Cybercriminals Register Over 26,000 Domains to Impersonate Brands and Deceive Users

In March 2025, cybercriminals escalated their deceptive tactics by registering more than 26,000 domains designed to impersonate reputable brands and government services. These domains serve as platforms for sophisticated SMS phishing (smishing) campaigns, where unsuspecting users receive text messages containing links that appear to lead to legitimate services.

The fraudulent domains are crafted to closely resemble authentic brand names, often incorporating suspicious subdomains that lend an air of legitimacy. This subtle mimicry is intended to deceive users into divulging sensitive information or making payments through counterfeit portals.

This large-scale campaign marks a significant expansion of a technique that began gaining traction in early 2024. Since the FBI issued its initial warning last April, researchers have tracked over 91,500 root domains employed in similar attacks. The campaign’s scope has grown substantially, targeting services where users typically expect to receive text notifications requiring immediate action, such as delivery notifications, toll payments, and government communications.

Palo Alto Networks researchers identified that over 75% of these malicious domains share the same registrar—Hong Kong-based Dominet (HK) Limited—suggesting a coordinated campaign likely orchestrated by a single threat actor or organized group. Their telemetry revealed alarming statistics, with over 31 million queries detected for these domains in the past quarter alone, indicating the widespread effectiveness of the attackers’ methods.

The campaign’s success is partly due to its ephemeral nature. Approximately 70% of traffic to these domains occurs within the first seven days after registration. This short operational lifespan helps attackers stay ahead of security controls and blocklists, which often cannot identify and block newly registered domains quickly enough to prevent victimization.

Domain Pattern Analysis and Detection Challenges

The malicious domains follow four distinct naming conventions, each crafted to appear legitimate at first glance. Two common patterns are com-[random alphanumeric string].[TLD] and gov-[random alphanumeric string].[TLD], where the hyphenated prefix makes the registrable domain read like a trusted .com or .gov address, and a brand name placed in the subdomain (as in usps.com-ic1.top) completes the illusion.

For example, a recently registered domain gov-mfc.com was used with the URL hxxps://driveky.gov-mfc.com/pay to target users with fake payment notifications for what appeared to be Kentucky driving services. Similarly, another domain com-ic1.top created the deceptive URL hxxps://usps.com-ic1.top/us to impersonate the United States Postal Service.

Security researchers note that blocking Newly Registered Domains (NRDs) for a one-month period can effectively filter out approximately 85% of this malicious traffic. However, the attackers continue to evolve their techniques, implementing sophisticated cloaking methods that display different content depending on who is accessing the site, making detection increasingly challenging for both users and automated security systems.