All news with #domain impersonation tag

🛡️ Check Point warns that the primary cyber threat to the 2026 U.S. midterms is not vote tampering but a coordinated assault on trust through misinformation, lookalike news sites, and domain abuse. Attackers are cloning major media brands, registering thousands of election-themed domains, and exploiting leaked credentials to fuel phishing and impersonation. Security teams must prioritize brand protection, rapid takedown, and credential monitoring to mitigate politically motivated campaigns that exploit familiar operational vectors at greater scale.

🎯 Group-IB has identified over 4,300 fraudulent domains impersonating FIFA since last August, organized across six schemes and four threat actors targeting 2026 World Cup fans. The main operator, dubbed Ghost Stadium, uses a Chinese-speaking developer and a phishing kit that clones fifa.com, including its PingIdentity SSO flow, and leverages paid Facebook ads. Other actors include domain squatters, a PhaaS supplier and infostealer campaigns, which have already harvested around 2,500 FIFA credentials. Group-IB warns ticket fraud losses could reach into the hundreds of millions and advises fans to buy only from fifa.com, avoid crypto-based offers and enable MFA.

⚠️ ESET researchers in Latin America discovered multiple fraudulent websites impersonating FIFA and the World Cup ticketing portal to dupe fans into registering and submitting payment details. These sites use typosquatting, copied visuals, and convincing checkout flows to harvest money and personal data. Victims arrive via ads, sponsored search results, social posts or forwarded links. FIFA confirms tickets are only sold through a few official channels; users should verify domains, avoid pressure tactics, and enable unique passwords and two-factor authentication.

⚠️Cyber criminals are exploiting World Cup 2026 excitement with fake merchandise stores, fraudulent betting platforms, and phishing domains designed to steal money and personal data. Domain registrations containing 'FIFA' or 'World Cup' surged to 9,741 in April 2026, and host countries recorded higher weekly attack averages in April versus March and the prior year. Check Point Research identified multiple impersonation and betting sites and advises fans to watch for steep discounts, suspicious domains, and 'vote‑to‑earn' schemes that solicit deposits.

🔎 Research by Silent Push finds that, despite US Treasury sanctions in 2025, Triad Nexus has expanded and refined a global fraud operation with average victim losses around $150,000. The group uses infrastructure laundering — compromised AWS, Cloudflare, Google and Microsoft accounts — to host high-performance scam platforms that closely mimic legitimate sites. It industrializes brand impersonation across banking, luxury retail and public services, enforces US IP blocks to reduce scrutiny, and has localized campaigns in Spanish, Vietnamese and Indonesian markets. Silent Push released a CNAME Chain Lookup tool to expose layered domain redirections and help defenders map the group's complex infrastructure.

🎟️ Scammers are exploiting BTS's ARIRANG world tour pre-sales by cloning official ticket pages for multiple countries, creating at least 10 fraudulent domains observed in early April. These lookalike sites replicate the purchase flow and pressure fans into instant payments — in Brazil many victims are urged to pay via PIX, sending funds to mule accounts that are difficult to recover. To avoid fraud, fans should use only the official tour page, verify domains, confirm country-specific sales formats, and contact banks immediately if scammed. Enable banking alerts and use security software that blocks phishing sites.

🛡️ Infoblox reports a novel phishing evasion technique that leverages the .arpa reverse-DNS namespace and IPv6-to-IPv4 tunneling to host malicious content on infrastructure-only names. The actor created forward A/AAAA records for reverse DNS names—using services tied to Hurricane Electric and Cloudflare—so links appear to originate from trusted infrastructure, bypassing reputation checks and many security controls. Clicks redirected victims to credential- and payment-stealing landing pages. Infoblox recommends audits, DNS restrictions, and targeted detection for ip6.arpa traffic.

🔒 Threat actors are abusing the special-use .arpa reverse DNS namespace and IPv6 reverse zones to evade domain reputation checks and email gateways. By obtaining IPv6 address space and controlling reverse DNS, attackers can create nonstandard records (for example A records under ip6.arpa) that resolve to phishing infrastructure hosted behind reputable providers like Cloudflare or Hurricane Electric. Infoblox observed short-lived, image-linked URLs that redirect through traffic distribution systems to selectively deliver phishing pages and frustrate investigation.

🛡️ Zscaler ThreatLabz reported in January 2026 that a suspected Iran-nexus cluster dubbed Dust Specter has targeted Iraqi government officials by impersonating the Ministry of Foreign Affairs to deliver novel malware families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campaign uses two infection chains: a password-protected RAR containing a .NET dropper that sideloads DLLs and a consolidated in-memory binary that avoids disk writes. Operators staged payloads on compromised Iraqi infrastructure and employed geofencing, User-Agent checks, randomized C2 URIs with checksums, and execution delays; Zscaler also notes code artifacts suggesting possible use of generative AI.

🛡️ Meta said it is suing deceptive advertisers in Brazil, China, and Vietnam, suspending their payment methods, disabling related accounts, and blocking domains used in scams. The company also issued cease-and-desist letters to eight marketing consultants accused of offering ways to evade ad-policy enforcement, including fake 'un-ban' services and renting access to trusted accounts. Meta highlighted targeted celeb‑bait schemes and cloaking tactics, and said its protections now cover more than 500,000 celebrity and public-figure images.

🔍Typosquatting remains a highly effective deception tactic where attackers register look-alike domains to phish, harvest credentials, and deliver malware. CrowdStrike describes how adversaries exploit weak registrar verification and craft convincing WHOIS records while using techniques such as strategic HTTP redirects, geo-targeted content and fake sale pages to evade detection. Organizations should monitor registrations, protect brands, and use Falcon Adversary Intelligence to detect and disrupt campaigns.

💌 Check Point researchers report a sharp rise in Valentine-themed phishing websites, fraudulent online stores, and fake dating platforms that aim to steal personal data and payment information from shoppers and daters ahead of Valentine’s Day 2026. From March–December 2025, new Valentine-related domains averaged 474 per month; registrations jumped to 696 in January 2026, a 44% increase. In the first five days of February researchers detected 152 additional domains, a further 36% rise in the daily average. The trend reflects opportunistic abuse of seasonal demand and last-minute gift shopping.

🔎 Security researchers at Fortra’s Intelligence and Research Experts (FIRE) uncovered a Telegram and WhatsApp marketplace called HaxorSEO offering over 1,000 backlinks on pre-compromised, legitimate domains. Operators install webshells and inject backlinks that point to phishing or malware sites, advertising SEO metrics like PA, DA and DR to sell effectiveness. Listings cost as little as $6 each and can help fraudulent pages outrank genuine services. Users are advised to bookmark sensitive login pages and verify domains before entering credentials.

⚠️ LastPass is warning of a phishing campaign that impersonates maintenance notices and urges users to back up their vaults within 24 hours. The messages contain a 'Create Backup Now' button that redirects to a fraudulent site purporting to build an encrypted local backup, where attackers likely try to capture master passwords or hijack accounts. LastPass confirmed it will never ask for master passwords and advised recipients to report suspicious messages to abuse@lastpass.com. The company said the campaign began on January 19 and was timed to exploit a U.S. holiday weekend.

🔒 Brand impersonation—fake websites, domains, emails, ads, and social pages—is an increasingly common tactic used to harvest credentials, steal payments, distribute malware, and defraud customers and partners. Attackers exploit lookalike domains, SEO and paid ads, and phishing messages to lure victims; even imperfect forgeries can inflict financial, operational, and reputational harm. Organisations should monitor clones, maintain a visible trust centre, pursue rapid takedowns, block malicious domains internally, and coordinate legal, IT, and communications teams for fast response.

⚠️ Scammers are targeting LinkedIn with fake comment replies that impersonate the platform and falsely warn users of policy violations or temporary account restrictions. The malicious replies sometimes use LinkedIn’s lnkd.in shortener or obscure .app domains to hide phishing destinations and present convincing link previews. Victims who click are directed to credential-harvesting pages that request identity verification. LinkedIn says it is aware and is taking action; members should report suspicious comments.

💰Fraudulent emails appearing to come from a Grubhub subdomain promised a tenfold bitcoin payout to recipients who transferred funds to a specified wallet, urging action within a 30-minute window. Messages were sent from addresses on b.grubhub.com and in some cases included recipients' names, increasing their apparent legitimacy. Grubhub says it isolated the issue, investigated the incident, and is taking steps to prevent recurrence while technical details remain undisclosed.

📦 Cybercriminals are exploiting the holiday rush, with NordVPN reporting an 86% month-over-month increase in malicious postal service websites. Fraudsters impersonate carriers such as DHL and USPS, using smishing and phishing links to steal data; DHL spoof sites rose 206% while USPS impersonations jumped 850% in one month. Consumers are urged to avoid unsolicited tracking links, verify tracking numbers on official carrier sites or apps, inspect sender details for altered domains, and report suspicious messages to carriers or the FTC.

🔒 Infoblox researchers found that most parked and typosquatting domains now redirect visitors to scams, scareware, or malware without any user click. The redirects are frequently conditional — benign when accessed via a VPN or non‑residential IP, but malicious for residential addresses — and rely on device fingerprinting, geolocation, and chained resells. The study highlights widespread abuse of expired and lookalike domains and the growing role of affiliate networks in distributing harmful traffic.

🔒 ReliaQuest researchers discovered that a group calling itself Scattered Lapsus$ Hunters registered more than 40 fake domains over six months to impersonate Zendesk, host fraudulent login pages, and push malware. Domains such as znedesk.com and vpn-zendesk.com used realistic sign-in screens while other URLs embedded company names to build trust. Attackers also submitted bogus support tickets to real Zendesk portals to trick help-desk staff into surrendering credentials or installing malware. ReliaQuest noted registry patterns tied to NiceNic and Cloudflare-masked nameservers and shared findings with Zendesk.