Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
ruby.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
If you are interested in the Ruby programming language, come join us! Tell us about yourself when signing up. If you just want to join Mastodon, another server will be a better place for you.

Administered by:

Server stats:

1.1K
active users

ruby.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#lookalikes

0 posts0 participants0 posts today
Public
Infoblox Threat Intel

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

Public *
Infoblox Threat Intel

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod

Public
Infoblox Threat Intel

While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.

The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.

consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>

#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel

urlscan.io/result/802374b7-6c8
urlscan.io/result/721b12bb-d5f

urlscan.iodetranma.vercel.app - urlscan.iourlscan.io - Website scanner for suspicious and malicious URLs
Public
Infoblox Threat Intel

Continued fun in mobile threats.. One of our analyst received these two different threats on her household Android phones on the same day.. usually Google does a pretty good job filtering them out, but failed here. These show two different #dns trends that we see in practice. The use of a shortener which redirects to an Amazon lookalike domain -- we often just see the lookalike in the message.

The amazon one led to amazonfey[.]co and the same actor had over 300 active lookalikes to Amazon and other services. These guys are fairly easy to track in DNS using fingerprinting. Blocking at DNS providers will help reduce where Google, Apple, and other service providers miss some.

The Wells Fargo / Apple alert used an old domain -- a "drop catch" that has been picked up by a threat actor. This might look obvious but people work on alarm -- if you have a Wells Fargo account and see a big charge, you might just click without thinking.

#dns #cybersecurity #InfobloxThreatIntel #Infoblox #dropCatchDomains #IOCs #threatIntel #cybercrime #lookalikes

Public
Infoblox Threat Intel

Multiple Airbnb phishing lookalikes were registered over the weekend. The domains all have been registered with cloudflare and have a Chinese registrant organization. The domains resolve to a webpage that mimics the actual Airbnb website, prompting the user to input their username and password. If the user attempts to register a new account, a verification code is required before the account can be created. See screenshots.

Sample of domains: airbnb03vip[.]com, airbnb02vip[.]com, airbnb01vip[.]com

#dns#threatintel#infoblox
Public
Infoblox Threat Intel

A special kind of lookalike are ones designed to be used for tricking users into giving up MFA credentials... we see about 100 of those newly registered a day... a common trick now is to add a -inc to the domain name. Here are some recent ones of those verify-yourinformations[.]click, easy-mfa[.]site, mfa-ca[.]site, truistweb-verify[.]com, verify-nft[.]com, ticket-okta[.]com.... suspicious new "inc" domains often take a real domain and add the -inc to it... risa-inc[.]com.. there is a real domain risa[.]com. and gigadat-inc[.]live... often these will be parked until use.

#dns#threatintel#mfa
ExploreLive feeds
About