#infobloxthreatintel

1 post, 1 participant, 0 posts today

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

For one reason or another, some domain registrars seem to attract threat actors. This leads to domains registered through these registrars having higher associated risk. Unlike TLD reputation scores, which are fairly consistent from month to month, registrar reputation scores can vary quite a bit month to month. In fact, this month's riskiest registrar, Dominit (HK) Ltd., increased from a score of 7 to 9 and jumped a whopping 29 spots to reach #1.

An explanation and minimum-working-example of our reputation algorithm can be found here: blogs.infoblox.com/threat-inte

Last week, we discussed the riskiest TLDs of March. Our reputation algorithm is generic, meaning it can be applied to virtually *any* type of data (read more here: blogs.infoblox.com/threat-inte). This time, we'll take a look at the riskiest mail servers we've identified this month. Top of the list? all-harmless[.]domains -- the irony isn't lost on anyone.

These mail servers attract phishing actors like honey does flies -- serving such lovely domains as bbva-web-soporte[.]com and kutxabank-movil-app[.]com. Additionally, we've identified one FunNull / Polyfill domain (69558[.]vip) using both baidu[.]com and shifen[.]com mail servers.

Threat actors often have their favorite TLDs. This month we've found the following TLDs to have the highest risk. The top 5 retain their spot from last month, with the TLD .bond topping the chart with a risk score of 10. This is rare and only happens when the percentage of risky domains is at least 4.5 standard deviations above the mean. Congratulations, I guess?

An explanation and minimum-working-example of our reputation algorithm can be found here: blogs.infoblox.com/threat-inte
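As an added worked example (not Infoblox's algorithm or code; their own minimum working example is at the link above), here is a z-score reputation scheme run over constructed per-TLD counts. The only fact it takes from the post is that a score of 10 requires the risky-domain percentage to be at least 4.5 standard deviations above the mean; the population standard deviation, the linear 1..10 mapping, the sample counts and the TLD names are all assumptions.

```python
"""Z-score reputation scoring over per-TLD risky-domain percentages.

Added example, not Infoblox's code. Fact taken from the post: a score of 10
requires the risky percentage to be >= 4.5 standard deviations above the
mean. Assumptions: population standard deviation, a linear 1..10 mapping
(1 + floor(9 * z / 4.5), clamped) so that exactly z >= 4.5 yields 10, and
the constructed counts below.
"""
import math
from statistics import mean, pstdev

# Constructed sample: tld -> (risky_domains, total_domains). Not real data.
SAMPLE_COUNTS = {
    "bond": (6000, 10000),
    "com": (100, 10000), "net": (150, 10000), "org": (200, 10000),
    "info": (250, 10000), "io": (300, 10000), "xyz": (120, 10000),
    "top": (180, 10000), "shop": (220, 10000), "online": (140, 10000),
    "site": (160, 10000), "club": (210, 10000), "icu": (130, 10000),
    "lat": (170, 10000), "click": (190, 10000), "fun": (230, 10000),
    "life": (110, 10000), "store": (240, 10000), "cloud": (260, 10000),
    "space": (280, 10000), "sbs": (145, 10000), "vip": (175, 10000),
}


def risky_percentages(counts):
    """Percentage of risky domains per key."""
    return {k: 100.0 * risky / total for k, (risky, total) in counts.items()}


def z_scores(values):
    """Standard score of each value against the population of all values."""
    vals = list(values.values())
    mu, sigma = mean(vals), pstdev(vals)
    if sigma == 0:
        return {k: 0.0 for k in values}
    return {k: (v - mu) / sigma for k, v in values.items()}


def reputation_score(z, top_sigma=4.5):
    """Map a z-score to 1..10; reaches 10 only when z >= top_sigma (assumed linear ramp)."""
    raw = 1 + math.floor(9 * z / top_sigma)
    return max(1, min(10, raw))


def score_all(counts, top_sigma=4.5):
    """Score every key in counts."""
    zs = z_scores(risky_percentages(counts))
    return {k: reputation_score(z, top_sigma) for k, z in zs.items()}


def max_attainable_z(n):
    """Upper bound on any single z-score among n values under the population std dev."""
    return math.sqrt(n - 1)


if __name__ == "__main__":
    zs = z_scores(risky_percentages(SAMPLE_COUNTS))
    ranked = sorted(score_all(SAMPLE_COUNTS).items(), key=lambda kv: -kv[1])
    for tld, score in ranked:
        print(f"{tld:8s} z={zs[tld]:+6.2f} score={score}")
    n = len(SAMPLE_COUNTS)
    print(f"largest z reachable with {n} entries: {max_attainable_z(n):.2f}")
```

One reason a 10 is rare falls straight out of the arithmetic: with the population standard deviation, no single value among n can sit more than sqrt(n-1) sigmas from the mean, so a 4.5-sigma outlier is impossible until the population has at least 22 entries, and even then only when the rest are tightly clustered.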

A huge body of work coming from a 1.9TB data leak around crypto scams began dropping this week. There are 32 news organizations involved including our friends at Qurium.
We're going to compare notes and see how our previous reporting on crypto scams align with theirs, though we did see in one of the several pieces the names of two Vextrio companies. So that's fun.
This page has several independent pieces in it so you do have to poke about to get everything. More pieces will be released in the coming days.

qurium.org/scam-empire/
occrp.org/en/project/scam-empi

#scam #threatintel #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #crypto

www.qurium.org: The Scam Empire – Qurium Media Foundation

While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.

The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.

consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>

#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel

urlscan.io/result/802374b7-6c8
urlscan.io/result/721b12bb-d5f

urlscan.io: detranma.vercel.app - Website scanner for suspicious and malicious URLs
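The indicators in these posts arrive defanged (`[.]`) and, for the DETRAN cluster, as one label followed by a `<tld|tld|...>` set. The following added example (my code, not Infoblox's tooling) refangs the "Block these" list from the Social Security post above, expands the DETRAN patterns into concrete names, validates each as a hostname, and emits response policy zone (RPZ) records that return NXDOMAIN for the name and its subdomains. The indicator strings are copied from the posts; the zone layout and helper names are my own.

```python
"""Refang defanged indicators, expand label.<tld|tld> patterns, emit RPZ records.

Added example, not Infoblox's code. Input strings below are copied from the
posts; everything else (function names, RPZ layout) is an assumption.
"""
import re

# Defanged domains from the "Block these" list in the Social Security post.
DEFANGED = [
    "user2ilogon[.]es", "viewer-ssa-gov[.]es", "wellsffrago[.]com",
    "nf-prime[.]com", "deilvery-us[.]com", "wllesfrarqo-home[.]com",
    "nahud[.]com.",
]

# label.<tld|tld|...> patterns from the DETRAN lookalike post.
PATTERNS = [
    "consultes-seu-debitos2025.<space|site|shop|cloud>",
    "debitos-sp-2025.<club|com|lat|net|online|store|xyz>",
    "de3trasn2025.<click|fun|life|online|xyz>",
    "departamentodetran2025.<click|icu|lat>",
    "detran2025.<click|icu|lat|sbs>",
    "l1cenciamento-detran2025.<click|icu|lat|sbs>",
]

PATTERN_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*)\.<([a-z0-9]+(?:\|[a-z0-9]+)*)>$")
# RFC 1123 style labels, 1-63 chars, alphabetic TLD, whole name <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(ioc):
    """Turn a defanged indicator back into a plain lowercase hostname."""
    name = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return name.rstrip(".")


def expand_pattern(pattern):
    """Expand 'label.<a|b|c>' into ['label.a', 'label.b', 'label.c']."""
    m = PATTERN_RE.match(pattern.strip().lower())
    if not m:
        raise ValueError(f"not a label.<tld|...> pattern: {pattern!r}")
    label, tlds = m.groups()
    return [f"{label}.{tld}" for tld in tlds.split("|")]


def valid_hostname(name):
    """Reject anything that could not be a DNS hostname (e.g. stray characters)."""
    return HOSTNAME_RE.match(name) is not None


def build_blocklist(defanged, patterns):
    """Merge refanged indicators and expanded patterns into a validated, sorted list."""
    names = {refang(ioc) for ioc in defanged}
    for p in patterns:
        names.update(expand_pattern(p))
    bad = sorted(n for n in names if not valid_hostname(n))
    if bad:
        raise ValueError(f"invalid hostnames: {bad}")
    return sorted(names)


def rpz_records(names):
    """RPZ rules: 'name CNAME .' answers NXDOMAIN; the wildcard covers subdomains."""
    records = []
    for n in names:
        records.append(f"{n} CNAME .")
        records.append(f"*.{n} CNAME .")
    return records


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED, PATTERNS)
    print(f"; {len(blocklist)} names, {2 * len(blocklist)} RPZ records")
    for line in rpz_records(blocklist):
        print(line)
```

The records are owner-name relative, so they drop into an RPZ zone file under whatever SOA/NS header your resolver expects; validating every name first matters because a single malformed owner makes most servers refuse to load the whole zone.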

The hack that turned the US government website of the Center for Disease Control into a porn site turns out to be more interesting than I originally thought. And that's not just because the CDC has not done anything to fix the problem 24 hours later...
 
Yesterday we found that a number of universities, enterprises and other government sites have been hacked by the same actor. Visiting the specific URLs takes you into a malicious adtech traffic distribution system (TDS). Depending on your device and location, you might get the pornography, but you also might get other scams like scareware. From my sacrificial phone, I was able to trigger a bunch of push notification requests.
 
Bottom Line: malicious adtech pays, their TDS allow actors to hide, and hackers are quite happy to compromise well known websites to get that money. But it's not just about scams, these types of techniques are frequently used for delivering information stealers, which lead to breaches.
 
Here's a few notes about the attack:
* The site is modified to add pages which attempt to load a specific image name. If that isn't there, then it redirects to the actor controlled malicious domain which funnels into the TDS
* The actor seems to be using blogspot for this now, but previously used a tiny URL. From here they will go to adtech TDS.
* There were what seemed possible to be dangling CNAME records in many cases, but in some of them there didn't appear to be any issues with the DNS records. I suspect a combo of accesses.
* In cases where there's no apparent DNS record issue, the legit site seems to be hosting in GitHub. Perhaps they have a credential compromised.
* I saw at least two adtech companies used, Adsterra and Roller Ads. These are checking for VPN and anonymous proxies before serving the final landing page.
* This image redirect actor seems to be riding off of a different actor who originally hacked the site, uses SEO poisoning techniques, and hacked universities to host porn content.
 
I put a bunch of images in imgur.
 
Thanks Krebs for the lead.
 
#dns #cybercrime #cybersecurity #infosec #adtech #malware #scam #threatintel #tds #InfobloxThreatIntel

imgur.com/a/cdc-website-hijack
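The notes above mention dangling CNAME records as one probable way in. A dangling CNAME is an alias whose target no longer resolves; if the target is in a service where anyone can claim the name, the alias can be taken over. The added example below (my code, not Infoblox's) walks CNAME chains over a constructed in-memory record table that stands in for real DNS lookups, and reports aliases that end in NXDOMAIN. All hostnames are placeholders under example.org and .test; swap the table for a real resolver call to run it against your own zones.

```python
"""Find dangling CNAME records in a zone.

Added example, not Infoblox's tooling. FAKE_DNS is a constructed record
table used in place of live DNS; names are placeholders.
"""

# Constructed records: owner -> [(rtype, rdata)]. Missing owner == NXDOMAIN.
FAKE_DNS = {
    "www.example.org.": [("CNAME", "site-host.example-pages.test.")],
    "site-host.example-pages.test.": [("A", "192.0.2.10")],
    "old.example.org.": [("CNAME", "retired-app.example-hosting.test.")],
    # retired-app.example-hosting.test. is absent: the alias dangles.
    "cdn.example.org.": [("CNAME", "alias.example.org.")],
    "alias.example.org.": [("CNAME", "missing.example-cdn.test.")],
    "loop-a.example.org.": [("CNAME", "loop-b.example.org.")],
    "loop-b.example.org.": [("CNAME", "loop-a.example.org.")],
    "mail.example.org.": [("A", "192.0.2.25")],
}


def follow_cname(name, table, max_hops=8):
    """Follow CNAMEs from name; return (final_name, chain, status).

    status is one of: resolves, no-address, nxdomain, loop, too-many-hops.
    """
    chain, seen, cur = [name], {name}, name
    for _ in range(max_hops):
        rrs = table.get(cur)
        if rrs is None:
            return cur, chain, "nxdomain"
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            has_addr = any(rtype in ("A", "AAAA") for rtype, _ in rrs)
            return cur, chain, "resolves" if has_addr else "no-address"
        cur = cnames[0]
        chain.append(cur)
        if cur in seen:
            return cur, chain, "loop"
        seen.add(cur)
    return cur, chain, "too-many-hops"


def dangling_cnames(table):
    """Return sorted (owner, unresolvable_target) pairs for every dangling alias."""
    findings = []
    for owner, rrs in table.items():
        if any(rtype == "CNAME" for rtype, _ in rrs):
            final, _chain, status = follow_cname(owner, table)
            if status == "nxdomain":
                findings.append((owner, final))
    return sorted(findings)


if __name__ == "__main__":
    for owner, target in dangling_cnames(FAKE_DNS):
        print(f"DANGLING {owner} -> {target} (NXDOMAIN)")
    for owner in ("www.example.org.", "loop-a.example.org."):
        print(owner, follow_cname(owner, FAKE_DNS)[2])
```

An NXDOMAIN target is the strongest signal, but not the only one: a target that resolves to a hosting provider's shared endpoint can still be claimable if the provider has no record binding it to your account, so treat the NXDOMAIN list as the first pass and review the provider-hosted targets by hand.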


We researched the domains involved and found that some had been registered at NiceNIC, which we recognize as a problematic registrar located in China. This connection to China aligns with the type of pig-butchering / fake crypto platform scams that we're seeing. What makes this case unique is the use of political disinformation as a lure.

An important lesson here is how adtech is being misused to facilitate disinformation and fraud. This is a trend you're probably familiar with if you've been following our content.

Sample of identified domains: ecno26r4jj[.]com, affiltrack5681[.]com, client[.]fx-trinity[.]com, smartbrokerreviews[.]top

#pigbutchering #scam #disinformation #canada #dns #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel
3/3

We have detected a recent malware campaign originating from a Türkiye IP. The campaign involved SnakeKeyLogger and XWorm, sent via emails primarily from `mail.haselayakkabi[.]com[.]tr` (SMTP IP: 45[.]144[.]214[.]104). The subject line was "<Recipient> received a new documents" with attachments like "SCS AWB and Commercial Invoice.rar" and a PNG of the Dropbox logo. Be cautious and stay safe!
The combination of XWorm and SnakeKeyLogger represents a significant threat to privacy, and is capable of stealing passwords, recording keystrokes, and exfiltrating the data using SMTP and Telegram.

Malware Analysis: tria.ge/250205-bqhf9stndn
Stay vigilant, everyone! 💻🔒

#malware #snakekeylogger #xworm #phishing #dns #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel

tria.ge: snakekeylogger | 512c9cc2ff12a390c6d3e9cb8c333230116361297920d724fbd847d4b6e1c7cc | Triage. Check this snakekeylogger report malware sample 512c9cc2ff12a390c6d3e9cb8c333230116361297920d724fbd847d4b6e1c7cc, with a score of 10 out of 10.

Uh-oh! We're seeing an uptick in newly observed domains related to tariffs. Most concerning are those offering 'tariff exclusions' or 'tariff rebates.' Additionally, various domains, both supporting and opposing the tariffs, are emerging from all over the world.
An influx of new domains on a topic like this indicates a high potential for fraud, disinformation, or manipulation. Turbulent times create opportunities for scammers to exploit uncertainty. Don't fall for offers of rebates or exceptions to the tariffs. Get your news from trusted sources, and if confronted with an unexpected popup notification or website, remember there's no need to act urgently.

Here are some examples of newly registered domains we've seen: tariffexemptions[.]com, tariffrebatespecialists[.]com, and tariff-mitigation[.]xyz.

#phishing #dns #scam #fraud #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel

Mastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account.

We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users.

There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster.

For our fellow security nerds... this was #vidar malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d
and a c2 IP 78[.]47[.]227[.]68 from the instance.
There is still at least one more Mastodon instance impacted that we are trying to reach.

#malware #stealer #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #fakeaccounts #c2

Some days ago, one of our specialists received a call from a scammer - who even knew his name - and he didn't miss the opportunity to potentially gather some threat intelligence.

The scammer said he was from a company called Blockchain and wanted to inform him that his Bitcoin wallet hadn't been touched for a long time. Don't you think that's really nice of Blockchain?

Of course, our specialist knew what to do. He asked for the company website, and the scammer eagerly provided it. After running the domain through our data, it turns out it is owned by (surprise, surprise) a crypto gang running their scams out of Georgia and Israel.

How does this scam work? This group creates extensive networks of fake trading websites promising high returns. To profit, victims just need to share their phone numbers. They are then contacted by multilingual call centers and encouraged to "invest" in crypto, AI, or other ventures. The fake website shows the victim's assets increasing in value, prompting further engagement. The criminals continue to call and entice victims to deposit more money. Unfortunately, the victim won't profit from this.

As DNS experts, we have been monitoring their infrastructure for a while now, and they have 1,133 other domains such as:

- apexcapitalmarket[.]com
- bitmininexpert[.]com
- coinfxbrokers[.]com
- cryptorinfo[.]com
- goldcapitalstocks[.]net
- kingstrades[.]net
- profxcapitalgroup[.]com
- smartcointrades[.]com
- stocktradefastminers[.]com
- tradeproinvest[.]com
- trusttrade21[.]com

Here is a reporting reference: eurojust.europa.eu/news/suppor

#Infoblox #ThreatIntel #infosec #cybercrime #scam #cybersecurity #infobloxthreatintel #dns #domains #iocs #crypto #cryptoscams

Eurojust: Support for the arrest of online scammers in Georgia and Israel. With Eurojust’s support, authorities in Germany, Georgia and Israel have dismantled a criminal network operating various online trading platforms, defrauding victims of at least tens of millions of euros. During a series of actions in Georgia and Israel last week, 11 suspects were arrested, and real estate, luxury vehicles, communication equipment and cash were seized, for a yet unknown amount.

We've been collaborating with SURBL on some shady adtech hunting. I threw one of the domains they shared into my sacrificial phone and found an AT&T scareware scam that led to TotalAV. These domains are passed via SMS messages to the victims.

As usual there is a traffic distribution system (TDS) in play here, so I started at one domain and landed at another. Entry was fbkzy80[.]azotuto[.]xyz. Naturally I was asked to allow push notifications along the way. This chat is preprogrammed so no matter what you do you end up at TotalAV. Scammers get commission.

DNS to block: azotuto[.]xyz, scanavtoday[.]com, safetrcktoday[.]com
Some of the TDS chains are in urlscan.

#threatintel #cybercrime #cybersecurity #infosec #scam #infoblox #InfobloxThreatIntel

Here's a video of the experience. lnkd.in/gA5pvViV