#Infoblox
lifetechweb · 11 months ago
Over 1 Million Domains at Risk from 'Sitting Ducks' Domain Hijacking Technique
More than one million domains are susceptible to takeover by malicious actors through what has been called the Sitting Ducks attack. The powerful attack vector, which exploits weaknesses in the domain name system (DNS), is being exploited by more than a dozen Russian cybercriminals to stealthily hijack domains, a joint analysis published by Infoblox and…
vgetit · 9 months ago
YouTube video: Infoblox DNS Traffic Control Module + Premium
cyber-sec · 7 months ago
DNS Predators Hijack Domains to Supply their Attack Infrastructure
Source: https://blogs.infoblox.com/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/
More info: https://insights.infoblox.com/resources-research-report/infoblox-research-report-dns-predators-attack-vipers-hawks-hijack-sitting-ducks-domains
cleverhottubmiracle · 9 days ago
Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.

Image: Infoblox.

In November 2024, researchers at the security firm Qurium published an investigation into “Doppelganger,” a disinformation network that promotes pro-Russian narratives and infiltrates Europe’s media landscape by pushing fake news through a network of cloned websites.

Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served. Qurium found Doppelganger relies on a sophisticated “domain cloaking” service, a technology that allows websites to present different content to search engines compared to what regular visitors see. The use of cloaking services helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience gets to view the intended content.

Qurium discovered that Doppelganger’s cloaking service also promoted online dating sites, and shared much of the same infrastructure with VexTrio, which is thought to be the oldest malicious traffic distribution system (TDS) in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.

BREAKING BAD

Digging deeper, Qurium noticed Doppelganger’s cloaking service used an Internet provider in Switzerland as the first entry point in a chain of domain redirections. They also noticed the same infrastructure hosted a pair of co-branded affiliate marketing services that were driving traffic to sketchy adult dating sites: LosPollos[.]com and TacoLoco[.]co.

The LosPollos ad network incorporates many elements and references from the hit series “Breaking Bad,” mirroring the fictional “Los Pollos Hermanos” restaurant chain that served as a money laundering operation for a violent methamphetamine cartel.

The LosPollos advertising network invokes characters and themes from the hit show Breaking Bad. The logo for LosPollos (upper left) is the image of Gustavo Fring, the fictional chicken restaurant chain owner in the show.

Affiliates who sign up with LosPollos are given JavaScript-heavy “smartlinks” that drive traffic into the VexTrio TDS, which in turn distributes the traffic among a variety of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams and malware download sites.

LosPollos affiliates typically stitch these smart links into WordPress websites that have been hacked via known vulnerabilities, and those affiliates will earn a small commission each time an Internet user referred by any of their hacked sites falls for one of these lures.

The Los Pollos advertising network promoting itself on LinkedIn.

According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,” a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser. For example, on Microsoft Windows systems these notifications typically show up in the bottom right corner of the screen — just above the system clock.

In the case of VexTrio and TacoLoco, the notification approval requests themselves are deceptive — disguised as “CAPTCHA” challenges designed to distinguish automated bot traffic from real visitors.

For years, VexTrio and its partners have successfully tricked countless users into enabling these site notifications, which are then used to continuously pepper the victim’s device with a variety of phony virus alerts and misleading pop-up messages.

Examples of VexTrio landing pages that lead users to accept push notifications on their device.

According to a December 2024 annual report from GoDaddy, nearly 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks.

ADSPRO AND TEKNOLOGY

On November 14, 2024, Qurium published research to support its findings that LosPollos and TacoLoco were services operated by Adspro Group, a company registered in the Czech Republic and Russia, and that Adspro runs its infrastructure at the Swiss hosting providers C41 and Teknology SA.

Qurium noted the LosPollos and TacoLoco sites state that their content is copyrighted by ByteCore AG and SkyForge Digital AG, both Swiss firms that are run by the owner of Teknology SA, Guilio Vitorrio Leonardo Cerutti.

Further investigation revealed LosPollos and TacoLoco were apps developed by a company called Holacode, which lists Cerutti as its CEO. The apps marketed by Holacode include numerous VPN services, as well as one called Spamshield that claims to stop unwanted push notifications. But in January, Infoblox said they tested the app on their own mobile devices, and found it hides the user’s notifications, and then after 24 hours stops hiding them and demands payment. Spamshield subsequently changed its developer name from Holacode to ApLabz, although Infoblox noted that the Terms of Service for several of the rebranded ApLabz apps still referenced Holacode.

Incredibly, Cerutti threatened to sue me for defamation before I’d even uttered his name or sent him a request for comment (Cerutti sent the unsolicited legal threat back in January after his company and my name were merely tagged in an Infoblox post on LinkedIn about VexTrio).

Asked to comment on the findings by Qurium and Infoblox, Cerutti vehemently denied being associated with VexTrio. Cerutti asserted that his companies all strictly adhere to the regulations of the countries in which they operate, and that they have been completely transparent about all of their operations.

“We are a group operating in the advertising and marketing space, with an affiliate network program,” Cerutti responded. “I am not [going] to say we are perfect, but I strongly declare we have no connection with VexTrio at all.”

“Unfortunately, as a big player in this space we also get to deal with plenty of publisher fraud, sketchy traffic, fake clicks, bots, hacked, listed and resold publisher accounts, etc, etc.,” Cerutti continued. “We bleed lots of money to such malpractices and conduct regular internal screenings and audits in a constant battle to remove bad traffic sources. It is also a highly competitive space, where some upstarts will often play dirty against more established mainstream players like us.”

Working with Qurium, researchers at the security firm Infoblox released details about VexTrio’s infrastructure to their industry partners. Just four days after Qurium published its findings, LosPollos announced it was suspending its push monetization service. Less than a month later, Adspro had rebranded to Aimed Global.

A mind map illustrating some of the key findings and connections in the Infoblox and Qurium investigations.

A REVEALING PIVOT

In March 2025, researchers at GoDaddy chronicled how DollyWay — a malware strain that has consistently redirected victims to VexTrio throughout its eight years of activity — suddenly stopped doing that on November 20, 2024.

Virtually overnight, DollyWay and several other malware families that had previously used VexTrio began pushing their traffic through another TDS called Help TDS. Digging further into historical DNS records and the unique code scripts used by the Help TDS, Infoblox determined it has long enjoyed an exclusive relationship with VexTrio (at least until LosPollos ended its push monetization service in November).

In a report released today, Infoblox said an exhaustive analysis of the JavaScript code, website lures, smartlinks and DNS patterns used by VexTrio and Help TDS linked them with at least four other TDS operators (not counting TacoLoco). Those four entities — Partners House, BroPush, RichAds and RexPush — are all Russia-based push monetization programs that pay affiliates to drive signups for a variety of schemes, but mostly online dating services.

“As Los Pollos push monetization ended, we’ve seen an increase in fake CAPTCHAs that drive user acceptance of push notifications, particularly from Partners House,” the Infoblox report reads. “The relationship of these commercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and they all have a Russian nexus, there is no overt common ownership.”

Renee Burton, vice president of threat intelligence at Infoblox, said the security industry generally treats the deceptive methods used by VexTrio and other malicious TDSs as a kind of legally grey area that is mostly associated with less dangerous security threats, such as adware and scareware.

But Burton argues that this view is myopic, and helps perpetuate a dark adtech industry that also pushes plenty of straight-up malware, noting that hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs.

“These TDSs are a nefarious threat, because they’re the ones you can connect to the delivery of things like information stealers and scams that cost consumers billions of dollars a year,” Burton said. “From a larger strategic perspective, my takeaway is that Russian organized crime has control of malicious adtech, and these are just some of the many groups involved.”

WHAT CAN YOU DO?

As KrebsOnSecurity warned way back in 2020, it’s a good idea to be very sparing in approving notifications when browsing the Web. In many cases these notifications are benign, but as we’ve seen there are numerous dodgy firms that are paying site owners to install their notification scripts, and then reselling that communications pathway to scammers and online hucksters.

If you’d like to prevent sites from ever presenting notification requests, all of the major browser makers let you do this — either across the board or on a per-website basis. While it is true that blocking notifications entirely can break the functionality of some websites, doing this for any devices you manage on behalf of your less tech-savvy friends or family members might end up saving everyone a lot of headache down the road.

To modify site notification settings in Mozilla Firefox, navigate to Settings, Privacy & Security, Permissions, and click the “Settings” tab next to “Notifications.” That page will display any notifications already permitted and allow you to edit or delete any entries. Tick the box next to “Block new requests asking to allow notifications” to stop them altogether.

In Google Chrome, click the icon with the three dots to the right of the address bar, scroll all the way down to Settings, Privacy and Security, Site Settings, and Notifications. Select the “Don’t allow sites to send notifications” button if you want to banish notification requests forever.

In Apple’s Safari browser, go to Settings, Websites, and click on Notifications in the sidebar. Uncheck the option to “allow websites to ask for permission to send notifications” if you wish to turn off notification requests entirely.
infernovm · 2 months ago
Infoblox, Google Cloud partner to protect hybrid and multicloud enterprise resources
Infoblox and Google Cloud announced a partnership that powers new products from each company that they say will help enterprise organizations accelerate their cloud adoption with advanced networking and security capabilities. Infoblox Universal DDI for Google’s Cloud WAN combines Google Cloud Cross-Cloud Network infrastructure with Infoblox’s DNS and DHCP capabilities to enable enterprise…
lovelypol · 3 months ago
DDI Market on Track to Reach $5.8 Billion by 2034 – 8.8% CAGR
DDI (DNS, DHCP, and IP Address Management) market encompasses solutions that streamline the management of network services essential for modern IT infrastructures. It includes software and hardware tools that automate and integrate DNS and DHCP services with IP address management, enhancing network efficiency, security, and compliance. This market is driven by the increasing complexity of network environments, the proliferation of connected devices, and the need for robust, scalable solutions to support digital transformation initiatives across industries.
To request a sample report: https://www.globalinsightservices.com/request-sample/?id=GIS20287&utm_source=SnehaPatil&utm_medium=Article
The DDI (DNS, DHCP, and IP Address Management) market is witnessing robust growth, propelled by the increasing complexity of network infrastructures and the proliferation of connected devices. DNS services lead the market, driven by the critical need for efficient domain name resolution in expanding digital ecosystems. DHCP services follow closely, supported by the demand for automated IP address allocation in dynamic network environments. IP Address Management solutions are gaining momentum, reflecting the necessity for centralized control and visibility in IP address distribution.
Geographically, North America stands at the forefront, benefiting from advanced technological adoption and a strong emphasis on cybersecurity. Europe ranks as the second-highest performing region, with regulatory compliance and data protection initiatives fueling market expansion. Within these regions, the United States and Germany emerge as key contributors, owing to their robust IT infrastructure and innovation-driven economies. The Asia-Pacific region is poised for rapid growth, driven by digital transformation initiatives and burgeoning telecom sectors.
Market Segmentation
Type: Software, Hardware, Services
Product: Integrated Platforms, Standalone Solutions, Cloud-based Systems, On-premise Systems
Services: Consulting, Implementation, Support and Maintenance, Managed Services
Technology: AI and Machine Learning, Blockchain, IoT Integration, Big Data Analytics, Automation, Cloud Computing
Component: Network Components, Security Components, Database Components, Interface Components
Application: Network Management, Data Management, Security Management, Compliance Management
Deployment: Cloud, On-premises, Hybrid
End User: Telecommunications, IT and ITeS, Banking, Financial Services, and Insurance, Healthcare, Retail, Manufacturing, Government, Education
In 2024, the DDI (DNS, DHCP, and IPAM) market was characterized by a total volume of approximately 150 million units, projected to grow to 250 million units by 2028. The DNS segment commands the largest market share at 45%, followed by DHCP at 30% and IPAM at 25%. The DNS segment’s dominance is driven by the increasing demand for scalable network solutions and enhanced security features. Prominent players in the market include Infoblox, BlueCat Networks, and EfficientIP, each holding substantial market positions. Infoblox leads with a focus on automation and security enhancements, while BlueCat Networks emphasizes cloud integration.
aitoolswhitehattoolbox · 5 months ago
Senior Software Engineer (C# AND .NET)
Senior Software Engineer (C# AND .NET), Engineering, Bangalore, India. Description: It’s an exciting time to be at Infoblox. Named a Top 25 Cyber Security Company by The Software Report and one of Inc. magazine’s Best Workplaces for 2020, Infoblox is the leader in cloud-first networking and security services. Our solutions empower organizations to take full advantage of the cloud to deliver network…
h1p3rn0v4 · 7 months ago
"We have found several actors who have hijacked domains and held on to them for long periods of time, but we have not been able to determine the purpose of the hijacking," Infoblox concluded. "These domains usually have a high reputation and are rarely detected by security vendors, which creates an environment in which cunning actors can distribute malware, commit rampant fraud, and steal users' credentials without consequences."
the-hacker-news · 1 year ago
Chinese Actor SecShow Conducts Massive DNS Probing on Global Scale
The Hacker News: Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) probing on a global scale since at least June 2023. The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the China Education and Research Network (CERNET), a project funded by the Chinese government. "These http://dlvr.it/T87l05 Posted by: Mohit Kumar (Hacker)
cyber-sec · 1 year ago
Muddling Meerkat hackers manipulate DNS using China’s Great Firewall
Source: https://www.bleepingcomputer.com/news/security/muddling-meerkat-hackers-manipulate-dns-using-chinas-great-firewall/
More info: https://blogs.infoblox.com/threat-intelligence/a-cunning-operator-muddling-meerkat-and-chinas-great-firewall/
Report: https://insights.infoblox.com/resources-report/infoblox-report-muddling-meerkat-the-great-firewall-manipulator
trending-expertise · 1 year ago
Supervisor, Endeavor Aid
Job title: Supervisor, Endeavor Aid. Company: Infoblox. Description: Supervisor, Endeavor Aid, Buyer Provider, Bangalore, India. It’s an exciting time to be at Infoblox. Named a Top 25 Cyber Security Company by The Software Report and one of Inc. magazine’s Best Workplaces for 2020, Infoblox is the leader in cloud-first networking and security…
cleverhottubmiracle · 2 months ago
Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment scams through spoofed celebrity endorsements and conceal their activity through traffic distribution systems (TDSes).

The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox.

The attacks have been observed to lure victims with bogus platforms, including cryptocurrency exchanges, which are then advertised on social media platforms. An important aspect of these scams is the use of web forms to collect user data.

"Reckless Rabbit creates ads on Facebook that lead to fake news articles featuring a celebrity endorsement for the investment platform," security researchers Darby Wise, Piotr Glaska, and Laura da Rocha said. "The article includes a link to the scam platform which contains an embedded web form persuading the user to enter their personal information to 'register' for the investment opportunity."

Some of these forms, besides requesting users' names, phone numbers, and email addresses, offer the ability to auto-generate a password, a key piece of information that's used to progress to the next phase of the attack -- validation checks.

The threat actors perform HTTP GET requests to legitimate IP validation tools, such as ipinfo[.]io, ipgeolocation[.]io, or ipapi[.]co, in order to filter out traffic from countries that they are not interested in. Checks are also carried out to ensure that the provided numbers and email addresses are authentic.

Should the user be deemed worthy of exploitation, they are subsequently routed through a TDS that either takes them directly to the scam platform, where they are coaxed into parting with their funds by promising high returns, or to a different page that instructs them to wait for a call from their representative.

"Some campaigns use call centers to provide the victims with instructions on how to set up an account and transfer money into the fake investment platform," the researchers explained. "For users who do not pass the validation step, many campaigns will simply display a 'thank you' landing page."

An important aspect of the activity is the use of a registered domain generation algorithm (RDGA) to set up domain names for the sketchy investment platforms, a technique also adopted by other threat actors like Prolific Puma, Revolver Rabbit, and VexTrio Viper. Unlike traditional domain generation algorithms (DGAs), RDGAs make use of a secret algorithm to register all the domain names.

Reckless Rabbit is said to have been creating domains as far back as April 2024, primarily targeting users in Russia, Romania, and Poland, while excluding traffic from Afghanistan, Somalia, Liberia, Madagascar, and others.

The Facebook ads used to direct users to the fake news articles are interspersed with advertising content related to items listed for sale on marketplaces like Amazon in a bid to evade detection and enforcement action. What's more, the ads contain unrelated images and display a decoy domain (e.g., "amazon[.]pl") that's different from the actual domain the user will be redirected to once they click on the link (e.g., "tyxarai[.]org").

Ruthless Rabbit, on the other hand, is believed to have been actively running investment scam campaigns since at least November 2022 that are aimed at Eastern European users. What sets this threat actor apart is that they run their own cloaking service ("mcraftdb[.]tech") to perform validation checks.

Users who get past the verification checks are subsequently routed to an investment platform where they are urged to enter their financial information to complete the registration process.

"A TDS enables threat actors to strengthen their infrastructure, making it more resilient by providing the ability to hide malicious content from security researchers and bots," Infoblox said.

This is not the first time such fraudulent investment scam campaigns have been discovered in the wild. In December 2024, ESET exposed a similar scheme dubbed Nomani that uses a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities.

Then last month, Spanish authorities revealed they have arrested six individuals aged between 34 and 57 for allegedly running a large-scale cryptocurrency investment scam that used AI tools to generate deepfake ads featuring popular public figures to deceive people.

Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News that they "would have to take a closer look to see if there is any evidence" to ascertain if there are any connections between these activities and those conducted by Reckless Rabbit and Ruthless Rabbit.

"Threat actors like Reckless and Ruthless Rabbits will be relentless in their attempts to trick as many users as possible," the researchers said. "Because these types of scams have proven to be highly profitable for them, they will continue to grow rapidly—both in number and sophistication."

Mystery Box Scams Proliferate via Facebook Ads

The development comes as Bitdefender is warning of a spike in sophisticated subscription scams that make use of a network of more than 200 convincing fake websites to trick users into paying monthly subscriptions and sharing their credit card data.

"Criminals create Facebook pages and take out full ads to promote the already classic 'mystery box' scam and other variants," the Romanian company said. "The 'mystery box' scam has evolved and now includes almost hidden recurring payments, alongside links to websites to various shops. Facebook is used as the main platform for these new and enhanced mystery box scams."

The rogue sponsored ads advertise clearance sales from brands like Zara or offer a chance to buy a "mystery box" containing Apple products and seek to entice users by claiming that they can grab one of them by paying a minimal sum of money, sometimes as low as $2.

The cybercriminals deploy various tricks to sidestep detection efforts, including creating multiple versions of the ad, only one of which is malicious, while the others display random product images. These scams, like the ones perpetrated by Reckless Rabbit and Ruthless Rabbit, incorporate a survey component to ensure that the victims are real people and not bots. Additionally, the payment pages rope unsuspecting users into a subscription program that earns the threat actors recurring revenues under the pretext of giving them a discount.

"Criminals have been pumping funds in ads promoting impersonated content creators, using the same subscription model that seems to be now the driving revenue stream of these scams," Bitdefender researchers Răzvan Gosa and Silviu Stahie said. "Scammers often change the impersonated brands, and they've begun expanding past the existing mystery boxes. They are now trying to sell low-quality products or imitation articles, fake investments, supplements, and much more."

U.S. Treasury Sanctions Junta-Linked Militia in Myanmar Over Scam Compounds

The findings also follow a wave of sanctions imposed by the U.S. Department of the Treasury against the Myanmar-linked Karen National Army (KNA) for assisting organized crime syndicates in operating multi-billion-dollar scam compounds, as well as facilitating human trafficking and cross-border smuggling. The actions also target the group's leader Saw Chit Thu, and his two sons, Saw Htoo Eh Moo and Saw Chit Chit.

Saw Chit Thu was sanctioned by the United Kingdom in 2023 and the European Union in 2024 for becoming a key enabler of scam operations in the region.

"Cyber scam operations, such as those run by the KNA, generate billions in revenue for criminal kingpins and their associates, while depriving victims of their hard-earned savings and sense of security," said Deputy Secretary Michael Faulkender.

In these so-called romance baiting scams, fraudsters -- who are themselves trafficked to the scam sites after being lured with high-paying jobs -- are coerced into targeting strangers online, building rapport with them over time, and then inducing them to invest in bogus cryptocurrency and trading platforms controlled by the criminal actors.

"The KNA profits from cyber scam schemes on an industrial scale by leasing land it controls to other organized crime groups, and providing support for human trafficking, smuggling, and the sale of utilities used to provide energy to scam operations," the Treasury Department said. "The KNA also provides security at scam compounds in Karen State."

The United Nations Office on Drugs and Crime (UNODC) last month divulged the scam centers are still expanding despite recent crackdowns, generating annual profits to the tune of about $40 billion.
don-lichterman · 1 year ago
Cybercriminals are constantly evolving their tactics to lure unsuspecting victims into their traps, and a recent report by cybersecurity firm Infoblox sheds…
ericvanderburg · 1 year ago
Infoblox SOC Insights reduces critical security operations challenges
http://securitytc.com/T2nLkZ