The Spamhaus Project

Spamhaus strengthens trust and safety for the Internet. Advocating for change through sharing reliable intelligence and expertise. As the authority on IP and domain reputation data, we are trusted across the industry because of our strong ethics, impartiality, and quality of actionable data. This data not only protects but also provides signal and insight across networks and email worldwide.

With over two decades of experience, our researchers and threat hunters focus on exposing malicious activity to make the internet a better place for everyone. A wide range of industries, including leading global technology companies, use Spamhaus' data; currently protecting over 4.5 billion mailboxes worldwide.

The Spamhaus Project spamhaus@infosec.exchange
2025-06-13

...around 60 SBL listings remain unresolved one month later!

Have we sniffed out additional bulletproof hosting providers?👃

Time will reveal all, and we will closely monitor 👀 those networks who ignored the Operation Endgame 2.0 SBL listings...

The Spamhaus Project spamhaus@infosec.exchange
2025-06-13

Through Operation Endgame 2.0, we have created more than 150 Spamhaus Blocklist (SBL) listings to assist with takedown efforts of cybercriminal infrastructure at ISPs that do not cooperate with law enforcement agencies. 🚔

Many of these listings involved tier-1 botnet controller infrastructure, which is commonly located at bulletproof hosting providers.🕵️

Thanks to these listings, we gained insights into how the involved ISPs react to abuse reports. Most of them responded ✅

However...⤵️

The Spamhaus Project spamhaus@infosec.exchange
2025-06-12

@gzobra thanks for the heads up!

The Spamhaus Project spamhaus@infosec.exchange
2025-06-11

Big shout out to the latest Threat Intel Community Top10 new entries!! 📣 🤩

📩 TF0
🌐 mugufinder
🌐 Mir Ali Shahidi
🌐 Contributor: PG22
🔗 Contributor: IM53
🔗 EGP Abuse Dept.

A big THANK YOU to all our contributors for your ongoing support & submissions 🙏

Contributors PG22, IM53 claim your name!

It only takes a min to review your 'Display Name' and give consent to share it on the leaderboard.

Login here: 👉 auth.spamhaus.org

#ThreatIntel #RawSource #Domains #IPs #URLs

The Spamhaus Project spamhaus@infosec.exchange
2025-06-11

@gzobra thank you for sharing. You should be able to view the formulas now.

The Spamhaus Project spamhaus@infosec.exchange
2025-06-10

“.ad” registry (Andorra 🇦🇩) has stepped up its game, with malicious domain detections down -84%, dropping to #33 on the list of most abused ccTLDs. Nice work. ✌️

Meanwhile, “.my” (Malaysia 🇲🇾) — despite its strict registration rules — has seen a +73% spike in abuse, shooting up to #6 with 24,294 detections. Ouch!

🌐 Full stats over at:
spamhaus.org/reputation-statis

Spamhaus Reputation Statistics: ccTLDs
The Spamhaus Project boosted:
abuse.ch :verified: abuse_ch@ioc.exchange
2025-06-10

📢 Heads-up! In just 3 WEEKS authentication will be required to access data via API across ALL our platforms. This change will help us manage heavy usage and keep things running smoothly for everyone ➡️ #SteadyPlatform #SteadySignal

Rely on our APIs?

#AuthenticateNow, to avoid any problems and maintain uninterrupted availability - three weeks will fly!

3 weeks remaining before mandatory authentication - starting June 30th.
The Spamhaus Project spamhaus@infosec.exchange
2025-06-06

❗Latest Spamhaus DROP listings, from the worst of the worst IP traffic:

👉 SBL680571 check.spamhaus.org/results?que
👉 SBL680501 check.spamhaus.org/results?que
👉 SBL680499 check.spamhaus.org/results?que
👉 SBL656295 check.spamhaus.org/results?que
👉 SBL680556 check.spamhaus.org/results?que
👉 SBL680555 check.spamhaus.org/results?que
👉 SBL676677 check.spamhaus.org/results?que
👉 SBL680524 check.spamhaus.org/results?que
👉 SBL680504 check.spamhaus.org/results?que

🔥 Did you know Spamhaus provides FREE access to this layer of protection?

The Spamhaus Project spamhaus@infosec.exchange
2025-06-06

Get it here ➡️ spamhaus.org/blocklists/do-not

Remember, this is traffic you do not want to connect with. Not ever. DROP it and move on.

#DROP #IPs #BulletproofHosting #ThreatIntel

The Spamhaus Project boosted:
2025-06-06

PSA: After getting duly sanctioned last month by the EU for being a conduit for Russian disinformation and cyberattacks, the people behind the massive bulletproof hosting service known as Stark Industries Solutions Inc are rebranding.

Stark's two sanctioned owners -- the Neculiti brothers -- have operated Stark via a related business called PQ Hosting, which is now changing its name to the[.]hosting.

"The PQ.Hosting project no longer exists — neither as a legal entity nor as an operational structure. From the moment of transition, full control over all operational and technical activities has passed to new owners with no connection to the previous management or beneficiaries."

Uh huh.

the.hosting/en/news/pqhosting-

The Spamhaus Project spamhaus@infosec.exchange
2025-06-05

We have identified yet another ongoing IP hijacking operation primarily involving dormant APNIC IPv4 address space. Hanging off unallocated AS146887, previously used by 🇮🇳 NOOB TECHNOLOGIES PRIVATE LIMITED, the operation consists of:

➡️ AS17994 (🇳🇿 Appserv Limited, merged out of existence in 2017)
➡️ AS132899 (🇭🇰/🇹🇼/🇬🇧 URNET SOLUTIONS LTD., their UK-based entity dissolved in 2016)
➡️ AS328819 (🇿🇦 Bluecentrix PTY LTD a/k/a Smartswitch, liquidated following a 2024 court order)

As is so often in IP hijacking incidents, their network resources fell through the cracks when the company went out of business.

The miscreants, however, moved swiftly, identifying such orphaned allocations, re-registering involved domains, if necessary, and seeking a means to bring them back online for facilitation of their nefarious purposes, most frequently, snowshoe spamming.

In this case, the re-registered domains appserv[.]co[.]nz and bluecentrix[.]co[.]za even surface on the same Cloudflare nameservers, indicating the same threat actor being responsible for both hijacking incidents.

Uplink of this operation is 🇷🇺 JSC TransTeleCom (AS20485), an ISP with a history of routing rogue ASNs. Spamhaus currently observes St. Petersburg-based TransTeleCom routers providing connectivity to AS146887.

Needless to say, all IP networks and Autonomous Systems are listed in Spamhaus's DROP lists ⤵️
spamhaus.org/blocklists/do-not

If you don't already, start using them!

See spamhaus.org/resource-hub/hija for more insights into IP hijacking and involved TTPs, and keep an eye out for write-ups on the inevitable next IP hijacking incident. 🕵️

The Spamhaus Project spamhaus@infosec.exchange
2025-06-04

📢 OPERATION ENDGAME 2.0 UPDATE | Following last week's announcement, we’re seeing great progress with remediation efforts...

📧 3266 ISPs and hosting companies notified,
⬇ With a 40% download rate of remediation data!

If you've received a notification, and are yet to take action, here's what you need to do:

1. Go to: spamhaus.org/endgame-2
2. Enter the access code provided in the email.
3. Download the list of breached email accounts.
4. Verify each email account, and where necessary, contact the owner and ask them to reset their password (there's an email template on the remediation webpage).

Thank you again to everyone who is part of this important effort 🙏

#Trustandsafety #OperationENDGAME2 #Takedown

The Spamhaus Project spamhaus@infosec.exchange
2025-06-03

We’re now seeing a twist on the recent toll road phishing scam. Miscreants have evolved their tactics, impersonating the official government website for Department of Motor Vehicles (DMV) - no longer just the toll systems.

Instead of toll providers, these phishing sites are now disguising as trusted government portals to steal credentials and payments.

These phishing campaigns have also been observed in other regions, including the Electronic Toll Collection (ETC) system in Japan.

🔍 Has anyone else spotted variations of these campaigns in the wild?

#Phishing #CyberSecurity #ThreatIntel

Phishing campaign - DMV portal
The Spamhaus Project spamhaus@infosec.exchange
2025-06-02

This month Spamhaus' Exploits Blocklist reached 5 million IPs listed for use in third-party exploits! 🎉 For optimum filtering, apply at:

➡️ Initial connection – against the connecting IP
➡️ Once email data accepted – check IPs in received chain mail headers and IPs hosting resources in the body (e.g. URLs)

Learn more about this data set:
spamhaus.org/blocklists/exploi

#5million #Exploits #Blocklist
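
The two checkpoints named in the post above, sketched as an added example (not Spamhaus' own code): `xbl_listed` serves the connecting-IP check, and `post_data_ips` collects the Received-chain and URL-hosting IPs for the post-DATA check. Assumptions: IPv4 only, the sample message is constructed from documentation addresses, and `lookup` and `resolve` are hypothetical injected functions standing in for your DNS resolver.

```python
import ipaddress
import re
from email import message_from_string

XBL_ZONE = "xbl.spamhaus.org"  # assumption: queried through your own resolver
LISTED = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}  # XBL return codes
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample message (documentation addresses, not real traffic).
SAMPLE = """\
Received: from mail.example.test (mail.example.test [198.51.100.23])
\tby mx.example.net with ESMTP; Mon, 2 Jun 2025 10:00:00 +0000
Received: from [192.168.1.50] (unknown [203.0.113.77])
\tby mail.example.test with ESMTPSA; Mon, 2 Jun 2025 09:59:58 +0000

See http://cdn.example.test/x and http://192.0.2.9/y
"""


def _ipv4(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def dnsbl_name(ip, zone=XBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone


def xbl_listed(ip, lookup):
    """`lookup(name)` returns A-record strings, [] on NXDOMAIN. Only XBL codes
    count as a listing: 127.255.255.x answers signal a query error."""
    return bool(LISTED & set(lookup(dnsbl_name(ip))))


def post_data_ips(raw_message, resolve):
    """Received-chain IPs, then IPs hosting body URLs (`resolve(host)` -> IPv4 list)."""
    msg = message_from_string(raw_message)
    found = [ip for h in msg.get_all("Received", []) for ip in BRACKETED_IP.findall(h)]
    for host in (h.rstrip(".") for h in URL_HOST.findall(msg.get_payload())):
        found += [host] if _ipv4(host) else resolve(host)
    external = [ip for ip in found
                if _ipv4(ip) and not any(_ipv4(ip) in net for net in INTERNAL)]
    return list(dict.fromkeys(external))  # de-duplicate, keep order
```

At connection time call `xbl_listed(connecting_ip, lookup)`; after DATA, run it over every address `post_data_ips` returns.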

The Spamhaus Project spamhaus@infosec.exchange
2025-05-30

❗SCAM ALERT | We've identified a scam campaign running on Facebook as sponsored content, utilizing fake links. Here's how it works:

1️⃣ The ad features a well-known Italian TV presenter, Paolo Bonolis, and appears to link to a legitimate article on Corriere.it (a trusted news outlet). But clicking it redirects users to a fake article hosted on rapapyte[.]xyz.

2️⃣ From there, if you click the link it redirects again to another rapapyte[.]xyz page.

3️⃣ After filling in a form, users briefly see a page saying “wait to be contacted by phone by one of our representatives” (we couldn’t grab a screenshot, as it flashed by too fast) before being redirected to fxolympia[.]org.

4️⃣ The site doesn’t ask for money upfront, instead it asks you to upload personal documents, we suspect for phishing and identity theft.

We suspect miscreants are hijacking abandoned, unused or poorly protected pages instead of creating dedicated campaigns to run this scam.

⚠️ Meta, this scam is exploiting your Facebook ad platform, and deceiving users - we urge you to:

➡️ Prevent the use of fake URLs in sponsored content.

➡️ Verify the domain reputation and age used in sponsored content — especially for new or suspicious domains.

Protect your users, and stop this scam now.

The Spamhaus Project spamhaus@infosec.exchange
2025-05-29

📢 Mail relays | Are you forwarding mail without checks, validation, or spam filtering? You could be creating a real mess. 😵‍💫

Typos, spamtraps, and forged senders can quickly snowball into blocklistings and delivery failures.

In part two of our short series on mail relays, we jump into the chaos careless forwarding can cause, and what you can do to avoid it:

👉 spamhaus.org/resource-hub/deli

#EmailSecurity #Deliverability #EmailFiltering

Mail relays | Problems with forwarded mail?
The Spamhaus Project spamhaus@infosec.exchange
2025-05-27

OPERATION ENDGAME 2.0 UPDATE | Following on from last week's announcement 📢 we are now sending notification emails 📩 to ISPs and hosting companies associated with the breached email accounts.

Here's what to do if you receive one:

👉 Go to this remediation webpage: spamhaus.org/endgame-2
👉 Enter the access code included in the email.
👉 Download the list of breached email accounts.
👉 Verify each email account, and where necessary, contact the owner and ask them to reset their password (there's a ready-made email template for you to use on the remediation webpage 😀)

Thank you to everyone who is part of this effort. 🙏

#Trustandsafety #OperationENDGAME2 #Takedown

The Spamhaus Project spamhaus@infosec.exchange
2025-05-23

🔥 Operation Endgame is BACK! This time targeting #BumbleBee, #Latrodectus, #DanaBot, #WarmCookie, #Qakbot and #Trickbot!

Once again this is a HUGE win, with a truly international effort! 💪

As with phase one of #OperationEndgame, Spamhaus are providing remediation support - those affected will be contacted in due course with steps to take.

For more information, read our write-up here:
👉 spamhaus.org/resource-hub/malw

The Spamhaus Project spamhaus@infosec.exchange
2025-05-21

.top remains firmly in the #2 spot for gTLDs most associated with phishing based on the number of detections we’re seeing 📈.

Missed our latest blog post on what’s going on with .🔝? And more importantly, what can be done to stop the ongoing proliferation in phishing abuse? ✋

Read the Domain Reputation Spotlight here ⤵️
spamhaus.org/resource-hub/serv

#DomainReport #DomainAbuse #DotTop #Phishing

Top 10 gTLDs associated with phishing activities by number of detections
