📱Smishing Slows, Quishing Quickens 🎣

Sick of smishing and those pesky parking/toll texts? Don’t get caught by crafty, counterfeit court QR codes — it’s a scan-and-scam! 💳 🚨

North American cell phone users are being hit with yet another wave of smishing campaigns that now include quishing elements. Likely orchestrated by Chinese-speaking threat actors, this latest campaign builds on earlier vehicle-violation lures, evolving its tactics while impersonating US courts. 🧑‍⚖️

We’ve recently seen a flurry of SMS messages pushing parking violations — but with a twist: face justice in court… or scan and pay instead!

Delivered as an official-looking image, the lures now embed QR codes that mask the suspicious phishing URLs, baiting victims into entering personal information and credentials and ultimately making payments.

For some, this lure may sound better than facing justice for their perceived poor parking. Victims who don't comply are warned that failure to appear or pay could have serious repercussions - a scare tactic designed to push you toward a hasty decision and scanning the QR code! 🫣

We uncovered thousands of these nefarious domains through their use of Registered Domain Generation Algorithms (RDGAs) and local government impersonation; they are hosted across a diverse range of hosting providers to evade takedown.

Recent examples:
⛔ ahfgx[.]icu
⛔ euoyq[.]icu
⛔ htpze[.]icu
⛔ mwlaj[.]icu

Friendly reminder - courts don't usually communicate with you via text. That said, we suspect this actor will continue to evolve, expanding their global reach and diversifying lures while improving tradecraft used in smishing and quishing delivery. As for us, we'll take our chances on evading that bench warrant and running from the law. 🏃‍♂️‍➡️

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing #smishing #quishing

We discovered a phishing actor that is abusing .arpa to host content on domains that should not resolve to an IP address. The actor uses free services to create domain names from reverse DNS strings for IPv6 tunnels that use the .arpa top-level domain. These domains are unlikely to be blocked, much less scrutinized, by security systems as they aren't supposed to be used in URLs. But this actor is doing just that. Every day.

We've seen a constant flow of phishing emails using these domains as phishing links since last November. The scam uses a toolkit that has been used since at least 2017. Another campaign using the same toolkit leverages hijacked CNAMEs of well-known government agencies, universities, telecommunication companies, media organizations, and retailers from around the world.
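As an added illustration (not code from the Infoblox post or its indicators), the check below does two things a mail filter can do with the technique described above: flag any link whose hostname sits under .arpa, which belongs in PTR lookups and never in a URL, and decode an ip6.arpa name back into the IPv6 prefix it names, so an analyst can see which tunnel prefix the actor was delegated. The sample URLs are constructed here using the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A single hex-digit label, one per nibble in the ip6.arpa tree.
NIBBLE = re.compile(r"[0-9a-f]")


def decode_ip6_arpa(hostname):
    """Reconstruct the IPv6 prefix named by an ip6.arpa hostname.

    ip6.arpa names list the address one nibble per label, least-significant
    nibble first. A tunnel broker typically delegates the 16 labels of a /64
    to the user, who can then create arbitrary records beneath it, so any
    extra leading labels (e.g. "www") are returned separately.
    Returns None if the name is not under ip6.arpa.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    rest = labels[:-2]
    nibbles = []
    # The label nearest the ip6.arpa suffix is the most-significant nibble,
    # so popping from the end restores normal address order.
    while rest and NIBBLE.fullmatch(rest[-1]):
        nibbles.append(rest.pop())
    if not nibbles or len(nibbles) > 32:
        return None
    hexstr = "".join(nibbles).ljust(32, "0")  # zero the undelegated host bits
    network = ipaddress.IPv6Network((int(hexstr, 16), 4 * len(nibbles)))
    return {"prefix": str(network), "extra_labels": rest}


def triage_url(url):
    """Flag a URL whose host is under .arpa; such hosts have no business in a link."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    finding = {"url": url, "host": host,
               "under_arpa": host == "arpa" or host.endswith(".arpa")}
    if finding["under_arpa"]:
        finding["decoded"] = decode_ip6_arpa(host)
    return finding


# Constructed samples (documentation prefix), not indicators from the post.
# reverse_pointer gives the full 32-nibble ip6.arpa name for an address.
FULL_REVERSE_NAME = ipaddress.IPv6Address("2001:db8::1").reverse_pointer
SAMPLE_URLS = [
    "https://www.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/secure/login",  # record under a /64
    "http://" + FULL_REVERSE_NAME + "/",                                  # full host address
    "https://www.example.com/login",                                      # benign control
]


def suspicious_links(urls=SAMPLE_URLS):
    """Return only the findings worth escalating."""
    return [f for f in (triage_url(u) for u in urls) if f["under_arpa"]]


if __name__ == "__main__":
    for f in suspicious_links():
        print(f["host"], "->", f["decoded"])
```

The decoder deliberately accepts partial names: a delegation of fewer than 32 nibbles yields a prefix (for example a /64) rather than a host, which is exactly what a tunnel-broker delegation looks like.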

In our latest blog, we explain what these actors are doing and how they are doing it. We even share all the indicators we’ve uncovered.

https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #hijackedcname

In this deep dive, David Bombal is joined by Wireshark expert Chris Greer to strip down the most critical protocol on the internet: DNS. We move beyond the theory to show you exactly what DNS looks like "on the wire."

Watch the video on YouTube: https://youtu.be/9b4EjMsB5bg?si=31XwJFQqn4MsQuil

Big thank you to Infoblox for sponsoring this video. For more information on Infoblox have a look at their website: https://www.infoblox.com/

#dns #infoblox #wireshark

DNS Command & Control: Detecting Malware Traffic


Two heavyweight scam TTPs, malvertising and pig butchering, have combined. In our latest research, we track hundreds of investment-scam campaigns using this one-two punch to target Japan and the wider Asia region.

The hybrid approach kicks off with malvertising ads that impersonate well-known financial experts, funnels victims through lure sites on RDGA-generated domains, and finally pulls them into messaging chats run by tireless AI-style pig-butcher bots. The result: an industrial-scale long con, with individual victims reporting losses of up to ¥10M (~US$63k).

This model is reused across different campaigns and, by pivoting on DNS, we've so far been able to map out an ecosystem of over 23,000 domains.

In our latest blog we talk about our first‑hand experience going through the scheme, break down the entire flow, and share all the related IOCs: https://www.blogs.infoblox.com/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/

#Infoblox #InfobloxThreatIntel #dns #threatintel #threatintelligence #malvertising #pigbutchering #rdga #dga #lookalikes #crypto #investment #scam #fraud #cybercrime #cybersecurity #infosec #Japan #Asia #AI

Banners, Bots and Butchers: The AI-Driven Long Con in Asia

Hybrid malvertising and pig butchering scams targeting Asia may mark future direction of AI-driven cyber fraud


🏇 Sports and gambling are long-time partners, and the 2026 Winter Olympics is no exception. 🥇 🏂

In recent years, higher adoption of digital payment methods, cheaper mobile internet, and legalization in more jurisdictions have rapidly expanded online gambling. Industry forecasts put the market at about USD 153 billion by 2030. Although more regions have moved from bans to regulated licensing, this hasn't eliminated illicit activity. Many providers are unlicensed, use offshore operators, and have been implicated in unlawful practices. One of the most prominent and controversial platforms is 1XBET, which offers betting on football, esports, and even weather events. Numerous investigative groups have questioned the legitimacy of 1XBET, and many users associate it with scams.

Last week, we observed a 1XBET email spam campaign targeting Burmese internet users. Emails were sent from mailer[@]1xbet[.]com via Melbicom SMTP servers (AS 56630) with the subject ❄️ 1xBet ရဲ့ Winter Olympics မှာ ပါဝင်ပြီး Legend တစ်ယောက် ဖြစ်လာလိုက်ပါ။ (roughly: "Join 1xBet's Winter Olympics and become a Legend"). They also targeted the same audience through their Facebook account at https://www.facebook.com/mmsportsnet/.

Although online gambling is technically illegal in Myanmar, 1XBET continues to reach users through numerous mirror sites that can be quickly replaced when blocked. They also apply geo‑gating for additional protection. Our initial access attempt to 1xlite-03801[.]world was blocked, but switching to a South Asian endpoint allowed us to reach content at 1xlite-17342[.]bar.

Below is a subset of domains we have attributed to 1XBET and the associated spam campaign.

Mirror site domains:
10x-bet[.]org,10xbet[.]icu,11xslp[.]top,14xsl[.]top,1ex-bet[.]net,1x-bat[.]net,1x-vet[.]com,1xbat[.]xyz,1xbatdownload[.]com,1xbate[.]com,1xbeat[.]net,1xbed[.]net,1xbeet[.]icu,1xbetdemoaccount[.]com,1xbetslipcheck[.]com,1xbettingapp[.]com,1xbey[.]net,1xbst[.]org,1xbwt[.]org,1xdet[.]net,1xlk-chickenroad[.]com,1xslopi[.]top,1z-bet[.]com,2xslops[.]top,3xslo[.]top,42sport[.]ph,4xslo[.]top,5xslops[.]top,6xslops[.]top

Geo-gate / Landing page domains:
1xlite-03801[.]world,1xlite-048726[.]top,1xlite-107192[.]top,1xlite-17342[.]bar

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #sportsbetting #onlinegambling #gambling #betting #1xbet #myanmar #winterolympics #olympics #spam

New DNS protection from Google Cloud: benefits for enterprises

Secure your cloud resources with Google Cloud's new DNS Armor: a cloud-native protection service for enterprises.

Source: All About Security, the online magazine for cybersecurity (ransomware, phishing, IT security, network security, AI, threats, DDoS, identity & access, platform security)

🇦🇺 Scam at Work: Down Under 🪪

We've been tracking multiple phishing campaigns targeting Australian myGov users, impersonating the myGov portal to harvest credentials and PII.

Access is only permitted if the visitor is browsing from an Australian IP address, a classic geo-IP filter to narrow in on likely victims and discourage casual analysis.

While there are a few small variations across samples, the core scam flow remains the same.

Attempts to authenticate using the Digital ID app either cause the sign-in page to refresh or trigger a particularly helpful message:

"Error – Digital ID is N/A at this moment. Use your myGov sign‑in details below."

And by helpful… we mean phishy.

From there, the flow escalates quickly. Victims are prompted to:
- Authenticate with an email/username and password
- Submit SMS one‑time codes (sometimes twice), despite never being asked for a phone number — any code is accepted
- Answer three pre‑defined security questions, selected from a drop‑down list
- Provide full name, date of birth, and upload front and back images of a driver licence, after being told to have both a licence and Medicare card ready

💰 The payoff?
Victims are shown some variation of "Verification Complete" or "Verified Successfully". Some versions promise "You are eligible to receive a refund", while others instruct victims to wait 21 days for their income statement to become tax‑ready.
Unsurprisingly, we suspect no refunds will be forthcoming.

🧰 Tradecraft notes:
Pivoting on structural markers led to the discovery of similar phishing targeting Microsoft 365 tenants. Whether myGov uses Microsoft‑backed identity services or not, the user experience deliberately mirrors enterprise SSO and MFA flows users have been trained to trust.

🚩 Reminder:
If it's not on gov.au, you'd better run — you'd better take cover.

Example domains:
⛔️ govausclientsecureinbox[.]com
⛔️ online-sevices[.]cfd
⛔️ login-mygouau[.]live

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing

🚗 Re‑tax, don't do it?! 💷

We're seeing an ongoing phishing campaign impersonating the UK Government Vehicle Tax website, telling victims to "Renew your Vehicle Tax Now".

No need for official reference numbers or details from your vehicle log book — this page will happily collect a handful of personal and payment card details before helpfully dumping you back at the GOV.UK search page, all as if nothing ever happened.

📝 Victims are prompted to enter their name, address, postcode and mobile number…
💳 ...along with their payment card number, expiry date and card verification value (CVV)

In other words, pretty much everything you'd need to make fraudulent charges — or resell the details on to other scammers.

Unsurprisingly, this activity originates from an off‑the‑shelf phishing kit, sold and advertised on Telegram by an actor we're tracking. It's one of several kits they offer, targeting both government and commercial brands worldwide.

As to be expected, this kit has been deployed on a mix of compromised hosts and dedicated registered domains, such as this example in January:

⛔️ `licence-updates[.]com`

The current campaign is abusing Bluehost's shared hosting, with multiple `mybluehost[.]me` subdomains serving identical phishy content:

⛔️ `ksh[.]bfm[.]mybluehost[.]me`
⛔️ `qqw[.]cjf[.]mybluehost[.]me`
⛔️ `qsh[.]xka[.]mybluehost[.]me`
⛔️ `wvj[.]xnj[.]mybluehost[.]me`

FRANKIE SAYS: If you didn't start on GOV.UK, the only thing getting renewed 'immediatley' [sic] is the scammer's stolen card inventory!

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing

We've been tracking a cluster of RDGA-generated domains involved in distributing fake app-store landing pages. These domains are consistently registered through Namecheap and fronted by Cloudflare, which the operators use to obscure origin infrastructure while rapidly cycling through fresh front-end domains.

The sites impersonate Google Play or iTunes, chosen according to the visitor's device user-agent, presenting pages that look and feel legitimate. Instead of real apps, the pages deliver Progressive Web Applications (PWAs) that persist on the device and enable ongoing notification abuse.

PWAs are web applications that the browser installs as a cross-platform app on Windows, Linux, Android and iOS, adding an icon to the home screen or desktop of every device.

Once installed, the PWA triggers a redirection chain through one or more intermediary domains before sending users to online casinos, adult content, or other low-quality destinations. Because many of these casinos operate from regions where online gambling is restricted or illegal, the operators continually replace the final-stage domains. Combining RDGA with PWAs lets them evade regional blocking, reputation systems, and automated detection controls by rotating infrastructure at scale while maintaining persistence on user devices.

FWIW, most large-scale gambling operations like these are not simply illegal in the regions they target: they are scams and are often connected to other major crimes, including human trafficking.

play-megawin[.]site
play-icefish[.]website
play-richcasino[.]site
play-casinostaat[.]site
mountainvertex[.]shop
play-fdjfrance[.]site
play-lucky7[.]site
funterra[.]shop
hotcoins[.]site
stonefestal[.]shop
spirevanguard[.]shop
play-crowngreen[.]website
forestoutpost[.]shop

#threatintel #gambling #pwa #dns #fake #infoblox #threatresearch #malware #scam #fakeApp #googleplay #infobloxthreatintel #itunes

⚠️ Smishing alert for Greek citizens. 💳 🚨

Scammers are pushing fake AADE (Independent Authority for Public Revenue) “unpaid taxes” SMS that lead to cloned payment pages designed to steal credit‑card info. If a text suddenly demands urgent payment, treat it like a pop‑up from nowhere—don’t click, don’t trust, don’t pay. Share to protect others.

mycargr[.]com
aadcar[.]com
aadgee[.]com
aadgre[.]com

#CyberThreatIntel #Infoblox #DNS #ThreatResearch #phishing #smishing #Cybercrime #AADE #Greece