shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

#infoblox

Infoblox Threat Intel<p>We've seen it before, but it bears highlighting again: current affairs always lead to a domain gold rush! The newly announced "America Party" has already triggered a wave of sketchy-looking domain registrations, many using the .party TLD. Several redirect to rawdiary[.]com, a five-month-old site hosting third-party articles from sources like OANN, Newsmax and Breitbart, as well as more moderate sources like the FT and the BBC. Others are parked. These domains aren’t inherently malicious, but they're certainly opportunistic and built to look like news. Web content flips fast, so here’s a snapshot of domains unlikely to have been registered for anything in good-faith:</p><p>ameirca[.]party<br>amerca[.]party<br>amercia[.]party<br>americs[.]party<br>amerika[.]party<br>ameroca[.]party<br>ameruca[.]party<br>hyperamerica[.]party<br>theunitedstates[.]party<br>americanparty[.]pics<br>americanparty[.]vip<br>americaparty[.]ink<br>americaparty[.]town<br>theamericanparty[.]vip<br>americanparty[.]pro</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/americaparty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>americaparty</span></a> <a href="https://infosec.exchange/tags/osint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>osint</span></a> <a href="https://infosec.exchange/tags/typosquatting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>typosquatting</span></a></p>
Infoblox Threat Intel<p>Let us introduce "La Fnac". As some of you may already know, La Fnac is a French retailer, and like most large retailers, they want to sell the coolest things that everyone is talking about. That's why, in 2008, they launched their most innovative service yet: an online portal where you could download the latest must-have ringtone for your flip phone.<br> <br>Of course, they didn't build that online portal themselves. They subcontracted that to another company, and to use their services, they set up a subdomain: 'sonneries-logos.fnac[.]com' on their corporate domain to use a CNAME record that the subcontractor then managed.<br>You should know where this is going now. It seems clear that La Fnac forgot to remove this alias from their DNS after the service was retired. Surprisingly, they weren't alone! In 2017 (much later than we expected), when the CNAME record became dangling, there were 2 European tech companies that still had aliases pointed to it.<br> <br>So, when that ringtone download service started seeing activity again in 2025, it wasn't because of a sudden nostalgic resurgence in late naughties ringtones. Obviously, it was hijacked, and used to redirect people to various fake survey scam webpages.<br> <br>The longer a company exists, the more tech debt it accumulates, which in the case of DNS can mean greater susceptibility to domain hijacking via dangling DNS records. This is not something exclusive to small companies, or companies with smaller tech teams. We've seen this issue affecting large organisations too. 
If something as cool as downloading ringtones on your flip phone can be forgotten about, don't be surprised when in 20 years, attackers start leveraging the tech debt you are currently procrastinating over.<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Renée Burton<p>The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering. </p><p>VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. All your bases belong to Russian adtech hackers.</p><p>Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. <span class="h-card" translate="no"><a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>briankrebs</span></a></span> tried to make the main points a lot more consumable -- and wrote a fabulous complementary article : read both! </p><p>There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. And more. </p><p>We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.</p><p>Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere. 
</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfobloxThreatIntel</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> </p><p><a href="https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/" rel="nofollow 
noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/</span></a></p><p><a href="https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/06/in</span><span class="invisible">side-a-dark-adtech-empire-fed-by-fake-captchas/</span></a></p>
KrebsOnSecurity RSS<p>Inside a Dark Adtech Empire Fed by Fake CAPTCHAs</p><p><a href="https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/06/in</span><span class="invisible">side-a-dark-adtech-empire-fed-by-fake-captchas/</span></a></p><p> <a href="https://burn.capital/tags/Ne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ne</span></a>'er-Do-WellNews <a href="https://burn.capital/tags/SkyForgeDigitalAG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SkyForgeDigitalAG</span></a> <a href="https://burn.capital/tags/ALittleSunshine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ALittleSunshine</span></a> <a href="https://burn.capital/tags/PartnersHouse" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PartnersHouse</span></a> <a href="https://burn.capital/tags/Doppelganger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Doppelganger</span></a> <a href="https://burn.capital/tags/WebFraud2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFraud2</span></a>.0 <a href="https://burn.capital/tags/AimedGlobal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AimedGlobal</span></a> <a href="https://burn.capital/tags/ReneeBurton" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReneeBurton</span></a> <a href="https://burn.capital/tags/TeknologySA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TeknologySA</span></a> <a href="https://burn.capital/tags/ByteCoreAG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ByteCoreAG</span></a> <a href="https://burn.capital/tags/smartlinks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>smartlinks</span></a> <a 
href="https://burn.capital/tags/Spamshield" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spamshield</span></a> <a href="https://burn.capital/tags/LosPollos" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LosPollos</span></a> <a href="https://burn.capital/tags/wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wordpress</span></a> <a href="https://burn.capital/tags/DollyWay" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DollyWay</span></a> <a href="https://burn.capital/tags/Holacode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Holacode</span></a> <a href="https://burn.capital/tags/Infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infoblox</span></a> <a href="https://burn.capital/tags/TacoLoco" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TacoLoco</span></a> <a href="https://burn.capital/tags/BroPush" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BroPush</span></a> <a href="https://burn.capital/tags/GoDaddy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoDaddy</span></a> <a href="https://burn.capital/tags/HelpTDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HelpTDS</span></a> <a href="https://burn.capital/tags/RichAds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RichAds</span></a> <a href="https://burn.capital/tags/VexTrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VexTrio</span></a> <a href="https://burn.capital/tags/AdsPro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AdsPro</span></a> <a href="https://burn.capital/tags/Qurium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Qurium</span></a> <a href="https://burn.capital/tags/RexAds" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>RexAds</span></a></p>
Infoblox Threat Intel<p>Selling your car? Scammers still have it 'VIN' for you!<br> <br>We've recently seen a large cluster of domains hosting fake Vehicle Identification Number (VIN) lookup sites — and private car sellers are the target.<br> <br>While this trick isn’t new, it still catches many off guard — especially first-time sellers. Here’s how it usually plays out:<br> <br>- You list your car on platforms like AutoTrader, Craigslist, or Facebook Marketplace.<br>- You're contacted by a keen 'buyer', perhaps asking a few questions to build trust.<br>- The buyer then asks *you* to get a VIN report — but only from a site *they* provide.<br> <br>Red flag: Legitimate buyers wanting to know a vehicle's history are to be expected - they may ask for the VIN to do this themselves - but insisting on a specific site is a classic scam move.<br> <br>Here’s what happens next:<br> <br>- You enter your VIN on the fake site - it teases you with basic info like make and model.<br>- To get the 'full report' you’re asked to pay $20–$40.<br>- At best, you're sent to a legitimate payment provider — but the money goes straight to the scammer.<br>- At worst, you've just entered your card details into a phishing site.<br> <br>Got your report? Good luck contacting that buyer, they're 'Audi 5000' — long gone. As for the report, it's usually worthless — no odometer readings, no previous owners, no insurance history - and of no value to you or a legit buyer.<br> <br>Unsurprisingly, 'VIN' features in their devious domain names, and at the time of writing we identified a large cluster using it with U.S. states and locations, for example:<br> <br> - goldstatevin[.]com<br> - gulfstatevin[.]com<br> - kansasvin[.]com<br> - misissippivin[.]com<br> - utahvincheck[.]com<br> <br>These have since gone offline, hopefully for good. 
They're not alone though, the following domains appear to target sellers in Australia and are currently active:<br> <br> - proregocheck[.]com<br> - smartcheckvin[.]com<br> - smartvincheck[.]com<br> - vincheckzone[.]com<br> <br>Tip: If a buyer wants a VIN report, let them sort it out — or use a trusted provider of your own. If they refuse? Tell 'em to hit the road!<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>Our latest blog is out! It covers a rising issue that many major organizations experience: Subdomain hijacking through abandoned cloud resources.<br> <br>This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.<br> <br>We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.</p><p><a href="https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a 
href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/HazyHawk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HazyHawk</span></a></p>
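Both the La Fnac post above (a vendor-managed CNAME left in the zone after the service was retired) and the Hazy Hawk post (subdomains aliased to cloud resources nobody owns any more) come down to the same hygiene check: for every CNAME in your zone, does the target still resolve, and if not, is it on a provider where anyone can register that hostname? The following is an added example written for this timeline, not Infoblox's or the posts' own code. The zone export, the vendor hostnames and the resolution table are constructed, and the cloud suffix list is an illustrative assumption rather than a complete one.

```python
"""Audit a zone export for dangling CNAME records.

Added example, not Infoblox code. Record names, vendor hostnames and the
resolver table are constructed; TAKEOVER_PRONE_SUFFIXES is an assumed,
illustrative list.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hosting suffixes where an unclaimed hostname can be registered by anyone,
# so an unresolved CNAME target under them is a takeover candidate (assumed list).
TAKEOVER_PRONE_SUFFIXES = (
    ".z1.web.core.windows.net",
    ".netlify.app",
    ".pages.dev",
    ".ondigitalocean.app",
)


@dataclass
class Finding:
    name: str             # the record in our own zone
    target: str           # where the CNAME points
    takeover_prone: bool  # target sits on a self-service cloud suffix
    reason: str


def parse_cnames(zone_text: str, origin: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for CNAME lines of a simple zone export.

    Handles relative owners (appended to origin), absolute names with a
    trailing dot, and ';' comments. Not a full RFC 1035 parser (simplification).
    """
    pairs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3 or "CNAME" not in [f.upper() for f in fields]:
            continue
        owner, target = fields[0], fields[-1]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}."
        pairs.append((owner.rstrip(".").lower(), target.rstrip(".").lower()))
    return pairs


def find_dangling(pairs: List[Tuple[str, str]], resolve: Callable[[str], bool]) -> List[Finding]:
    """Flag CNAMEs whose target no longer resolves.

    `resolve(host)` returns True when the target has an address. Some providers
    answer DNS for any name even when nobody owns the resource; for those an
    HTTP check for the provider's "not found" page is needed on top of this.
    """
    findings = []
    for owner, target in pairs:
        if resolve(target):
            continue
        prone = target.endswith(TAKEOVER_PRONE_SUFFIXES)
        reason = ("target does not resolve and its suffix allows self-service registration"
                  if prone else "target does not resolve (vendor gone or hostname deleted)")
        findings.append(Finding(owner, target, prone, reason))
    return findings


def table_resolver(known: Dict[str, bool]) -> Callable[[str], bool]:
    """Offline resolver backed by a constructed table (for demos and tests)."""
    return lambda host: known.get(host, False)


def socket_resolver(host: str) -> bool:
    """Live resolver using the stdlib; any lookup failure counts as unresolved."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


# Constructed zone export: a retired vendor alias, a forgotten static-site
# alias on a cloud provider, and a healthy CDN alias.
SAMPLE_ZONE = """
$ORIGIN example.com.
www              3600 IN A     203.0.113.10
sonneries-logos  3600 IN CNAME ringtones.retired-vendor.example.  ; ringtone portal, 2008
assets           3600 IN CNAME oldsite.z1.web.core.windows.net.   ; static site, owner left
cdn              3600 IN CNAME edge.good-vendor.example.
"""

# Constructed resolution table: only the CDN vendor still answers.
SAMPLE_RESOLUTION = {"edge.good-vendor.example": True}


def audit_sample() -> List[Finding]:
    pairs = parse_cnames(SAMPLE_ZONE, "example.com")
    return find_dangling(pairs, table_resolver(SAMPLE_RESOLUTION))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Swap `table_resolver(...)` for `socket_resolver` to run it against a real zone export; the ordering of findings follows the zone, so the 2008 vendor alias surfaces first and the cloud alias, the one somebody else could register, is marked `takeover_prone`.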
Infoblox Threat Intel<p>Over the past few years, we've been discussing our research into Traffic Distribution Systems (TDSs), especially those that power malicious adtech. We've created this cheatsheet to help those unfamiliar with TDSs get up to speed. Tell us what you think and if there are any other cheatsheets you feel would be helpful!</p><p><a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a></p>
Infoblox Threat Intel<p>There is another Lizard on the radar! Looming Lizard is an actor creating hundreds of lookalike domains impersonating popular banks and telecommunication companies targeting Spanish-speaking countries, such as Mexico. Not only are they lookalikes, but they are also RDGAs (Registered DGAs), with new domains created on a daily basis. These are some of the entities they impersonate: </p><p>- Banks: Banorte, BBVA, Citi, HSBC, Itaú, Santander, Scotiabank<br>- Telecommunications: AT&amp;T, BTC, Claro, Liberty, Movistar, Telcel, Tigo <br>- Others: post offices, department stores, energy companies</p><p>For one of the lookalikes to Tigo (tigoppy[.]club), the actor was kind enough and offered the ability to trade our (fake) account points for nice prizes (wink wink). Sample of domains for each mentioned company: </p><p>- banortex[.]vip, banortepmex[.]store, banorteoi[.]icu, banorteoi[.]sbs, banortebc[.]top <br>- bbvamex[.]xin, bbvamex[.]xyz, bbvamxn[.]cyou, bbvamxn[.]store, bbvamxn[.]sbs <br>- citiprr[.]top, citipr[.]top, citipr[.]vip, citiipir[.]top, citiipir[.]vip <br>- mex-hsbc[.]xyz, mexhsbc[.]icu, mex-hsbc[.]icu, mex-hsbc[.]xin, mexhsbck[.]pro <br>- itauupy[.]top, ittau[.]top, itauupyi[.]top, itaui[.]cfd, itaupy[.]top <br>- santander-mex[.]xin, santandermox[.]vip, santander-mex[.]sbs, santander-mex[.]icu, santandermox[.]xyz <br>- scotiabank-mx[.]xyz, scotiabok[.]xyz, scotiiiai[.]vip, scotiabanukmx[.]sbs, scotiiiai[.]xin <br>- attmiex[.]pro, att-com-mx[.]top, attmmex[.]xyz, att-com-mx[.]xin, attmmex[.]vip <br>- btcbahamass[.]vip, btcbahamasni[.]vip, btcbahamasni[.]xin, btcbahamasi[.]top, btcbahamasni[.]top <br>- claroar[.]top, claroec[.]vip, clarosv[.]top, claropy[.]vip, clarolo[.]top <br>- liberty-cr[.]xyz, liberty-cr[.]vip, liberty-cr[.]icu, liberty-cr[.]xin, liberty-cr[.]cc <br>- movisstar[.]pro, movisstar[.]xyz, movistar-uy[.]xin, movisstar[.]sbs, movistarui[.]icu <br>- telcelsi[.]top, telcelt[.]bond, telcele[.]info, telceln[.]qpon, telcel0[.]online 
<br>- tiiigopy[.]xyz, tigosv[.]top, tigosv[.]cc, tigosvi[.]top, tigoipy[.]top <br> <br><a href="https://urlscan.io/result/375469cb-d1ac-4b91-8dbe-18c5f42d427d/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/375469cb-d1a</span><span class="invisible">c-4b91-8dbe-18c5f42d427d/</span></a><br><a href="https://urlscan.io/result/019656a1-67b5-7007-acc9-8834551420f7/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">urlscan.io/result/019656a1-67b</span><span class="invisible">5-7007-acc9-8834551420f7/</span></a> <br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/lookalike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lookalike</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a 
href="https://infosec.exchange/tags/rdga" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rdga</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
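The America Party post earlier in this feed and the Looming Lizard post above both list lookalike domains of two kinds: misspellings one or two edits from the brand (ameirca, amerika, scotiabok) and strings that embed the brand with extra labels or hyphens (hyperamerica, mex-hsbc, att-com-mx). A defender watching new registrations for their own brands wants both classes scored. The following is an added example written for this timeline, not Infoblox's or the posts' own code: it refangs the `[.]` notation the posts use, takes the label left of the TLD, and compares it to a brand watchlist with an optimal-string-alignment distance (so transpositions like "ameirca" cost one edit). The brand list and the distance threshold are assumptions; the sample domains are the ones quoted in the posts plus `example[.]com` as a control. The second-level label extraction is deliberately naive and does not consult the Public Suffix List, so `co.uk`-style suffixes would need `tldextract` or similar in real use.

```python
"""Score defanged domain lists against a brand watchlist.

Added example, not Infoblox code. BRANDS, the distance threshold and the
naive label extraction are assumptions; SAMPLE_DOMAINS are quoted from the
posts, plus example[.]com as a constructed control.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Optional, Tuple

Hit = Tuple[str, str, int]  # (kind, matched brand, edit distance)


def refang(domain: str) -> str:
    """Turn 'brand[.]tld' back into 'brand.tld' and normalise case."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def second_level_label(domain: str) -> str:
    """Naive registrable label: the label left of the last dot (assumption;
    wrong for multi-part public suffixes such as co.uk)."""
    labels = refang(domain).rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1 (so 'ameirca' is one edit from 'america')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brands: Iterable[str], max_distance: int = 2) -> Optional[Hit]:
    """Return a Hit when the domain's label embeds or closely resembles a brand.

    Hyphens are dropped before comparison so 'mex-hsbc' embeds 'hsbc'. Very
    short brands (e.g. 'att') produce containment false positives; tune the
    list per organisation.
    """
    brands = [b.lower() for b in brands]
    label = second_level_label(domain).replace("-", "")
    for brand in brands:
        if label == brand:
            return None  # exact brand label: ownership is a registrant question, not a string one
        if brand in label:
            return ("contains", brand, 0)
    best: Optional[Hit] = None
    for brand in brands:
        dist = osa_distance(label, brand)
        if 0 < dist <= max_distance and (best is None or dist < best[2]):
            best = ("edit", brand, dist)
    return best


def scan(domains: Iterable[str], brands: Iterable[str]) -> Dict[str, Hit]:
    """Map each flagged domain to its best Hit; unflagged domains are omitted."""
    brands = list(brands)
    return {d: hit for d in domains if (hit := classify(d, brands)) is not None}


# Assumed watchlist covering the brands named in the two posts.
BRANDS: List[str] = ["america", "banorte", "bbva", "citi", "hsbc", "itau", "santander",
                     "scotiabank", "att", "btc", "claro", "liberty", "movistar", "telcel", "tigo"]

# Domains quoted in the posts, plus a constructed control that should not match.
SAMPLE_DOMAINS: List[str] = [
    "ameirca[.]party", "amerika[.]party", "hyperamerica[.]party", "theunitedstates[.]party",
    "mex-hsbc[.]xyz", "scotiabok[.]xyz", "movisstar[.]pro", "att-com-mx[.]top", "example[.]com",
]

if __name__ == "__main__":
    for domain, (kind, brand, dist) in scan(SAMPLE_DOMAINS, BRANDS).items():
        print(f"{domain:28} {kind:8} {brand:12} distance={dist}")
```

`theunitedstates[.]party` is the one post-quoted domain the scan leaves alone: it is opportunistic but shares no string with any brand, which is exactly the gap a string-similarity feed has and why the posts pair it with registration timing and hosting overlap.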
Infoblox Threat Intel<p>Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (<a href="https://infosec.exchange/tags/UNODC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UNODC</span></a>) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic. </p><p>Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.<br> <br>Our part of the collaboration (pages 37-42 of the 90+ page report) was around a single actor that we can track in <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> -- naturally!<br> <br>We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault Viper develops its very own "secure gambling browser". Of course it's <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>. <br> <br>Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.<br> <br> <a href="https://www.unodc.org/roseap/en/2025/04/cyberfraud-inflection-point-mekong/story.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">unodc.org/roseap/en/2025/04/cy</span><span class="invisible">berfraud-inflection-point-mekong/story.html</span></a><br> <br>Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world. 
<br> <br>The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a>, <a href="https://infosec.exchange/tags/pigbutchering" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pigbutchering</span></a>, <a href="https://infosec.exchange/tags/humantrafficking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>humantrafficking</span></a>, <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a>, <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a>, <a href="https://infosec.exchange/tags/illegalgambling" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>illegalgambling</span></a>, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints. <br> <br>We'll be releasing a detailed report on Vault Viper in the coming months. <br> <br><a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a><br><a href="https://infosec.exchange/tags/organizedcrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>organizedcrime</span></a> <a href="https://infosec.exchange/tags/china" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>china</span></a></p>
Infoblox Threat Intel<p>“Your device has been blocked due to illegal activity” — 🙄 sure it has. After fat-fingering github[.]com, we were redirected to a domain running fake Microsoft tech support scams: pop-ups that lock your browser, shout scary messages, and push you to call a “support” number (aka the scammer who’ll walk you through installing remote access tools). </p><p>They're hosted on legit infra like Azure blobs or Cloudflare Pages. That one redirect led to uncovering 1,200+ other domains hosting identical fake support pages. Of course, whenever a redirect like this happens, there's a malicious traffic distribution system (TDS) involved.<br> <br>Examples include:<br>- tenecitur.z1.web.core.windows[.]net</p><p>- neon-kleicha-36b137[.]netlify[.]app</p><p>- us6fixyourwindowsnow[.]pages[.]dev</p><p>- microsoft-coral-app-6xv89.ondigitalocean[.]app</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a></p>
Infoblox Threat Intel<p>Online gambling operators are sponsoring charities?? If only :(</p><p>We've identified a malicious gambling affiliate whose specialty is to buy expired domain names which used to belong to charities or reputable organisations. </p><p>Once they own a domain, they host a website impersonating its previous owner, where they claim to "deeply appreciate the support from [their] sponsors", which, surprise surprise, all turn out to be dubious online gambling companies.</p><p>Because the domain they are taking over is often abandoned or managed by non-technical people, its previous owner often doesn't notify anyone that they've lost control of their website, so it continues being referenced in genuine content, and it continues getting traffic from old links scattered throughout the internet.</p><p>teampiersma[.]org (screenshots below)<br>americankayak[.]org<br>getelevateapp[.]com<br>hotshotsarena[.]com<br>nehilp[.]org<br>questionner-le-numerique[.]org<br>sip-events[.]co[.]uk<br>studentlendinganalytics[.]com<br>thegallatincountynews[.]com</p><p>Comparison content: <br>2018: <a href="https://web.archive.org/web/20180119043432/https://teampiersma.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">web.archive.org/web/2018011904</span><span class="invisible">3432/https://teampiersma.org/</span></a><br>2025: <a href="https://web.archive.org/web/20250401092253/https://teampiersma.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">web.archive.org/web/2025040109</span><span class="invisible">2253/https://teampiersma.org/</span></a></p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/dropcatch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dropcatch</span></a> <a href="https://infosec.exchange/tags/charity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>charity</span></a></p>
Infoblox Threat Intel<p>Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.<br> <br>Fast Flux is a nearly 20-year-old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree. </p><p>What we also know as experts in DNS is that there are many ways to skin a cat, as they say. </p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/cisa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cisa</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> </p><p><a href="https://blogs.infoblox.com/threat-intelligence/disrupting-fast-flux-and-much-more-with-protective-dns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/disrupting-fast-flux-and-much-more-with-protective-dns/</span></a></p>
Infoblox Threat Intel<p>Some days ago, one of our specialists received a call from a scammer - who even knew his name - and he didn't miss the opportunity to potentially gather some threat intelligence. <br> <br>The scammer said he was from a company called Blockchain and wanted to inform him that his Bitcoin wallet hadn't been touched for a long time. Don't you think that's really nice of Blockchain?<br> <br>Of course, our specialist knew what to do. He asked for the company website, and the scammer eagerly provided it. After running the domain through our data, it turns out it is owned by (surprise, surprise) a crypto gang running their scams out of Georgia and Israel. <br> <br>How does this scam work? This group creates extensive networks of fake trading websites promising high returns. To profit, victims just need to share their phone numbers. They are then contacted by multilingual call centers and encouraged to "invest" in crypto, AI, or other ventures. The fake website shows the victim's assets increasing in value, prompting further engagement. The criminals continue to call and entice victims to deposit more money. 
Unfortunately, the victim won't profit from this.<br> <br>As DNS experts, we have been monitoring their infrastructure for a while now, and they have 1,133 other domains such as:<br> <br>- apexcapitalmarket[.]com<br>- bitmininexpert[.]com<br>- coinfxbrokers[.]com<br>- cryptorinfo[.]com<br>- goldcapitalstocks[.]net<br>- kingstrades[.]net<br>- profxcapitalgroup[.]com<br>- smartcointrades[.]com<br>- stocktradefastminers[.]com<br>- tradeproinvest[.]com<br>- trusttrade21[.]com<br> <br>Here is a reporting reference: <a href="https://www.eurojust.europa.eu/news/support-arrest-online-scammers-georgia-and-israel" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">eurojust.europa.eu/news/suppor</span><span class="invisible">t-arrest-online-scammers-georgia-and-israel</span></a><br> <br><a href="https://infosec.exchange/tags/Infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infoblox</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> 
<a href="https://infosec.exchange/tags/domains" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>domains</span></a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iocs</span></a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crypto</span></a> <a href="https://infosec.exchange/tags/cryptoscams" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptoscams</span></a></p>
Nonilex<p><a href="https://masto.ai/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> manipulation is something of a specialty among Chinese govt <a href="https://masto.ai/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> groups. A mysterious campaign identified earlier this year by <a href="https://masto.ai/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> experts at <a href="https://masto.ai/tags/Infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infoblox</span></a> &amp; attributed to <a href="https://masto.ai/tags/China" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>China</span></a> involved using the so-called Great <a href="https://masto.ai/tags/Firewall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firewall</span></a> of China, which normally misdirects people on the mainland trying to reach restricted services or content.</p><p><a href="https://masto.ai/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://masto.ai/tags/espionage" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>espionage</span></a> <a href="https://masto.ai/tags/ISP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ISP</span></a> <a href="https://masto.ai/tags/Internet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Internet</span></a> <a href="https://masto.ai/tags/tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tech</span></a> <a href="https://masto.ai/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://masto.ai/tags/US" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>US</span></a> <a 
href="https://masto.ai/tags/geopolitics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>geopolitics</span></a></p>
Infoblox Threat Intel<p>Dozens of Google Play Store lookalikes registered over the weekend. In one example, play-google-jophysitur[.]xyz, visiting the domain led to a page that looks similar to the Google Play Store and appears to offer a download for a game called "Plane Adventure". Pressing install did not actually download a file; it redirected to happywithvegas[.]com, which asks users to sign up and entices them with free spins when they make their first deposit.</p><p>Sample of the domains: play-google-adviparcha[.]xyz, play-google-amersemicotru[.]xyz, play-google-garfrienlegit[.]xyz, play-google-homelatche[.]xyz, play-google-interedbl[.]xyz, play-google-introunpro[.]xyz, play-google-jophysitur[.]xyz</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/lookalike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lookalike</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a></p>
squealermusic<p>Amazing networking professionals of earth! The Library of Congress has an excellent opportunity for a (computer) networking pro to lead our team. Lots of exciting fun! Reasonable humans! Interesting technical challenges!<br><a href="https://www.usajobs.gov/job/760997800" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="">usajobs.gov/job/760997800</span><span class="invisible"></span></a><br><a href="https://mastodon.sdf.org/tags/ComputerNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ComputerNetworks</span></a> <a href="https://mastodon.sdf.org/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://mastodon.sdf.org/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a></p>
Renée Burton<p>A few months ago I posted about a DNS malware C2 we had discovered — Decoy Dog — that was based on Pupy, had been undetected for over a year, and had some inexplicable behavior. We hoped the community would easily find the infected devices based on the info we provided. No such luck. Since then we have used DNS to learn an astonishing amount about the operations. Once we realized Decoy Dog was more advanced than Pupy, and we saw how the actors responded to our original releases, we went back to the binaries. Today we released an in-depth technical analysis of Decoy Dog, a Pupy research data set, and a new Yara rule. This is the exec summary. Link to the full technical paper and other tidbits in the comments. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/theatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>theatintel</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/decoydog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>decoydog</span></a> <a href="https://infosec.exchange/tags/rat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rat</span></a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>c2</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/datascience" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>datascience</span></a> <a href="https://infosec.exchange/tags/threatresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatresearch</span></a> <a href="https://blogs.infoblox.com/cyber-threat-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/cyber-threa</span><span class="invisible">t-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/</span></a></p>