While fans are still flocking to Barbie for the second week in a row, bad actors are flocking to register barbie and barbenheimer domains. See the full list here:
https://github.com/DomainTools/SecuritySnacks/blob/main/2023/Barbie/barbie-domains.txt
CISOs - worried about getting an SEC notice? Looking for an attorney? 79 domains were recently registered to "help" you find one no matter where you are in the US. (we're kidding, of course, you probably want to avoid all of these)
We continue to monitor the drop of active .GA domains as part of their move away from FreeNom. Since late March we saw a drop from ~9M to ~1.5M domains, and now down to a few thousand.
200+ new domains were registered this weekend regarding Starbucks’ NFT Membership program likely targeting beta users and prospective members. See the full list on GitHub:
Monitoring Circle USDC Stablecoin new suspected fraud domain registrations from the SVB collapse:
circle-svb/.com
claims-circle/.app
circle-cashback/.com
circle-usdc/.net
circlefund/.us
circle/.claims
claimcircle-usdc/.com
circle-refund/.com
circleswap/.finance
reserve-circle/.com
New domain registrations relating to Silicon Valley Bank are emerging. Some could be phishing campaigns. Listed below is what we’re seeing now. Keep in mind not all are scammy, and not all scammy domains targeting SVB will have SVB-related terms:
We’re seeing more typosquats targeting popular Mastodon servers lately. Most look like simple adserving typosquats for now, but some of these are protected by Cloudflare, which raises our suspicions about upcoming malicious activity.
Ex:
matodon[.]online
mastoon[.]online
In investigating possible infrastructure related to the recent breach of MailChimp, we’ve identified an unrelated set of coordinated sites likely targeting user credentials. Enterprises using MailChimp should monitor the situation carefully.
Registrar: TUCOWS
Host: Grnasy s.r.o.
Nameservers: njalla
ex: mailchimp-taskus[.]com
mailchlmp[.]com
mailchimp-admin[.]comma
We detected a suspicious LastPass-related domain at lastpass[.]shop which resolves to an unrelated, innocuous food wholesaler site, but contains complex redirects to a LastPass clone page offering a probable malicious download at lastpass[.]shop/en/
The suspicious lastpass[.]shop is registered with namecheap and protected by Cloudflare, compared to the legitimate lastpass[.]com site registered with Name and hosted on Akamai.
Additionally, the download offered at lastpass[.]shop is a zip containing multiple files 10x the size of the official LastPass exe download.
With the prevalence of student loans in the news, one thing is for certain: opportunists will build scams to capitalize on the attention. Read more of what Tim Helming had to say about threat actors and forgiveness programs in SCMagazine: https://www.scmagazine.com/analysis/fraudsters-aim-to-capitalize-on-student-loan-forgiveness-confusion
Here are the newly created domains we've seen over the past few days:
getstudentloanrelief[.]net
getstudentloanreliefnow[.]com
getstudentloanreliefnow[.]org
getstudentloanrelief{.]org
studentloanrepay[.]org
citizesstudentloans[.]com
citiznsstudentloans[.]com
getstudentloan[.]top
didstudent[.]loan
astudentloan[.]net
studentloanforgivenesspro[.]site
relief4studentloans[.]com
infostudentloan[.]com
studentloansavvy[.]com
myfederalstudentloanchangednamesdoistillbebifitforthestudent[.]loan
studentloan-forgivenesseligibility[.]site
studentloanlawyers[.]org
getstudentloanreliefnow[.]net
studentloanforgivenessform[.]com
Her Majesty, Queen Elizabeth II has passed away at age 96. As with other major world events, we unfortunately expect to see questionable related domain registrations. Please be mindful when visiting news or commemoration sites relating to this.
We anticipated questionable domain registrations in relation to this event and ThreatInsight now has corroborating reports that threat actors are using phishing attacks to steal Microsoft account credentials and MFA codes: https://x.com/threatinsight/status/1570092339984584705
The allure of the blue badge can be too much! A new Instagram phishing campaign using the domain teamcorrectionbadges[.]com shares host infrastructure with several other questionable domains:
While many of these domains are already on blocklists, not all are, suggesting the bad actors might still be performing this attack. Via a predictive Domain Risk Score for these domains ranges from 88 to 99. We cannot confirm all these domains are attributable to the same actor, however.
Additional questionable domains to monitor:
truebadgeteamscase[.]com
objectionsfromcloud[.]com
casebadgeclods[.]com
badgeteamclouds[.]shop
badgecaseteam[.]com
teamcloudsbadges[.]com
teamscorrectbadge[.]com
teamcorrectionbadges[.]com
correctlybadgesteam[.]com
badgecaseteam[.]shop
