All news with #domain impersonation tag

💳 A Russian-speaking threat actor has registered more than 4,300 domains since early 2025 to host convincing fake travel and hotel booking pages that harvest payment card data. According to Netcraft researcher Andrew Brandt, the campaign—active since February—uses a customizable phishing kit that serves branded pages for platforms like Booking, Expedia, and Airbnb and supports 43 languages. The kit requires a unique AD_CODE in the URL to render targeted branding (otherwise visitors see a blank page), employs fake Cloudflare-style CAPTCHA, and persists state in a cookie so subsequent pages maintain consistent impersonation. Victims are prompted to pay a deposit; entered card numbers, expiry and CVV are processed in the background while a bogus support chat guides users through a sham 3D Secure step to complete the theft.

🔒 Check Point researchers disclosed four vulnerabilities in Microsoft Teams that let attackers alter message content, spoof senders, and manipulate notifications to impersonate colleagues. The issues were reported in March 2024 and remediated across multiple updates beginning with an August 2024 fix for CVE-2024-38197, followed by patches in September 2024 and October 2025. Exploitable by external guests and internal actors alike, the flaws could trick users into clicking malicious links, sharing sensitive data, or accepting fraudulent calls by making messages and caller notifications appear to originate from trusted executives or coworkers.

🔍 Varonis Threat Labs highlights BiDi Swap, a technique that exploits Unicode bidirectional rendering to make malicious URLs appear legitimate. By mixing Right-to-Left and Left-to-Right scripts, attackers can visually move parameters, paths, or subdomains into the apparent host name to facilitate phishing and spoofing. Browser defenses vary — some highlight domains or flag lookalikes while others leave gaps — so the report urges user caution and vendor improvements.

🚨 Unit 42 attributes a widespread smishing campaign to the Smishing Triad that uses urgent SMS messages and realistic phishing pages to impersonate toll, delivery and other critical services. Since April 2024 the operation has registered and churned over 194,000 malicious domains and 136,900 root domains, leveraging a Hong Kong registrar while primarily hosting on U.S. cloud infrastructure. The campaign appears powered by a large phishing-as-a-service ecosystem and seeks PII, credentials and payment data. Advanced URL Filtering and Advanced DNS Security provide protections; contact Unit 42 Incident Response for urgent help.

🔍 Cybersecurity researchers have uncovered a large-scale investment scam that impersonated Singapore’s top officials, including Prime Minister Lawrence Wong and Minister K Shanmugam, to promote a fraudulent forex platform. The campaign used verified Google Ads, hundreds of fake news domains and deepfake videos, funneling victims through multiple redirects to a Mauritius-registered trading site. Group-IB reported advanced evasion techniques and localized targeting to show scam pages only to Singaporean users, pressuring many to invest and then blocking withdrawals.

🔒 LastPass has confirmed it was not breached after detecting a targeted phishing campaign that mimicked its branding. The emails used the subject line "We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security" and came from spoofed senders such as hello@lastpasspulse.blog and hello@lastpassgazette.blog. Links in the messages redirected recipients to phishing sites (lastpassdesktop.com and lastpassgazette.blog), and attackers have also registered lastpassdesktop.app for potential follow-ups. Cloudflare is displaying warnings and LastPass said it is working to have the malicious domains taken down.

🔍 Cyber criminals continue to favor familiar brands, with Microsoft used in 40% of all brand impersonation attempts in Q3 2025, according to Check Point Research’s Brand Phishing Report. Google represented 9% and Apple 6%, and together these tech giants comprised more than half of brand-related phishing activity. The findings highlight persistent targeting of the technology sector and underscore the need for stronger defenses and user awareness.

📱 SEKOIA warns that unknown actors have been abusing Milesight industrial cellular routers to send phishing SMS messages across Europe since at least February 2022. The attackers exploited exposed SMS-related APIs — linked to a patched information disclosure flaw (CVE-2023-43261) — to dispatch typosquatted URLs impersonating government platforms, banks, postal and telecom providers. Of roughly 18,000 such routers visible on the public internet, SEKOIA identified about 572 potentially vulnerable devices, roughly half located in Europe. The campaigns used JavaScript-based mobile checks and domains that disabled debugging and logged visitors to a Telegram bot, indicating operational measures to hinder analysis.

🔒 The National Crime Agency and The Law Society have warned that UK house buyers faced average losses of £82,000 from payment diversion fraud over the past year. This form of payment diversion fraud (PDF) — a type of business email compromise — relies on hijacked or spoofed emails and lookalike domains to alter bank transfer instructions. The campaign urges solicitors and conveyancers to tighten checks and advises clients to verify bank details, use strong passwords, avoid public Wi‑Fi and transfer small initial amounts to confirm receipt.

🔗 A new online tool converts benign web addresses into deliberately sketchy-looking links that mimic phishing or malware landing pages. The creator's example transforms www.schneier.com into a URL with domains like cheap-bitcoin.online and appended query strings that resemble exploit payloads. Security observers note the service highlights how easily visual trust cues can be subverted. It is a timely reminder for defenders and users to verify URLs beyond surface appearance.

⚠️ The FBI has issued a public service announcement warning that threat actors are creating spoofed versions of the IC3 cybercrime reporting site to steal personally identifiable information and facilitate fraud. The agency advises typing www.ic3.gov directly, avoiding sponsored search results and mismatched URLs, and never paying anyone claiming to be IC3 staff. Victims should report impersonation attempts to the legitimate IC3 portal and provide full details.

🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute an Atomic-infostealer targeting macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.

🔒 Domain-based attacks that exploit DNS and registered domains are rising in frequency and sophistication, driven heavily by AI. Attackers increasingly blend website spoofing, email domain impersonation, subdomain hijacking, DNS tunnelling and automated domain-generation (DGAs) to scale campaigns and evade detection. Many proven protections—Registry Lock, DNSSEC, DNS redundancy and active domain monitoring—remain underused, leaving organizations exposed. Security teams should adopt preemptive scanning, layered DNS controls, strict asset ownership and employee training to limit impact.

🚨 U.S. and Dutch authorities dismantled VerifTools, an illicit marketplace that produced and sold counterfeit driver's licenses, passports, and other identity documents used to bypass verification systems and facilitate fraud. Two domains and a blog were seized and redirected to an FBI splash page after servers in Amsterdam were confiscated. The FBI linked roughly $6.4 million in illicit proceeds to the service, which offered forged documents for as little as $9. Operators have since signaled a relaunch on a new domain.