Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod

While everyone is enjoying Carnival in Brazil, threat actors are still out there trying to lure people into their traps. We have found a cluster of lookalikes to the Brazilian DMV office (DETRAN in Portuguese). We observed at least two instances where they were impersonating the DMV office for the Brazilian states of Paraná and Maranhão.

The actor(s) create domains with the same label, but on several different TLDs (mostly highly abused). Here are some examples of what they look like.

consultes-seu-debitos2025.<space|site|shop|cloud>
debitos-sp-2025.<club|com|lat|net|online|store|xyz>
de3trasn2025.<click|fun|life|online|xyz>
departamentodetran2025.<click|icu|lat>
detran2025.<click|icu|lat|sbs>
l1cenciamento-detran2025.<click|icu|lat|sbs>

#lookalikes #dns #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel

https://urlscan.io/result/802374b7-6c8b-433b-b6e0-32561f74b7d3/
https://urlscan.io/result/721b12bb-d5fe-4c7e-b2b5-724e07aa22e0/

https://apple.news/AN4SNkzWiR0ubW0AyTzrXqA

Has anyone ever noticed the remarkable resemblance between Barron Trump and the young Adolf Hitler?

I wonder if they could be the related? I think we should be told.

#BarronTrump
#LookAlikes
#PrivateEye
(http://private-eye.co.uk/lookalikes)

#JasonKelce & his #lookalikes spent the weekend spreading #gay #holiday #cheer

Kelce played 13 seasons for the #PhiladelphiaEagles. But in the #gay #community, the #NFL #legend will always be known as a #Bear!

#Women #Transgender #LGBTQ #LGBTQIA #Entertainment #Sports #Representation #Culture

https://www.queerty.com/jason-kelce-his-lookalikes-spent-the-weekend-spreading-gay-holiday-cheer-20241216

Continued fun in mobile threats.. One of our analyst received these two different threats on her household Android phones on the same day.. usually Google does a pretty good job filtering them out, but failed here. These show two different #dns trends that we see in practice. The use of a shortener which redirects to an Amazon lookalike domain -- we often just see the lookalike in the message.

The amazon one led to amazonfey[.]co and the same actor had over 300 active lookalikes to Amazon and other services. These guys are fairly easy to track in DNS using fingerprinting. Blocking at DNS providers will help reduce where Google, Apple, and other service providers miss some.

The Wells Fargo / Apple alert used an old domain -- a "drop catch" that has been picked up by a threat actor. This might look obvious but people work on alarm -- if you have a Wells Fargo account and see a big charge, you might just click without thinking.

#dns #cybersecurity #InfobloxThreatIntel #Infoblox #dropCatchDomains #IOCs #threatIntel #cybercrime #lookalikes

Has anyone ever noticed the remarkable resemblance between drug-using Nazi and commander in chief of aviation-technology development, Elon Musk, and Hermann Göring?

I wonder if they could be the related? I think we should be told.

#ElonMusk
#Nazi
#PrivateEye
#Lookalikes

(http://private-eye.co.uk/lookalikes)

#art #portraits #lookalikes #doubles #doppleganger #paintings #gallery #artgallery #pictures #classical #artwork
#reincarnation #weird #spooky #strange #coincidence #amazing #identical
Quite simply one of the most amazing things I’ve ever seen on the internet. Every so often this link reappears, and it never fails to floor me.
Is this spooky or what?

https://www.boredpanda.com/museum-lookalikes-gallery-doppelgangers/

#lookalikes #SophyRidgeSky #monalisa #sky #skynews #LeonardoDiVinci #smile #celebrities #newspresenters #SophyRidge
Is it just me, or is Sophy Ridge from Sky News perfecting her Mona Lisa smile?

Multiple Airbnb phishing lookalikes were registered over the weekend. The domains all have been registered with cloudflare and have a Chinese registrant organization. The domains resolve to a webpage that mimics the actual Airbnb website, prompting the user to input their username and password. If the user attempts to register a new account, a verification code is required before the account can be created. See screenshots.

Sample of domains: airbnb03vip[.]com, airbnb02vip[.]com, airbnb01vip[.]com

A special kind of lookalike are ones designed to be used for tricking users into giving up MFA credentials... we see about 100 of those newly registered a day... a common trick now is to add a -inc to the domain name. Here are some recent ones of those verify-yourinformations[.]click, easy-mfa[.]site, mfa-ca[.]site, truistweb-verify[.]com, verify-nft[.]com, ticket-okta[.]com.... suspicious new "inc" domains often take a real domain and add the -inc to it... risa-inc[.]com.. there is a real domain risa[.]com. and gigadat-inc[.]live... often these will be parked until use.

Is it just me or ...?

#LookAlikes #doppelganger #ElonMusk

Sorry, I just saw another thing in my news feed where he was declaring humans obsolete because AI or some other such nonsense.

I'm going to tell my nieces and nephews that this is Donald J. Trump.
#Lookalikes
#DonaldTrump

I see the Torygraph is displaying an unusual sense of humour for once!

https://www.telegraph.co.uk/news/2023/02/07/boris-johnsons-ancestor-did-not-have-syphilis-new-scans-show/

@histodons At left: Bessie King (a cousin of M. Carey Thomas) as "Rex," ca. 1872. At right: Kristen Stewart as Bridget Sullivan in the 2018 film "Lizzie."

http://triptych.brynmawr.edu/cdm/singleitem/collection/BMC_photoarc/id/2519/rec/1

https://www.nytimes.com/2018/09/11/movies/lizzie-review-chloe-sevigny-kristen-stewart-borden.html

“After the storms, many Bay Area drivers dealing with pothole damage”

(https://www.cbsnews.com/sanfrancisco/news/after-the-storms-many-bay-area-drivers-dealing-with-pothole-damage/)

Potholes have definitely been a problem here.

It also turns out, though, that my very clever foster dog is a prodigious digger — primarily for gophers, but I couldn’t help noticing something which leaves me with a nagging suspicion…

#PrivateEye
#Lookalikes
#SFBayArea
#PotHoles
#DogsOfMastodon

Painting by #JohnSingerSargent that looks like #JonStewart