Malicious actors exploit viral media events by creating scam websites and domains that leverage public interest for financial gain, primarily through fake donations, merchandise sales, and cryptocurrency meme coin scams. This research highlights the organized nature of these actors and their rapid response to viral events, impacting public trust and online security.
Key points
- AI-driven research identified malicious domains linked to viral media events occurring since January 2025, focusing on events like the LA Fire, DeepSeek AI, US Trade War, and Ukraine/Russia conflict.
- Scam websites commonly emerged around the peak virality of these events and persisted beyond, exploiting trending keywords in domain names and titles.
- The most prevalent scams involved fake cryptocurrency meme coins, which deceived novice investors and generated millions of dollars before collapsing.
- Fake donation sites masquerading as reputable organizations (e.g., American Red Cross, World Food Program) were widespread, particularly following natural disasters.
- Several scam sites shared common infrastructure, registrars, and design elements, indicating that separate campaigns were likely operated by the same threat actors.
- Malicious browser extensions and Windows trojans were delivered through deceptive websites, some using legitimate APIs to harvest credentials or hijack sessions.
- The overall motivation of these malicious campaigns was direct financial profit through exploiting viral events, often via deceptive fundraising, merchandise, or cryptocurrency schemes.
MITRE Techniques
- [T1566] Phishing – Use of deceptive websites and fake donation portals to collect user information (“misleading donation sites pretending to be American Red Cross and World Food Program”).
- [T1569] System Services – Delivery of malware via browser extensions and Windows trojans (“malicious browser extensions connected to remote domains to retrieve and execute arbitrary JavaScript files”).
- [T1584] Compromise Infrastructure – Use of shared hosting services and registrars like Namecheap and Vercel Inc to manage multiple scam domains across viral events (“commonly had website titles with meme coin names and clustered registrar and ISP usage”).
- [T1499] Endpoint Denial of Service – Indirectly evidenced by session hijacking via malicious JavaScript execution (“capabilities likely for credential harvesting or session hijacking”).
Indicators of Compromise
- [Domains] Scam cryptocurrency and donation sites – tradewar.space, lafirebrigade.co.uk, donorse-charitable.com, myanmarmeme.top, gork.ink, lafire.io.
- [File Names/Extensions] Malicious browser extensions and trojan delivery observed – examples include unnamed Windows trojan payloads and extensions leveraging DeepSeek API.
- [Registrar/ISP] Common use of Namecheap registrar and Vercel Inc ISP across linked scam domains supporting coordinated campaigns.
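The two detection signals this summary describes (trending-event keywords appearing in domain names, and several scam domains clustering on the same registrar and hosting provider) can be combined into a simple triage pass over newly observed domains. The following is an added example written for this page; it is not code from DomainTools or the original report. The domain names are the ones listed in the Indicators of Compromise above, but the per-domain registrar and ISP values, the keyword lists, and the function names are constructed for illustration (the report names Namecheap and Vercel Inc as common across linked domains without giving a per-domain breakdown).

```python
"""Triage candidate domains by viral-event keywords and shared infrastructure.

Added example (not the report's own tooling). Registrar/ISP values below are
constructed for illustration and are not attributions from the report.
"""
import re
from collections import defaultdict

# Keywords tied to the viral events named in the summary (constructed list).
EVENT_KEYWORDS = {
    "la_fire": ["lafire", "la-fire", "wildfire"],
    "deepseek": ["deepseek"],
    "trade_war": ["tradewar", "tariff"],
    "myanmar": ["myanmar"],
    "donation": ["donor", "donate", "charit", "relief"],
}

# Domains from the page's IoC list; registrar/ISP pairs are CONSTRUCTED sample
# enrichment data, not values reported by the original research.
SAMPLE_DOMAINS = [
    {"domain": "tradewar.space", "registrar": "Namecheap", "isp": "Vercel Inc"},
    {"domain": "lafirebrigade.co.uk", "registrar": "Namecheap", "isp": "Vercel Inc"},
    {"domain": "donorse-charitable.com", "registrar": "Namecheap", "isp": "Vercel Inc"},
    {"domain": "myanmarmeme.top", "registrar": "Example Registrar A", "isp": "Example ISP A"},
    {"domain": "gork.ink", "registrar": "Namecheap", "isp": "Vercel Inc"},
    {"domain": "lafire.io", "registrar": "Example Registrar B", "isp": "Example ISP B"},
]


def normalize(domain):
    """Lowercase the host and drop any scheme so matching is purely on the name."""
    host = domain.lower().strip()
    return re.sub(r"^https?://", "", host)


def match_keywords(domain, keywords=EVENT_KEYWORDS):
    """Return the set of event labels whose keywords appear in the domain name.

    Hyphens and dots are removed before matching so 'la-fire' and 'lafire'
    are treated alike (scam registrations vary the spelling freely).
    """
    compact = normalize(domain).replace("-", "").replace(".", "")
    hits = set()
    for event, words in keywords.items():
        if any(w.replace("-", "") in compact for w in words):
            hits.add(event)
    return hits


def cluster_by_infrastructure(records):
    """Group domains that share a (registrar, isp) pair; keep groups of 2+.

    A shared pair is a weak signal on its own (large registrars and hosts are
    popular for legitimate reasons), so it is only used to corroborate a
    keyword hit, not to flag a domain by itself.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["registrar"], rec["isp"])].append(rec["domain"])
    return {key: doms for key, doms in groups.items() if len(doms) >= 2}


def triage(records, keywords=EVENT_KEYWORDS):
    """Flag domains that match an event keyword, noting whether they also sit
    in an infrastructure cluster with other candidates."""
    clusters = cluster_by_infrastructure(records)
    clustered = {d for doms in clusters.values() for d in doms}
    flagged = []
    for rec in records:
        events = match_keywords(rec["domain"], keywords)
        if events:
            flagged.append({
                "domain": rec["domain"],
                "events": sorted(events),
                "shared_infra": rec["domain"] in clustered,
            })
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS):
        print(f"{hit['domain']:28} events={hit['events']} "
              f"shared_infra={hit['shared_infra']}")
```

A keyword hit alone only says a domain references a trending topic; the review queue should prioritise hits that also share registrar and hosting with other hits, which is the pattern the report describes for linked campaigns. Note that gork.ink carries no event keyword and is not flagged even though it sits in the largest infrastructure cluster, which is the intended behaviour: infrastructure overlap corroborates, it does not accuse.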
Read more: https://dti.domaintools.com/scams-malicious-domains-breaking-news/