</p><p>Secondary payment domains:<br>- mccjf[.]store<br>- fa71[.]store<br>- mimidai[.]store<br>- hu81[.]store</p><p>PayPal merchant email accounts:<br>- &lt;name&gt;@&lt;subdomain&gt;.alfonsoa[.]vip<br>- &lt;name&gt;@&lt;subdomain&gt;.gualive[.]club</p><p>Stripe merchant domains:<br>- alinakapparel[.]com<br>- biriaievyr[.]com<br>- laurawear[.]com</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>In our new blog, we share a personal experience of being approached for a fake remote job on Telegram and uncover the methods scammers use to deceive and exploit victims. We were eventually able to trick the scammers and withdraw some money before they finally caught onto us!<br> <br>You can find the blog here: <a href="https://blogs.infoblox.com/threat-intelligence/telegram-tango-dancing-with-a-scammer/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/telegram-tango-dancing-with-a-scammer/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a 
href="https://infosec.exchange/tags/pigbutchering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pigbutchering</span></a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crypto</span></a></p>
Infoblox Threat Intel<p>There is another Lizard on the radar! Looming Lizard is an actor creating hundreds of lookalike domains impersonating popular banks and telecommunication companies targeting Spanish-speaking countries, such as Mexico. Not only are they lookalikes, but they are also RDGAs (Registered DGAs), with new domains created on a daily basis. These are some of the entities they impersonate: </p><p>- Banks: Banorte, BBVA, Citi, HSBC, Itaú, Santander, Scotiabank<br>- Telecommunications: AT&amp;T, BTC, Claro, Liberty, Movistar, Telcel, Tigo <br>- Others: post offices, department stores, energy companies</p><p>For one of the lookalikes to Tigo (tigoppy[.]club), the actor was kind enough to offer the ability to trade our (fake) account points for nice prizes (wink wink). Sample of domains for each mentioned company: </p><p>- banortex[.]vip, banortepmex[.]store, banorteoi[.]icu, banorteoi[.]sbs, banortebc[.]top <br>- bbvamex[.]xin, bbvamex[.]xyz, bbvamxn[.]cyou, bbvamxn[.]store, bbvamxn[.]sbs <br>- citiprr[.]top, citipr[.]top, citipr[.]vip, citiipir[.]top, citiipir[.]vip <br>- mex-hsbc[.]xyz, mexhsbc[.]icu, mex-hsbc[.]icu, mex-hsbc[.]xin, mexhsbck[.]pro <br>- itauupy[.]top, ittau[.]top, itauupyi[.]top, itaui[.]cfd, itaupy[.]top <br>- santander-mex[.]xin, santandermox[.]vip, santander-mex[.]sbs, santander-mex[.]icu, santandermox[.]xyz <br>- scotiabank-mx[.]xyz, scotiabok[.]xyz, scotiiiai[.]vip, scotiabanukmx[.]sbs, scotiiiai[.]xin <br>- attmiex[.]pro, att-com-mx[.]top, attmmex[.]xyz, att-com-mx[.]xin, attmmex[.]vip <br>- btcbahamass[.]vip, btcbahamasni[.]vip, btcbahamasni[.]xin, btcbahamasi[.]top, btcbahamasni[.]top <br>- claroar[.]top, claroec[.]vip, clarosv[.]top, claropy[.]vip, clarolo[.]top <br>- liberty-cr[.]xyz, liberty-cr[.]vip, liberty-cr[.]icu, liberty-cr[.]xin, liberty-cr[.]cc <br>- movisstar[.]pro, movisstar[.]xyz, movistar-uy[.]xin, movisstar[.]sbs, movistarui[.]icu <br>- telcelsi[.]top, telcelt[.]bond, telcele[.]info, telceln[.]qpon, telcel0[.]online 
<br>- tiiigopy[.]xyz, tigosv[.]top, tigosv[.]cc, tigosvi[.]top, tigoipy[.]top <br> <br><a href="https://urlscan.io/result/375469cb-d1ac-4b91-8dbe-18c5f42d427d/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/375469cb-d1a</span><span class="invisible">c-4b91-8dbe-18c5f42d427d/</span></a><br><a href="https://urlscan.io/result/019656a1-67b5-7007-acc9-8834551420f7/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/019656a1-67b</span><span class="invisible">5-7007-acc9-8834551420f7/</span></a> <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/lookalike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lookalike</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a 
href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (<a href="https://infosec.exchange/tags/UNODC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UNODC</span></a>) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic. </p><p>Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.<br> <br>Our part of the collaboration (pages 37-42 of the 90+ page report) was around a single actor that we can track in <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> -- naturally!<br> <br>We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault Viper develops its very own "secure gambling browser". Of course it's <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>. <br> <br>Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.<br> <br> <a href="https://www.unodc.org/roseap/en/2025/04/cyberfraud-inflection-point-mekong/story.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">unodc.org/roseap/en/2025/04/cy</span><span class="invisible">berfraud-inflection-point-mekong/story.html</span></a><br> <br>Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world. 
<br> <br>The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a>, <a href="https://infosec.exchange/tags/pigbutchering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pigbutchering</span></a>, <a href="https://infosec.exchange/tags/humantrafficking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>humantrafficking</span></a>, <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a>, <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>, <a href="https://infosec.exchange/tags/illegalgambling" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>illegalgambling</span></a>, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints. <br> <br>We'll be releasing a detailed report on Vault Viper in the coming months. <br> <br><a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a><br><a href="https://infosec.exchange/tags/organizedcrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>organizedcrime</span></a> <a href="https://infosec.exchange/tags/china" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>china</span></a></p>
Infoblox Threat Intel<p>“Your device has been blocked due to illegal activity” — 🙄 sure it has. After fat-fingering github[.]com, we were redirected to a domain running fake Microsoft tech support scams: pop-ups that lock your browser, shout scary messages, and push you to call a “support” number (aka the scammer who’ll walk you through installing remote access tools). </p><p>They're hosted on legit infra like Azure blobs or Cloudflare Pages. That one redirect led to uncovering 1,200+ other domains hosting identical fake support pages. Of course, whenever a redirect like this happens, there's a malicious traffic distribution system (TDS) involved.<br> <br>Examples include:<br>- tenecitur.z1.web.core.windows[.]net<br>- neon-kleicha-36b137[.]netlify[.]app<br>- us6fixyourwindowsnow[.]pages[.]dev<br>- microsoft-coral-app-6xv89.ondigitalocean[.]app</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a></p>
Infoblox Threat Intel<p>Scams Taking Their Toll? </p><p>We've previously posted about toll-themed domains being used in mass smishing campaigns targeting drivers in the US, but they're not the only ones being taken for a ride. While recently investigating a huge cluster of scam domains sharing many similar traits, we've noticed toll scams targeting drivers far and wide, including in Australia, Hong Kong, New Zealand, Portugal, Saudi Arabia, Singapore, Taiwan and the United Arab Emirates.<br> <br>Think you're safe because you didn't click submit? Think again! These crafty wheeler-dealers are using the JavaScript Socket.io library for real-time communications, meaning text is sent to the scammers as you type!<br> <br>Examining these back-and-forth communications suggests that your data is being sent to a chat room, and the server response includes 'online-count-user,' showing you're not the only one interacting with the scam at that moment.<br> <br>Regional examples:<br>- AU - inforequestl[.]icu<br>- HK - hketcupdate[.]top<br>- NZ - niztagoovt[.]com<br>- PT - visitorsa-pt[.]click<br>- SA - absher[.]qpon<br>- SG - lta-gov-sg[.]top<br>- TW - fetollc[.]top<br>- AE - dubaipoieh[.]com<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a></p>
Infoblox Threat Intel<p>Going to RSA? We’re giving a 2 hour hands-on learning lab on traffic distribution systems (TDS). Malicious actors use these to hide their activity from security teams and deliver tailored content to victims.<br> <br>Not going to RSA? We’ve written a number of articles on this topic (some included below) and we’re happy to answer questions about TDSs here on Mastodon.<br> <br><a href="https://blogs.infoblox.com/threat-intelligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/from-click-to-chaos-bouncing-around-in-malicious-traffic-distribution-systems/</span></a><br><a href="https://www.infoblox.com/resources/webinars/dns-threat-briefing-q1-2025/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infoblox.com/resources/webinar</span><span class="invisible">s/dns-threat-briefing-q1-2025/</span></a><br><a href="https://www.infoblox.com/resources/webinars/traffic-distribution-systems-at-the-heart-of-cybercrime/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infoblox.com/resources/webinar</span><span class="invisible">s/traffic-distribution-systems-at-the-heart-of-cybercrime/</span></a><br><a href="https://www.infoblox.com/resources/webinars/the-big-ruse/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">infoblox.com/resources/webinar</span><span class="invisible">s/the-big-ruse/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow 
noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/RSAC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RSAC</span></a> <a href="https://infosec.exchange/tags/RSAC25" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RSAC25</span></a></p>
Infoblox Threat Intel<p>Parked domains are used in all sorts of interesting ways. Recently we saw a set used in the sender addresses of spam delivering Formbook malware. The emails were disguised as salary updates, purchase orders, fines, and vendor enrollments. The sender addresses typically appear to be from HR or some other official group associated with the subject.<br> <br>The domains associated with these Formbook campaigns are lookalikes, designed to impersonate legitimate brands in an attempt to dupe the victim. Some examples of the brands we have seen lookalikes for include Blue-Maritime and Vanity Case Group.<br> <br>The spam itself appears to run through actor-controlled relays (SPF failures, etc.) and originate in AS203557 (Dataclub / Latvia). We see the same actor delivering Formbook via various campaigns for over a year targeting users from different regions, including the Middle East, India, and the United States.<br> <br>Because the domains are parked, it is hard to confirm whether the spam actor controls them or is just digging around parking lots.<br> <br>Fun fact: Formbook malware is known to use parked domains for decoy C2 URLs as well. 
<br> <br>IOCs: blu-maritlme[.]com, thevenitycase[.]com<br>Example filename: Gross Misconduct.rar<br>Sha256: 09590f63531e7e5d7b8e86a55e1e3014cc86c99694c94a29c95215acac227c89<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/formbook" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>formbook</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a></p>