Archive for Netcraft

Telegram’s Cybercrime Heyday is Fading Says Netcraft

Posted in Commentary with tags on September 12, 2025 by itnerd

Coming off the heels of Netcraft’s insight into homoglyph swapping scams, here’s some new insight for you to read.

Telegram quickly gained favor with bad actors for everything from distributing ransomware to pulling off romance scams; however, new research from Netcraft finds the messaging app may be losing favor with fraudsters.

What’s replacing it? Going full circle back to good old-fashioned email. Among Netcraft researchers’ latest findings:

  • While the number of websites using Telegram integrations tripled from May to June, the number of phishing sites using Telegram to transmit stolen data dropped sharply 
  • As platforms crack down, the battleground for credential theft is shifting  
  • Alongside the drop in Telegram usage, there was a 25% uptick in the use of email for credential delivery

You can read the research here: https://www.netcraft.com/blog/from-bots-to-inboxes-how-phishing-infrastructure-is-shifting-in-2025

Guest Post – Down the Hiragana Hole: Uncovering a New Wave of Lookalike Domains

Posted in Commentary with tags on August 28, 2025 by itnerd

Cybercriminals are always looking for new ways to trick people, using exploitative tactics to steal money, data, and sensitive information. Netcraft has observed a recent shift toward a subtle but clever tactic that exploits how we visually process text, using the Japanese Hiragana character ん. Netcraft uncovered novel attacks targeting cryptocurrency wallets and exchanges, prominent travel websites, and large cloud services, and has also seen security researchers use the technique in testing.

Initial reports earlier in August identified campaigns using this abuse against Booking.com. However, our own investigation revealed that the technique can be traced back to November 25, 2024, beginning with the domain ioんhardware-wallet[.]best. Netcraft later identified more than 600 related domains using this technique.

Figure 1: The Hiragana character “ん” (Latin “n”) deployed in a URL

By using carefully chosen lookalike Unicode characters in domain names, attackers can make fake website URLs that look almost identical to legitimate ones. This type of attack, often called a homoglyph attack, works because different scripts or writing systems have characters that look similar; think of a Latin ‘a’ and a Greek ‘α’ (alpha). This is not a new attack vector, dating back to the early 2000s, but threat actors have found a new twist that exploits an edge case in the processing rules designed to prevent confusion.

These attacks rely on “confusable” characters: Unicode code points that resemble Latin letters or symbols but are encoded differently. Recent activity has begun to use the Japanese character “ん” (hiragana ‘n’). At a quick glance it is meant to pass for a forward slash “/”, and once it is dropped into a domain name it is easy to see how convincing it can be. That tiny swap is enough to make a phishing domain look real, which is exactly what threat actors trying to steal logins and personal information or distribute malware want.

Figure 2: How Hiragana ん appears in Chrome’s URL display. The host domain name is “comprehensive-protection[.]guru” in the example shown.

To make these deceptive domains functional, threat actors rely on Punycode, a way to encode Unicode characters into ASCII so they can be used in DNS. For instance, a domain like example.comんlogin would be encoded as example.xn--comlogin-0o4g, allowing it to be registered and resolved like any other domain.

Tracing the Campaign’s Early Activity

Our investigation revealed that the majority of the 600 domains leveraging this deceptive character technique were aimed at cryptocurrency users. These domains frequently impersonated legitimate browser extensions, particularly fake versions of the Google Chrome Web Store, as part of an effort to lure victims into downloading malicious wallet applications. The impersonated wallets include Phantom, Rabby, OKX, Coinbase, MetaMask, Exodus, PancakeSwap, Bitget, and Trust.

Mapping the Infrastructure Behind New Domain Activity

Days after the Booking.com domains were uncovered, we identified a wave of newly registered domains that appeared shortly after the initial public reporting:

  • chromewebstore[.]google[.]comんdetailんokx-wallet.comprehensive-protection[.]guru
  • chromewebstore.google[.]comんdetailんrabby-wallet.comprehensive-protection[.]guru/

We decided to dig deeper to understand their intentions.

Fake Chrome Extension, Real Wallet Theft

Figure 3: Fake Chrome extension page mimicking OKX Wallet download

First, we took chromewebstore[.]google[.]comんdetailんokx-wallet.comprehensive-protection[.]guru and examined the contents of the phishing page, which mimicked Google’s Chrome Web Store page for downloading the OKX cryptocurrency wallet browser extension. Clicking “Add to Chrome” appeared to prompt us to add the OKX Wallet as an extension; however, this was fake. Instead, it redirected to /welcome, which prompted us to either create or import a wallet.

Figure 4: Navigation path leading to fake OKX Wallet import page

Once a seed phrase was entered, we observed that the phrase was sent to process.php, which appeared to validate the phrase before harvesting it. After validation, the seed phrase was leaked to the threat actors, giving them unlimited access to the victim’s Bitcoin wallet.

When a Browser Button Becomes a Malware Dropper

Figure 5: Fake Chrome Extension page mimicking Rabby Wallet download

While this page looks nearly identical to the example above, the outcome is quite different. Clicking “Add to Chrome” did not redirect us to a web-based seed phrase stealer. Instead, it immediately downloaded an .exe file named “acmacodkjbdgmoleebbolmdjsighsdch.exe,” a malicious file that the page implies is a Chrome browser extension named Rabby Wallet (a commonly available wallet for Ethereum and EVM cryptocurrencies). After the download, the page presents a fake error message claiming the installation failed and instructing the visitor to manually open the downloaded file.

Figure 6: Error message used to trick users into running the malicious file


Upon closer analysis, the .exe appears to be malicious. The file is signed with a valid cryptographic signature issued to OLAN LLC, which introduces a new layer of uncertainty. It is possible that the certificate belongs to a legitimate IT services company and that the threat actors are now leveraging it for malicious activity, just as other campaigns have abused legitimate commercial IT administration tools such as ConnectWise.

Further investigation revealed that the malware communicates with 826exe.carnegie.workers[.]dev. In communication we intercepted between the executable and this address, the program transmitted profile data about the infected system to its command & control service, including the logged-in user account name, machine name, operating system version, and other parameters.

Figure 7: The initial C2 check-in communication with profile data masked out

Subsequent connections to the C2 address revealed that the program self-identifies as “Performance Enhancement Tool v.3.7.2” and deploys a payload into a folder named PerformanceModules under the logged-in user’s AppData\Local folder path.

Figure 8: The “Performance Enhancement Tool” executable communicates with its C2 that it has deployed a payload under the MyTestExtension folder

Inside that folder, the malware placed a subfolder named Module_ followed by eight random hexadecimal characters, and inside that subfolder it created a folder named MyTestExtension containing more than 900 files. These appear to include some of the actual Rabby Wallet code, as well as scripts, images, and text that seem to have nothing to do with Rabby Wallet, including references to online Web games. Some of the graphics embedded in this code appear to prompt the user with guidance on how to change the wallet address that holds their cryptocurrency.

Figure 9: The “Rabby Wallet” code appears inside the MyTestExtension folder that the executable drops into the user’s AppData path

Additionally, we identified a malicious payload hosted at storage.googleapis[.]com/8-26b/acmacodkjbdgmoleebbolmdjsighsdch.exe. This suggests a well-orchestrated setup that blends certificate abuse, cloud-hosted payloads, and evasive infrastructure to facilitate data theft or remote access.

Figure 10: Fraudulent extension mimicking Rabby Wallet interface

The Spread of Phishing Abuse Continues

Following the initial wave of phishing domains targeting Booking.com and popular cryptocurrency wallets, our investigation uncovered a broader and rapidly evolving infrastructure leveraging the deceptive character. While many of these domains initially focused on impersonating cryptocurrency platforms, we have since identified a growing number of domains that extend beyond crypto and travel sectors.

A significant portion of these newly observed domains currently lack active content, but their structural patterns, registration timing, and thematic similarities suggest they are likely part of a coordinated setup. Notably, the domains that do not target cryptocurrency began appearing shortly after public reporting on August 14, 2025, indicating that threat actors may be quickly adopting this tactic across multiple verticals.

Some of the newly discovered domains appear to target major tech platforms. For instance, we found several Microsoft-themed domains such as:

Microsoft[.]comんmeetup-joinん19meeting[.]otc4zjbhztytnji4ny0[.]com

Microsoft[.]comんmeetup-joinん19meeting[.]x1ls8966x1kpvhfamqo[.]com

Microsoft[.]comんmeetup-joinん19meeting[.]1lckz6ox3gfx4l6wud7[.]com

These domains are crafted to look like legitimate meeting or collaboration links, likely aiming to exploit trust in workspace tools.

In addition, we identified a domain impersonating Cloudflare:

Cloudflare[.]comんdetailんrestric-access[.]com-restrict[.]net

This domain impersonates Cloudflare’s access control feature. Interestingly, both the original Booking.com phishing domain hxxps://account[.]booking[.]comんdetailんrestric-access[.]www-account-booking[.]com/en/ and the Cloudflare domain share the same hostname segment: restric-access. This reuse of hostname structure across different brands suggests a shared domain generation pattern or toolkit, possibly indicating a common threat actor or an automated infrastructure setup.

Other domains seem to target educational services. Examples include:

sdu[.]edu[.]cnんcasんlogin[.]pass-sdu-edu[.]cn

These resemble login portals for universities and could be used in credential harvesting campaigns targeting students.

We also observed additional crypto-related domains such as booth[.]pmんgiftsん8f53a3a2-adbc-4d10-9d03-f338215de494ん[.]sakurayuki[.]dev, which appears to be themed around digital gifts or giveaways, a common lure in crypto phishing. Another domain, www[.]revolut[.]comんviewんtransactionんb3edf3638c29m4qdl5kdlx3んstatus[.]online, mimics the all-in-one finance application, likely intending to exploit user trust in and familiarity with financial platforms.

In addition to these, we found several domains that are likely test cases or proof-of-concept setups, possibly created by researchers or security teams:

google[.]comんdetailsんaccount[.]test[.]c0ffee[.]ca

mail[.]lgss-spb[.]ruんlogin[.]donot[.]press

nubank[.]comんsuacontaんcadastropessoal[.]webphishing[.]com

These domains contain keywords such as “test”, “donot[.]press”, and “webphishing”, which suggest they are likely not part of active malicious campaigns but rather used for experimentation or awareness.

While these domains are not currently serving malicious content, their existence highlights how quickly this tactic is spreading. It’s common for threat actors to register domains in advance, either to avoid detection or to prepare infrastructure for future campaigns. The consistent use of the ん character across both malicious and experimental domains reinforces its potential as a tool for visual deception.

Implications for Defenders

One of the challenges with tracking these kinds of phishing campaigns is that Unicode makes detection and monitoring more complex than it is for traditional Latin characters. Characters like ん are visually similar to Latin letters but are encoded differently, so they can slip past basic string-matching filters or regex-based detection rules.

Chrome’s IDN policy allows certain scripts, such as Latin and Hiragana, to be used together within a single label. This is permitted to support multilingual domain names, with some exceptions to prevent abuse. For example, Chrome restricts combinations that are known to be highly confusable or deceptive. However, the policy still allows enough flexibility that threat actors can exploit visually similar characters like ん in phishing domains.

Many security tools and URL scanners aren’t configured to normalize or visually compare Unicode characters, which allows these domains to evade automated detection.
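The Punycode mapping described earlier (example.comんlogin becoming example.xn--comlogin-0o4g) and the per-label script check that basic string-matching filters lack, as an added Python example that is not part of Netcraft’s post; the sample hostnames are constructed, and the two-label rule for the registrable domain is a simplifying assumption.

```python
import unicodedata

# Constructed sample hostnames. The first is the post's own Punycode example;
# the second mirrors the structure of the Chrome Web Store lookalikes described
# above (brand-looking prefix, Hiragana "slashes", attacker-registered suffix);
# the third is an ordinary ASCII host that must not be flagged.
SAMPLE_HOSTS = [
    "example.comんlogin",
    "chromewebstore.google.comんdetailんokx-wallet.comprehensive-protection.guru",
    "www.example.com",
]

HIRAGANA_N = "\u3093"  # ん, the confusable used in place of "/"


def to_ascii(host: str) -> str:
    """Return the A-label (Punycode) form that is actually registered in DNS."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Accept either form and return the U-label form a browser may display."""
    return host.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Coarse script bucket for one character, derived from its Unicode name."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    return name.split()[0].title() if name else "Unknown"


def mixed_script_labels(host: str) -> list[tuple[str, set[str]]]:
    """Labels that mix Latin letters with another script (e.g. Hiragana).

    A substring or regex filter keyed on the ASCII brand name never sees the
    difference between "/" and "ん"; comparing scripts per label does.
    Digits and "-" are "Common" and ignored.
    """
    findings = []
    for label in to_unicode(host).split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if "Latin" in scripts and len(scripts) > 1:
            findings.append((label, scripts))
    return findings


def apparent_vs_actual(host: str) -> tuple[str, str]:
    """What a victim reads before the first ん versus the registrable domain.

    Assumption: the registrable domain is approximated as the last two labels;
    a production check would consult the Public Suffix List instead.
    """
    u = to_unicode(host)
    apparent = u.split(HIRAGANA_N, 1)[0]
    actual = ".".join(u.split(".")[-2:])
    return apparent, actual


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h}\n  DNS form : {to_ascii(h)}")
        for label, scripts in mixed_script_labels(h):
            print(f"  mixed    : {label!r} uses {sorted(scripts)}")
        if HIRAGANA_N in to_unicode(h):
            seen, real = apparent_vs_actual(h)
            print(f"  looks like {seen!r} but is served by {real!r}")
```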

Outpacing Confusable Character Threats

The use of confusable Unicode characters in phishing domains isn’t new but is evolving. The abuse of Hiragana ん is just one example of how subtle character swaps can bypass filters and fool even vigilant users. Netcraft will continue to monitor this tactic, track emerging infrastructure, and share updates as attackers refine their methods.

Threat Actors Poison AI Assistants to Spread Malicious Code & LLM Falls for Phishing Scam Sites

Posted in Commentary with tags on July 1, 2025 by itnerd

Netcraft has released a new blog post on LLMs falling for phishing, analyzing what happens when you ask an AI where to log in to various well-known platforms, the real-world impact of phishing sites recommended by an AI model, and a campaign to poison AI coding assistants.

Netcraft’s analysis revealed that 34% of all suggested domains were not brand-owned and were potentially harmful, and that many of the unregistered domains could easily be claimed and weaponized by attackers, opening the door to large-scale phishing campaigns indirectly endorsed by user-trusted AI tools.

Netcraft observed a real-world instance where Perplexity suggested a phishing site when asked for the URL to log in to Wells Fargo. The link was surfaced by the AI rather than by SEO and recommended directly to the user, bypassing traditional signals like domain authority or reputation.

Netcraft also uncovered a campaign to poison AI coding assistants in which the threat actor created a malicious API designed to impersonate a legitimate blockchain interface, engineering the entire ecosystem around it to bypass filters and reach developers through AI-generated code suggestions. 

Multiple fake accounts, with rich bios, profile images, social media accounts, and credible coding activity, shared a project with the malicious API hidden inside its repository; the whole setup was crafted to be indexed by AI training pipelines.

Netcraft found victims who copied this malicious code into their public projects, some of which show signs of being built using AI coding tools, so those poisoned repos are feeding back into the training loop, causing a supply chain attack.

You can read the blog post here.

Organized SEO Poisoning Operation Using Hacklink Marketplace for Phishing Campaign 

Posted in Commentary with tags on June 17, 2025 by itnerd

Netcraft has released new research uncovering an organized SEO poisoning operation where compromised websites are manipulated to boost malicious URLs in search engine rankings using Hacklink, a black market service designed specifically to help adversaries automate their exploitation efforts, often with devastating results for targeted industries such as online gambling. 

Scammers use Hacklink control panels to insert links to phishing or illicit websites into the source code of legitimate but compromised domains, which are tailored with anchor text to specific keywords so that when users search for relevant terms, such as gambling-related phrases, they are served search results that include, and sometimes prioritize, the attacker-controlled websites.

The injected content is subtle, often invisible to site owners or casual visitors, but highly effective at influencing Google’s PageRank system. Sites are chosen by threat actors based on their reputational value, with links from .gov, .edu, and ccTLDs used to boost the credibility of their malicious content. While legitimate SEO is a cornerstone of digital marketing, the techniques used here cross into fraud, with fake pharmacies, adult content, and phishing pages all benefiting from artificially elevated visibility. 

One particularly concerning and active tactic for this growing campaign of SEO poisoning is the targeting of online casinos/gambling companies operating in the Turkish market with organized groups like “Neon SEO Academy” and “SEOLink” offering services to manipulate SEO rankings for phishing and fraud.

You can read the research here.

New Recruitment Scams: 3 Threat Actors Exploit Government of Singapore, US Logistics Recruiter, Digital Development Agenc

Posted in Commentary with tags on May 7, 2025 by itnerd

Netcraft has observed a recent spike in recruitment scams, uncovering significant impact from three unique adversaries, each leveraging different tactics to target job seekers:

  • Threat Actor #1 impersonates employers in the tech vertical using advance fee fraud (AFF) tactics – Celadonsoft & SoftServ 
  • Threat Actor #2 impersonates a logistics recruitment agency using similar AFF tactics: localized scams focused on 18 geographies & 63,000 people targeted in the U.S. alone – Picked Well
  • Threat Actor #3 impersonates the Government of Singapore to steal victims’ personal identity number and Telegram account details 

You can find the blog now live at https://www.netcraft.com/blog/diving-into-the-talent-pool-threat-actors-target-job-seekers-with-complex-recruitment-scams/

Netcraft Publishes Details About A New Scam via Trump’s Social Media Platform

Posted in Commentary with tags on January 16, 2025 by itnerd

Netcraft has published a new blog post detailing its initial analysis of threat actors and malicious campaigns deployed using Truth Social, the social media platform created by Trump Media & Technology Group (TMTG) in 2022, to target its users. 

Key findings include:

  • Threat actors immediately target new Truth Social users — Netcraft received over 30 messages within hours of creating an account.
  • Truth Social’s group structure gives threat actors easy access to target groups with more than 100,000 members.
  • Advance Fee Fraud scams average $250, with some scammers asking for as much as $1,000 at once on Truth Social.
  • A Central European, French-speaking threat actor targets global victims by impersonating trusted brands, including Spotify, Disney+, EasyPark, Sky, Netflix, and Google.

You can read the blog post here.

New Research Reveals Fake Stores Using LLMs to Generate Text for Product Listings During Holiday Season

Posted in Commentary with tags on November 26, 2024 by itnerd

With Cyber Week (running from Black Friday to Cyber Monday) just around the corner, online stores are offering significant discounts to entice consumers to buy their products. While legitimate brands provide great offers, some discounts are an indication of more malevolent activity—fraudulent online stores. In 2023, there was a 135% increase in fake online stores leading up to the holidays, a trend that has continued through 2024.

Netcraft has released its latest blog post, exploring the company’s research into the global growth of fake stores, including activity that makes use of the e-commerce platform SHOPYY to target Black Friday shoppers.

SHOPYY is a Chinese e-commerce platform offering a broad portfolio of technical solutions to help retailers build and optimize online stores, promote products, and accept different payment types. SHOPYY also provides hosting and domain registration on behalf of store operators.

While some legitimate businesses use SHOPYY, Netcraft research has detected thousands of SHOPYY-powered fake stores and the use of Large Language Models (LLMs) to generate text for their product listings.

Highlights of the research include:

  • An increase of 110% in fake stores identified between August and October 2024
  • 20% more fake stores in November this year than in November 2023
  • Tens of thousands of fake stores utilizing e-commerce tech platform SHOPYY
  • More than 66% of SHOPYY-powered sites identified as fake stores

You can read the research here.

New Mandarin Chinese Phishing Kit: UK, US, ES, AU, JPN Victims Across Public, Postal, Banking Sectors

Posted in Commentary with tags on October 31, 2024 by itnerd

Netcraft has published its latest research into a phishing kit used in campaigns targeting the UK, US, Spain, Australia, and Japan from September 2024.

Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams.

Netcraft has identified over 2,000 phishing websites built with the kit, which uses a branded mascot and interactive features added for entertainment.

Netcraft discovered organizations targeted across the public sector and the postal, digital services, and banking sectors.

Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection.

The kit uses Mandarin Chinese throughout and provides users with an admin panel to configure and manage phishing campaigns.

You can read the details here.

Cyber Threat Researcher Uncovers Expansive UK/EMEA Quishing Parking Scam

Posted in Commentary with tags on September 18, 2024 by itnerd

Earlier this month, RAC issued an alert warning UK motorists to be wary of threat actors using QR code stickers to lure them to malicious websites. These sites are designed to impersonate parking payment providers and exfiltrate personal data and payment information.

Netcraft has released its latest research diving into the recent surge in QR code parking scams in the UK and across Europe. The research provides insight into the criminals behind the attacks, whose behaviours and characteristics reveal the scale and strategic approach being used.

Insights include: 

  • At least two threat groups identified, one of which Netcraft can link to customs tax and postal scams carried out earlier this year. 
  • Up to 10,000 potential victims identified visiting this group’s phishing websites 
  • At least 2,000 form submissions, indicating how much personal data has been extracted from victims, including payment information. 
  • Evidence suggesting the group is running activity across Europe, including France, Germany, Italy, and Switzerland.

You can get more details here.

New AI-Generated Crypto Phishing Threat Actor Exploits 30 Major Brands 17K+ Fake GitBook Lure Sites

Posted in Commentary with tags on July 18, 2024 by itnerd

Netcraft has revealed a novel crypto phishing campaign in which a threat actor that Netcraft has been tracking for a year is using AI-generated content to create 17,000 phishing lure sites impersonating more than 30 major crypto brands, including Coinbase, Crypto.com, Metamask, and Trezor. 

The lure and phishing sites are part of a massive multi-step attack, including those that capture login credentials and two-factor authentication (2FA) codes, as AI allows attackers to create high-quality content at an unprecedented scale, impossible with manual effort. 

Hosted on GitBook, a documentation platform for software developers, the sites claim to provide advice and tutorials for a wide range of crypto industry brands. They contain a CTA link redirecting to domains with a UUID to track user visits, and these domains appear to be registered with access keys and hosted by Amazon.

The redirect URLs use advanced traffic distribution systems to mask the relationships between attack infrastructure, choosing the redirect destination based on different factors in order to hide the phishing infrastructure from security researchers.

The end phishing sites in this campaign aim to obtain one of two credentials: the victim’s login details for the cryptocurrency platform or the seed recovery phrase for the victim’s wallet. Netcraft has been tracking this campaign and has observed the attackers evolving their strategies in response to countermeasures. 

You can read the details here.