freiburg.social

2 posts2 participants0 posts today

Infoblox Threat IntelMalicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware. Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments. One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records. Block these:user2ilogon[.]es viewer-ssa-gov[.]es wellsffrago[.]com nf-prime[.]com deilvery-us[.]com wllesfrarqo-home[.]com nahud[.]com. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/lookalikeDomain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikeDomain</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/pdns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pdns</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/ssa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ssa</a>

Infoblox Threat IntelLast week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens. Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies. Here are a few samples of the domains:- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil. - creo--ia[.]com Lookalike for an industrial fabrication firm in WA State. - admiralsmetal[.]com Lookalike for US based metals provider. - ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor. - elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/lookalikeDomain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikeDomain</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/pdns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#pdns</a> <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#phishing</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#scam</a> <a href="https://infosec.exchange/tags/dod" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dod</a>

Infoblox Threat IntelWhile everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão. The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like. consultes-seu-debitos2025.<space|site|shop|cloud> debitos-sp-2025.<club|com|lat|net|online|store|xyz> de3trasn2025.<click|fun|life|online|xyz> departamentodetran2025.<click|icu|lat> detran2025.<click|icu|lat|sbs> l1cenciamento-detran2025.<click|icu|lat|sbs> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/threatintelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintelligence</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a> <a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infobloxthreatintel</a> <a href="https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/</a> <a href="https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/</a>

My Head’s Exploding 🤯 💥<a href="https://journa.host/@w7voa" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@w7voa</a> Suuuuuure sounds like all the things needed for a rock-solid conviction, to deter the perpetrator-applauding audience, and calm the fear-ridden, wealthy community, has all fallen into place. How convenient for everyone…right? <a href="https://mastodon.world/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://mastodon.world/tags/grainofsalt" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#grainofsalt</a> <a href="https://mastodon.world/tags/policeinvestigate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#policeinvestigate</a> <a href="https://mastodon.world/tags/questionauthority" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#questionauthority</a> <a href="https://mastodon.world/tags/ShineTheLight" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ShineTheLight</a>

Infoblox Threat IntelContinued fun in mobile threats.. One of our analyst received these two different threats on her household Android phones on the same day.. usually Google does a pretty good job filtering them out, but failed here. These show two different <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> trends that we see in practice. The use of a shortener which redirects to an Amazon lookalike domain -- we often just see the lookalike in the message. The amazon one led to amazonfey[.]co and the same actor had over 300 active lookalikes to Amazon and other services. These guys are fairly easy to track in DNS using fingerprinting. Blocking at DNS providers will help reduce where Google, Apple, and other service providers miss some. The Wells Fargo / Apple alert used an old domain -- a "drop catch" that has been picked up by a threat actor. This might look obvious but people work on alarm -- if you have a Wells Fargo account and see a big charge, you might just click without thinking. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/InfobloxThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InfobloxThreatIntel</a> <a href="https://infosec.exchange/tags/Infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Infoblox</a> <a href="https://infosec.exchange/tags/dropCatchDomains" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dropCatchDomains</a> <a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IOCs</a> <a href="https://infosec.exchange/tags/threatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatIntel</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a>

Matt HodgkinsonHas anyone noticed how similar Russian president Vladimir Putin and actor Eddie Marsan look?<a href="https://scicomm.xyz/tags/LookAlikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LookAlikes</a> <a href="https://scicomm.xyz/tags/CelebrityLookAlike" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CelebrityLookAlike</a> <a href="https://scicomm.xyz/tags/EddieMarsan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EddieMarsan</a> <a href="https://scicomm.xyz/tags/VladimirPutin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#VladimirPutin</a>

Infoblox Threat IntelA special kind of lookalike are ones designed to be used for tricking users into giving up MFA credentials... we see about 100 of those newly registered a day... a common trick now is to add a -inc to the domain name. Here are some recent ones of those verify-yourinformations[.]click, easy-mfa[.]site, mfa-ca[.]site, truistweb-verify[.]com, verify-nft[.]com, ticket-okta[.]com.... suspicious new "inc" domains often take a real domain and add the -inc to it... risa-inc[.]com.. there is a real domain risa[.]com. and gigadat-inc[.]live... often these will be parked until use. <a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dns</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/mfa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mfa</a> <a href="https://infosec.exchange/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybersecurity</a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cybercrime</a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infoblox</a>

Bundestag First Said Kontext<a href="https://mastodon.social/tags/Lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Lookalikes</a> tauchte zum ersten Mal im Protokoll der 145. Sitzung des 20. Deutschen Bundestages am 15.12.2023 auf. Das Protokoll findet sich unter <a href="https://dserver.bundestag.de/btp/20/20145.pdf" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://dserver.bundestag.de/btp/20/20145.pdf</a>

OhSnap!DragonI'm going to tell my nieces and nephews that this is Donald J. Trump. <a href="https://lounge.town/tags/Lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Lookalikes</a> <a href="https://lounge.town/tags/DonaldTrump" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DonaldTrump</a>

Lizzie Ehrenhalt 🏳️‍🌈 ✡️<a href="https://a.gup.pe/u/histodons" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@histodons</a> At left: Bessie King (a cousin of M. Carey Thomas) as "Rex," ca. 1872. At right: Kristen Stewart as Bridget Sullivan in the 2018 film "Lizzie." <a href="http://triptych.brynmawr.edu/cdm/singleitem/collection/BMC_photoarc/id/2519/rec/1" rel="nofollow noopener noreferrer" target="_blank">http://triptych.brynmawr.edu/cdm/singleitem/collection/BMC_photoarc/id/2519/rec/1</a><a href="https://www.nytimes.com/2018/09/11/movies/lizzie-review-chloe-sevigny-kristen-stewart-borden.html" rel="nofollow noopener noreferrer" target="_blank">https://www.nytimes.com/2018/09/11/movies/lizzie-review-chloe-sevigny-kristen-stewart-borden.html</a><a href="https://historians.social/tags/QueerHistory" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#QueerHistory</a> <a href="https://historians.social/tags/lookalikes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lookalikes</a> <a href="https://historians.social/tags/drag" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#drag</a> <a href="https://historians.social/tags/TransHistory" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#TransHistory</a> <a href="https://historians.social/tags/GayStew" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GayStew</a> <a href="https://historians.social/tags/photography" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#photography</a> <a href="https://historians.social/tags/GildedAge" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GildedAge</a>

Recent searches

Search options

Administered by:

Server stats:

#lookalikes