![[The AI Show Episode 143]: ChatGPT Revenue Surge, New AGI Timelines, Amazon’s AI Agent, Claude for Education, Model Context Protocol & LLMs Pass the Turing Test](https://www.marketingaiinstitute.com/hubfs/ep%20143%20cover.png)
![[FREE EBOOKS] AI and Business Rule Engines for Excel Power Users, Machine Learning Hero & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![Building Telegram Mini App based on existing frontend app [closed]](https://cdn.sstatic.net/Sites/softwareengineering/Img/apple-touch-icon@2.png?v=1ef7363febba)
![Hostinger Horizons lets you effortlessly turn ideas into web apps without coding [10% off]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/04/IMG_1551.png?resize=1200%2C628&quality=82&strip=all&ssl=1)
![This new Google TV streaming dongle looks just like a Chromecast [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/thomson-cast-150-google-tv-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![iPadOS 19 May Introduce Menu Bar, iOS 19 to Support External Displays [Rumor]](https://www.iclarified.com/images/news/97137/97137/97137-640.jpg)
![Apple Drops New Immersive Adventure Episode for Vision Pro: 'Hill Climb' [Video]](https://www.iclarified.com/images/news/97133/97133/97133-640.jpg)
Threat Actors Registered 26k+ Domains Mimic Brands to Trick Users
In a significant escalation of digital deception tactics, threat actors have registered over 26,000 domains in March 2025 alone, designed to impersonate legitimate brands and government services. These malicious domains serve as landing pages for sophisticated smishing (SMS phishing) campaigns, where unsuspecting users receive text messages containing links to what appear to be legitimate services. […] The post Threat Actors Registered 26k+ Domains Mimic Brands to Trick Users appeared first on Cyber Security News.
In a significant escalation of digital deception tactics, threat actors have registered over 26,000 domains in March 2025 alone, designed to impersonate legitimate brands and government services.
These malicious domains serve as landing pages for sophisticated smishing (SMS phishing) campaigns, where unsuspecting users receive text messages containing links to what appear to be legitimate services.
The domains follow specific naming patterns that blend authentic brand names with suspicious subdomains, creating just enough visual legitimacy to trick users into providing sensitive information or making payments through fraudulent portals.
This large-scale campaign represents a dramatic expansion of a technique that began gaining traction in early 2024, with researchers now tracking over 91,500 root domains employed in these attacks since the FBI issued its initial warning last April.
The campaign’s scope has grown substantially, targeting services where users typically expect to receive text notifications requiring immediate action, such as delivery notifications, toll payments, and government communications.
Palo Alto Networks researchers identified that over 75% of these malicious domains share the same registrar—Hong Kong-based Dominet (HK) Limited—suggesting a coordinated campaign likely orchestrated by a single threat actor or organized group.
The researchers’ telemetry has revealed alarming statistics, with over 31 million queries detected for these domains in the past quarter alone, indicating widespread effectiveness of the attackers’ methods.
The campaign’s success stems partly from its ephemeral nature, with approximately 70% of traffic to these domains occurring within the first seven days after registration.
This short operational lifespan helps attackers stay ahead of security controls and blocklists, which often cannot identify and block newly registered domains quickly enough to prevent victimization.
Analysis of the attack traffic reveals a significant increase in activity during 2025 compared to the previous year, demonstrating the threat actors’ growing confidence and resource investment in this technique.
Domain Pattern Analysis and Detection Challenges
The malicious domains follow four distinct naming conventions, each carefully crafted to appear legitimate at first glance.
Common patterns include structures like “com-[random alphanumeric string].[TLD]” and “gov-[random alphanumeric string].[TLD]” that visually mimic legitimate URL structures.
For example, a recently registered domain “gov-mfc.com” was used with the URL “hxxps://driveky.gov-mfc.com/pay” to target users with fake payment notifications for what appeared to be Kentucky driving services.
Similarly, another domain “com-ic1.top” created the deceptive URL “hxxps://usps.com-ic1.top/us” to impersonate the United States Postal Service.
Security researchers note that blocking Newly Registered Domains (NRDs) for a one-month period can effectively filter out approximately 85% of this malicious traffic.
However, the attackers continue to evolve their techniques, implementing sophisticated cloaking methods that display different content depending on who is accessing the site, making detection increasingly challenging for both users and automated security systems.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post Threat Actors Registered 26k+ Domains Mimic Brands to Trick Users appeared first on Cyber Security News.
.webp?#)
