Recovery Scam Season: Second Time’s the Charm? 🎣

Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
⚠️ 📵 Yeah… about that.

Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

Here’s the playbook:
• 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
• 🌐 Lookalike recovery domains instructing victims to submit contact info →
• 📞 Outreach via Email, WhatsApp etc. →
• 🤝 Trust building + fake progress →
• 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

Recent examples:
⛔ europolhelp[.]live
⛔ recovery-protocol[.]net
⛔ fbi-support[.]live
⛔ baseinfo[.]biz

Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers.🧠

#ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
Smishing campaigns targeting device owners
Pay‑as‑you‑go “unlocking” tools sold on Telegram
By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. https://www.infoblox.com/blog/threat-intelligence/lookalike-domains-expose-the-iphone-theft-economy/

#ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel #threatintelligence #cybercrime  #infosec #infoblox #infobloxthreatintel

WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show at the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

Domain sample:
whatsappweb[.]net
whatapapp[.]com
whatsptapp[.]com
leropaxi-whatsapp[.]com[.]cn

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

"Run a quick DNS speed test" they said… 🤔

One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

That randomness is doing a lot of work.

Across a handful of runs we saw clients touching:

- Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
- Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
- Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
- Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
- Autodiscover for named orgs (useful for pre‑populating phish kits)
- ~150 banking domains, globally distributed

All from a page load. No content fetched, just "harmless" handshakes.

What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:

- A spray of client IPs into sensitive identity and gov endpoints
- Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
- Occasional redirects into less friendly corners of the web, courtesy of the long tail

The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel

Send an SMS to confirm you're a human? That's strange. How about dozens of SMS, to locations all over the world? That sounds more like a hot take on International Revenue Share Fraud (IRSF). Infoblox Threat Intel has come across an operation that defrauds both individuals and telecoms by way of social engineering victims through the use of a fake CAPTCHA process.

With IRSF, fraudsters generate their revenue by driving call or SMS traffic to numbers to which they have revenue sharing agreements with the local telecoms. Historically, this has been done by methods like hacking an organization's PBX system, or using bots to abuse services that generate one-time-passwords, and directing that call or SMS traffic to numbers under their control.

This operation, however, takes advantage of individuals' familiarity with the CAPTCHA process, by adding a multi-stage requirement to send bulk SMS to get access to games, videos, or adult content - because of course, these things are so hard to access online otherwise.
In this case, the victims are two-fold. First, it impacts the people who get unexpected international SMS charges on their bill, and then the telecoms who both pay termination fees to the international destinations telecom, and who also possibly absorb the cost of the chargeback.

Read more about our investigation into this new flavour of scam, including the specific domains and infrastructure we uncovered, here: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/

 #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #IRSF #telecom #captcha

Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

At that step victims are already at the landing page but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without added user interaction needed, a fake Amazon login page is displayed.

Domains samples:
qqc10c[.]cyou
51wang11c[.]cyou

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

#Tatort #DNS: Wie das #Internet seine Angreifer verrät mit Renée Burton - #TheyTalkTech – mit Eckert und Wolfangel - #Podcast:

Das #Telefonbuch des #Internets kennt keine Geheimnisse. Wenn man weiß, wie man es liest. Renée Burton hat 22 Jahre beim #US-Geheimdienst #NSA verbracht und wechselte dann die Seite.

Als #Head_of_Threat_Intelligence bei der #IT-Security Firma #Infoblox analysiert sie Billionen von #DNS-Anfragen und findet darin, was andere übersehen:...

https://frauen-technik.podigee.io/77-new-episode

From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

In addition to giving criminal operators complete control over infected devices, behind the malware sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

👉 Read the full report here: https://www.infoblox.com/blog/threat-intelligence/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers/
👉 We spoke to the Economist to explain how the scam centre threat is shifting: https://www.economist.com/interactive/asia/2026/04/10/scam-inc-has-a-new-weapon?fsrc=core-app-economist

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

Domain sample: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes