shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#infoblox

Infoblox Threat Intel<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@shadowserver" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>shadowserver</span></a></span> helped us disrupt a prolific website malware multiple times in early August. This malware uses DNS TXT records for a C2 to redirect users to scams and malware. Exclusively redirecting to VexTrio for years, they've been disrupted a few times by us and partners this past year ... which each time allows us to understand the criminal enterprise a bit further. <br> <br>Prior to the disruption, we analyzed over 4M DNS responses from the authoritative servers from several partners covering a short window of traffic. </p><p>The diagram below shows how the server is likely to redirect website visitors based on their geo and device type, which are encoded in the query. Connections to Strela Stealer in June. We are in the process of writing up research around how this all connects to the MikroTik router botnet we published early this year. <br> <br>In mid-June, the C2 server domain had a global popularity level on Tranco of about 80k - pretty high for a niche domain. <br> <br>What happened after Shadow Server sinkholed the C2 domain?? We saw nearly 30k sites reach out to the sinkhole in a 48 hour period. Lots of bot activity -- these queries only come from compromised websites and there were nearly 37M unique queries in that time! <br> <br>of course the threat actors adjust.. that is part of the game. but we learnt a lot in the process. 
</p><p>Diagram also shows how several of the TDS are related to each other in these flows.</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Infoblox Threat Intel<p>Part three of our VexTrio full monty is now available. This one is for the geeks but also a pretty short read... especially given the previous two parts! </p><p>Major takeaways are: <br>* these networks receive a ton of traffic. The primary image server for VexTrio TDS has long been in the top 10k popular domains globally -- we've been pushing hard and it is down around 11k now. <br>* they use a few different cloakers / trackers. we talk about IMKLO, binom, and Keitaro. <br>* they run a pretty modern devops stack with all the tech you would expect. </p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a 
href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> </p><p><a href="https://blogs.infoblox.com/threat-intelligence/inside-the-robot-deconstructing-vextrios-affiliate-advertising-platform/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/inside-the-robot-deconstructing-vextrios-affiliate-advertising-platform/</span></a></p>
Renée Burton<p>VexTrio's origins come from two distinct groups: an Italian group we can date back to 2004 and a Russian-speaking Eastern European group. The Italians were quite successful early on, with a dating app that was among the fastest growing on Facebook in 2012. But our guess is that their profits slid in the years that followed. In 2020, there is a merger-acquisition which leaves the Eastern Europeans in charge. They gain the trademarks, knowledge in spam distribution, and who knows what else. <br> <br>While developers remain in eastern Europe, VexTrio created business headquarters in Lugano, Switzerland. Including the existing AdsPro, which developed the Los Pollos, Taco Loco, and Adtrafico traffic distribution systems (TDS) through their software company HolaCode. (ok it's more complicated than that, but this is the cliffsnotes version). We have identified nearly 100 businesses associated with 8 key figures in many industries, including construction, energy, and advertising.</p><p>So in the end, what is VexTrio? It's hard to say. We originally used it to refer to the TDS. Nice clean lines... but now, for us it is all the people and their labyrinth of companies. <br> <br>We spoke at BlackHat last week so if you have a briefings pass you can listen to that. 
Otherwise, find our research online and start your own investigation.</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a></p>
Renée Burton<p>I promised another shoe would fall... here is part one of the VexTrio origin story. It is just too big for one entry, so a few more will come in the next few weeks... and this is still a small fraction of what we know. The story of malicious adtech has long legs. </p><p>We had great reception at BlackHat. One of the most common questions was: why are you giving this talk? Simple. It's a story that needs to be told and one that is too big to carry alone. We are looking for message carriers in the media, champions in the government, partners in the industry. </p><p>Organized crime, predominantly Russian speaking, has a strong foothold in the advertising world - and they are ensuring the delivery of everything from dating scams to information stealers. Let's root them out together. </p><p>boosts for awareness appreciated.</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> </p><p><a 
href="https://blogs.infoblox.com/threat-intelligence/vextrios-origin-story-from-spam-to-scam-to-adtech/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/vextrios-origin-story-from-spam-to-scam-to-adtech/</span></a></p>
IT News<p>Tech Moves: Icertis names new CEO as Samir Bodas steps down; Smartsheet adds security leader - Anand Subbaraman, left, is the new Icertis CEO, succeeding Samir Bodas, who co-fo... - <a href="https://www.geekwire.com/2025/tech-moves-icertis-names-new-ceo-as-samir-bodas-steps-down-smartsheet-adds-security-leader/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">geekwire.com/2025/tech-moves-i</span><span class="invisible">certis-names-new-ceo-as-samir-bodas-steps-down-smartsheet-adds-security-leader/</span></a> <a href="https://schleuss.online/tags/lonewolftechnologies" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lonewolftechnologies</span></a> <a href="https://schleuss.online/tags/microsoftresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>microsoftresearch</span></a> <a href="https://schleuss.online/tags/outboundaerospace" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>outboundaerospace</span></a> <a href="https://schleuss.online/tags/rbccapitalmarkets" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rbccapitalmarkets</span></a> <a href="https://schleuss.online/tags/foresightcanada" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>foresightcanada</span></a> <a href="https://schleuss.online/tags/carterrabasa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>carterrabasa</span></a> <a href="https://schleuss.online/tags/samirbodas" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>samirbodas</span></a> <a href="https://schleuss.online/tags/smartsheet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>smartsheet</span></a> <a href="https://schleuss.online/tags/techmoves" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>techmoves</span></a> <a 
href="https://schleuss.online/tags/moxiworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>moxiworks</span></a> <a href="https://schleuss.online/tags/startups" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>startups</span></a> <a href="https://schleuss.online/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://schleuss.online/tags/yorkbaur" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>yorkbaur</span></a></p>
Infoblox Threat Intel<p>After three years of relentless tracking, we’ve published a [paper](<a href="https://blogs.infoblox.com/threat-intelligence/vextrios-origin-story-from-spam-to-scam-to-adtech/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/vextrios-origin-story-from-spam-to-scam-to-adtech/</span></a>) that, for the first time, exposes the true identities behind VexTrio. This research connects real names to the various companies that form the VexTrio ecosystem. It begins with the origin story—how a group of Italians launched a successful spam and dating business. Over time, VexTrio expanded its operations into malicious adtech and online scams. For over a decade, the group employed deceptive tactics to defraud countless innocent internet users. These illegitimate gains funded the extravagant lifestyles of VexTrio’s key figures—who, despite increasing scrutiny, have yet to be fully stopped.</p><p>We’re deeply grateful to all the contributors who helped us reach this research milestone, especially <span class="h-card" translate="no"><a href="https://infosec.exchange/@rmceoin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rmceoin</span></a></span> and Tord from [Qurium](<a href="https://www.qurium.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">qurium.org/</span><span class="invisible"></span></a>).</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> 
<a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/adtech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>adtech</span></a> <a href="https://infosec.exchange/tags/maliciousadtech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>maliciousadtech</span></a> <a href="https://infosec.exchange/tags/advertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advertising</span></a> <a href="https://infosec.exchange/tags/affiliates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>affiliates</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/notifications" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>notifications</span></a> <a href="https://infosec.exchange/tags/pushnotifications" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pushnotifications</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/trafficdistributionsystem" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>trafficdistributionsystem</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> <a href="https://infosec.exchange/tags/italy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>italy</span></a> <a href="https://infosec.exchange/tags/russia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>russia</span></a> <a href="https://infosec.exchange/tags/belarus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>belarus</span></a> <a href="https://infosec.exchange/tags/dating" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dating</span></a> <a href="https://infosec.exchange/tags/clickallow" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>clickallow</span></a></p>
Infoblox Threat Intel<p>Tens of thousands of compromised websites use DNS TXT records to conditionally redirect visitors to malicious content. For years, this exclusively redirected to VexTrio TDS - but in late-November 2024, it changed. But did it? We think not. </p><p>A couple of major takeaways from the research we released in June and what we've continued to learn since then: </p><p>* DNS is being used very successfully to drive innocent people to malware and scams, including alarming tech support scams </p><p>* These can be stopped by blocking the DNS query but it must be done at the website server side not the visitor </p><p>* VexTrio is tight not just with malware actors who hack sites and drive traffic to them, but they appear to be one and the same, or at least closely related, to infamous TDS and a multitude of other "adtech" platforms.</p><p>* reviewing old literature carefully connects VexTrio via shared software with ROI777 </p><p>we're going to throw up more "snackables" before heading to Vegas. If you want to see the faces behind VexTrio and hear their origin story, come see our talk or track us down at the booth. 
</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a></p>
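The defensive point in the post above (and in the sinkhole post further up) is that the TXT lookup which fetches the redirect instructions is issued by the compromised website's server, not by the visitor's browser, so it only shows up in the hosting fleet's resolver logs. The following is an added example, not Infoblox's tooling: it parses constructed resolver log lines (the log shape, host roles, allowlist and the geo/device-looking labels in the sample names are all assumptions) and flags TXT queries that web servers have no business making.

```python
"""Flag DNS TXT lookups issued by web-server hosts.

Example code added here, not Infoblox's own tooling. The log format, the
role tags and the allowlist are assumptions for the sample; the qnames in
the sample are invented and do not reproduce the real encoding the posts
mention.
"""
from collections import defaultdict
import re

# Constructed resolver log lines, simplified to:
# "<ts> client <ip> role=<role> query <qname> <qtype>"
SAMPLE_LOG = """\
2025-08-02T10:00:01Z client 10.0.1.5 role=webserver query cdn.example-static.net A
2025-08-02T10:00:02Z client 10.0.1.5 role=webserver query _dmarc.example.org TXT
2025-08-02T10:00:03Z client 10.0.1.7 role=webserver query us-desktop-4a1f.tds-example.invalid TXT
2025-08-02T10:00:04Z client 10.0.1.7 role=webserver query de-mobile-9c22.tds-example.invalid TXT
2025-08-02T10:00:05Z client 10.0.2.9 role=mailserver query example.net TXT
2025-08-02T10:00:06Z client 10.0.1.7 role=webserver query fr-mobile-77b0.tds-example.invalid TXT
2025-08-02T10:00:07Z client 10.0.1.5 role=webserver query api.example.org AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\S+) role=(?P<role>\S+) "
    r"query (?P<qname>\S+) (?P<qtype>\S+)$"
)

# Zones a web server may legitimately query for TXT (assumption: populated
# per environment; here only the fleet's own domain, e.g. for mail policy).
TXT_ALLOWLIST = {"example.org"}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registrable(qname):
    """Crude eTLD+1 (last two labels). Use a public suffix list in
    production; two labels is an assumption that fits the sample."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_txt_queries(log_text, allowlist=TXT_ALLOWLIST):
    """Return TXT queries from web-server hosts to zones outside the allowlist.

    A mail server asking for TXT is normal (SPF/DMARC); a web server asking
    for TXT on a zone it does not own is the pattern worth inspecting.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["qtype"] != "TXT" or rec["role"] != "webserver":
            continue
        if registrable(rec["qname"]) in allowlist:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by (client, zone) and count distinct query names.

    One web server issuing TXT queries for many distinct hostnames under a
    single zone is the shape to escalate and, once confirmed, to block at the
    server-side resolver.
    """
    by_pair = defaultdict(set)
    for h in hits:
        by_pair[(h["ip"], registrable(h["qname"]))].add(h["qname"])
    return {pair: len(names) for pair, names in by_pair.items()}


if __name__ == "__main__":
    found = suspicious_txt_queries(SAMPLE_LOG)
    for (ip, zone), n in summarize(found).items():
        print(f"{ip} -> {zone}: {n} distinct TXT names")
```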
Infoblox Threat Intel<p>Like CEOs at Coldplay concerts, we keep finding malicious adtech hiding behind well-known advertising brands. While these platforms may appear credible, they allow malicious actors access to their platform, and profit from their successes.<br> <br>Our posts often focus on adtech operators because they are the ones who manage the infrastructure. But they are not the only ones profiting from this business. Affiliates play a big role by driving traffic (aka visitors) to the adtech platform (TDS).<br> <br>Malicious affiliates do this by tricking visitors into clicking hidden links or manipulating pages to redirect them automatically. They are so good at it that they generate a profit just due to the sheer volume of traffic they drive into the platform.<br> <br>Legitimate affiliates do this by posting what they believe to be normal ads on their web pages, tempted by promises of big rewards. Unfortunately for them, this is rarely the reality, and there are many reports of affiliates being underpaid or not paid at all. Additionally, affiliates risk damaging their own brand image – no one wants their legitimate website redirecting to malware, right?<br> <br>As a user, regardless of how you find yourself diverted into a malicious TDS, if you happen to fit the profile then you face the risk of being sent to a malicious landing page. Scams, disinformation, malware…you name it.<br> <br>As there are many players involved in this scheme, we’ve created an infographic that highlights who they are and how they fit into the malicious adtech landscape.<br> <br>Have you come across any of these shady platforms or, worse, been lured into becoming part of the scheme? 
Let us know!</p><p> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/adtech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>adtech</span></a> <a href="https://infosec.exchange/tags/maliciousadtech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>maliciousadtech</span></a> <a href="https://infosec.exchange/tags/advertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advertising</span></a> <a href="https://infosec.exchange/tags/affiliates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>affiliates</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a></p>
Infoblox Threat Intel<p>We've seen it before, but it bears highlighting again: current affairs always lead to a domain gold rush! The newly announced "America Party" has already triggered a wave of sketchy-looking domain registrations, many using the .party TLD. Several redirect to rawdiary[.]com, a five-month-old site hosting third-party articles from sources like OANN, Newsmax and Breitbart, as well as more moderate sources like the FT and the BBC. Others are parked. These domains aren’t inherently malicious, but they're certainly opportunistic and built to look like news. Web content flips fast, so here’s a snapshot of domains unlikely to have been registered for anything in good faith:</p><p>ameirca[.]party<br>amerca[.]party<br>amercia[.]party<br>americs[.]party<br>amerika[.]party<br>ameroca[.]party<br>ameruca[.]party<br>hyperamerica[.]party<br>theunitedstates[.]party<br>americanparty[.]pics<br>americanparty[.]vip<br>americaparty[.]ink<br>americaparty[.]town<br>theamericanparty[.]vip<br>americanparty[.]pro</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/americaparty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>americaparty</span></a> <a href="https://infosec.exchange/tags/osint" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>osint</span></a> <a href="https://infosec.exchange/tags/typosquatting" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>typosquatting</span></a></p>
Infoblox Threat Intel<p>Let us introduce "La Fnac". As some of you may already know, La Fnac is a French retailer, and like most large retailers, they want to sell the coolest things that everyone is talking about. That's why, in 2008, they launched their most innovative service yet: an online portal where you could download the latest must-have ringtone for your flip phone.<br> <br>Of course, they didn't build that online portal themselves. They subcontracted that to another company, and to use their services, they set up a subdomain: 'sonneries-logos.fnac[.]com' on their corporate domain to use a CNAME record that the subcontractor then managed.<br>You should know where this is going now. It seems clear that La Fnac forgot to remove this alias from their DNS after the service was retired. Surprisingly, they weren't alone! In 2017 (much later than we expected), when the CNAME record became dangling, there were 2 European tech companies that still had aliases pointed to it.<br> <br>So, when that ringtone download service started seeing activity again in 2025, it wasn't because of a sudden nostalgic resurgence in late naughties ringtones. Obviously, it was hijacked, and used to redirect people to various fake survey scams webpages.<br> <br>The longer a company exists, the more tech debt it accumulates, which in the case of DNS can mean greater susceptibility to domain hijacking via dangling DNS records. This is not something exclusive to small companies, or companies with smaller tech teams. We've seen this issue affecting large organisations too. 
If something as cool as downloading ringtones on your flip phone can be forgotten about, don't be surprised when in 20 years, attackers start leveraging the tech debt you are currently procrastinating over.<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
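The dangling-CNAME situation the post describes is something a zone owner can audit for. The following is an added example, not Infoblox's or La Fnac's tooling: it walks every CNAME in a constructed zone snippet through an injected resolver (so it runs offline), follows chains, and reports aliases whose target no longer exists. The zone, the record names and the resolver answers are all placeholders chosen to mirror the retired-vendor case.

```python
"""Audit a zone for dangling CNAME records.

Example code added here, not Infoblox's or La Fnac's own tooling. The zone
snippet and resolver answers below are constructed placeholders. A CNAME is
"dangling" when its target no longer resolves: the vendor retired the
service, the name (or its whole domain) lapsed, and the alias in your zone
still points at it. Whoever later controls the target serves content under
your hostname. In production, swap the stub resolver for real lookups and
add a registration (RDAP) check on the target's apex, since a name that is
NXDOMAIN today may simply be waiting to be re-registered.
"""

NXDOMAIN = "NXDOMAIN"

# Constructed zone snippet: (owner, type, target/value). The ringtone alias
# mirrors the situation in the post; every name here is a placeholder.
ZONE = [
    ("www.example.org", "CNAME", "edge.cdn-provider.example"),
    ("sonneries-logos.example.org", "CNAME", "portal.ringtone-vendor.example"),
    ("shop.example.org", "CNAME", "store.example.org"),
    ("store.example.org", "CNAME", "shop.example.org"),  # constructed loop
    ("mail.example.org", "A", "192.0.2.10"),
]

# Constructed resolver answers: name -> (rrtype, value). Anything absent is
# NXDOMAIN. The CDN target is healthy; the ringtone vendor's name is gone.
ANSWERS = {
    "edge.cdn-provider.example": ("A", "198.51.100.7"),
}


def stub_resolve(name):
    """Resolver in the shape the auditor expects: (rrtype, value)."""
    return ANSWERS.get(name, (NXDOMAIN, None))


def follow_cname(target, resolve, max_hops=8):
    """Walk a CNAME chain from `target`.

    Returns one of ("ok", final_name), ("dangling", name_that_failed),
    ("loop", name) or ("too_long", name). Loops and over-long chains are
    reported rather than silently treated as healthy.
    """
    seen = set()
    name = target
    for _ in range(max_hops):
        if name in seen:
            return ("loop", name)
        seen.add(name)
        rrtype, value = resolve(name)
        if rrtype == NXDOMAIN:
            return ("dangling", name)
        if rrtype == "CNAME":
            name = value
            continue
        return ("ok", name)
    return ("too_long", name)


def audit_zone(zone, resolve):
    """Return {owner: (status, name)} for every CNAME record in the zone."""
    # Targets inside this zone are answered from the zone data itself, so an
    # alias to a sibling record is not misreported as dangling.
    local = {owner: (rrtype, value) for owner, rrtype, value in zone}

    def combined(name):
        return local.get(name) or resolve(name)

    return {
        owner: follow_cname(target, combined)
        for owner, rrtype, target in zone
        if rrtype == "CNAME"
    }


def dangling_owners(zone, resolve):
    """Sorted list of alias names whose chain ends in NXDOMAIN."""
    return sorted(
        owner for owner, (status, _) in audit_zone(zone, resolve).items()
        if status == "dangling"
    )


if __name__ == "__main__":
    for owner, (status, at) in audit_zone(ZONE, stub_resolve).items():
        print(f"{owner}: {status} ({at})")
```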
Renée Burton<p>The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering. </p><p>VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.</p><p>Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. <span class="h-card" translate="no"><a href="https://infosec.exchange/@briankrebs" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>briankrebs</span></a></span> tried to make the main points a lot more consumable -- and wrote a fabulous complementary article: read both! </p><p>There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more. </p><p>We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.</p><p>Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere. 
</p><p><a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfobloxThreatIntel</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/spam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>spam</span></a> </p><p><a href="https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/" rel="nofollow 
noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/</span></a></p><p><a href="https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/06/in</span><span class="invisible">side-a-dark-adtech-empire-fed-by-fake-captchas/</span></a></p>
KrebsOnSecurity RSS<p>Inside a Dark Adtech Empire Fed by Fake CAPTCHAs</p><p><a href="https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/06/in</span><span class="invisible">side-a-dark-adtech-empire-fed-by-fake-captchas/</span></a></p><p> <a href="https://burn.capital/tags/Ne" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ne</span></a>'er-Do-WellNews <a href="https://burn.capital/tags/SkyForgeDigitalAG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SkyForgeDigitalAG</span></a> <a href="https://burn.capital/tags/ALittleSunshine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ALittleSunshine</span></a> <a href="https://burn.capital/tags/PartnersHouse" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PartnersHouse</span></a> <a href="https://burn.capital/tags/Doppelganger" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Doppelganger</span></a> <a href="https://burn.capital/tags/WebFraud2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebFraud2</span></a>.0 <a href="https://burn.capital/tags/AimedGlobal" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AimedGlobal</span></a> <a href="https://burn.capital/tags/ReneeBurton" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReneeBurton</span></a> <a href="https://burn.capital/tags/TeknologySA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TeknologySA</span></a> <a href="https://burn.capital/tags/ByteCoreAG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ByteCoreAG</span></a> <a href="https://burn.capital/tags/smartlinks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>smartlinks</span></a> <a 
href="https://burn.capital/tags/Spamshield" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spamshield</span></a> <a href="https://burn.capital/tags/LosPollos" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LosPollos</span></a> <a href="https://burn.capital/tags/wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>wordpress</span></a> <a href="https://burn.capital/tags/DollyWay" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DollyWay</span></a> <a href="https://burn.capital/tags/Holacode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Holacode</span></a> <a href="https://burn.capital/tags/Infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infoblox</span></a> <a href="https://burn.capital/tags/TacoLoco" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TacoLoco</span></a> <a href="https://burn.capital/tags/BroPush" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BroPush</span></a> <a href="https://burn.capital/tags/GoDaddy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoDaddy</span></a> <a href="https://burn.capital/tags/HelpTDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HelpTDS</span></a> <a href="https://burn.capital/tags/RichAds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RichAds</span></a> <a href="https://burn.capital/tags/VexTrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VexTrio</span></a> <a href="https://burn.capital/tags/AdsPro" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AdsPro</span></a> <a href="https://burn.capital/tags/Qurium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Qurium</span></a> <a href="https://burn.capital/tags/RexAds" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>RexAds</span></a></p>
Infoblox Threat Intel<p>Selling your car? Scammers still have it 'VIN' for you!<br> <br>We've recently seen a large cluster of domains hosting fake Vehicle Identification Number (VIN) lookup sites — and private car sellers are the target.<br> <br>While this trick isn’t new, it still catches many off guard — especially first-time sellers. Here’s how it usually plays out:<br> <br>- You list your car on platforms like AutoTrader, Craigslist, or Facebook Marketplace.<br>- You're contacted by a keen 'buyer', perhaps asking a few questions to build trust.<br>- The buyer then asks *you* to get a VIN report — but only from a site *they* provide.<br> <br>Red flag: Legitimate buyers wanting to know a vehicle's history are to be expected - they may ask for the VIN to do this themselves - but insisting on a specific site is a classic scam move.<br> <br>Here’s what happens next:<br> <br>- You enter your VIN on the fake site - it teases you with basic info like make and model.<br>- To get the 'full report' you’re asked to pay $20–$40.<br>- At best, you're sent to a legitimate payment provider — but the money goes straight to the scammer.<br>- At worst, you've just entered your card details into a phishing site.<br> <br>Got your report? Good luck contacting that buyer, they're 'Audi 5000' — long gone. As for the report, it's usually worthless — no odometer readings, no previous owners, no insurance history - and of no value to you or a legit buyer.<br> <br>Unsurprisingly, 'VIN' features in their devious domain names, and at the time of writing we identified a large cluster using it with U.S. states and locations, for example:<br> <br> - goldstatevin[.]com<br> - gulfstatevin[.]com<br> - kansasvin[.]com<br> - misissippivin[.]com<br> - utahvincheck[.]com<br> <br>These have since gone offline, hopefully for good. 
They're not alone, though; the following domains appear to target sellers in Australia and are currently active:<br> <br> - proregocheck[.]com<br> - smartcheckvin[.]com<br> - smartvincheck[.]com<br> - vincheckzone[.]com<br> <br>Tip: If a buyer wants a VIN report, let them sort it out — or use a trusted provider of your own. If they refuse? Tell 'em to hit the road!<br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a></p>
Infoblox Threat Intel<p>Our latest blog is out! It covers a rising issue that many major organizations experience: Subdomain hijacking through abandoned cloud resources.<br> <br>This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.<br> <br>We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.</p><p><a href="https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/threat-inte</span><span class="invisible">lligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/</span></a><br> <br><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintelligence</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a 
href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/HazyHawk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HazyHawk</span></a></p>
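The post above describes subdomain hijacking through forgotten DNS records that still point at deleted cloud resources. The following is an added example of the defender-side check, not code from Infoblox or the blog: it parses CNAME records from zone-file text and flags cloud-hosted targets that no longer resolve. The cloud suffix list, the sample zone and the stand-in resolver are constructed for illustration.

```python
"""Find dangling CNAME records that point at abandoned cloud resources.

Added example, not Infoblox code. CLOUD_SUFFIXES, SAMPLE_ZONE and
LIVE_NAMES are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed list: hostname suffixes of cloud services where deleting a
# resource frees a name that someone else may later be able to claim.
CLOUD_SUFFIXES = (
    ".cloudfront.net",
    ".azurewebsites.net",
    ".blob.core.windows.net",
    ".s3.amazonaws.com",
    ".trafficmanager.net",
)


@dataclass(frozen=True)
class Finding:
    owner: str   # name in our zone, e.g. docs.example.com
    target: str  # where its CNAME points
    reason: str


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs from zone-file style lines.

    Accepts 'owner [ttl] [IN] CNAME target', ignores ';' comments and other
    record types, and normalises names to lowercase without a trailing dot."""
    pairs = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "CNAME" not in fields:
            continue
        i = fields.index("CNAME")
        if i == 0 or i + 1 >= len(fields):
            continue  # malformed line: skip rather than guess
        owner = fields[0].rstrip(".").lower()
        target = fields[i + 1].rstrip(".").lower()
        pairs.append((owner, target))
    return pairs


def audit_cnames(pairs: List[Tuple[str, str]],
                 resolves: Callable[[str], bool]) -> List[Finding]:
    """Flag CNAMEs whose target sits on a cloud provider and no longer resolves.

    resolves(name) -> bool is injected so the audit runs offline; in
    production wrap a real lookup (e.g. dns.resolver.resolve from dnspython)
    and map NXDOMAIN to False."""
    findings = []
    for owner, target in pairs:
        if not target.endswith(CLOUD_SUFFIXES):
            continue  # only cloud-hosted targets are re-claimable by a stranger
        if not resolves(target):
            findings.append(Finding(owner, target,
                                    "cloud CNAME target no longer resolves"))
    return findings


# Constructed sample zone: one live cloud target, one abandoned one, and a
# non-cloud CNAME that is out of scope for this check.
SAMPLE_ZONE = """
; constructed example zone
www.example.com.    300 IN A     203.0.113.10
media.example.com.  300 IN CNAME d1example.cloudfront.net.
docs.example.com.   300 IN CNAME oldproject.azurewebsites.net.
blog.example.com.   300 IN CNAME blog-host.example.net.
"""

# Constructed stand-in for DNS: only names in this set "resolve".
LIVE_NAMES = {"d1example.cloudfront.net", "blog-host.example.net"}


def audit_sample() -> List[Finding]:
    return audit_cnames(parse_cnames(SAMPLE_ZONE), lambda n: n in LIVE_NAMES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

Run this against your own zone exports on a schedule; a record that the audit flags should be deleted or re-pointed before the freed cloud name is claimed by someone else.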
Infoblox Threat Intel<p>Some days ago, one of our specialists received a call from a scammer - who even knew his name - and he didn't miss the opportunity to potentially gather some threat intelligence. <br> <br>The scammer said he was from a company called Blockchain and wanted to inform him that his Bitcoin wallet hadn't been touched for a long time. Don't you think that's really nice of Blockchain?<br> <br>Of course, our specialist knew what to do. He asked for the company website, and the scammer eagerly provided it. After running the domain through our data, it turns out it is owned by (surprise, surprise) a crypto gang running their scams out of Georgia and Israel. <br> <br>How does this scam work? This group creates extensive networks of fake trading websites promising high returns. To profit, victims just need to share their phone numbers. They are then contacted by multilingual call centers and encouraged to "invest" in crypto, AI, or other ventures. The fake website shows the victim's assets increasing in value, prompting further engagement. The criminals continue to call and entice victims to deposit more money. 
Unfortunately, the victim won't profit from this.<br> <br>As DNS experts, we have been monitoring their infrastructure for a while now, and they have 1,133 other domains such as:<br> <br>- apexcapitalmarket[.]com<br>- bitmininexpert[.]com<br>- coinfxbrokers[.]com<br>- cryptorinfo[.]com<br>- goldcapitalstocks[.]net<br>- kingstrades[.]net<br>- profxcapitalgroup[.]com<br>- smartcointrades[.]com<br>- stocktradefastminers[.]com<br>- tradeproinvest[.]com<br>- trusttrade21[.]com<br> <br>Here is a reporting reference: <a href="https://www.eurojust.europa.eu/news/support-arrest-online-scammers-georgia-and-israel" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">eurojust.europa.eu/news/suppor</span><span class="invisible">t-arrest-online-scammers-georgia-and-israel</span></a><br> <br><a href="https://infosec.exchange/tags/Infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infoblox</span></a> <a href="https://infosec.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThreatIntel</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> 
<a href="https://infosec.exchange/tags/domains" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>domains</span></a> <a href="https://infosec.exchange/tags/iocs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>iocs</span></a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crypto</span></a> <a href="https://infosec.exchange/tags/cryptoscams" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptoscams</span></a></p>
Nonilex<p><a href="https://masto.ai/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> manipulation is something of a specialty among Chinese govt <a href="https://masto.ai/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> groups. A mysterious campaign identified earlier this year by <a href="https://masto.ai/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> experts at <a href="https://masto.ai/tags/Infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Infoblox</span></a> &amp; attributed to <a href="https://masto.ai/tags/China" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>China</span></a> involved using the so-called Great <a href="https://masto.ai/tags/Firewall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firewall</span></a> of China, which normally misdirects people on the mainland trying to reach restricted services or content.</p><p><a href="https://masto.ai/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://masto.ai/tags/espionage" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>espionage</span></a> <a href="https://masto.ai/tags/ISP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ISP</span></a> <a href="https://masto.ai/tags/Internet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Internet</span></a> <a href="https://masto.ai/tags/tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tech</span></a> <a href="https://masto.ai/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://masto.ai/tags/US" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>US</span></a> <a 
href="https://masto.ai/tags/geopolitics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>geopolitics</span></a></p>
Infoblox Threat Intel<p>Dozens of Google Play Store lookalikes registered over the weekend. In one example, play-google-jophysitur[.]xyz, visiting the domain led to a page that looks similar to the Google Play Store and appears to offer a download for a game called "Plane Adventure". Pressing install did not actually download a file; it redirected to happywithvegas[.]com, which asks users to sign up and entices them with free spins when they make their first deposit.</p><p>Sample of the domains: play-google-adviparcha[.]xyz, play-google-amersemicotru[.]xyz, play-google-garfrienlegit[.]xyz, play-google-homelatche[.]xyz, play-google-interedbl[.]xyz, play-google-introunpro[.]xyz, play-google-jophysitur[.]xyz</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/lookalike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>lookalike</span></a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phishing</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a></p>
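The lookalikes in the post above all carry the brand tokens "play" and "google" as hyphenated labels on a cheap TLD. As an added example (not Infoblox code), the check below scores newly registered domains against a brand token table, exempts the brand's own registrable domains, and returns the flagged names; the brand table, the cheap-TLD set, the public-suffix stand-in and the feed lines are constructed assumptions.

```python
"""Flag newly registered domains that impersonate a brand hostname.

Added example, not Infoblox code. BRANDS, CHEAP_TLDS, TWO_LEVEL_SUFFIXES
and SAMPLE_FEED are constructed for illustration.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed brand table: tokens a lookalike carries, and the registrable
# domains that may legitimately carry them.
BRANDS: Dict[str, Tuple[Tuple[str, ...], FrozenSet[str]]] = {
    "google-play": (("google", "play"), frozenset({"google.com", "android.com"})),
}

# Constructed: TLDs seen in the cluster; a weak signal used for ranking only.
CHEAP_TLDS = {"xyz", "top", "icu", "cfd"}

# Constructed stand-in for the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br"}


def registrable_domain(hostname: str) -> str:
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def labels(hostname: str) -> List[str]:
    """Split on dots, hyphens and underscores."""
    return [t for t in re.split(r"[.\-_]+", hostname.lower()) if t]


def score_lookalike(hostname: str, brand: str) -> Tuple[bool, int]:
    """Return (every_brand_token_present, score).

    The brand's own domains score (False, 0). Otherwise a token that is a whole
    label scores 2, a token buried inside a label scores 1, and a cheap TLD
    adds 1 once any token was found."""
    tokens, legit = BRANDS[brand]
    if registrable_domain(hostname) in legit:
        return False, 0
    labs = labels(hostname)
    score, found = 0, 0
    for tok in tokens:
        if tok in labs:
            score, found = score + 2, found + 1
        elif any(tok in lab for lab in labs):
            score, found = score + 1, found + 1
    if found and labs[-1] in CHEAP_TLDS:
        score += 1
    return found == len(tokens), score


def scan_feed(lines: List[str], brand: str = "google-play") -> List[Tuple[str, int]]:
    """Feed lines are 'YYYY-MM-DD,domain' (constructed format).

    Returns (domain, score) for every domain carrying all brand tokens,
    highest score first."""
    flagged = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _, domain = raw.split(",", 1)
        hit, score = score_lookalike(domain, brand)
        if hit:
            flagged.append((domain, score))
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


# Constructed registration feed mixing names from the post with decoys.
SAMPLE_FEED = [
    "# constructed feed: date,domain",
    "2025-05-10,play-google-jophysitur.xyz",
    "2025-05-10,play-google-adviparcha.xyz",
    "2025-05-10,googleplay-support.net",
    "2025-05-10,play.google.com",
    "2025-05-11,happywithvegas.com",
    "2025-05-11,myplaylist.xyz",
]

if __name__ == "__main__":
    for domain, score in scan_feed(SAMPLE_FEED):
        print(f"{score:2d}  {domain}")
```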
squealermusic<p>Amazing networking professionals of earth! The Library of Congress has an excellent opportunity for a (computer) networking pro to lead our team. Lots of exciting fun! Reasonable humans! Interesting technical challenges!<br><a href="https://www.usajobs.gov/job/760997800" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="">usajobs.gov/job/760997800</span><span class="invisible"></span></a><br><a href="https://mastodon.sdf.org/tags/ComputerNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ComputerNetworks</span></a> <a href="https://mastodon.sdf.org/tags/DNS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DNS</span></a> <a href="https://mastodon.sdf.org/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a></p>
Renée Burton<p>A few months ago I posted about a DNS malware C2 we had discovered — Decoy Dog — that was based on Pupy, had been undetected for over a year, and had some inexplicable behavior. We hoped the community would easily find the infected devices based on the info we provided. No such luck. Since then we have used DNS to learn an astonishing amount about the operations. Once we realized Decoy Dog was more advanced than Pupy, and we saw how the actors responded to our original releases, we went back to the binaries. Today we released an in-depth technical analysis of Decoy Dog, a Pupy research data set, and a new Yara rule. This is the exec summary. Link to the full technical paper and other tidbits in the comments. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/theatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>theatintel</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/decoydog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>decoydog</span></a> <a href="https://infosec.exchange/tags/rat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rat</span></a> <a href="https://infosec.exchange/tags/c2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>c2</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/datascience" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>datascience</span></a> <a href="https://infosec.exchange/tags/threatresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatresearch</span></a> <a 
href="https://blogs.infoblox.com/cyber-threat-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blogs.infoblox.com/cyber-threa</span><span class="invisible">t-intelligence/decoy-dog-is-no-ordinary-pupy-distinguishing-malware-via-dns/</span></a></p>