home.social

#infoblox — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #infoblox, aggregated by home.social.

  1. Boss too tough? Salary too low? If you're after a new gig, look no further 💼

    We’re tracking a recruitment‑themed phishing campaign that opens with hope of a career upgrade and ends in stolen credentials.

    Victims are targeted through emails spammed out by “recruiters” impersonating real people — LinkedIn profiles copied in full, including photos and current recruiter identities. The lure leans on exciting big‑name brands including FIFA, UEFA, Nike and Spotify to anchor legitimacy before prompting victims to schedule an interview using a bogus Calendly page 👔 💫

    About time they noticed your stellar performance, right? But this interview comes with a catch 🎣 To seal the deal, you'll need to log in with your company email.

    The mechanics:
    • Initial outreach primes the role and rapport with some feel-good shmoozing
    • Link to schedule your interview lands on a cloned Calendly recruitment portal
    • Follow‑on contact nudges the victim through staged redirects
    • Your credentials submit their 30-day notice ⚠️

    Behind the scenes:
    • Convincing lookalike domains generated at scale (RDGAs), rotated aggressively
    • Layered redirect chains to blur origin and intent
    • Compromised or fraudulently obtained Salesforce Marketing Cloud used for delivery, helping mails sail past controls
    • Lure pages clone the Pinpoint ATS — attribution supported by Pinpoint’s own Cloudinary account ID (pinpointhq) embedded in assets
    • Domain validation logic limits logins to business email providers, excluding free webmail services

    Sad to say, the only thing getting “shortlisted” here is your inbox for another round of credential theft.

    IOCs
    • brand-jobs[.]com
    • brand-careers[.]com
    • hr-brand[.]com
    • brand-talenthub[.]com

    These campaigns remain active, with the actor spinning up new lures impersonating other major brands. We regret to inform you, it seems they'll be moving forward with other candidates 😩

    Better luck next time.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing

  2. ⚽ Looking for FIFA World Cup tickets without the queue?

    We're continuously tracking a surge in convincing FIFA lookalike sites we first posted on last month, but this isn't your typical phishing game — it's full‑blown counterfeit ticketing, run like a high‑volume e‑commerce operation.

    Premier League theatrics. Sunday league legitimacy 🎭

    The flow:
    • Land on a polished FIFA clone
    • Auto‑localized content (language, region, pricing)
    • "Checkout" pushed through rotating payment domains

    Behind the curtain:
    • ⚡ High domain churn — fresh registrations daily
    • 🔄 Payment infrastructure swapped in/out to dodge disruption
    • 🪞 Near-perfect mirroring of official FIFA content

    There are indicators pointing to Chinese‑origin operators (hosting patterns, code artifacts), but targeting is global—and scalable.

    The interesting bit? This isn't about stealing creds.

    It's about conversion at scale. Auto-localisation + disposable infrastructure = throughput over stealth.

    No ticket. No refund. Reliable revenue stream.

    While this actor keeps kickin' and churning out new domains, we'll be here tracking the infrastructure... and yes it's because we can't afford a real ticket to the game.

    #dns #threatintel #cybersecurity #infosec #scam #phishing #infoblox #infobloxthreatintel #WorldCup2026 #FIFA

  3. ⚽ Looking for FIFA World Cup tickets without the queue?

    We're continuously tracking a surge in convincing FIFA lookalike sites we first posted on last month, but this isn't your typical phishing game — it's full‑blown counterfeit ticketing, run like a high‑volume e‑commerce operation.

    Premier League theatrics. Sunday league legitimacy 🎭

    The flow:
    • Land on a polished FIFA clone
    • Auto‑localized content (language, region, pricing)
    • "Checkout" pushed through rotating payment domains

    Behind the curtain:
    • ⚡ High domain churn — fresh registrations daily
    • 🔄 Payment infrastructure swapped in/out to dodge disruption
    • 🪞 Near-perfect mirroring of official FIFA content

    There are indicators pointing to Chinese‑origin operators (hosting patterns, code artifacts), but targeting is global—and scalable.

    The interesting bit? This isn't about stealing creds.

    It's about conversion at scale. Auto-localisation + disposable infrastructure = throughput over stealth.

    No ticket. No refund. Reliable revenue stream.

    While this actor keeps kickin' and churning out new domains, we'll be here tracking the infrastructure... and yes it's because we can't afford a real ticket to the game.

    #dns #threatintel #cybersecurity #infosec #scam #phishing #infoblox #infobloxthreatintel #WorldCup2026 #FIFA

  4. ⚽ Looking for FIFA World Cup tickets without the queue?

    We're continuously tracking a surge in convincing FIFA lookalike sites we first posted on last month, but this isn't your typical phishing game — it's full‑blown counterfeit ticketing, run like a high‑volume e‑commerce operation.

    Premier League theatrics. Sunday league legitimacy 🎭

    The flow:
    • Land on a polished FIFA clone
    • Auto‑localized content (language, region, pricing)
    • "Checkout" pushed through rotating payment domains

    Behind the curtain:
    • ⚡ High domain churn — fresh registrations daily
    • 🔄 Payment infrastructure swapped in/out to dodge disruption
    • 🪞 Near-perfect mirroring of official FIFA content

    There are indicators pointing to Chinese‑origin operators (hosting patterns, code artifacts), but targeting is global—and scalable.

    The interesting bit? This isn't about stealing creds.

    It's about conversion at scale. Auto-localisation + disposable infrastructure = throughput over stealth.

    No ticket. No refund. Reliable revenue stream.

    While this actor keeps kickin' and churning out new domains, we'll be here tracking the infrastructure... and yes it's because we can't afford a real ticket to the game.

    #dns #threatintel #cybersecurity #infosec #scam #phishing #infoblox #infobloxthreatintel #WorldCup2026 #FIFA

  5. Recovery Scam Season: Second Time’s the Charm? 🎣

    Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
    ⚠️ 📵 Yeah… about that.

    Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

    Here’s the playbook:
    • 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
    • 🌐 Lookalike recovery domains instructing victims to submit contact info →
    • 📞 Outreach via Email, WhatsApp etc. →
    • 🤝 Trust building + fake progress →
    • 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

    Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

    META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

    Recent examples:
    ⛔ europolhelp[.]live
    ⛔ recovery-protocol[.]net
    ⛔ fbi-support[.]live
    ⛔ baseinfo[.]biz

    Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers.🧠

    #ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

  6. Recovery Scam Season: Second Time’s the Charm? 🎣

    Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
    ⚠️ 📵 Yeah… about that.

    Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

    Here’s the playbook:
    • 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
    • 🌐 Lookalike recovery domains instructing victims to submit contact info →
    • 📞 Outreach via Email, WhatsApp etc. →
    • 🤝 Trust building + fake progress →
    • 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

    Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

    META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

    Recent examples:
    ⛔ europolhelp[.]live
    ⛔ recovery-protocol[.]net
    ⛔ fbi-support[.]live
    ⛔ baseinfo[.]biz

    Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers.🧠

    #ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

  7. Recovery Scam Season: Second Time’s the Charm? 🎣

    Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
    ⚠️ 📵 Yeah… about that.

    Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

    Here’s the playbook:
    • 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
    • 🌐 Lookalike recovery domains instructing victims to submit contact info →
    • 📞 Outreach via Email, WhatsApp etc. →
    • 🤝 Trust building + fake progress →
    • 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

    Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

    META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

    Recent examples:
    ⛔ europolhelp[.]live
    ⛔ recovery-protocol[.]net
    ⛔ fbi-support[.]live
    ⛔ baseinfo[.]biz

    Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers.🧠

    #ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

  8. Recovery Scam Season: Second Time’s the Charm? 🎣

    Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
    ⚠️ 📵 Yeah… about that.

    Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

    Here’s the playbook:
    • 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
    • 🌐 Lookalike recovery domains instructing victims to submit contact info →
    • 📞 Outreach via Email, WhatsApp etc. →
    • 🤝 Trust building + fake progress →
    • 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

    Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

    META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

    Recent examples:
    ⛔ europolhelp[.]live
    ⛔ recovery-protocol[.]net
    ⛔ fbi-support[.]live
    ⛔ baseinfo[.]biz

    Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers.🧠

    #ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

  9. Recovery Scam Season: Second Time’s the Charm? 🎣

    Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
    ⚠️ 📵 Yeah… about that.

    Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

    Here’s the playbook:
    • 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
    • 🌐 Lookalike recovery domains instructing victims to submit contact info →
    • 📞 Outreach via Email, WhatsApp etc. →
    • 🤝 Trust building + fake progress →
    • 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

    Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

    META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

    Recent examples:
    ⛔ europolhelp[.]live
    ⛔ recovery-protocol[.]net
    ⛔ fbi-support[.]live
    ⛔ baseinfo[.]biz

    Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers.🧠

    #ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

  10. Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
    In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

    Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
    Smishing campaigns targeting device owners
    Pay‑as‑you‑go “unlocking” tools sold on Telegram
    By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

    👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. infoblox.com/blog/threat-intel

    #ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel #threatintelligence #cybercrime  #infosec #infoblox #infobloxthreatintel

  11. Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
    In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

    Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
    Smishing campaigns targeting device owners
    Pay‑as‑you‑go “unlocking” tools sold on Telegram
    By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

    👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. infoblox.com/blog/threat-intel

    #ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel #threatintelligence #cybercrime  #infosec #infoblox #infobloxthreatintel

  12. Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
    In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

    Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
    Smishing campaigns targeting device owners
    Pay‑as‑you‑go “unlocking” tools sold on Telegram
    By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

    👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. infoblox.com/blog/threat-intel

    #ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel #threatintelligence #cybercrime  #infosec #infoblox #infobloxthreatintel

  13. Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
    In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

    Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
    Smishing campaigns targeting device owners
    Pay‑as‑you‑go “unlocking” tools sold on Telegram
    By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

    👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. infoblox.com/blog/threat-intel

    #ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel #threatintelligence #cybercrime  #infosec #infoblox #infobloxthreatintel

  14. Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
    In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

    Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
    Smishing campaigns targeting device owners
    Pay‑as‑you‑go “unlocking” tools sold on Telegram
    By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

    👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. infoblox.com/blog/threat-intel

    #ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel #threatintelligence #cybercrime  #infosec #infoblox #infobloxthreatintel

  15. WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

    To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

    The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

    Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show at the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

    When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

    What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

    Domain sample:
    whatsappweb[.]net
    whatapapp[.]com
    whatsptapp[.]com
    leropaxi-whatsapp[.]com[.]cn

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

  16. WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

    To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

    The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

    Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show at the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

    When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

    What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

    Domain sample:
    whatsappweb[.]net
    whatapapp[.]com
    whatsptapp[.]com
    leropaxi-whatsapp[.]com[.]cn

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

  17. WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

    To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

    The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

    Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show at the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

    When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

    What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

    Domain sample:
    whatsappweb[.]net
    whatapapp[.]com
    whatsptapp[.]com
    leropaxi-whatsapp[.]com[.]cn

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

  18. WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

    To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

    The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

    Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show at the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

    When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

    What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

    Domain sample:
    whatsappweb[.]net
    whatapapp[.]com
    whatsptapp[.]com
    leropaxi-whatsapp[.]com[.]cn

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

  19. WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

    To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

    The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

    Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show at the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

    When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

    What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

    Domain sample:
    whatsappweb[.]net
    whatapapp[.]com
    whatsptapp[.]com
    leropaxi-whatsapp[.]com[.]cn

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

  20. "Run a quick DNS speed test" they said… 🤔

    One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

    That randomness is doing a lot of work.

    Across a handful of runs we saw clients touching:

    - Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
    - Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
    - Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
    - Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
    - Autodiscover for named orgs (useful for pre‑populating phish kits)
    - ~150 banking domains, globally distributed

    All from a page load. No content fetched, just "harmless" handshakes.

    What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:

    - A spray of client IPs into sensitive identity and gov endpoints
    - Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
    - Occasional redirects into less friendly corners of the web, courtesy of the long tail

    The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

    It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

  21. "Run a quick DNS speed test" they said… 🤔

    One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

    That randomness is doing a lot of work.

    Across a handful of runs we saw clients touching:

    - Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
    - Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
    - Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
    - Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
    - Autodiscover for named orgs (useful for pre‑populating phish kits)
    - ~150 banking domains, globally distributed

    All from a page load. No content fetched, just "harmless" handshakes.

    What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:

    - A spray of client IPs into sensitive identity and gov endpoints
    - Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
    - Occasional redirects into less friendly corners of the web, courtesy of the long tail

    The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

    It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

  22. "Run a quick DNS speed test" they said… 🤔

    One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

    That randomness is doing a lot of work.

    Across a handful of runs we saw clients touching:

    - Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
    - Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
    - Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
    - Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
    - Autodiscover for named orgs (useful for pre‑populating phish kits)
    - ~150 banking domains, globally distributed

    All from a page load. No content fetched, just "harmless" handshakes.

    What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:

    - A spray of client IPs into sensitive identity and gov endpoints
    - Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
    - Occasional redirects into less friendly corners of the web, courtesy of the long tail

    The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

    It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

  23. "Run a quick DNS speed test" they said… 🤔

    One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

    That randomness is doing a lot of work.

    Across a handful of runs we saw clients touching:

    - Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
    - Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
    - Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
    - Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
    - Autodiscover for named orgs (useful for pre‑populating phish kits)
    - ~150 banking domains, globally distributed

    All from a page load. No content fetched, just "harmless" handshakes.

    What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:

    - A spray of client IPs into sensitive identity and gov endpoints
    - Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
    - Occasional redirects into less friendly corners of the web, courtesy of the long tail

    The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

    It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

  24. Send an SMS to confirm you're a human? That's strange. How about dozens of SMS, to locations all over the world? That sounds more like a hot take on International Revenue Share Fraud (IRSF). Infoblox Threat Intel has come across an operation that defrauds both individuals and telecoms by way of social engineering victims through the use of a fake CAPTCHA process.

    With IRSF, fraudsters generate their revenue by driving call or SMS traffic to numbers to which they have revenue sharing agreements with the local telecoms. Historically, this has been done by methods like hacking an organization's PBX system, or using bots to abuse services that generate one-time-passwords, and directing that call or SMS traffic to numbers under their control.

    This operation, however, takes advantage of individuals' familiarity with the CAPTCHA process, by adding a multi-stage requirement to send bulk SMS to get access to games, videos, or adult content - because of course, these things are so hard to access online otherwise.
    In this case, the victims are two-fold. First, it impacts the people who get unexpected international SMS charges on their bill, and then the telecoms who both pay termination fees to the international destinations telecom, and who also possibly absorb the cost of the chargeback.

    Read more about our investigation into this new flavour of scam, including the specific domains and infrastructure we uncovered, here: infoblox.com/blog/threat-intel

     #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #IRSF #telecom #captcha

  25. Send an SMS to confirm you're a human? That's strange. How about dozens of SMS, to locations all over the world? That sounds more like a hot take on International Revenue Share Fraud (IRSF). Infoblox Threat Intel has come across an operation that defrauds both individuals and telecoms by way of social engineering victims through the use of a fake CAPTCHA process.

    With IRSF, fraudsters generate their revenue by driving call or SMS traffic to numbers to which they have revenue sharing agreements with the local telecoms. Historically, this has been done by methods like hacking an organization's PBX system, or using bots to abuse services that generate one-time-passwords, and directing that call or SMS traffic to numbers under their control.

    This operation, however, takes advantage of individuals' familiarity with the CAPTCHA process, by adding a multi-stage requirement to send bulk SMS to get access to games, videos, or adult content - because of course, these things are so hard to access online otherwise.
    In this case, the victims are two-fold. First, it impacts the people who get unexpected international SMS charges on their bill, and then the telecoms who both pay termination fees to the international destinations telecom, and who also possibly absorb the cost of the chargeback.

    Read more about our investigation into this new flavour of scam, including the specific domains and infrastructure we uncovered, here: infoblox.com/blog/threat-intel

     #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #IRSF #telecom #captcha

  26. Send an SMS to confirm you're a human? That's strange. How about dozens of SMS, to locations all over the world? That sounds more like a hot take on International Revenue Share Fraud (IRSF). Infoblox Threat Intel has come across an operation that defrauds both individuals and telecoms by way of social engineering victims through the use of a fake CAPTCHA process.

    With IRSF, fraudsters generate their revenue by driving call or SMS traffic to numbers to which they have revenue sharing agreements with the local telecoms. Historically, this has been done by methods like hacking an organization's PBX system, or using bots to abuse services that generate one-time-passwords, and directing that call or SMS traffic to numbers under their control.

    This operation, however, takes advantage of individuals' familiarity with the CAPTCHA process, by adding a multi-stage requirement to send bulk SMS to get access to games, videos, or adult content - because of course, these things are so hard to access online otherwise.
    In this case, the victims are two-fold. First, it impacts the people who get unexpected international SMS charges on their bill, and then the telecoms who both pay termination fees to the international destinations telecom, and who also possibly absorb the cost of the chargeback.

    Read more about our investigation into this new flavour of scam, including the specific domains and infrastructure we uncovered, here: infoblox.com/blog/threat-intel

     #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #IRSF #telecom #captcha

  27. Send an SMS to confirm you're a human? That's strange. How about dozens of SMS, to locations all over the world? That sounds more like a hot take on International Revenue Share Fraud (IRSF). Infoblox Threat Intel has come across an operation that defrauds both individuals and telecoms by way of social engineering victims through the use of a fake CAPTCHA process.

    With IRSF, fraudsters generate their revenue by driving call or SMS traffic to numbers to which they have revenue sharing agreements with the local telecoms. Historically, this has been done by methods like hacking an organization's PBX system, or using bots to abuse services that generate one-time-passwords, and directing that call or SMS traffic to numbers under their control.

    This operation, however, takes advantage of individuals' familiarity with the CAPTCHA process, by adding a multi-stage requirement to send bulk SMS to get access to games, videos, or adult content - because of course, these things are so hard to access online otherwise.
    In this case, the victims are two-fold. First, it impacts the people who get unexpected international SMS charges on their bill, and then the telecoms who both pay termination fees to the international destinations telecom, and who also possibly absorb the cost of the chargeback.

    Read more about our investigation into this new flavour of scam, including the specific domains and infrastructure we uncovered, here: infoblox.com/blog/threat-intel

     #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #IRSF #telecom #captcha

  28. Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

    Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

    The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

    Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
    This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

    At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

    Domains samples:
    qqc10c[.]cyou
    51wang11c[.]cyou

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

  29. Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

    Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

    The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

    Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
    This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

    At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

    Domains samples:
    qqc10c[.]cyou
    51wang11c[.]cyou

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

  30. Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

    Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

    The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

    Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
    This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

    At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

    Domains samples:
    qqc10c[.]cyou
    51wang11c[.]cyou

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

  31. Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

    Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

    The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

    Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
    This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

    At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

    Domains samples:
    qqc10c[.]cyou
    51wang11c[.]cyou

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

  32. Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

    Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

    The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

    Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
    This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

    At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

    Domains samples:
    qqc10c[.]cyou
    51wang11c[.]cyou

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

  33. #Tatort #DNS: Wie das #Internet seine Angreifer verrät mit Renée Burton - #TheyTalkTech – mit Eckert und Wolfangel - #Podcast:

    Das #Telefonbuch des #Internets kennt keine Geheimnisse. Wenn man weiß, wie man es liest. Renée Burton hat 22 Jahre beim #US-Geheimdienst #NSA verbracht und wechselte dann die Seite.

    Als #Head_of_Threat_Intelligence bei der #IT-Security Firma #Infoblox analysiert sie Billionen von #DNS-Anfragen und findet darin, was andere übersehen:...

    frauen-technik.podigee.io/77-n

  34. #Tatort #DNS: Wie das #Internet seine Angreifer verrät mit Renée Burton - #TheyTalkTech – mit Eckert und Wolfangel - #Podcast:

    Das #Telefonbuch des #Internets kennt keine Geheimnisse. Wenn man weiß, wie man es liest. Renée Burton hat 22 Jahre beim #US-Geheimdienst #NSA verbracht und wechselte dann die Seite.

    Als #Head_of_Threat_Intelligence bei der #IT-Security Firma #Infoblox analysiert sie Billionen von #DNS-Anfragen und findet darin, was andere übersehen:...

    frauen-technik.podigee.io/77-n

  35. #Tatort #DNS: Wie das #Internet seine Angreifer verrät mit Renée Burton - #TheyTalkTech – mit Eckert und Wolfangel - #Podcast:

    Das #Telefonbuch des #Internets kennt keine Geheimnisse. Wenn man weiß, wie man es liest. Renée Burton hat 22 Jahre beim #US-Geheimdienst #NSA verbracht und wechselte dann die Seite.

    Als #Head_of_Threat_Intelligence bei der #IT-Security Firma #Infoblox analysiert sie Billionen von #DNS-Anfragen und findet darin, was andere übersehen:...

    frauen-technik.podigee.io/77-n

  36. #Tatort #DNS: Wie das #Internet seine Angreifer verrät mit Renée Burton - #TheyTalkTech – mit Eckert und Wolfangel - #Podcast:

    Das #Telefonbuch des #Internets kennt keine Geheimnisse. Wenn man weiß, wie man es liest. Renée Burton hat 22 Jahre beim #US-Geheimdienst #NSA verbracht und wechselte dann die Seite.

    Als #Head_of_Threat_Intelligence bei der #IT-Security Firma #Infoblox analysiert sie Billionen von #DNS-Anfragen und findet darin, was andere übersehen:...

    frauen-technik.podigee.io/77-n

  37. #Tatort #DNS: Wie das #Internet seine Angreifer verrät mit Renée Burton - #TheyTalkTech – mit Eckert und Wolfangel - #Podcast:

    Das #Telefonbuch des #Internets kennt keine Geheimnisse. Wenn man weiß, wie man es liest. Renée Burton hat 22 Jahre beim #US-Geheimdienst #NSA verbracht und wechselte dann die Seite.

    Als #Head_of_Threat_Intelligence bei der #IT-Security Firma #Infoblox analysiert sie Billionen von #DNS-Anfragen und findet darin, was andere übersehen:...

    frauen-technik.podigee.io/77-n

  38. From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

    In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

    Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

    What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

    In addition to giving criminal operators complete control over infected devices, behind the malware sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

    What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

    👉 Read the full report here: infoblox.com/blog/threat-intel
    👉 We spoke to the Economist to explain how the scam centre threat is shifting: economist.com/interactive/asia

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

  39. From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

    In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

    Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

    What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

    In addition to giving criminal operators complete control over infected devices, behind the malware sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

    What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

    👉 Read the full report here: infoblox.com/blog/threat-intel
    👉 We spoke to the Economist to explain how the scam centre threat is shifting: economist.com/interactive/asia

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

  40. From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

    In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

    Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

    What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

    In addition to giving criminal operators complete control over infected devices, behind the malware sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

    What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

    👉 Read the full report here: infoblox.com/blog/threat-intel
    👉 We spoke to the Economist to explain how the scam centre threat is shifting: economist.com/interactive/asia

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

  41. From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

    In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

    Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

    What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

    In addition to giving criminal operators complete control over infected devices, behind the malware sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

    What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

    👉 Read the full report here: infoblox.com/blog/threat-intel
    👉 We spoke to the Economist to explain how the scam centre threat is shifting: economist.com/interactive/asia

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

  42. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  43. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  44. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  45. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  46. 💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

    🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

    @rato_support
    @ratofaqs
    @rato_backup
    @rato_hosting
    @Rato2_bot

    Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

    asakusubinitohas[.]com
    bmw320ikaka[.]co
    cpusx[.]com
    newoneazu[.]com
    ratmail[.]pro
    rato[.]page
    rato[.]to
    ratodemo[.]pro
    sesrecipt[.]com
    silk-gen[.]com
    sunostart[.]com
    viewyourstatementonline[.]com

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

  47. ⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

    We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

    Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

    These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

    Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

    #dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes

  48. ⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

    We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

    Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

    These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

    Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

    #dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes

  49. ⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

    We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

    Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

    These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

    Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

    #dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes

  50. ⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

    We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

    Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

    These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

    Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

    #dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes