CISO Brief

All news with #domain impersonation tag

34 articles

Triad Nexus Expands Global Fraud Operations After Sanctions

🔎 Research by Silent Push finds that, despite US Treasury sanctions in 2025, Triad Nexus has expanded and refined a global fraud operation with average victim losses around $150,000. The group uses infrastructure laundering — compromised AWS, Cloudflare, Google and Microsoft accounts — to host high-performance scam platforms that closely mimic legitimate sites. It industrializes brand impersonation across banking, luxury retail and public services, enforces US IP blocks to reduce scrutiny, and has localized campaigns in Spanish, Vietnamese and Indonesian markets. Silent Push released a CNAME Chain Lookup tool to expose layered domain redirections and help defenders map the group's complex infrastructure.

Fake BTS ARIRANG Tour Ticket Websites Target Fans Worldwide

🎟️ Scammers are exploiting BTS's ARIRANG world tour pre-sales by cloning official ticket pages for multiple countries, creating at least 10 fraudulent domains observed in early April. These lookalike sites replicate the purchase flow and pressure fans into instant payments — in Brazil many victims are urged to pay via PIX, sending funds to mule accounts that are difficult to recover. To avoid fraud, fans should use only the official tour page, verify domains, confirm country-specific sales formats, and contact banks immediately if scammed. Enable banking alerts and use security software that blocks phishing sites.

Threat Actor Abuses .arpa Reverse DNS to Evade Detection

🛡️ Infoblox reports a novel phishing evasion technique that leverages the .arpa reverse-DNS namespace and IPv6-to-IPv4 tunneling to host malicious content on infrastructure-only names. The actor created forward A/AAAA records for reverse DNS names—using services tied to Hurricane Electric and Cloudflare—so links appear to originate from trusted infrastructure, bypassing reputation checks and many security controls. Clicks redirected victims to credential- and payment-stealing landing pages. Infoblox recommends audits, DNS restrictions, and targeted detection for ip6.arpa traffic.

Phishers Abuse .arpa Reverse DNS and IPv6 to Evade Defenses

🔒 Threat actors are abusing the special-use .arpa reverse DNS namespace and IPv6 reverse zones to evade domain reputation checks and email gateways. By obtaining IPv6 address space and controlling reverse DNS, attackers can create nonstandard records (for example A records under ip6.arpa) that resolve to phishing infrastructure hosted behind reputable providers like Cloudflare or Hurricane Electric. Infoblox observed short-lived, image-linked URLs that redirect through traffic distribution systems to selectively deliver phishing pages and frustrate investigation.

Dust Specter Targets Iraqi Officials with Novel Malware

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.

Meta Sues Advertisers Over Celeb-Bait and Cloaking Scams

🛡️ Meta said it is suing deceptive advertisers in Brazil, China, and Vietnam, suspending their payment methods, disabling related accounts, and blocking domains used in scams. The company also issued cease-and-desist letters to eight marketing consultants accused of offering ways to evade ad-policy enforcement, including fake 'un-ban' services and renting access to trusted accounts. Meta highlighted targeted celeb-bait schemes and cloaking tactics, and said its protections now cover more than 500,000 celebrity and public-figure images.

Typosquatting Tactics: How Actors Evade Detection Today

🔍 Typosquatting remains a highly effective deception tactic in which attackers register look-alike domains to phish, harvest credentials, and deliver malware. CrowdStrike describes how adversaries exploit weak registrar verification and craft convincing WHOIS records while using techniques such as strategic HTTP redirects, geo-targeted content and fake sale pages to evade detection. Organizations should monitor registrations, protect brands, and use Falcon Adversary Intelligence to detect and disrupt campaigns.

Valentine’s Day 2026 Scams: Rising Phishing & Fraud

💌 Check Point researchers report a sharp rise in Valentine-themed phishing websites, fraudulent online stores, and fake dating platforms that aim to steal personal data and payment information from shoppers and daters ahead of Valentine’s Day 2026. From March–December 2025, new Valentine-related domains averaged 474 per month; registrations jumped to 696 in January 2026, a 44% increase. In the first five days of February researchers detected 152 additional domains, a further 36% rise in the daily average. The trend reflects opportunistic abuse of seasonal demand and last-minute gift shopping.

Researchers Expose HaxorSEO Backlink Marketplace Abuse

🔎 Security researchers at Fortra’s Intelligence and Research Experts (FIRE) uncovered a Telegram and WhatsApp marketplace called HaxorSEO offering over 1,000 backlinks on pre-compromised, legitimate domains. Operators install webshells and inject backlinks that point to phishing or malware sites, advertising SEO metrics like PA, DA and DR to sell effectiveness. Listings cost as little as $6 each and can help fraudulent pages outrank genuine services. Users are advised to bookmark sensitive login pages and verify domains before entering credentials.

Fake LastPass Emails Pose as Password Vault Backup Alerts

⚠️ LastPass is warning of a phishing campaign that impersonates maintenance notices and urges users to back up their vaults within 24 hours. The messages contain a 'Create Backup Now' button that redirects to a fraudulent site purporting to build an encrypted local backup, where attackers likely try to capture master passwords or hijack accounts. LastPass confirmed it will never ask for master passwords and advised recipients to report suspicious messages to abuse@lastpass.com. The company said the campaign began on January 19 and was timed to exploit a U.S. holiday weekend.

Brand Impersonation: Spoofed Websites, Risks & Mitigation

🔒 Brand impersonation—fake websites, domains, emails, ads, and social pages—is an increasingly common tactic used to harvest credentials, steal payments, distribute malware, and defraud customers and partners. Attackers exploit lookalike domains, SEO and paid ads, and phishing messages to lure victims; even imperfect forgeries can inflict financial, operational, and reputational harm. Organisations should monitor clones, maintain a visible trust centre, pursue rapid takedowns, block malicious domains internally, and coordinate legal, IT, and communications teams for fast response.

Convincing LinkedIn comment-reply phishing uses lnkd.in

⚠️ Scammers are targeting LinkedIn with fake comment replies that impersonate the platform and falsely warn users of policy violations or temporary account restrictions. The malicious replies sometimes use LinkedIn’s lnkd.in shortener or obscure .app domains to hide phishing destinations and present convincing link previews. Victims who click are directed to credential-harvesting pages that request identity verification. LinkedIn says it is aware and is taking action; members should report suspicious comments.

Fake Grubhub Emails Promise Tenfold Bitcoin Payout

💰 Fraudulent emails appearing to come from a Grubhub subdomain promised a tenfold bitcoin payout to recipients who transferred funds to a specified wallet, urging action within a 30-minute window. Messages were sent from addresses on b.grubhub.com and in some cases included recipients' names, increasing their apparent legitimacy. Grubhub says it isolated the issue, investigated the incident, and is taking steps to prevent recurrence; technical details remain undisclosed.

86% Surge in Fake Delivery Sites Targets Holiday Shoppers

📦 Cybercriminals are exploiting the holiday rush, with NordVPN reporting an 86% month-over-month increase in malicious postal service websites. Fraudsters impersonate carriers such as DHL and USPS, using smishing and phishing links to steal data; DHL spoof sites rose 206% while USPS impersonations jumped 850% in one month. Consumers are urged to avoid unsolicited tracking links, verify tracking numbers on official carrier sites or apps, inspect sender details for altered domains, and report suspicious messages to carriers or the FTC.

Parked Domains Increasingly Redirect Users to Malware

🔒 Infoblox researchers found that most parked and typosquatting domains now redirect visitors to scams, scareware, or malware without any user click. The redirects are frequently conditional — benign when accessed via a VPN or non-residential IP, but malicious for residential addresses — and rely on device fingerprinting, geolocation, and chained resells. The study highlights widespread abuse of expired and lookalike domains and the growing role of affiliate networks in distributing harmful traffic.

Scattered Lapsus$ Hunters Target Zendesk with Fake Domains

🔒 ReliaQuest researchers discovered that a group calling itself Scattered Lapsus$ Hunters registered more than 40 fake domains over six months to impersonate Zendesk, host fraudulent login pages, and push malware. Domains such as znedesk.com and vpn-zendesk.com used realistic sign-in screens while other URLs embedded company names to build trust. Attackers also submitted bogus support tickets to real Zendesk portals to trick help-desk staff into surrendering credentials or installing malware. ReliaQuest noted registry patterns tied to NiceNic and Cloudflare-masked nameservers and shared findings with Zendesk.

Smishing Triad Expands Phishing Campaigns Targeting Egypt

🔍 Dark Atlas has uncovered a growing cluster of fraudulent domains used by the Chinese-speaking Smishing Triad to impersonate major Egyptian and global service providers, including Fawry, Egypt Post and Careem. Analysts traced malicious infrastructure in AS132203 — linked to Tencent facilities — after examining HTTP headers and running targeted Shodan searches, which revealed additional spoofed pages for brands such as UnionPay and TikTok. The group advertises a configurable smishing kit on Telegram that automates deployment of multilingual phishing templates for delivery, telecom, government and payment services worldwide.

AI-Driven GLP-1 Scams Hijacking European Authorities

⚠️ Criminal networks are exploiting shortages of GLP-1 drugs like Ozempic, Wegovy and Mounjaro, using AI to generate convincing counterfeit websites, emails and documents that impersonate regulators and health services across Europe. They are hijacking the identities of the NHS, AEMPS, ANSM, BfArM and AIFA to market fake weight-loss products and harvest payments. Check Point Research documents the tactics, scale and public-safety implications of this rapidly evolving scam epidemic.

Black Friday Cybercrime Surge: Rise in Fraudulent Domains

🔒 Check Point Research reports a significant increase in Black Friday–themed domain registrations, with about 1 in 11 newly registered domains classified as malicious. Brand impersonation is a primary tactic: roughly 1 in 25 new domains referencing marketplaces like Amazon, AliExpress, and Alibaba are flagged. Attackers create convincing fake storefronts that copy logos, layouts, and imagery to harvest credentials and payment data, with recent campaigns impersonating HOKA and AliExpress demonstrating active phishing tied to seasonal promotions.

Large-Scale Impersonation Campaigns Deliver Gh0st RAT

🔐 Palo Alto Networks Unit 42 identified two interconnected 2025 campaigns that used large-scale brand impersonation to deliver variants of the Gh0st remote access Trojan to Chinese-speaking users globally. The adversary evolved from simple droppers (Campaign Trio, Feb–Mar 2025) to sophisticated, multi-stage MSI-based chains abusing signed binaries, VBScript droppers and public cloud storage (Campaign Chorus, May 2025 onward). The report includes representative IoCs and mitigation guidance for Advanced WildFire, Cortex XDR and allied protections.