Infoblox Threat Intel
@InfobloxThreatIntel@infosec.exchange  ·  activity timestamp 14 hours ago

When one trick isn't enough… this actor brings the whole toolbox.

Actors start mixing techniques like a cyber cocktail:

- Cloud abuse with AWS S3 lures
- Algorithmically generated domains (RDGAs) for agility and evasion
- Redirect chains to keep analysts guessing
- TDS filtering to target victims
- Social engineering with fake alerts ("Your cloud storage is full!") or irresistible offers ("Get Netflix for free!")
- Payment scams as the final sting

Here's how it works: The actor is leveraging SMS messages to lure victims into clicking links that point to Amazon S3 buckets. The SMS links are the initial redirection point, silently forwarding the victim to the first bulk-registered (RDGA) domain. The redirection is seamless, making it difficult for the victim to notice anything suspicious.

From there, the actor uses multiple RDGA algorithms to generate domains that host scam and scareware campaigns. These domains feature a variety of deceptive themes, such as fake Netflix promotions, "Your Cloud Storage is Full" alerts, or "Failed Payment" warnings.

Once the victim clicks, the redirection chain continues through custom TDS (Traffic Distribution System) domains—also powered by RDGA—before finally landing on a fraudulent payment gateway. Here, victims are tricked into subscribing to fake antivirus products, counterfeit Netflix accounts, or other bogus services.

The top left and right sections showcase different types of lures used in the attack, while the bottom section illustrates how the victim is redirected to rogue payment gateways.

IOCs
protectionsessionactivities[.]top
scanner-detected-protection-network[.]top
internetadvancedsecuritysession[.]autos
detectedservicesoftwareissue[.]autos
cleanalertsafe[.]top
cleanalertsafequick[.]top
cleansafedevicefix[.]top
clean-alert-safe-quick[.]top
quicksaferiskfree[.]top
safe-install-free-faster[.]top
safeinstallfreefaster[.]top
securedsafeservicesecurity[.]autos
quicksaferisk[.]top

#Infoblox #dns #adtech #InfobloxThreatIntel #threatintelligence #cybercrime #cybersecurity #infosec #threatintel #tds #scam
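The chain the post describes (SMS link to an S3 object, then bulk-registered lure domains, then TDS hops, then a payment page) can be triaged offline once the hops have been captured. The following is an added example, not Infoblox code and not part of the post: it picks out Amazon S3 hops from a URL list, and applies a word-concatenation heuristic to the remaining hostnames, since every domain in the IOC list above is a chain of scare/lure words on a .top or .autos TLD. The lexicon, the suspect-TLD set and the sample chain are constructed for the example; the indicator list is the post's, defanged as published.

```python
"""Offline triage of an SMS -> S3 -> RDGA -> TDS redirect chain (added example)."""
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the post.
IOCS = [
    "protectionsessionactivities[.]top", "scanner-detected-protection-network[.]top",
    "internetadvancedsecuritysession[.]autos", "detectedservicesoftwareissue[.]autos",
    "cleanalertsafe[.]top", "cleanalertsafequick[.]top", "cleansafedevicefix[.]top",
    "clean-alert-safe-quick[.]top", "quicksaferiskfree[.]top", "safe-install-free-faster[.]top",
    "safeinstallfreefaster[.]top", "securedsafeservicesecurity[.]autos", "quicksaferisk[.]top",
]

# Constructed lexicon of the scare/lure words the IOC labels are built from.
LEXICON = {
    "protection", "session", "activities", "scanner", "detected", "network", "internet",
    "advanced", "security", "service", "services", "software", "issue", "clean", "alert",
    "safe", "quick", "device", "fix", "risk", "free", "install", "faster", "secured",
}
# Constructed: the TLDs that appear in the IOC list.
SUSPECT_TLDS = {"top", "autos"}

# Virtual-hosted (bucket.s3[.region].amazonaws.com) or path-style (s3[.region].amazonaws.com/bucket/...).
S3_HOST = re.compile(r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def refang(indicator):
    """Turn a defanged indicator back into a resolvable hostname."""
    return indicator.replace("[.]", ".")


def s3_bucket(url):
    """Return the S3 bucket name a URL points at, or None if the host is not Amazon S3."""
    parts = urlsplit(url)
    m = S3_HOST.match(parts.hostname or "")
    if not m:
        return None
    if m.group("bucket"):
        return m.group("bucket")
    segs = [s for s in parts.path.split("/") if s]  # path-style: first path segment is the bucket
    return segs[0] if segs else None


def segment_words(label, lexicon=LEXICON):
    """Split a hostname label into the fewest lexicon words; None if it is not fully segmentable."""
    label = label.replace("-", "")
    best = [None] * (len(label) + 1)
    best[0] = []
    for i in range(1, len(label) + 1):
        for j in range(max(0, i - 15), i):
            if best[j] is not None and label[j:i] in lexicon:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[-1]


def looks_rdga(hostname):
    """True when the registrable label is >= 2 lexicon words glued together on a suspect TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in SUSPECT_TLDS:
        return False
    words = segment_words(labels[-2])
    return words is not None and len(words) >= 2


def triage_chain(chain):
    """Classify an ordered list of captured redirect hops. Returns (verdict, findings)."""
    findings = []
    for idx, url in enumerate(chain):
        host = (urlsplit(url).hostname or "").lower()
        bucket = s3_bucket(url)
        if bucket:
            findings.append((idx, host, "s3-lure", bucket))
        elif looks_rdga(host):
            findings.append((idx, host, "rdga-like", "+".join(segment_words(host.split(".")[-2]))))
    kinds = [kind for _, _, kind, _ in findings]
    if "s3-lure" in kinds and "rdga-like" in kinds[kinds.index("s3-lure") + 1:]:
        return "s3-to-rdga-chain", findings
    return ("suspicious" if findings else "clean"), findings


def flag_iocs(iocs=IOCS):
    """Indicators from the post that the heuristic labels RDGA-like."""
    return [d for d in iocs if looks_rdga(refang(d))]


# Constructed chain: a made-up bucket, two hostnames from the IOC list, a placeholder payment host.
SAMPLE_CHAIN = [
    "https://example-bucket-name.s3.amazonaws.com/index.html",
    "https://scanner-detected-protection-network.top/?c=12",
    "https://quicksaferisk.top/go",
    "https://pay.example.invalid/checkout",
]

if __name__ == "__main__":
    verdict, findings = triage_chain(SAMPLE_CHAIN)
    print(verdict)
    for idx, host, kind, detail in findings:
        print(f"  hop {idx}: {host} [{kind}] {detail}")
    print(f"{len(flag_iocs())}/{len(IOCS)} indicators match the RDGA heuristic")
```

Two caveats a practitioner should keep in mind. The lexicon here is derived from the very indicators it matches, so it trivially flags all thirteen; in production the word list comes from a general dictionary, and the verdict should be combined with registration-date and registrar clustering rather than stand alone. The S3 check only recognises amazonaws.com hosts, so a bucket fronted by CloudFront or a custom domain will not be labelled as an S3 hop.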
