Netcraft provides powerful phishing detection, cybercrime disruption, and website takedown solutions to the world's largest organizations.

RE: https://infosec.exchange/@BleepingComputer/115663627288221100

Proud to support NCSC’s proactive notifications pilot. External scanning helps surface exposed services and known vulnerabilities so organizations can remediate faster. Important initiative outlined here.

Attackers are leveraging behavioral science to shape their campaigns.
Netcraft expects this to intensify in 2026, making intent detection just as important as artifact detection.

https://vmblog.com/archive/2025/11/19/five-cybersecurity-predictions-for-the-year-ahead.aspx

#BrandProtection #ThreatIntelligence #Phishing #Infosec

🚨 NEW THREAT INTEL REPORT: A football sponsorship isn’t always what it seems. ⚽
Our latest research uncovers how Felix Markets used sports to launder legitimacy for a fraudulent investment platform.

https://www.netcraft.com/blog/fake-investment-platform-reputation-laundering-felix-markets

#ReputationLaundering #BrandProtection #ScamAlert

Happy Cyber(crime) Monday. Someone is sending out these bogus "e-signature" notifications as #malspam.

They lead to a page on Google Drive that has an interstitial link. When you click it, the page pushes an installer for N-Able Advanced Monitoring Agent, a commercial IT remote management tool. https://www.virustotal.com/gui/file/5ddcff44de366e6693c24e189121011ba664d6e71686e9463bb1574572564909/detection

This is just the latest evolution of the attack I documented on the @Netcraft blog before the holiday break: https://www.netcraft.com/blog/shared-document-spam-delivers-remote-access-tool #spam #malware #RAT

Google has filed suit against a Chinese-based phishing-kit platform behind toll-road & delivery scams. Meanwhile our team at Netcraft uncovered 17,500+ domains targeting 316 global brands.

Read how PhaaS is going industrial: https://www.netcraft.com/blog/inside-the-lighthouse-and-lucid-phaas-campaigns-targeting-316-global-brands

📞 “Hello, this is your bank…”

No it’s not.

Learn how PNC’s team spots these calls before they reach customers.
💡 Webinar Nov 17 – Reserve your spot:

https://www.netcraft.com/lp/disrupt-phone-fraud-webinar

#Fraud #Cybersecurity #BrandProtection

Overall, this has been a fascinating #phishing investigation, one of the first ones I've done since joining @Netcraft and one that highlights just how deep the rabbit hole can go.

As with all of my blog posts, I've linked to indicators of compromise. It's a big list, but I know the folks who want to address problems will want all the data to work with. Here's what I've got. Do you have more intel about them? Drop me a line.

https://github.com/netcraftcom/public-iocs/blob/main/2025-11%20hotel%20phishing%20IOCs.csv

Also, if you (or someone you know) has received a message like this, reach out! I really want to know if you actually had a reservation at the hotel that shows up in the scam email in your inbox. If you do/did, that may point to a larger problem that has not been discovered or disclosed.

/fin

https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign

Happy Thursday! I'm celebrating the publication of my first blog post at @Netcraft as Principal Threat Researcher with a story about...#smishing for tax refunds.

Since the beginning of last month, a threat actor we're calling #LoggerEIO began registering domains for use in #phishing attacks.

They're now up to more than 850 domains registered, with thousands of websites in use (using a variety of subdomains) that dangle the prospect of a refund of state income tax overpayments as a lure.

Here's a quick 🧵 about it.

https://www.netcraft.com/blog/taxpayers-drivers-targeted-in-refund-and-road-toll-smishing-scams

#ThreatResearch #NetcraftConfirmsIt #Netcraft

Tax Refund & Road Toll Smishing Scams Surge Ahead of IRS Deadline

Threat actors deployed over 850 fake tax and toll websites to steal personal and financial data from U.S. and international victims. Netcraft uncovers the latest smishing campaign targeting taxpayers and drivers ahead of the October 15 IRS extension deadline.

SAINTCON 25 partners @Netcraft offer Threat Intelligence and Digital Risk Protection. Find out more near the Expo Hall during SAINTCON next week:

https://www.netcraft.com/company/about-us

🚨NEW RESEARCH🚨

Attackers don’t always need zero-days. Sometimes, all it takes is a single character.
Our researchers recently uncovered a phishing wave abusing the Japanese Hiragana character “ん” – a lookalike that resembles a forward slash or Latin “n.” By inserting it into domain names, attackers are creating URLs that appear legitimate at a glance but redirect victims to credential harvesters, fake crypto wallets, and malware downloads.

Our investigation traced more than 600 malicious domains leveraging this technique.

Why it matters:
Unicode confusion lets these domains slip past regex filters and automated scanners. Punycode encoding makes them DNS-valid and browser-friendly.

The tactic spreads fast, beyond crypto into travel, enterprise, and education. This is a textbook example of attackers weaponizing subtlety.

👉 Read our full analysis here: https://www.netcraft.com/blog/down-the-hiragana-hole-uncovering-a-new-wave-of-lookalike-domains

#BrandProtection #Cybersecurity #ThreatIntelligence
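
A defender-side check for the lookalike technique described in the post above, as an added example (not Netcraft's code and not part of the post): it decodes `xn--` labels and flags any label that mixes Latin letters with another script, noting when "ん" (U+3093) is present. The sample hostname is constructed, and Python's built-in `punycode` codec stands in for a full IDNA library.

```python
import unicodedata

HIRAGANA_N = "\u3093"  # "ん", the lookalike character named in the post

# Constructed sample host (not a real indicator); reads like "example-bank.com/login"
SAMPLE_DISPLAY = "account.example-bank.com\u3093login.test"

def to_wire(host: str) -> str:
    """Encode each non-ASCII label as xn-- Punycode, the form DNS and logs carry."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.split("."))

def to_display(label: str) -> str:
    """Decode one xn-- label back to Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label: str) -> set:
    """Approximate script per letter from its Unicode name (LATIN, HIRAGANA, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_host(host: str) -> list:
    """Return (decoded_label, reason) for labels that mix Latin with another script."""
    findings = []
    for raw in host.rstrip(".").split("."):
        try:
            label = to_display(raw)
        except UnicodeError:
            findings.append((raw, "undecodable punycode"))
            continue
        others = scripts(label) - {"LATIN"}
        # Heuristic: an all-Japanese label is left alone; Latin plus another script is flagged.
        if others and "LATIN" in scripts(label):
            reason = "Latin mixed with " + ", ".join(sorted(others))
            if HIRAGANA_N in label:
                reason += " (contains U+3093)"
            findings.append((label, reason))
    return findings

if __name__ == "__main__":
    wire = to_wire(SAMPLE_DISPLAY)
    print(wire)                 # ASCII-only form seen in DNS and proxy logs
    print(inspect_host(wire))
```

The wire form is pure ASCII, which is why a filter that only pattern-matches the raw hostname never sees the lookalike character; decoding each label first is what makes the mixed-script check possible.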