#lookalikes — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #lookalikes, aggregated by home.social.
-
⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.
We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.
Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).
These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽
Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com
#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes
-
Two of the biggest heavyweight scam TTPs - malvertising and pig butchering - have combined. In our latest research, we track hundreds of investment‑scam campaigns using this one-two punch to target Japan and the wider Asia region.
The hybrid approach kicks-off with malvertising ads that impersonate well‑known financial experts, funnel victims through lure sites on RDGA‑generated domains, before finally pulling them into messaging chats run by tireless AI‑style pig butcher bots. The result: an industrial‑scale long con, with individual victims reporting losses of up to ¥10M (~US$63k).
This model is reused across different campaigns and, by pivoting on DNS, we've so far been able to map out an ecosystem of over 23,000 domains.
In our latest blog we talk about our first‑hand experience going through the scheme, break down the entire flow, and share all the related IOCs: https://www.blogs.infoblox.com/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/
#Infoblox #InfobloxThreatIntel #dns #threatintel #threatintelligence #malvertising #pigbutchering #rdga #dga #lookalikes #crypto #investment #scam #fraud #cybercrime #cybersecurity #infosec #Japan #Asia #AI
-
Photographer made it his life work to track down amazing doppelgängers. Here are his best finds.
https://web.brid.gy/r/https://www.upworthy.com/doppelgangers-photo-project
-
That guy from Darts is in The Hives now, right? #totp #lookalikes
-
------
#humour #lookalikes to #celebs meet each others https://youtu.be/18QGRoIHX6s?si=mBIYciUlCNYmBx7n
------
-
#chris_evans_tgi met #all_saints_band in 98
& #jack_carroll_comedian was born that year & he #lookalikes , that's just #rumours #dreams &
#little_liesLies https://youtu.be/iqzKJOBific?si=aDujLaU1-RppeDEj
--------
-
WhatsApp, doc?
We recently observed about 800 lookalike domains impersonating WhatsApp. These domains are all on the .com, .cc, and .cn TLDs and exhibit a few naming patterns:
Randomized short .cc domains:
- whatsqgs[.]cc, whatsqka[.]cc, whatsqys[.]cc
Structured .com domains:
- app-<3 letters>-whatshktw[.]com
- app-<3 letters>-whatsappcc[.]com
Structured .cn domains:
- <4 letters>-wahtsapp[.]cn
These domains were all created within the last 20 days, tops, and given the bulk registration and consistent infrastructure, point to a coordinated campaign. All 800+ domains are hosted in ASN 205960 (KR, 'IP Transit'), share the same nameserver domain (domainnamedns[.]com), and embed a highly-suspicious Chinese analytics loader from aizhantj[.]com (seriously, this thing is weird; check the references below). The sites present fake WhatsApp login/download portals in Chinese, suggesting East-Asian targeting.
Selection of IOCs
app-xfn-whatsappcc[.]com
app-xbb-whatsappcc[.]com
app-wum-whatshktw[.]com
ptjh-wahtsapp[.]com
kemc-wahstapp[.]cn
hzfv-wahstapp[.]cn
iiqu-wahstapp[.]cn
ggeu-wahstapp[.]cn
whatsyuy[.]cc
xjdp-wahstapp[.]cn
yaue-wahstapp[.]cn
zvxd-wahstapp[.]cn
References
https://urlscan.io/result/0199f335-4b61-76ca-851f-c832a7d5f9bd/#transactions (tj.js is the weird analytics GET request)
https://urlscan.io/result/0199f34a-e9a8-7788-a057-29a6c9a3f133 (the loader itself)
https://www.shodan.io/search?query=aizhantj.com
#infoblox #phishing #lookalikes #infosec #threatintel #dns #whatsapp
-
#People shared 25 #hilarious “Celebrity lookalikes” that are surprisingly #similar https://zorz.it/CHbEH | #ShanilouPerera #CelebrityLookalikes #celebrities #CelebrityDopplegangers #funny #lookalikes #EntertainingGallery
-
Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.
Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.
One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.
Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.
Block these:
user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.
#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa
-
Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. Its legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.
Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.
Here are a few samples of the domains:
- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.
#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod
-
While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.
The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.
consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>
#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel
https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/
https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/
-
https://apple.news/AN4SNkzWiR0ubW0AyTzrXqA
Has anyone ever noticed the remarkable resemblance between Barron Trump and the young Adolf Hitler?
I wonder if they could be related? I think we should be told.
#BarronTrump
#LookAlikes
#PrivateEye
(http://private-eye.co.uk/lookalikes)
-
#JasonKelce & his #lookalikes spent the weekend spreading #gay #holiday #cheer
Kelce played 13 seasons for the #PhiladelphiaEagles. But in the #gay #community, the #NFL #legend will always be known as a #Bear!
#Women #Transgender #LGBTQ #LGBTQIA #Entertainment #Sports #Representation #Culture
-
@w7voa Suuuuuure sounds like all the things needed for a rock-solid conviction, to deter the perpetrator-applauding audience, and calm the fear-ridden, wealthy community, has all fallen into place. How convenient for everyone…right? #lookalikes #grainofsalt #policeinvestigate #questionauthority #ShineTheLight
-
Continued fun in mobile threats.. One of our analysts received these two different threats on her household Android phones on the same day.. usually Google does a pretty good job filtering them out, but failed here. These show two different #dns trends that we see in practice. The use of a shortener which redirects to an Amazon lookalike domain -- we often just see the lookalike in the message.
The amazon one led to amazonfey[.]co and the same actor had over 300 active lookalikes to Amazon and other services. These guys are fairly easy to track in DNS using fingerprinting. Blocking at DNS providers will help reduce where Google, Apple, and other service providers miss some.
The Wells Fargo / Apple alert used an old domain -- a "drop catch" that has been picked up by a threat actor. This might look obvious but people work on alarm -- if you have a Wells Fargo account and see a big charge, you might just click without thinking.
#dns #cybersecurity #InfobloxThreatIntel #Infoblox #dropCatchDomains #IOCs #threatIntel #cybercrime #lookalikes
-
Has anyone ever noticed the remarkable resemblance between drug-using Nazi and commander in chief of aviation-technology development, Elon Musk, and Hermann Göring?
I wonder if they could be related? I think we should be told.
-
CW: Lookalikes, Russia
Has anyone noticed how similar Russian president Vladimir Putin and actor Eddie Marsan look?
-
Multiple Airbnb phishing lookalikes were registered over the weekend. The domains all have been registered with Cloudflare and have a Chinese registrant organization. The domains resolve to a webpage that mimics the actual Airbnb website, prompting the user to input their username and password. If the user attempts to register a new account, a verification code is required before the account can be created. See screenshots.
Sample of domains: airbnb03vip[.]com, airbnb02vip[.]com, airbnb01vip[.]com
#dns #threatintel #infoblox #suspicious #lookalikes #phishing
-
A special kind of lookalike are ones designed to be used for tricking users into giving up MFA credentials... we see about 100 of those newly registered a day... a common trick now is to add a -inc to the domain name. Here are some recent ones of those verify-yourinformations[.]click, easy-mfa[.]site, mfa-ca[.]site, truistweb-verify[.]com, verify-nft[.]com, ticket-okta[.]com.... suspicious new "inc" domains often take a real domain and add the -inc to it... risa-inc[.]com.. there is a real domain risa[.]com. and gigadat-inc[.]live... often these will be parked until use.
#dns #threatintel #mfa #lookalikes #cybersecurity #cybercrime #infoblox
-
#Lookalikes appeared for the first time in the minutes of the 145th session of the 20th German Bundestag on 15.12.2023. The minutes can be found at https://dserver.bundestag.de/btp/20/20145.pdf
-
I see the Torygraph is displaying an unusual sense of humour for once!
#UKpolitics #BorisJohnson #Mummy #Lookalikes #WhichOneIsMoreGormless
-
“After the storms, many Bay Area drivers dealing with pothole damage”
Potholes have definitely been a problem here.
It also turns out, though, that my very clever foster dog is a prodigious digger — primarily for gophers, but I couldn’t help noticing something which leaves me with a nagging suspicion…
-
Painting by #JohnSingerSargent that looks like #JonStewart
-
I was told on Friday night that I look like Mark Hamill, and I take that as a compliment. #MarkHamill #lookalikes