Infoblox Threat Intel


Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a traffic distribution system (TDS). Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off, repackaging it as a reassuring security check.

Upon clicking the link within the email, victims are first redirected to an RDGA (registered domain generation algorithm) TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
This second and last domain is not a TDS domain, but funnily enough, these actors decided to emulate one anyway!

At that step, victims are already on the landing domain, but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and a fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit; it was to make sure the environment was safe… for the scammers. A few seconds later, without any further user interaction, a fake Amazon login page is displayed.

Domain samples:
qqc10c[.]cyou
51wang11c[.]cyou

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

Happy Sweet ~16th birthday back button hijacking schemes! 🎂 😈

It's been over a decade without action, but this year Google Search finally stepped up and announced plans to penalize websites that hijack the back button, a practice universally disliked by users.

For years threat actors and overly aggressive tech companies have used "back button hijacking" across a wide variety of browsers to prevent people from leaving their scammy website experiences.

This type of malicious feature can be built with a little bit of JavaScript, so countless organizations have been doing it, including some of the most aggressive Traffic Distribution System (TDS) advertising companies.

Some organizations combine these back button hijacking schemes with malicious SEO efforts to rank their websites high on search results only to unexpectedly redirect visitors to new domains.

Google announced that, starting June 15, 2026, "Pages that are engaging in back button hijacking may be subject to manual spam actions or automated demotions, which can impact the site's performance in Google Search results."

Read their announcement @ https://developers.google.com/search/blog/2026/04/back-button-hijacking

We're very excited about this announcement from Google – and while it's taken longer than most folks would have hoped to make this change, the economics of websites trying to both rank high in search results while also conducting forced redirections has just dramatically shifted. 💸

We need more organizations thinking about how to disrupt the economics of cybercrime by making choices that punish malicious behaviors. And if you're aware of an ~exploit of your product with "hijacking" in the name, maybe that's a good one to look into disrupting sooner than later! 👀 ⚡ ⚖️


From call scripts and scams to command and control—Southeast Asia’s scam centres are levelling up.

In our latest research with Chong Lua Dao, we track a sophisticated Android banking trojan directly to the K99 Triumph City scam compound in Sihanoukville, Cambodia, and the high-ranking political elites behind it.

Using a combination of technical analysis, infrastructure patterns, and operational visibility provided by former captives, we were able to map thousands of targeted lure and C2 domains used to distribute and administer the malware across Asia, Africa, Europe, and Latin America.

What we uncovered is a turnkey malware-as-a-service (MaaS) platform sold to scam-centre based criminal networks, including K99, enabling real-time surveillance, credential theft, biometric data exfiltration, and financial fraud on a global scale. Victims are funnelled through domains impersonating government services, financial institutions, e-commerce platforms and airlines, with new domains registered every month.

The malware gives criminal operators complete control over infected devices, and behind it sits a highly coordinated operation. Our investigation unpacks the whole thing, revealing multiple C2 panels organised by country and “customer” as well as the integration of AI-driven tools used to support attacks targeting victims in at least 21 countries and 15 languages.

What’s more, we have found that there is significant overlap with the infrastructure and business networks attributed to the DNS threat actors Vigorish Viper and Vault Viper, highlighting the continued evolution of the regional cyber threat landscape.

👉 Read the full report here: https://www.infoblox.com/blog/threat-intelligence/scams-slaves-and-malware-as-a-service-tracking-a-trojan-to-cambodias-scam-centers/
👉 We spoke to the Economist to explain how the scam centre threat is shifting: https://www.economist.com/interactive/asia/2026/04/10/scam-inc-has-a-new-weapon?fsrc=core-app-economist

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #malware #scam

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers (a remote access support tool commonly abused by threat actors), we found an interesting business that we had never seen before. This actor uses Telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically, RATO is a service that bundles cPanel and ScreenConnect to help its cybercriminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature, but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several Telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their Telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia, including Indonesian IP addresses in passive DNS and domains within the same Cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

⚽ Threat actors are warming up for the 2026 World Cup—and they’re targeting fans early.

We’ve observed FIFA ticket phishing pages on domains such as fifa[.]bio and ww-fifa[.]com, distributed through malicious spam emails and Facebook ad campaigns. These sites prompt a bogus FIFA ID login to purchase tickets, then transition to a checkout flow collecting personal and payment information.

Payment flows redirect to actor-controlled domains (pay[.]fifa-com[.]com) or Stripe checkout pages with inconsistent merchants (we observed some with suspicious Romanian LLC names).

These recently-registered domains are mostly Cloudflare-hosted, spread across various TLDs, and consistently abuse FIFA branding. If it’s a suspicious domain in your inbox or feed, assume it’s not official. 🛑 ⚽

Domain samples: fifa-2026[.]homes, fifa-com[.]media, www-fifa-com[.]website, vvww-fifa[.]com, fifa-26-worldcup[.]com

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #FIFA #WorldCup2026 #phishing #scam #lookalikes

🚨 Tax Season, Scam Season: Lookalike Domains Target Spain’s Agencia Tributaria

Today (April 8), the tax filing and refund period officially starts in Spain — and as expected, so do the scams.

We’ve identified multiple new lookalike domains impersonating Spain’s official tax authority (Agencia Tributaria), registered over the past few weeks, including:

agenciatributaria-gob[.]com
agencia-tributaria[.]im
agenciatributaria[.]de
sede-agenciatributaria[.]com
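Added example, not code from the post: a small scorer for the brand lookalike patterns in the FIFA domains above (hyphenated brand, fake TLD inside the name, "vvww" for "www", odd suffixes) and in the Agencia Tributaria registrations listed here. The official-domain allow-list, the confusable table and the two-label suffix set are assumptions made for the example, not a verified reference; the sample list is the domains quoted in the two posts plus two genuine ones for contrast.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Brands from the two posts, mapped to the domains assumed here to be genuine
# (an assumption for the example, not a verified allow-list).
OFFICIAL: Dict[str, set] = {
    "fifa": {"fifa.com"},
    "agenciatributaria": {"agenciatributaria.es", "agenciatributaria.gob.es"},
}
# Glued onto a brand inside the name, these fake a TLD ("fifa-com.media").
FAKE_TLD_TOKENS = ("com", "gob", "es")
# Letter-only confusables, including the one in the samples ("vvww-fifa.com").
# "rn" -> "m" can misfire on ordinary words; kept here for illustration.
CONFUSABLES = (("vv", "w"), ("rn", "m"))
# Minimal stand-in for the Public Suffix List, just what the samples need.
MULTI_LABEL_SUFFIXES = {"gob.es", "com.es", "co.uk"}
_SEPARATORS = re.compile(r"[.\-_]")


def split_suffix(host: str) -> Tuple[List[str], str]:
    """'sede.agenciatributaria.gob.es' -> (['sede', 'agenciatributaria'], 'gob.es')"""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[:-2], ".".join(labels[-2:])
    return labels[:-1], labels[-1]


def fold_confusables(text: str) -> str:
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return text


def lookalike_report(host: str) -> Optional[Dict]:
    """Score a hostname against OFFICIAL; None when no brand token is present."""
    name_labels, suffix = split_suffix(host)
    if not name_labels:
        return None
    registrable = f"{name_labels[-1]}.{suffix}"
    raw = ".".join(name_labels)
    squashed = _SEPARATORS.sub("", raw)            # 'www-fifa-com' -> 'wwwfifacom'
    folded = fold_confusables(squashed)            # 'vvwwfifa'     -> 'wwwfifa'
    for brand, official in OFFICIAL.items():
        if brand not in folded:
            continue
        if registrable in official:
            return {"host": host, "brand": brand, "official": True, "score": 0, "signals": []}
        signals = ["brand token in name"]
        if folded != squashed:
            signals.append("confusable characters")
        if any(brand + tok in folded for tok in FAKE_TLD_TOKENS):
            signals.append("fake TLD embedded in name")
        if "-" in raw:
            signals.append("hyphenated brand")
        if suffix not in {o.split(".", 1)[1] for o in official}:
            signals.append(f"unexpected suffix .{suffix}")
        return {"host": host, "brand": brand, "official": False,
                "score": len(signals), "signals": signals}
    return None


def rank(hosts: Iterable[str]) -> List[Dict]:
    """Non-official hits, highest score first."""
    hits = [r for r in map(lookalike_report, hosts) if r and not r["official"]]
    return sorted(hits, key=lambda r: (-r["score"], r["host"]))


# Domains quoted in the two posts plus two genuine ones for contrast.
SAMPLE_DOMAINS = [
    "fifa.bio", "ww-fifa.com", "pay.fifa-com.com", "fifa-2026.homes",
    "fifa-com.media", "www-fifa-com.website", "vvww-fifa.com", "fifa-26-worldcup.com",
    "agenciatributaria-gob.com", "agencia-tributaria.im", "agenciatributaria.de",
    "sede-agenciatributaria.com", "fifa.com", "sede.agenciatributaria.gob.es",
]

if __name__ == "__main__":
    for r in rank(SAMPLE_DOMAINS):
        print(f"{r['score']}  {r['host']:28s} {', '.join(r['signals'])}")
```

The score is only a triage aid: a brand token in a newly registered name under an unexpected suffix is what puts a domain on the list, and the remaining signals order the list. Plug in a real Public Suffix List and a maintained allow-list before using it on production DNS logs.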

Threat actors moved so fast that some campaigns were launched before the official refund process even started, already promising generous (and obviously fake) tax refunds.

For example, agencia-tributaria[.]im advertises refunds of €250+ — a clear lure.

Laughs aside, while they may not be the smartest in terms of timing, they are learning new tricks. We’ve been talking a lot about TDSs lately, and they seem to like them too.

That same domain redirects users almost instantly to a malicious phishing landing page if they match the attacker’s targeting criteria. However, when accessed from a Linux virtual machine, fingerprinting likely flags a security analyst environment — and suddenly you’re redirected to the lovely and familiar "google[.]com" page, never seeing a second of the phishing content. The same seems to occur if you access it from another country.

They may have been fast starting their campaigns (maybe too fast)…but we’re faster finding them!
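Added example, not code from the post: replaying the same link under different client profiles and comparing where each redirect chain ends, which is the quickest way to confirm the server-side branching described here (Linux VM or foreign country gets google[.]com, matching client gets the lure) and in the Amazon/TDS post above. The profile headers, the tds.example and landing.example names and the simulated_fetch stub are constructed for the offline demo; http_hop does the real request when you pass a live URL.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

Hop = Tuple[int, Optional[str]]            # (HTTP status, Location header or None)
Fetcher = Callable[[str, Dict[str, str]], Hop]

# Client profiles to replay the link under. Which headers a given TDS keys on is
# an assumption; these cover the two axes the posts mention (geo/language, OS).
PROFILES: Dict[str, Dict[str, str]] = {
    "es-windows": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
        "Accept-Language": "es-ES,es;q=0.9",
    },
    "ja-android": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36",
        "Accept-Language": "ja-JP,ja;q=0.9",
    },
    "linux-analyst": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
        "Accept-Language": "en-US,en;q=0.5",
    },
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_hop(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Hop:
    """Issue one GET without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # with _NoRedirect, 3xx lands here
        return err.code, err.headers.get("Location")


def follow_chain(url: str, headers: Dict[str, str], fetch: Fetcher = http_hop,
                 max_hops: int = 8) -> List[str]:
    """Record every HTTP-level hop. JS/meta-refresh redirects are NOT seen here."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], headers)
        if not 300 <= status < 400 or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


def probe(url: str, profiles=PROFILES, fetch: Fetcher = http_hop) -> Dict[str, List[str]]:
    return {name: follow_chain(url, hdrs, fetch) for name, hdrs in profiles.items()}


def cloaking_verdict(results: Dict[str, List[str]]) -> dict:
    """Cloaked if the same link ends somewhere different depending on the client."""
    finals = {name: chain[-1] for name, chain in results.items()}
    return {"cloaked": len(set(finals.values())) > 1, "final_by_profile": finals}


# Constructed stand-in for the network, modelled on what the post describes:
# a Linux/English client gets bounced to google.com, a matching Spanish client
# is forwarded to the lure. tds.example and landing.example are made-up names.
def simulated_fetch(url: str, headers: Dict[str, str]) -> Hop:
    if url.startswith("https://tds.example/"):
        ua = headers.get("User-Agent", "")
        lang = headers.get("Accept-Language", "")
        if lang.startswith("es") and "X11; Linux" not in ua:
            return 302, "https://landing.example/login"
        return 302, "https://www.google.com/"
    return 200, None


if __name__ == "__main__":
    verdict = cloaking_verdict(probe("https://tds.example/r/abc", fetch=simulated_fetch))
    for name, final in verdict["final_by_profile"].items():
        print(f"{name:14s} -> {final}")
    print("cloaked:", verdict["cloaked"])
```

Run the live version from the target geography (or through an exit node there), since source IP is usually one of the fingerprinted attributes. If every profile lands on the same page even though the lure is known to exist, the branch is happening client-side, as with the fake console in the Amazon post, and you need a real browser rather than raw HTTP to see it.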

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #phishing #scam #spain #agenciatributaria #declaraciondelarenta

Keitaro series, Part 3: What happens when we zoom out from individual campaigns and examine the broader ecosystem of Keitaro abuse?

In the third and final installment on Keitaro, we take a step back to analyze cross‑campaign trends and the Keitaro features most frequently abused at scale. We also look at cookies and cracked versions tied to threat actors like TA2726, and share what provider engagement and takedowns actually look like in practice.

https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #keitaro #adtech #tds


We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

Seeing FQDNs like "mtmoqiuq.20.218.142.124.static.hostiran[.]name" and "sgrwnbid.172-202-98-170.cloud-xip[.]com", we first thought some ASNs could be exploited similarly to the ".ARPA abuse" we described in one of our recent blogs. Turns out we were overthinking it... This kind of "DNS abuse" is so straightforward... We're not sure it qualifies as DNS abuse...

Here is what is going on: Whatever IP address you prepend to "static.hostiran[.]name" creates a hostname which resolves to this IP... That is it! Same goes for cloud-xip[.]com!

We've seen these kinds of hostnames a lot in spam emails recently, like the one screenshotted below, which loads an image from a CDN as a giant hyperlink. We aren't sure why malicious spam actors bother to use this trick in their email links... If they control an IP, they can use it directly in URLs. They don't need a domain name!? And it isn't like this bypasses a firewall... If their IP is blocked, connections to those FQDNs fail too...

Our best guesses are that:
- Using hostnames rather than IPs helps them bypass spam email detection?
- And / or it enables them to create "subdomains", which they seem to be doing to track something, either spam campaigns or their victims.

Technically, this could be used to create lookalike FQDNs. Those examples look like random subdomains, but literally anything can be prepended to the IP, so the only limit is your imagination! Not the most convincing lookalike by any means... but we've seen worse!

Here is an example of how this can be abused both to load content from literally any IP and to create low-quality lookalikes:
https://urlscan.io/result/019d1b3d-b94e-70f9-aae7-ecf5a02e3c89/
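Added example, our own and not from the post: pulling the IP literal out of these xip-style hostnames (dotted as under static.hostiran[.]name, dashed as under cloud-xip[.]com) and flagging attacker-chosen labels in front of it that imitate a brand. The two zone suffixes come from the post; the brand watch-list and the sample links, including the paypal one, are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Zones the post describes: whatever IPv4 literal precedes the suffix is what
# the name resolves to. Suffixes from the post; treat the tuple as local config.
WILDCARD_IP_ZONES = ("static.hostiran.name", "cloud-xip.com")

# Brand tokens a prepended label might imitate (constructed watch-list).
BRAND_TOKENS = ("paypal", "amazon", "fifa", "microsoft")

# IPv4 literal in dotted (20.218.142.124) or dashed (172-202-98-170) form,
# anchored at the end of the part that precedes the zone suffix.
_IP_TAIL = re.compile(r"(?:^|\.)(\d{1,3}(?:[.-]\d{1,3}){3})$")


@dataclass
class EmbeddedIPHost:
    fqdn: str
    zone: str
    ip: str        # normalised dotted-quad the name resolves to
    prefix: str    # attacker-chosen labels in front of the IP ("" if none)


def parse_embedded_ip_host(fqdn: str, zones: Iterable[str] = WILDCARD_IP_ZONES) -> Optional[EmbeddedIPHost]:
    """Return the IP encoded in an xip-style hostname, or None if it is not one."""
    host = fqdn.strip().rstrip(".").lower()
    for zone in zones:
        if not host.endswith("." + zone):
            continue
        body = host[: -(len(zone) + 1)]           # everything before the zone
        m = _IP_TAIL.search(body)
        if not m:
            return None                            # under the zone, but no IP literal
        try:
            ip = str(ipaddress.IPv4Address(m.group(1).replace("-", ".")))
        except ipaddress.AddressValueError:
            return None                            # e.g. an octet above 255
        return EmbeddedIPHost(host, zone, ip, body[: m.start(1)].rstrip("."))
    return None


def triage_url(url: str, brands: Iterable[str] = BRAND_TOKENS) -> Optional[dict]:
    """Flag a URL whose host encodes its own IP; note lookalike labels in front."""
    parsed = parse_embedded_ip_host(urlsplit(url).hostname or "")
    if parsed is None:
        return None
    reasons = ["ip-encoded hostname under " + parsed.zone]
    if not ipaddress.IPv4Address(parsed.ip).is_global:
        reasons.append("encoded IP is not globally routable")
    for brand in brands:
        if brand in parsed.prefix:
            reasons.append(f"prefix imitates '{brand}'")
    return {"url": url, "ip": parsed.ip, "prefix": parsed.prefix, "reasons": reasons}


# Constructed sample of spam link hosts, modelled on the two FQDNs quoted in the
# post; the paypal entry is a made-up illustration of the lookalike angle.
SAMPLE_LINKS = [
    "http://mtmoqiuq.20.218.142.124.static.hostiran.name/track/1",
    "https://sgrwnbid.172-202-98-170.cloud-xip.com/img/banner.png",
    "https://paypal.com.login.203.0.113.9.static.hostiran.name/",
    "https://news.300.1.1.1.cloud-xip.com/",       # octet 300: not a valid IP literal
    "https://example.org/",                         # ordinary hostname
]


def triage_all(urls: Iterable[str] = SAMPLE_LINKS) -> list:
    return [hit for hit in (triage_url(u) for u in urls) if hit]


if __name__ == "__main__":
    for hit in triage_all():
        print(hit["ip"], hit["prefix"] or "-", "; ".join(hit["reasons"]))
```

Because the zone hands the IP back to whoever asks, the useful pivot is the decoded IP (and the prefix, which is the only part the sender controls), not the FQDN itself; block or enrich on the address and treat the prefix as campaign or victim tracking data, as the post suggests.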

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #spam #scam

Many of the other crypto phishing pages have been simpler lures:

try-trezcard[.]com
live-ledgerupdate[.]com
valid-ledgerlive[.]com
822037[.]help
support.devicerecovery[.]io

Our team at Infoblox is hopeful that, with more public awareness about these ongoing campaigns from Poisonseed, fewer enterprise organizations and individuals will be impacted and we'll see a reduction in these attacks over the next year.

If you have any tips or leads on this campaign or others like it, please don't hesitate to ping our team! 🖖