In a significant escalation of digital deception tactics, threat actors registered over 26,000 domains in March 2025 alone, designed to impersonate legitimate brands and government services. Palo Alto Networks researchers identified that over 75% of these malicious domains share the same registrar, Hong Kong-based Dominet (HK) Limited, suggesting a coordinated campaign likely orchestrated by a single threat actor or organized group. This large-scale campaign represents a dramatic expansion of a technique that began gaining traction in early 2024, with researchers now tracking over 91,500 root domains employed in these attacks since the FBI issued its initial warning last April.

These malicious domains serve as landing pages for sophisticated smishing (SMS phishing) campaigns, in which unsuspecting users receive text messages containing links to what appear to be legitimate services. The campaign’s scope has grown substantially, targeting services where users typically expect to receive text notifications requiring immediate action, such as delivery notifications, toll payments, and government communications. The domains follow specific naming patterns that blend authentic brand names with suspicious subdomains, creating just enough visual legitimacy to trick users into providing sensitive information or making payments through fraudulent portals. The malicious domains follow four distinct naming conventions, each carefully crafted to appear legitimate at first glance. Common patterns include structures like “com-[random alphanumeric string].[TLD]” and “gov-[random alphanumeric string].[TLD]” that visually mimic legitimate URL structures. For example, a recently registered domain “gov-mfc.com” was used with the URL “hxxps://driveky.gov-mfc.com/pay” to target users with fake payment notifications for what appeared to be Kentucky driving services.

The researchers’ telemetry has revealed alarming statistics, with over 31 million queries detected for these domains in the past quarter alone, indicating the widespread effectiveness of the attackers’ methods. Analysis of the attack traffic reveals a significant increase in activity during 2025 compared to the previous year, demonstrating the threat actors’ growing confidence and resource investment in this technique. The campaign’s success stems partly from its ephemeral nature, with approximately 70% of traffic to these domains occurring within the first seven days after registration. This short operational lifespan helps attackers stay ahead of security controls and blocklists, which often cannot identify and block newly registered domains quickly enough to prevent victimization. Security researchers note that blocking Newly Registered Domains (NRDs) for a one-month period can effectively filter out approximately 85% of this malicious traffic. However, the attackers continue to evolve their techniques, implementing sophisticated cloaking methods that display different content depending on who is accessing the site, making detection increasingly challenging for both users and automated security systems.
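The two controls the article describes, flagging root domains that use the “com-…”/“gov-…” brand-prefix convention and treating any domain registered within the last month as an NRD, can be combined into a simple DNS-log triage. The following Python is an added example written for this page, not code from Palo Alto Networks or the article; the log lines, registration dates and the hypothetical `triage`/`root_domain` helpers are constructed here, and the root-domain extraction assumes a single-label public suffix (it does not handle suffixes such as `.co.uk`).

```python
import re
from datetime import date

# Brand-prefix convention quoted in the article: the registrable label looks like
# "com-<alphanumeric>" or "gov-<alphanumeric>", e.g. gov-mfc.com (from the article).
BRAND_PREFIX_RE = re.compile(r"^(?:com|gov)-[a-z0-9]+$")

# "Blocking NRDs for a one-month period" from the article, expressed in days.
NRD_WINDOW_DAYS = 30


def root_domain(fqdn):
    """Return the registrable domain, assuming a single-label public suffix
    (simplifying assumption; a real deployment would use the Public Suffix List)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return fqdn.lower()
    return ".".join(labels[-2:])


def matches_brand_prefix(fqdn):
    """True when the root domain's first label follows the com-/gov- pattern."""
    second_level = root_domain(fqdn).split(".")[0]
    return bool(BRAND_PREFIX_RE.match(second_level))


def is_newly_registered(registered_on, today):
    """True when the domain is younger than the NRD window; unknown dates are not NRDs."""
    return registered_on is not None and (today - registered_on).days < NRD_WINDOW_DAYS


def triage(log_lines, registration_dates, today):
    """Walk '<timestamp> <client> <queried name>' lines and return
    (fqdn, root domain, reasons) for every name that trips a rule."""
    findings = []
    for line in log_lines:
        _timestamp, _client, fqdn = line.split()
        root = root_domain(fqdn)
        reasons = []
        if matches_brand_prefix(fqdn):
            reasons.append("brand-prefix-pattern")
        if is_newly_registered(registration_dates.get(root), today):
            reasons.append("newly-registered")
        if reasons:
            findings.append((fqdn, root, reasons))
    return findings


# Constructed sample data: a handful of resolver log lines and a fake
# registration-date lookup standing in for a WHOIS/RDAP cache.
TODAY = date(2025, 4, 25)
SAMPLE_LOG = [
    "2025-04-25T09:12:03Z 10.0.0.5 driveky.gov-mfc.com",
    "2025-04-25T09:12:09Z 10.0.0.5 www.example.com",
    "2025-04-25T09:13:41Z 10.0.0.7 track.com-a1b2c3.top",
    "2025-04-25T09:14:02Z 10.0.0.9 mail.newstartup-test.net",
]
SAMPLE_REGISTRATION = {
    "gov-mfc.com": date(2025, 4, 10),          # constructed, 15 days old
    "example.com": date(2010, 1, 1),           # constructed, long-lived
    "com-a1b2c3.top": date(2025, 4, 20),       # constructed, 5 days old
    "newstartup-test.net": date(2025, 4, 1),   # constructed, 24 days old, no brand prefix
}

if __name__ == "__main__":
    for fqdn, root, reasons in triage(SAMPLE_LOG, SAMPLE_REGISTRATION, TODAY):
        print(f"{fqdn:32} root={root:24} {', '.join(reasons)}")
```

The brand-prefix rule alone catches the two look-alike names, while the NRD rule also surfaces `mail.newstartup-test.net`, which has no suspicious prefix but is still inside the 30-day window; that second class is where the article’s 85% figure comes from, and it is also the class most likely to produce false positives on genuinely new business domains, so a real deployment would log or challenge rather than hard-block.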
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Apr 2025 17:50:09 +0000