Our Quad9 documentation is now also available in #Romanian (https://docs.quad9.net/ro/) thanks to the help of our friend, Toma Minea (https://www.linkedin.com/in/toma-minea-86900582/).

It's always DNS #malware #email #DNS #infose #cybersecurity #phishing

https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/

It has been 0 days since the last #DNS issue in my home lab.

I noticed that queries for the internally used domain started failing in #BIND9, even though the DNS behind that domain (AD DC) was responding correctly. I scoured through the logs with this handy little helper:

tail -f /var/named/log/* | grep --line-buffer mydomain.fake

> lame-servers: info: broken trust chain resolving 'somehost.mydomain.fake/A/IN'

#Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operation-uses-dns-over-https-for-evasion/

Can you explain DNS to a 5 year old kid?
Asking for a friend
#dns #askfedi

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

DNS requests aren't private by default! Your DNS queries can leak which websites you visit to your ISP (Internet Service Provider). Consider encrypted DNS options to keep your browsing habits more private. #PrivacyTip #DNS #OnlineSafety

blog! “How to prevent Payment Pointer fraud”

There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners.

The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this:

<link rel="monetization"…

Read more: https://shkspr.mobi/blog/2025/03/how-to-prevent-payment-pointer-fraud/
⸻
#CyberSecurity #dns #HTML #standards #WebMonitization

I just glanced at something called a "Nintendo DS emulator", and I've understood it.

They have no DNSKEY, you see, so they have to emulate the DS.

Vous avez un peu d'expérience avec les IDN (Internationalized Domain Names), soit des noms de domaine contenant d'autres caractères que ceux ASCII ?

Je m'interroge surtout quant à leur compatibilité par rapport aux outils et aux logiciels. Les navigateurs, OK, ils les supportent tous, je n'ai pas à m'en faire.

Pour les API et autres outils, par contre...

BREAKING: #Apple engineers have achieved a miraculous feat by configuring #iCloud Mail's #DNS to be as useful as a chocolate teapot . Meanwhile, #spammers everywhere are celebrating their newfound freedom to send emails like it's 2001. #Oops #TechFail
https://www.mail-tester.com/test-p3tdhnk3o #Mail #TechFail #ChocolateTeapot #HackerNews #ngated

Our latest newsletter is out, get it while it's hot!

https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne-2/

Key stories:

Oracle's under fire: A breach at Oracle Health compromised patient data, with Oracle allegedly shifting responsibility to hospitals and avoiding documentation. This follows hot on the heels of denial regarding an alleged Oracle Cloud breach, raising serious questions about their security culture.

Clop's back in the headlines: Sam's Club - a Walmart subsidiary - is investigating claims of a Clop ransomware attack, potentially linked to the Cleo file transfer vulnerability that has already hit other organizations hard.

Don't miss this bizarre twist: Cable operator WideOpenWest (WOW!) is dealing with a breach claimed by Arkana Group, who are publicizing the stolen data (usernames, passwords, etc.) with a… Russian music video. The alleged attack vector? Infostealer malware.

Get up to speed with these stories and more: https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne-2/

If you'd like to get the latest Cyber Security news wrapped up and delivered to your inbox every day, subscribe to our newsletter here!

https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne-2/#/portal/signup

howdy, #hachyderm!

over the last week or so, we've been preparing to move hachy's #DNS zones from #AWS route 53 to bunny DNS.

since this could be a pretty scary thing -- going from one geo-DNS provider to another -- we want to make sure *before* we move that records are resolving in a reasonable way across the globe.

to help us to do this, we've started a small, lightweight tool that we can deploy to a provider like bunny's magic containers to quickly get DNS resolution info from multiple geographic regions quickly. we then write this data to a backend S3 bucket, at which point we can use a tool like #duckdb to analyze the results and find records we need to tweak to improve performance. all *before* we make the change.

then, after we've flipped the switch and while DNS is propagating -- -- we can watch in real-time as different servers begin flipping over to the new provider.

we named the tool hachyboop and it's available publicly --> https://github.com/hachyderm/hachyboop

please keep in mind that it's early in the booper's life, and there's a lot we can do, including cleaning up my hacky code.

attached is an example of a quick run across 17 regions for a few minutes. the data is spread across multiple files but duckdb makes it quite easy for us to query everything like it's one table.

We published a blog yesterday about a PhaaS and phishing kit that employs DoH and DNS MX records to dynamically serve personalized phishing content. It also uses adtech infrastructure to bypass email security and sends stolen credentials to various data collection spaces, such as Telegram, Discord, and email. https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/

The #MorphingMeerkat phishing kit is exploiting DNS vulnerabilities to spoof 100+ brands, using dynamic fake login pages and anti-analysis techniques.

Read: https://hackread.com/morphing-meerkat-phishing-kit-dns-spoof-brands/

Blocky : une solution légère pour bloquer les publicités et les sites malveillants sur un réseau https://www.it-connect.fr/blocky-une-solution-legere-pour-bloquer-les-publicites-et-les-sites-malveillants-sur-un-reseau/ #Cybersécurité #DNS

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod

(infoblox.com) Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/

This report details the discovery of a sophisticated Phishing-as-a-Service (PhaaS) platform called 'Morphing Meerkat' that has been operating for at least five years. The platform leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers, spoofing over 100 brands. The threat actor behind this operation sends thousands of spam emails, primarily through specific ISPs, exploits open redirects on adtech infrastructure, compromises WordPress sites, and uses multiple credential exfiltration methods including Telegram. The phishing kit includes advanced evasion techniques such as code obfuscation, anti-analysis measures, and dynamic translation capabilities supporting over a dozen languages to target users globally.