Having trouble finding a free 📺 streaming site for World Cup 🏟️ matches? This threat actor has you covered with thousands of websites for all 104 matches! ⚽

We've been tracking a likely Vietnam-based actor that mass purchases expired domains (we call these dropcatch) and repurposes their existing web traffic to funnel visitors into illegal sports streaming sites, and then straight into a betting platform the same actor operates. The domain portfolio is a graveyard of real internet history: 2026worldcupnorthamerica[.]com (once cited by the Dallas Morning News and the US Men's National Team Facebook fan page), childreninachangingclimate[.]org (formerly a children's aid program), thebreastcancercharities[.]org (formerly non-profit The Breast Cancer Charities of America), and a domain officially used by major US grocery store chains involved in a large proposed merger. Collectively, this actor has spent hundreds of thousands of dollars acquiring dropcatch domains alone — a strong signal that dropcatching is a genuinely effective vehicle for cyber fraud. Behind all of it sits a staggering tech stack operated by a single actor: 5,000+ domains, illegal streaming services, CDNs, TDSs, trackers, cloakers, betting platforms, and mobile apps. That's not a side hustle, that's an enterprise. 🏗️

While the platform largely targets Vietnamese-speaking users, as well as others in Asia and Oceania, the financial damage reaches much further. Sports authorities and broadcasters worldwide are 📉 losing revenue every time someone watches a live NBA 🏀, MLB ⚾, esports 🎮, poker 🃏, or World Cup 🏆 match for free on one of these sites, and this actor has all of them covered.

Some examples from the domains we've uncovered so far:

Dropcatch domains that host or redirect to illegal streaming services:

autoredistrict[.]org
childreninachangingclimate[.]org
2026worldcupnorthamerica[.]com
folsomprisonmuseum[.]org
allaboutbasketball[.]us
thebreastcancercharities[.]org

Fraudulent domains that host or redirect to illegal streaming services:

90phutaa[.]cc
90phutab[.]cc
90phutac[.]cc
xoilaczzzzw[.]tv
xoilaczzzzt[.]tv
xoilaczzzzh[.]tv

Lookalike domains used by the betting platforms:

fifa001[.]com
fifa002[.]com
fifa02[.]com
worldcup00[.]com
worldcup000[.]com
worldcup02[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #dropcatch #malvertising #illegalstreaming #sportsbetting #domainabuse #vietnam #worldcup #asia #fifa #streaming #betting #2026worldcup #charities #nonprofit #lookalike #xoilac #90phut

65% - that's how many of our Threat Defense Cloud customers have been observed accessing residential proxy services. But how many of them are aware of this?
Our latest report is a deep dive into the growing phenomenon we call 'resproxies'. Resproxies, which are often embedded in Android IoT devices, or baked into "free" applications, may be running in your environment, granting access to your own IP space, or even worse, like in the case of Kimwolf, granting access to your internal network. Turns out "bring your own device" sometimes means "bring your own residential proxy." 😬

Our new research (with @synthient who covered what happens on the other end):
🔗 https://www.infoblox.com/blog/threat-intelligence/residential-proxies-in-the-wild/
#dns #threatintel #threatintelligence #cybercrime #cyber #cybersecurity #infosec #infoblox #infobloxthreatintel #residentialproxy #resproxy

Examining residential proxies in Infoblox customer networks

Infoblox Threat Intel poses the question to network defenders: “Do you know who has access to your IP space?” with a look into residential proxy traffic.

Infoblox Blog

Threat actors are leveraging shared infrastructure together with subdomain abuse to control and serve hundreds of malicious websites with minimal management.

This week we were investigating a cluster of crypto brand lookalike domains. Through subdomain abuse – often powered by wildcard DNS configurations – just 34 registered domains expand to over 500 scam sites.

Investigating website content across that cluster allowed us to find several additional clusters running the same playbook, with thousands of domains on them.

This initial cluster impersonated dozens of brands — Binance, Coinbase, Kraken, KuCoin, Bybit, Bitmart. Several of these sites push fake app downloads, making malware delivery and crypto wallet theft a likely component of the broader operation.

A sample of the domains associated:

cryptocoinsx[.]cfd
bmarkit[.]com
zznyusbsgo.bitmart[.]pw
4pzyy6n7log71mm0.bitmarts[.]cc
5etxkk2aeh8jfgl0.bitstamptc[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Scams #malware #crypto #lookalikes #subdomains #iocs
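A defender working a cluster like this usually wants two things: to collapse the observed hostnames down to the registered domains a DNS block can actually target, and to test whether an apex answers for arbitrary labels (the wildcard behaviour that lets 34 registrations expand to hundreds of sites). The following Python is an added example, not Infoblox code. The defanged indicators are the ones listed above; the public-suffix table is a deliberately tiny stand-in for the real Public Suffix List; and `fake_resolve` is a constructed answer table standing in for live DNS queries, so the whole thing runs offline.

```python
import random
import string
from collections import defaultdict

# Tiny stand-in for the Public Suffix List so that "host.example.com.cn" groups
# under "example.com.cn". Assumption for the example; use a full PSL in practice.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "co.uk", "com.au"}

# Indicators quoted in the post above, in their defanged form.
SAMPLE_INDICATORS = [
    "cryptocoinsx[.]cfd",
    "bmarkit[.]com",
    "zznyusbsgo.bitmart[.]pw",
    "4pzyy6n7log71mm0.bitmarts[.]cc",
    "5etxkk2aeh8jfgl0.bitstamptc[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a.bitmart[.]pw') back into a resolvable name."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def registrable_domain(fqdn: str) -> str:
    """Return the apex (registered) domain, honouring the multi-label suffixes above."""
    labels = fqdn.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_apex(indicators):
    """Collapse defanged hostnames into {apex: sorted hostnames seen under it}."""
    groups = defaultdict(set)
    for indicator in indicators:
        fqdn = refang(indicator)
        groups[registrable_domain(fqdn)].add(fqdn)
    return {apex: sorted(hosts) for apex, hosts in groups.items()}


def looks_like_wildcard(apex: str, resolve, probes: int = 3) -> bool:
    """Heuristic wildcard check: random labels under a wildcard apex all resolve.

    `resolve` is any callable mapping a name to a list of answers (empty when
    the name does not exist), so the logic can be exercised offline here or
    wired to a real resolver library in production.
    """
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        if not resolve(f"{label}.{apex}"):
            return False
    return True


def fake_resolve(name: str):
    """Constructed answer table standing in for real DNS lookups (not live data)."""
    if name.endswith(".bitmart.pw"):                # behaves like a wildcard zone
        return ["203.0.113.10"]
    if name == "5etxkk2aeh8jfgl0.bitstamptc.com":  # only the one observed host exists
        return ["203.0.113.20"]
    return []


if __name__ == "__main__":
    for apex, hosts in group_by_apex(SAMPLE_INDICATORS).items():
        flag = "wildcard?" if looks_like_wildcard(apex, fake_resolve) else ""
        print(f"{apex:20} {len(hosts)} host(s) {flag}")
```

When the wildcard probe fires, block at the apex: adding each observed subdomain one by one never catches up with a zone that answers for every label. Run the probe against an authoritative or otherwise trusted resolver, because a resolver that rewrites NXDOMAIN into a search page would make every apex look like a wildcard.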

Boss too tough? Salary too low? If you're after a new gig, look no further 💼

We’re tracking a recruitment‑themed phishing campaign that opens with hope of a career upgrade and ends in stolen credentials.

Victims are targeted through emails spammed out by “recruiters” impersonating real people — LinkedIn profiles copied in full, including photos and current recruiter identities. The lure leans on exciting big‑name brands including FIFA, UEFA, Nike and Spotify to anchor legitimacy before prompting victims to schedule an interview using a bogus Calendly page 👔 💫

About time they noticed your stellar performance, right? But this interview comes with a catch 🎣 To seal the deal, you'll need to log in with your company email.

The mechanics:
• Initial outreach primes the role and rapport with some feel-good shmoozing
• Link to schedule your interview lands on a cloned Calendly recruitment portal
• Follow‑on contact nudges the victim through staged redirects
• Your credentials submit their 30-day notice ⚠️

Behind the scenes:
• Convincing lookalike domains generated at scale (RDGAs), rotated aggressively
• Layered redirect chains to blur origin and intent
• Compromised or fraudulently obtained Salesforce Marketing Cloud used for delivery, helping mails sail past controls
• Lure pages clone the Pinpoint ATS — attribution supported by Pinpoint’s own Cloudinary account ID (pinpointhq) embedded in assets
• Domain validation logic limits logins to business email providers, excluding free webmail services

Sad to say, the only thing getting “shortlisted” here is your inbox for another round of credential theft.

IOCs
• brand-jobs[.]com
• brand-careers[.]com
• hr-brand[.]com
• brand-talenthub[.]com

These campaigns remain active, with the actor spinning up new lures impersonating other major brands. We regret to inform you, it seems they'll be moving forward with other candidates 😩

Better luck next time.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing

⚽ Looking for FIFA World Cup tickets without the queue?

We're continuously tracking a surge in convincing FIFA lookalike sites we first posted on last month, but this isn't your typical phishing game — it's full‑blown counterfeit ticketing, run like a high‑volume e‑commerce operation.

Premier League theatrics. Sunday league legitimacy 🎭

The flow:
• Land on a polished FIFA clone
• Auto‑localized content (language, region, pricing)
• "Checkout" pushed through rotating payment domains

Behind the curtain:
• ⚔ High domain churn — fresh registrations daily
• 🔄 Payment infrastructure swapped in/out to dodge disruption
• 🪞 Near-perfect mirroring of official FIFA content

There are indicators pointing to Chinese‑origin operators (hosting patterns, code artifacts), but targeting is global—and scalable.

The interesting bit? This isn't about stealing creds.

It's about conversion at scale. Auto-localisation + disposable infrastructure = throughput over stealth.

No ticket. No refund. Reliable revenue stream.

While this actor keeps kickin' and churning out new domains, we'll be here tracking the infrastructure... and yes it's because we can't afford a real ticket to the game.

#dns #threatintel #cybersecurity #infosec #scam #phishing #infoblox #infobloxthreatintel #WorldCup2026 #FIFA

Recovery Scam Season: Second Time’s the Charm? 🎣

Fallen victim to online fraud and now seeing ads promising to get your money back—fast, guaranteed, no upfront fees?
⚠️ 📵 Yeah… about that.

Victims around the world are being re-targeted by asset recovery scams impersonating INTERPOL, law enforcement agencies, law firms, and other trusted orgs. We've been tracking an actor deploying some slick AI-generated video ads boosted by fake news pages funneling users to polished lure sites promising miracle turnarounds. Talk about a sequel nobody asked for. 🎬

Here’s the playbook:
• 🎥 Fake ads pushing recovery services, often impersonating law enforcement →
• 🌐 Lookalike recovery domains instructing victims to submit contact info →
• 📞 Outreach via Email, WhatsApp etc. →
• 🤝 Trust building + fake progress →
• 💳 “Processing” and "release" fees (and more… and more) until you're rinsed... again.

Through DNS telemetry, we’ve been tracking this cluster for months—connecting the dots across campaigns long before takedowns hit timelines.

META recently pulled some INTERPOL-themed ads after Hong Kong media coverage—but plenty remain. The Russian-speaking actor behind this is pivoting fast, spinning up new brands, domains, and “legal services” at scale.

Recent examples:
⛔ europolhelp[.]live
⛔ recovery-protocol[.]net
⛔ fbi-support[.]live
⛔ baseinfo[.]biz

Still waiting on our recovered funds. Until then, we’ll keep tracking—because while threat actors evolve, DNS remembers. 🧠

#ThreatIntel #Scam #CyberSecurity #DNS #Infoblox #crypto #cybercrime

Stolen phones - and specifically iPhones - have robust anti-theft protections. They are worthless once they're flagged - locked to their owner. So why are millions still being stolen every year?
In this paper, we uncover a thriving underground marketplace focused on unlocking stolen phones. It is powered by:

Lookalike domains impersonating Apple, Xiaomi, Samsung and other brands
Smishing campaigns targeting device owners
Pay‑as‑you‑go “unlocking” tools sold on Telegram
By pivoting on DNS data, we identified 10,000+ malicious domains and a growing ecosystem turning locked devices into profit at scale.

👉 Read how this supply chain works—from theft to resale—and why it’s growing fast. https://www.infoblox.com/blog/threat-intelligence/lookalike-domains-expose-the-iphone-theft-economy/

#ThreatIntel #CyberSecurity #Phishing #MobileSecurity #iOS #Smishing #dns #threatintelligence #cybercrime #infosec #infoblox #infobloxthreatintel

Inside the Underground Market That Unlocks Stolen iPhones

Stolen iPhones are worthless when locked—until thieves use lookalike domains and underground unlocking tools to bypass Apple’s security and pwn the phone.

Infoblox Blog

WhatsApp, Japan, and a 500% Traffic Spike! 💹 🚨

To be honest, we thought threat actors were tripping when we saw a new WhatsApp phishing campaign targeting Japanese citizens. Don't they know LINE is the app in Japan? Well, we were surprised because this campaign is actually working…

The campaign doesn't only impersonate WhatsApp through its phishing page, but also through the lookalike domains it uses. Around 2k "WhatsApp" domain name variations are involved. The actor also leverages RDGAs – mostly for subdomains. Domains like web-rka-whatsapp[.]com[.]cn have up to 32 RDGA subdomains!

Upon visiting one of these lookalike domains, the user is fingerprinted and only forwarded to the phishing page if they match the intended profile — otherwise they get redirected to sites like bing[.]com or microsoft[.]com. As we show in the image below (with an AI-translated version), the malicious landing page simulates the WhatsApp login screen and encourages victims to scan a malicious QR code with their phone to log in.

When we found the cluster, we genuinely didn't think this campaign would land in Japan — but we were wrong. In the last 6 months, traffic to these domains has increased more than 500%, and it continues to rise.

What impact would these top quality lookalikes have if the campaigns were directed at countries where WhatsApp is actually the preferred messaging app?

Domain sample:
whatsappweb[.]net
whatapapp[.]com
whatsptapp[.]com
leropaxi-whatsapp[.]com[.]cn

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #Phishing #Quishing #WhatsApp #LINE #Japan #脅威情報 #フィッシング詐欺 #QRコード詐欺 #DNSセキュリティ #Infoblox脅威情報 #WhatsApp #LINEセキュリティ #日本 #サイバーセキュリティ

"Run a quick DNS speed test" they said… 🤔

One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

That randomness is doing a lot of work.

Across a handful of runs we saw clients touching:

- Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
- Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
- Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
- Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
- Autodiscover for named orgs (useful for pre‑populating phish kits)
- ~150 banking domains, globally distributed

All from a page load. No content fetched, just "harmless" handshakes.

What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:

- A spray of client IPs into sensitive identity and gov endpoints
- Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
- Occasional redirects into less friendly corners of the web, courtesy of the long tail

The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel
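The telemetry point above is worth wiring into a detection: one workstation resolving thousands of distinct names in half a minute is easy to spot if anything is looking for it. The following Python is an added example, not Infoblox code. It scans a minimal, constructed "timestamp client qname" log (not any product's real format) with a per-client sliding window, reports clients whose distinct-name count within 30 seconds crosses a threshold, and tags any .gov or .mil names in the burst for the "why is this workstation touching DISA?" triage step. The log lines, client IPs, threshold and sensitive-suffix list are constructed assumptions; the only real names used are under the two government domains quoted in the post.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Minimal "timestamp client qname" format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

# Suffixes that deserve a closer look when they show up in a fan-out burst.
# Illustrative assumption; extend with whatever your environment considers sensitive.
SENSITIVE_SUFFIXES = (".gov", ".mil")

# Constructed sample log: one workstation (10.0.0.5) resolves 152 distinct names in
# 15 seconds, the fan-out pattern; another (10.0.0.7) resolves the same mail host
# once a second, which is normal. One malformed line is included on purpose.
SAMPLE_LOG = (
    [f"2026-06-01T12:00:{i // 10:02d} 10.0.0.5 host{i:03d}.top1m-sample.test." for i in range(150)]
    + ["2026-06-01T12:00:07 10.0.0.5 www.uscourts.gov.",
       "2026-06-01T12:00:09 10.0.0.5 disa.mil."]
    + [f"2026-06-01T12:00:{i:02d} 10.0.0.7 mail.corp.test." for i in range(30)]
    + ["this line is garbage and must be skipped"]
)


def parse_line(line):
    """Parse one log line into (timestamp, client, qname); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return ts, m["client"], m["qname"].rstrip(".").lower()


def find_fanout_bursts(lines, window_s=30, threshold=100):
    """Per client, find the sliding window holding the most distinct qnames.

    Returns {client: {"window_start": datetime, "unique": int, "sensitive": [qname]}}
    for clients whose peak distinct-name count within `window_s` seconds reaches
    `threshold`. Input lines may arrive out of order; they are sorted first.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # client -> (ts, qname) events still inside the window
    live = defaultdict(Counter)   # client -> qname -> occurrences inside the window
    peaks = {}
    for ts, client, qname in events:
        q, c = recent[client], live[client]
        q.append((ts, qname))
        c[qname] += 1
        # Evict events older than the window, measured from the newest event.
        while (ts - q[0][0]).total_seconds() > window_s:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        unique = len(c)
        if unique >= threshold and unique > peaks.get(client, {}).get("unique", 0):
            peaks[client] = {
                "window_start": q[0][0],
                "unique": unique,
                "sensitive": sorted(n for n in c if n.endswith(SENSITIVE_SUFFIXES)),
            }
    return peaks


if __name__ == "__main__":
    for client, hit in find_fanout_bursts(SAMPLE_LOG).items():
        print(f"{client}: {hit['unique']} distinct names from {hit['window_start']:%H:%M:%S}; "
              f"sensitive: {', '.join(hit['sensitive']) or 'none'}")
```

The threshold is the tuning knob: 100 distinct names in 30 seconds is far above what a browser normally does on a page load, but build tools, crawlers and update agents can approach it, so an allowlist of known bulk resolvers belongs in front of any alert this generates.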

Send an SMS to confirm you're a human? That's strange. How about dozens of SMS, to locations all over the world? That sounds more like a hot take on International Revenue Share Fraud (IRSF). Infoblox Threat Intel has come across an operation that defrauds both individuals and telecoms by way of social engineering victims through the use of a fake CAPTCHA process.

With IRSF, fraudsters generate their revenue by driving call or SMS traffic to numbers to which they have revenue sharing agreements with the local telecoms. Historically, this has been done by methods like hacking an organization's PBX system, or using bots to abuse services that generate one-time-passwords, and directing that call or SMS traffic to numbers under their control.

This operation, however, takes advantage of individuals' familiarity with the CAPTCHA process, by adding a multi-stage requirement to send bulk SMS to get access to games, videos, or adult content - because of course, these things are so hard to access online otherwise.
In this case, the victims are two-fold. First, it impacts the people who get unexpected international SMS charges on their bill, and then the telecoms who both pay termination fees to the international destinations telecom, and who also possibly absorb the cost of the chargeback.

Read more about our investigation into this new flavour of scam, including the specific domains and infrastructure we uncovered, here: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/

#threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #IRSF #telecom #captcha

Fake CAPTCHA Pages Enable Global SMS Scams

Fake CAPTCHA pages trick victims into sending dozens of international SMS messages, powering a large-scale international revenue share fraud operation.

Infoblox Blog