Intel Name: Phishing domains for the holidays
Date of Scan: November 14, 2024
Impact: High
Summary: In early November, a threat actor registered over 550 phishing domains impersonating legitimate booking sites, banks, crypto wallets, and restaurants. The email contact for these registrations is “ilotirabec207@gmail.com”. Many of the domains were previously registered and later “dropcaught” by the attacker. While most of the domains are stockpiled and not yet active, some are currently being used in phishing campaigns. About 90% of the active domains use Cloudflare for domain fronting, with the remaining 10% hosted on shared servers, potentially revealing their real IP addresses. These scams are designed to trick victims into revealing sensitive information, such as login credentials and financial details, ahead of the holiday season.
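The two pivots the summary describes (a shared registrant contact email, and the split between domains proxied through Cloudflare and domains resolving straight to a shared host) map directly onto a triage step a SOC would run over its own WHOIS and passive-DNS exports. The following is an added example, not code from the original report: it takes a constructed set of registration records (the domains and IP addresses are made up; only the registrant email comes from the report), keeps the domains that share the pivot email, and sorts them into Cloudflare-fronted, directly hosted (origin IP visible) and dormant (no A record yet) buckets. The Cloudflare IPv4 list is a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/ and should be refreshed before use.

```python
import ipaddress
from collections import defaultdict

# Cloudflare IPv4 ranges as published at https://www.cloudflare.com/ips/
# (snapshot used for this example; refresh from the source before relying on it)
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Registrant contact email reported as the pivot for this campaign
PIVOT_EMAIL = "ilotirabec207@gmail.com"

# Constructed sample records (domains and IPs are fictitious; in practice these
# come from your own WHOIS / passive-DNS export as {domain, registrant_email, a_record})
SAMPLE_RECORDS = [
    {"domain": "booking-secure-login.example", "registrant_email": PIVOT_EMAIL, "a_record": "104.21.10.10"},
    {"domain": "mybank-verify.example",        "registrant_email": PIVOT_EMAIL, "a_record": "172.67.5.5"},
    {"domain": "wallet-restore.example",       "registrant_email": PIVOT_EMAIL, "a_record": "203.0.113.7"},
    {"domain": "table-reservation.example",    "registrant_email": PIVOT_EMAIL, "a_record": "203.0.113.7"},
    {"domain": "unrelated-shop.example",       "registrant_email": "someone@example.net", "a_record": "198.51.100.9"},
    {"domain": "stockpiled-domain.example",    "registrant_email": PIVOT_EMAIL, "a_record": None},
]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's published IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def triage(records, pivot_email: str = PIVOT_EMAIL) -> dict:
    """Keep domains registered with the pivot email and classify each one:
    - fronted: A record is a Cloudflare IP, so the origin host is hidden
    - direct:  A record is a non-Cloudflare IP; the hosting IP itself is a usable pivot
    - dormant: no A record yet (stockpiled, not active)
    Directly hosted domains are additionally grouped by IP so shared-server
    clusters stand out."""
    result = {"fronted": [], "direct": defaultdict(list), "dormant": []}
    for rec in records:
        if rec["registrant_email"].lower() != pivot_email.lower():
            continue
        ip = rec["a_record"]
        if ip is None:
            result["dormant"].append(rec["domain"])
        elif is_cloudflare(ip):
            result["fronted"].append(rec["domain"])
        else:
            result["direct"][ip].append(rec["domain"])
    result["direct"] = dict(result["direct"])
    return result


def fronted_share(result: dict) -> float:
    """Fraction of *active* pivot domains that sit behind Cloudflare (0.0 if none active)."""
    direct_count = sum(len(v) for v in result["direct"].values())
    active = len(result["fronted"]) + direct_count
    return len(result["fronted"]) / active if active else 0.0


if __name__ == "__main__":
    out = triage(SAMPLE_RECORDS)
    print("fronted:", out["fronted"])
    print("direct (origin IP exposed):", out["direct"])
    print("dormant:", out["dormant"])
    print(f"share of active domains behind Cloudflare: {fronted_share(out):.0%}")
```

The fronted list goes straight into a blocklist, the direct list gives hosting IPs that can be pivoted on for further registrations by the same actor, and the dormant list is worth a scheduled re-resolve so the stockpile is caught as it goes live.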