reethika (@reethika_)'s Twitter Profile
reethika

@reethika_

Senior Staff Researcher at @PaloAltoNtwks | CS PhD from @UMich | Security, Privacy, Internet Measurement | Previously: Research Intern @Brave


Website: http://reethika.info | Joined: 15-12-2016 16:15:34

597 Tweets

512 Followers

692 Following

Unit 42 (@unit42_intel):

Tracking #NewTLDs: We discovered #CyberSquatting involving names of betting and adult sites. 13 domains registered on 2024-03-18 under .diy and .food TLDs redirect users to a gambling site through a known-suspicious traffic redirection service. Details at bit.ly/48aTOgd

Unit 42 (@unit42_intel):

We've found #stockpiled domains hosting fake work portals for cryptocurrency #scam, with a traffic spike since Oct 15. Starting in July, this campaign has 60 domains in 3 bulk registrations with distinct naming patterns, all leading to the same IP. More info: bit.ly/48jduyw

Unit 42 (@unit42_intel):

1,346 domains registered in the past 3 months, peaking 11/03/24, redirect users to gambling or adult-themed pages distributing potentially unwanted programs (PUPs) for Android. Some sites force multiple downloads of the same APK. More info: bit.ly/4ewMYU5 #AndroidPUPs

Unit 42 (@unit42_intel):

2025-01-09 (Thu): We've found hundreds of #stockpiled domains from an ongoing campaign that started as early as 2024-09-26. Web traffic to these domains redirects to URLs that deliver pornography-themed adware Android #APK files. More info at bit.ly/40d3DGU

Unit 42 (@unit42_intel):

We found 276 #Stockpiled domains in a #scam advertising gift cards for services like Google Play, Amazon and Roblox. To receive them, it redirects users to download extensions, purchase services thru affiliate links and divulge personal info. More info at bit.ly/40IwMKt

Unit 42 (@unit42_intel):

We uncovered a campaign involving over 6k newly registered domains (NRDs) using a novel dictionary domain generation algorithm (DGA) variant. Findings reveal a high percentage (96%) of files linked to these domains were malicious. Learn more: bit.ly/3Xy0mSe

Unit 42 (@unit42_intel):

A threat actor leveraging the same naming pattern has registered 10K+ domains for various #smishing scams. They pose as toll services for US states and package delivery services. Root domain names start with "com-" as a way to trick victims. More info at bit.ly/4ipQ0LW

Unit 42 (@unit42_intel):

Our graph-intelligence pipeline uncovers attack patterns by analyzing domain registrations with hosting data. This pipeline helped identify a cyber campaign exploiting NRDs and domain generation algorithms to avoid detection: bit.ly/3Xy0mSe

Unit 42 (@unit42_intel):

We found 80K+ domains used in investment and job #scams. Attackers #StrategicallyAged newly-registered domains for at least 1 month to evade blocking. When active, the domains redirect to URLs on linksapp[.]top and mainly target Japanese users. Details at bit.ly/41EIkPm

Unit 42 (@unit42_intel):

2025-04-10 (Thursday): Several recently-registered domains with "nintendo" in their names have appeared after Nintendo's Switch2 announcement. We found #phishing sites impersonating Nintendo and monetized parking pages from these domains. Details at bit.ly/42vRYV3

Unit 42 (@unit42_intel):

We found a campaign using domains spoofing the United States IRS. The FQDNs present a fake CAPTCHA-style page that uses #pastehijacking and instructs viewers to paste a malicious script into a run window. HTML pages have comments in Russian. Details at bit.ly/3ErDQUD

Unit 42 (@unit42_intel):

Since last year's IC3 report (bit.ly/4lKWW93), we've found and blocked 91.5k+ #smishing domains. This activity gained momentum in March 2025 with a peak in registration of 26k domains. We've noted four general domain naming patterns. More info at bit.ly/441p6pX

Unit 42 (@unit42_intel):

We uncovered a sophisticated TDS supporting UP-X, a Russian language online gambling platform. This dynamic redirection network of more than 1,000 short-lived DGA domains evades detection and resists takedowns. Details at bit.ly/43oXeu1

Unit 42 (@unit42_intel):

We discovered 54K+ domains in a #phishing campaign hosting sites that impersonate Telegram. These pages steal user-submitted login credentials and one-time passcodes (OTPs) to hijack user accounts. Details at bit.ly/4l06nk6

Unit 42 (@unit42_intel):

We discovered a #fraud campaign using #phishing emails to distribute links to fraudulent shopping sites for luxury goods. The sites use similar page templates and direct payments through PayPal, using different company names on the invoices. Details at bit.ly/4n4ZazW

Unit 42 (@unit42_intel):

Alert: Ongoing #Smishing scam impersonating California's Franchise Tax Board, and we've also found similar smishing targeting North Dakota and Ohio. Sites claim to offer tax refunds, but only collect SSN, address and payment info from victims. Details at bit.ly/46BiPkD

Unit 42 (@unit42_intel):

Threat actors are leveraging interest in the upcoming #FIFAWorldCup by registering domains that seem related to the event. But these sites promote fraudulent tickets, betting, gambling, pirated streaming and the distribution of unwanted apps. Details at bit.ly/4maHT7M

Unit 42 (@unit42_intel):

We're tracking email-based #phishing campaigns that impersonate various companies and target Japanese speakers. Attackers craft emails pretending to be notices on safety or fake purchases, with convincing URLs to trick users into clicking them. Details at bit.ly/48A07vY

Unit 42 (@unit42_intel):

Attackers are now distributing #smishing URLs with the name of a trusted entity before the @ symbol, followed by the true domain to deceive users. This wave of attacks also involves deceptively named group texts and strategically aged hostnames. Details at bit.ly/3IH6WSc
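As an added, defender-side illustration of two lure patterns from the Unit 42 posts above (a trusted name placed before the "@" in a URL, and root domain names that begin with "com-"), here is example code that is not from Unit 42 or this page; the sample URLs and the single-label public-suffix assumption are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration only; every hostname is a placeholder
# under .example and none of them is an indicator from the posts above.
SAMPLE_URLS = [
    "https://usps.com@not-the-usps.example/track",
    "https://com-tollservice.example/pay",
    "https://www.legit-shop.example/login",
    "http://support:help@com-parcel.example/",
]


def true_host(url):
    """Host the browser actually connects to: the authority after the last '@',
    lower-cased. Text before '@' is userinfo and is never used as the host."""
    return (urlsplit(url).hostname or "").lower()


def root_label(host):
    """Leftmost label of the registrable root domain. Assumes a one-label public
    suffix (com, top, example); a production check should use the Public Suffix List."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def assess_url(url):
    """Return the true host plus any of the two lure patterns found in the URL."""
    parts = urlsplit(url)
    host = true_host(url)
    findings = []
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' before '@' masks host {host}")
    if root_label(host).startswith("com-"):
        findings.append("root domain starts with 'com-'")
    return {"host": host, "findings": findings}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = assess_url(u)
        print(u, "->", r["host"], "|", "; ".join(r["findings"]) or "no findings")
```

The userinfo check is the key point: a filter that matches on the string before "@" will see the trusted brand, while the connection goes to whatever follows it.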