When one trick isn't enough… this actor brings the whole toolbox.
Actors start mixing techniques like a cyber cocktail:
- Cloud abuse with AWS S3 lures
- Algorithmically generated domains (RDGAs) for agility and evasion
- Redirect chains to keep analysts guessing
- TDS filtering to target victims
- Social engineering with fake alerts ("Your cloud storage is full!") or irresistible offers ("Get Netflix for free!")
- Payment scams as the final sting
Here's how it works: The actor is leveraging SMS messages to lure victims into clicking links that point to Amazon S3 buckets. The SMS links are the initial redirection point, silently forwarding the victim to the first bulk registered (RDGA) domain. The redirection is seamless, making it difficult for the victim to notice anything suspicious.
From there, the actor uses multiple RDGA algorithms to generate domains that host scam and scareware campaigns. These domains feature a variety of deceptive themes, such as fake Netflix promotions, "Your Cloud Storage is Full" alerts, or "Failed Payment" warnings.
Once the victim clicks, the redirection chain continues through custom TDS (Traffic Distribution System) domains—also powered by RDGA—before finally landing on a fraudulent payment gateway. Here, victims are tricked into subscribing to fake antivirus products, counterfeit Netflix accounts, or other bogus services.
In the accompanying figure, the top left and right sections showcase different types of lures used in the attack, while the bottom section illustrates how the victim is redirected to rogue payment gateways.
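The redirect chain described above (S3 bucket link, then an RDGA lure domain, then a TDS hop, then the payment page) is something a defender can reconstruct from proxy logs rather than follow by hand. The Python below is an added example, not Infoblox's code: it stitches 3xx responses to the client's next request and scores the resulting chain. The log lines are constructed; the bucket name and the two intermediate hop hostnames are placeholders, and one of the IOCs from the post is assigned the "final landing" role purely for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not from the post). Fields: time client method url status location
# The S3 bucket name and the two intermediate hops are placeholders; the final landing
# domain is one of the IOCs listed in the post, assigned that role here for illustration.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET https://bucket-placeholder.s3.amazonaws.com/p.html 302 https://rdga-hop-placeholder.top/go
2024-01-01T10:00:01Z 10.0.0.5 GET https://rdga-hop-placeholder.top/go 302 https://tds-hop-placeholder.autos/r?c=1
2024-01-01T10:00:02Z 10.0.0.5 GET https://tds-hop-placeholder.autos/r?c=1 302 https://quicksaferiskfree.top/checkout
2024-01-01T10:00:03Z 10.0.0.5 GET https://quicksaferiskfree.top/checkout 200 -
2024-01-01T10:05:00Z 10.0.0.9 GET https://docs.example.org/page 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)
# Hostname shapes for S3 virtual-hosted and path-style URLs
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
SCAM_TLDS = {"top", "autos"}
# Known-bad landing domains taken from the IOC list in the post
IOC_DOMAINS = {"quicksaferiskfree.top", "cleanalertsafe.top", "securedsafeservicesecurity.autos"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def build_chains(events):
    """Stitch each 3xx response to the same client's next request for its Location.
    Assumes events are time-ordered and redirects happen at the HTTP level
    (meta-refresh / JavaScript hops would need referer matching instead)."""
    chains, pending = [], {}
    for ev in events:
        chain = pending.pop((ev["client"], ev["url"]), None)
        if chain is None:
            chain = [ev["url"]]
            chains.append(chain)
        else:
            chain.append(ev["url"])
        if ev["status"].startswith("3") and ev["location"] != "-":
            pending[(ev["client"], ev["location"])] = chain
    return chains


def host(url):
    return (urlparse(url).hostname or "").lower()


def assess(chain):
    """Reasons a chain resembles the S3 -> RDGA -> TDS -> payment-page pattern."""
    first, last = host(chain[0]), host(chain[-1])
    reasons = []
    if S3_HOST_RE.search(first):
        reasons.append("s3-origin")
    if len(chain) >= 3:
        reasons.append(f"{len(chain) - 1}-hop-redirect")
    if last in IOC_DOMAINS:
        reasons.append("known-ioc-landing")
    elif last.rpartition(".")[2] in SCAM_TLDS:
        reasons.append("scam-tld-landing")
    return reasons


def suspicious_chains(text, min_reasons=2):
    """Chains that hit at least min_reasons indicators."""
    out = []
    for chain in build_chains(parse_log(text)):
        reasons = assess(chain)
        if len(reasons) >= min_reasons:
            out.append((chain, reasons))
    return out


if __name__ == "__main__":
    for chain, reasons in suspicious_chains(SAMPLE_LOG):
        print(" -> ".join(host(u) for u in chain), reasons)
```

Requiring two independent indicators (here: S3 origin, chain length, and a landing on a known IOC or scam TLD) keeps a single legitimate S3-hosted redirect from tripping the rule.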
IOCs
protectionsessionactivities[.]top
scanner-detected-protection-network[.]top
internetadvancedsecuritysession[.]autos
detectedservicesoftwareissue[.]autos
cleanalertsafe[.]top
cleanalertsafequick[.]top
cleansafedevicefix[.]top
clean-alert-safe-quick[.]top
quicksaferiskfree[.]top
safe-install-free-faster[.]top
safeinstallfreefaster[.]top
securedsafeservicesecurity[.]autos
quicksaferisk[.]top
#Infoblox #dns #adtech #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #tds #scam
WhatsApp, doc?
We recently observed about 800 lookalike domains impersonating WhatsApp. These domains are all on the .com, .cc, and .cn TLDs and exhibit a few naming patterns:
Randomized short .cc domains:
- whatsqgs[.]cc, whatsqka[.]cc, whatsqys[.]cc
Structured .com domains:
- app-<3 letters>-whatshktw[.]com
- app-<3 letters>-whatsappcc[.]com
Structured .cn domains:
- <4 letters>-wahtsapp[.]cn
These domains were all created within the last 20 days, tops, and given the bulk registration and consistent infrastructure, point to a coordinated campaign. All 800+ domains are hosted in ASN 205960 (KR, 'IP Transit'), share the same nameserver domain (domainnamedns[.]com), and embed a highly suspicious Chinese analytics loader from aizhantj[.]com (seriously, this thing is weird; check the references below). The sites present fake WhatsApp login/download portals in Chinese, suggesting East Asian targeting.
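The three WhatsApp naming patterns above, and the dictionary-word RDGA domains in the SMS-scam post earlier on this page, are regular enough to turn into a classifier for a DNS or passive-DNS feed. The Python below is an added example, not Infoblox's code. It assumes domains arrive in defanged `[.]` form, the label names it returns are hypothetical, and the scareware vocabulary is constructed by splitting the `.top` / `.autos` IOCs listed earlier. The `.cn` pattern is matched with a transposition-aware edit distance so that both `wahtsapp` (as written in the pattern) and `wahstapp` (as in the IOC selection) are caught, and that pattern is also accepted on `.com` because the IOC selection includes one such domain.

```python
import re
from functools import lru_cache

# Scareware vocabulary, constructed by splitting the RDGA IOCs in the SMS-scam post above.
# Sorted longest-first so the tiling search tries the most specific word at each position.
SCAREWARE_VOCAB = sorted({
    "protection", "session", "activities", "scanner", "detected", "network",
    "internet", "advanced", "security", "secured", "service", "software", "issue",
    "clean", "alert", "safe", "quick", "device", "fix", "risk", "free",
    "install", "faster",
}, key=len, reverse=True)
SCAREWARE_TLDS = {"top", "autos"}

# Naming patterns quoted in the WhatsApp post
CC_RANDOM_RE = re.compile(r"^whats[a-z]{3}\.cc$")
COM_STRUCTURED_RE = re.compile(r"^app-[a-z]{3}-whats[a-z]+\.com$")
# The post gives this pattern for .cn; the IOC selection also shows a .com instance
PREFIXED_RE = re.compile(r"^[a-z]{4}-([a-z]{8})\.(cn|com)$")


def refang(domain):
    """Normalise defanged input such as whatsqgs[.]cc to whatsqgs.cc."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + cost)
    return d[-1][-1]


def vocab_segments(label):
    """Tile a hyphen-free label with vocabulary words; None if it cannot be done."""
    @lru_cache(maxsize=None)
    def solve(i):
        if i == len(label):
            return ()
        for word in SCAREWARE_VOCAB:
            if label.startswith(word, i):
                rest = solve(i + len(word))
                if rest is not None:
                    return (word,) + rest
        return None
    return solve(0)


def classify(domain):
    """Return a hypothetical campaign label for a matching domain, else None."""
    d = refang(domain)
    if CC_RANDOM_RE.match(d):
        return "whatsapp_cc_random"
    if COM_STRUCTURED_RE.match(d):
        return "whatsapp_com_structured"
    m = PREFIXED_RE.match(d)
    if m and osa_distance(m.group(1), "whatsapp") <= 2:
        return "whatsapp_prefixed_typosquat"
    sld, _, tld = d.rpartition(".")
    if tld in SCAREWARE_TLDS:
        words = []
        for piece in sld.split("-"):
            seg = vocab_segments(piece)
            if seg is None:
                break
            words.extend(seg)
        else:
            if len(words) >= 2:
                return "scareware_vocab_rdga"
    return None


def scan(domains):
    """Pair each matching domain with its label; non-matching domains are dropped."""
    hits = []
    for domain in domains:
        label = classify(domain)
        if label:
            hits.append((refang(domain), label))
    return hits


if __name__ == "__main__":
    for item in scan(["whatsqgs[.]cc", "kemc-wahstapp[.]cn", "cleanalertsafequick[.]top", "example.com"]):
        print(*item)
```

The vocabulary tiling requires the whole label to be covered by at least two dictionary words, which is what separates `cleanalertsafe` from an ordinary domain that merely contains `safe`; widening the vocabulary beyond the words seen in the IOCs will raise recall at the cost of false positives, so tune it against your own DNS baseline.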
Selection of IOCs
app-xfn-whatsappcc[.]com
app-xbb-whatsappcc[.]com
app-wum-whatshktw[.]com
ptjh-wahtsapp[.]com
kemc-wahstapp[.]cn
hzfv-wahstapp[.]cn
iiqu-wahstapp[.]cn
ggeu-wahstapp[.]cn
whatsyuy[.]cc
xjdp-wahstapp[.]cn
yaue-wahstapp[.]cn
zvxd-wahstapp[.]cn
References
https://urlscan.io/result/0199f335-4b61-76ca-851f-c832a7d5f9bd/#transactions (tj.js is the weird analytics GET request)
https://urlscan.io/result/0199f34a-e9a8-7788-a057-29a6c9a3f133 (the loader itself)
https://www.shodan.io/search?query=aizhantj.com
#infoblox #phishing #lookalikes #infosec #threatintel #dns #whatsapp