101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. We allow posts of up to 2048 characters.

#infobloxthreatintel

2 posts · 2 participants · 0 posts today

Yet another round of shipping-themed smishing texts have been popping up over the last couple of days. This threat actor is impersonating missed FedEx delivery notifications (switching from a UPS theme used a few weeks ago) to entice users into entering their credit card information. The FedEx phishing pages are only accessible via phones or tablets using the URLs provided in the smishing texts. The attackers attempt to evade detection from search engines and users accessing the pages via desktops by routing them to legitimate pages for Amazon, Yahoo News/Finance, Whole Foods, or Ring.

The domains we've seen follow a distinct RDGA pattern, use CloudFlare hosting, and are distributed via email domains sharing the same mail server IP.

Sample domains: gjvuy[.]xyz, mhecm[.]pro, xvqxa[.]pro, bqcue[.]ink, zlulp[.]ink, zbhqu[.]ink, fjnrp[.]ink, wkdvb[.]ink, sfjfa[.]ink


#Infoblox #dns #smishing #phishing #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec

An interesting traffic distribution system (TDS) we're tracking routes users to quick cash and payday loan sites that are likely scams looking to steal people's personal and financial information.

The TDS chain starts with an RDGA-generated domain following the pattern: <5 to 9 random letters>.<cfd,cyou,info,etc.>. The user is then routed to one of the actor's TDS domains dfgtrk<1 to 10>[.]com. This domain will then redirect to landing pages hosting the scammy loan/cash sites which urge users to enter PII such as name, date of birth, address, social security number, and even bank account information in order to qualify for a loan.

A lot of these sites have generic titles and SLDs mentioning cash, loans, or other financial topics, and seem to mimic legitimate financial services companies.

#dns #Infoblox #rdga #tds #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #scam

After three years of relentless tracking, we’ve published a [paper](blogs.infoblox.com/threat-inte) that, for the first time, exposes the true identities behind VexTrio. This research connects real names to the various companies that form the VexTrio ecosystem. It begins with the origin story—how a group of Italians launched a successful spam and dating business. Over time, VexTrio expanded its operations into malicious adtech and online scams. For over a decade, the group employed deceptive tactics to defraud countless innocent internet users. These illegitimate gains funded the extravagant lifestyles of VexTrio’s key figures—who, despite increasing scrutiny, have yet to be fully stopped.

We’re deeply grateful to all the contributors who helped us reach this research milestone, especially @rmceoin and Tord from [Qurium](qurium.org/).

Infoblox Blog · VexTrio Unveiled: Inside the Notorious Scam Enterprise: We expose adtech operators who partner with malware threat actors to commit digital fraud on a global scale through their affiliate advertising networks.

Like CEOs at Coldplay concerts, we keep finding malicious adtech hiding behind well-known advertising brands. While these platforms may appear credible, they allow malicious actors access to their platform, and profit from their successes.

Our posts often focus on adtech operators because they are the ones who manage the infrastructure. But they are not the only ones profiting from this business. Affiliates play a big role by driving traffic (aka visitors) to the adtech platform (TDS).

Malicious affiliates do this by tricking visitors into clicking hidden links or manipulating pages to redirect them automatically. They are so good at it that they generate a profit just due to the sheer volume of traffic they drive into the platform.

Legitimate affiliates do this by posting what they believe to be normal ads on their web pages, tempted by promises of big rewards. Unfortunately for them, this is rarely the reality, and there are many reports of affiliates being underpaid or not paid at all. Additionally, affiliates risk damaging their own brand image – no one wants their legitimate website redirecting to malware, right?

As a user, regardless of how you find yourself diverted into a malicious TDS, if you happen to fit the profile then you face the risk of being sent to a malicious landing page. Scams, disinformation, malware…you name it.

As there are many players involved in this scheme, we’ve created an infographic that highlights who they are and how they fit into the malicious adtech landscape.

Have you come across any of these shady platforms or, worse, been lured into becoming part of the scheme? Let us know!

We've seen it before, but it bears highlighting again: current affairs always lead to a domain gold rush! The newly announced "America Party" has already triggered a wave of sketchy-looking domain registrations, many using the .party TLD. Several redirect to rawdiary[.]com, a five-month-old site hosting third-party articles from sources like OANN, Newsmax and Breitbart, as well as more moderate sources like the FT and the BBC. Others are parked. These domains aren’t inherently malicious, but they're certainly opportunistic and built to look like news. Web content flips fast, so here’s a snapshot of domains unlikely to have been registered for anything in good-faith:

ameirca[.]party
amerca[.]party
amercia[.]party
americs[.]party
amerika[.]party
ameroca[.]party
ameruca[.]party
hyperamerica[.]party
theunitedstates[.]party
americanparty[.]pics
americanparty[.]vip
americaparty[.]ink
americaparty[.]town
theamericanparty[.]vip
americanparty[.]pro

The actors behind widespread toll smishing text campaigns are back; this time with a new campaign impersonating regional DMV agencies. New templates for the smishing texts urge users to pay outstanding traffic tickets via a malicious URL that leads to fake payment sites. Interestingly, these texts are often sent before the domain hosting the site is even registered.

They follow similar RDGA patterns as their other campaigns, often hosting the phishing sites on subdomains of SLDs starting with "gov-" to appear legitimate. Sample domains: dmv[.]gov-nft[.]digital, dmv[.]gov-nfy[.]digital, wisdom[.]gov-endbgv[.]vip, michigan[.]gov-etcj[.]cc, azdot[.]gov-ytns[.]cc

#dns #threatintel #infobloxthreatintel #infoblox #cybersecurity #phishing #cybercrime #infosec #smishing


VexTrio and the malware actors snackable (2/N).

At the heart of VexTrio is the so-called "smartlink". What is that? BlackHatWorld users explain it well. See pics.

Smartlinks are the lipstick for the pig called domain cloaking that is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafic and and and)

The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering.

VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.

Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. I've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complementary article: read both!

There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more.

We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.

Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere.

#threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam

blogs.infoblox.com/threat-inte

krebsonsecurity.com/2025/06/in

Infoblox Blog · What is the Real Relationship between WordPress Hackers and Malicious Adtech?: A cabal of Russian-nexus adtech companies are the cybercriminal choice to drive users to scams and malware from millions of compromised sites.

Eat, Sleep, Scam, Repeat?

Losing your life savings to a crypto scam is devastating — but for many victims, the nightmare doesn’t end there.

While recently investigating a network of fake cryptocurrency exchanges, we uncovered something even more twisted: a cluster of scam websites posing as law firms offering 'crypto recovery' services.

Yep, the very same scammers who stole the funds are now posing as lawyers, pretending to help victims recover what they lost… for a fee, of course.

Preying on victim hope and desperation, these scammers have been known to:

- Contact victims directly using details obtained during the original scam
- Advertise openly on social media
- Lurk in public forums, targeting those seeking help from the community

Using a mix of lookalike sites impersonating legit legal firms and entirely fake entities, often with stolen names and photos of legitimate legal professionals, here are some recent examples of what we've encountered:

- Posing as 'Adam & Shawn Law Group'
- adamshawnllp[.]com
- adamshawnlaw[.]com
- Posing as 'Jefferson Caldwell International Law Firm'
- jeffersoncaldwelllawgroup[.]com
- Posing as 'Schlueter & Associates'
- schlueterlawfirm[.]it[.]com
- Posing as 'Zojz & Associates Legal Group'
- zojz[.]com
- zojz[.]cc

Not only do these domains share registration characteristics with fake crypto exchanges, but we've also observed site structures, content and design elements across fake law firms, crypto exchanges and task scam sites.

Aside from avoiding the initial scams, be cautious of any 'law firm' that:

- Sends unsolicited emails or DMs offering crypto recovery help
- Has a website with no verifiable legal credentials
- Pressures you to pay fees upfront, especially to a third-party entity or via crypto
- Uses vague or generic testimonials

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam

Our latest blog is out! It covers a rising issue that many major organizations experience: subdomain hijacking through abandoned cloud resources.

This research follows our reporting from earlier in the year about the CDC subdomain hijack. We initially assumed that this was an isolated incident. Well… We were wrong.

We tied some of this activity to a threat actor, dubbed Hazy Hawk, who hijacks high-profile subdomains which they use to conduct large-scale scams and malware distribution.

blogs.infoblox.com/threat-inte

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #HazyHawk

Infoblox Threat Intel had the opportunity to collaborate with the United Nations Office on Drugs and Crime (#UNODC) for their latest report on South East Asian Crime. The report is titled "Inflection Point". It is a great in-depth analysis of the triads and how they fuel the current scam epidemic.

Organized crime is booming - as you can see with the picture below which shows the growth in the physical footprint of the compounds they operate.

Our part of the collaboration (pages 37-42 of the 90+ page report) was around a single actor that we can track in #dns -- naturally!

We analysed a number of illegal Chinese-operated gambling websites and soon found out they were operated by the same 'gambling provider' we named Vault Viper. Vault Viper develops its very own "secure gambling browser". Of course it's #malware.

Through DNS, we discovered the companies behind Vault Viper were in fact controlled by Suncity - a criminal junket whose founder has been convicted of laundering billions of dollars.

unodc.org/roseap/en/2025/04/cy

Illegal gambling is not harmless fun. It fuels some of the largest criminal networks in the world.

The entire report is worth reading to get the latest view from experts on the world of organized crime in Asia that is running #scam, #pigbutchering, #humantrafficking, #cybercrime, #malware, #illegalgambling, illegal porn and who knows what else. The image below shows just how much it has grown in a few years from physical footprints.

We'll be releasing a detailed report on Vault Viper in the coming months.

#infobloxthreatintel #infoblox
#organizedcrime #china

One of our researchers recently received a text from an unknown number saying they were eligible to receive a full refund for an Amazon order. The message contained a link to a URL on t[.]co, Twitter/X's link shortener. Clicking the link led to the domain 267536[.]cc, which hosted an Amazon phishing page.

From this lead, we were able to find many more domains hosting the same content. The actor registering the domains seems to like .cc, the country code TLD for the Cocos Islands.

Sample of the domains:
236564[.]cc
267536[.]cc
671624[.]cc
687127[.]cc
319632[.]cc

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. Its legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com: Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com: Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com: Lookalike for US-based metals provider.
- ustructuressinc[.]com: Lookalike for Colorado-based heavy civil contractor.
- elisontechnologies[.]com: Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod
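As an added example (not code from the Infoblox posts), here is a small Python detector that turns the patterns described in three of the posts above into rules run over constructed DNS query log lines: the payday-loan TDS chain (5 to 9 random letters under .cfd/.cyou/.info, then dfgtrk<1 to 10>[.]com), the DMV smishing hosts (subdomains of SLDs starting with "gov-"), and the double-hyphen lookalike cdsi--simi[.]com beside its legitimate single-hyphen counterpart. The log format, client IPs, the sample names other than those quoted from the posts, and the one-label public-suffix simplification are all my assumptions.

```python
import re
from typing import Optional

# Constructed sample DNS query log (not real telemetry): "<ts> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 10.0.0.5 xkqwpt.cfd A
2025-07-01T10:00:02Z 10.0.0.5 dfgtrk7.com A
2025-07-01T10:00:03Z 10.0.0.9 dmv.gov-nft.digital A
2025-07-01T10:00:04Z 10.0.0.9 cdsi--simi.com A
2025-07-01T10:00:05Z 10.0.0.9 cdsi-simi.com A
2025-07-01T10:00:06Z 10.0.0.7 www.example.com A
2025-07-01T10:00:07Z 10.0.0.7 dmv.ca.gov A
2025-07-01T10:00:08Z 10.0.0.7 dfgtrk11.com A
"""

# TLDs the post names for the RDGA entry hop; the post says "etc.", so extending this set is an assumption.
RDGA_TLDS = {"cfd", "cyou", "info"}
TDS_HOP = re.compile(r"^dfgtrk(?:[1-9]|10)\.com$")   # dfgtrk<1 to 10>.com from the post
RDGA_ENTRY = re.compile(r"^[a-z]{5,9}$")             # 5 to 9 random letters

def refang(name: str) -> str:
    return name.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")  # undo the posts' defanging

def registrable(name: str) -> tuple[str, str, list[str]]:
    """Split into (sld, tld, subdomain labels); assumes a one-label suffix (wrong for .co.uk or it.com)."""
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a qualified name: {name}")
    return labels[-2], labels[-1], labels[:-2]

def classify(domain: str) -> Optional[str]:
    """Return the name of the first rule a domain matches, or None."""
    host = refang(domain)
    sld, tld, subs = registrable(host)
    if TDS_HOP.match(f"{sld}.{tld}"):
        return "tds-hop"
    if tld in RDGA_TLDS and RDGA_ENTRY.match(sld):
        return "rdga-entry"
    if sld.startswith("gov-") and tld != "gov" and subs:   # dmv.gov-nft.digital, not dmv.ca.gov
        return "fake-gov-subdomain"
    if "--" in sld:                                         # cdsi--simi.com vs. cdsi-simi.com
        return "double-hyphen-lookalike"
    return None

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Apply classify() to the qname of each log line; return (client, qname, rule) hits in order."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rule = classify(parts[2])
        if rule:
            hits.append((parts[1], parts[2], rule))
    return hits

def tds_chains(text: str) -> list[str]:
    """Clients whose rdga-entry hit was later followed by a dfgtrk hop; a lone rdga-entry hit is only a lead."""
    seen_entry, clients = set(), []
    for client, _, rule in scan_log(text):
        if rule == "rdga-entry":
            seen_entry.add(client)
        elif rule == "tds-hop" and client in seen_entry and client not in clients:
            clients.append(client)
    return clients
```

Correlating the entry hop with the dfgtrk hop per client is what keeps a legitimate five-letter .info site from becoming a false positive on its own.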


We researched the domains involved and found that some had been registered at NiceNIC, which we recognize as a problematic registrar located in China. This connection to China aligns with the type of pig-butchering / fake crypto platform scams that we're seeing. What makes this case unique is the use of political disinformation as a lure.

An important lesson here is how adtech is being misused to facilitate disinformation and fraud. This is a trend you're probably familiar with if you've been following our content.

Sample of identified domains: ecno26r4jj[.]com, affiltrack5681[.]com, client[.]fx-trinity[.]com, smartbrokerreviews[.]top

#pigbutchering #scam #disinformation #canada #dns #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel
3/3

Mastodon communities, be vigilant! Bad actors are creating accounts within the Fediverse and then using them to distribute malware. We identified one such case in which the threat actor had gone undetected since 2022. That Mastodon instance was one with a climate change focus. The threat actor was distributing an information stealer through their account.

We are happy to have helped the instance owner figure out why they have been on blocklists intermittently for the last few years, but also get that particular threat out of their Mastodon instance and safe for users.

There are undoubtedly many more of these across the Fediverse. Hopefully more awareness can get them detected and shut down faster.

For our fellow security nerds... this was #vidar malware with sha256 975932eeda7cc3feea07bc1f8576e1e73e4e001c6fe477c8df7272ee2e0ba20d
and a c2 IP 78[.]47[.]227[.]68 from the instance.
There is still at least one more Mastodon instance impacted that we are trying to reach.

#malware #stealer #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel #fakeaccounts #c2

Some days ago, one of our specialists received a call from a scammer - who even knew his name - and he didn't miss the opportunity to potentially gather some threat intelligence.

The scammer said he was from a company called Blockchain and wanted to inform him that his Bitcoin wallet hadn't been touched for a long time. Don't you think that's really nice of Blockchain?

Of course, our specialist knew what to do. He asked for the company website, and the scammer eagerly provided it. After running the domain through our data, it turns out it is owned by (surprise, surprise) a crypto gang running their scams out of Georgia and Israel.

How does this scam work? This group creates extensive networks of fake trading websites promising high returns. To profit, victims just need to share their phone numbers. They are then contacted by multilingual call centers and encouraged to "invest" in crypto, AI, or other ventures. The fake website shows the victim's assets increasing in value, prompting further engagement. The criminals continue to call and entice victims to deposit more money. Unfortunately, the victim won't profit from this.

As DNS experts, we have been monitoring their infrastructure for a while now, and they have 1,133 other domains such as:

- apexcapitalmarket[.]com
- bitmininexpert[.]com
- coinfxbrokers[.]com
- cryptorinfo[.]com
- goldcapitalstocks[.]net
- kingstrades[.]net
- profxcapitalgroup[.]com
- smartcointrades[.]com
- stocktradefastminers[.]com
- tradeproinvest[.]com
- trusttrade21[.]com

Here is a reporting reference: eurojust.europa.eu/news/suppor

#Infoblox #ThreatIntel #infosec #cybercrime #scam #cybersecurity #infobloxthreatintel #dns #domains #iocs #crypto #cryptoscams

Eurojust · Support for the arrest of online scammers in Georgia and Israel: With Eurojust’s support, authorities in Germany, Georgia and Israel have dismantled a criminal network operating various online trading platforms, defrauding victims of at least tens of millions of euros. During a series of actions in Georgia and Israel last week, 11 suspects were arrested, and real estate, luxury vehicles, communication equipment and cash were seized, for a yet unknown amount.

VexTrio User Experience 4/N

@knitcode decided it was time to get crypto-scammed by VexTrio.....here's the story...

Unfortunately, when I got to the final scam to steal my funds I landed at a page that was unavailable.. so my money wasn't stolen. I did capture 16 minutes of screen recording while they mined my device and tried to interact with their fake online users, so that was fun. Imgur won't let me load that long of a video so I've got screenshots to the highlights.

Here's how the scam works:
* Somehow you end up visiting a VexTrio crypto scam domain. Since we track their movements, I just collected one from our detectors.
* You get a "welcome back" with some amazing bitcoin balance.. mine was $113k! and a continue button... if you click that...
* You get a threatening "your account will be deleted in one day" for inactivity, but you have the option to log in now! excellent. click.
* But what about the password? No problem. The site has remembered your password for you. ;)
* When you login, you are asked if you want to withdraw your funds. Of course!
* It's been 364 days since you were here, so the site needs to "verify" each of your mining transactions. It takes about 10 minutes to do this while it seemingly mines your device. ;)
* Users are "chatting" away talking about ethics and mining strategies. You can add comments but they won't answer you.
* Finally you get the chance to withdraw your funds... first you have to get approval from your account manager and fill out a withdrawal form. .. she doesn't have a record of you, but that's ok. you are approved to withdraw $113k.
* You need to give a credit card or paypal account in order to pay their "official" partner Binance to do the conversion. what is $64 fee for $113k? ! sign me up!
* Click the final button to pay Binance and receive your payout.... unfortunately, for me this is where I hit the oops can't display... after 16 minutes! peqemynite[.]top was not working.
* This domain was previously behind cloudflare caching but starting Nov 11th, it started resolving as Russian IP in Prospero (which interestingly shared IP with keitarotds[.]top) and then Unitel also Russia. So that's fun.
* To recap... VexTrio domain -> cryptoscam -> Binance fraud -> Russian IP.

Attached are screenshots. I have a few urlscan images of this too but the process takes so long that getting the full user experience is hard.

Here's some more IOCs. There are a bunch of domains on: 91.212.166[.]95. I started at globalminingbit[.]top (after the TDS) and ended at peqemynite[.]top. Here's some current domains: qegymiewo[.]top, ditosoydi[.]top, keziryevo[.]top, xujodyaza[.]top, vupahoawy[.]top, rycozaaqi[.]top, zupahayja[.]top, mafaweewa[.]top, pesaraafy[.]top.
globalminingbit[.]top is also out of the CF cover now and at Proton66 (also Russia) 193.143.1(.)195