Cyber Security News

Threat Actors Register Over 26,000 Domains Imitating Brands to Deceive Users

Researchers from Unit 42 have uncovered a massive wave of SMS phishing, or “smishing,” activity targeting unsuspecting users.

Since the FBI’s initial warning in April 2024, over 91,500 root domains associated with smishing have been identified and blocked.

However, the momentum of this malicious activity has intensified in 2025, with a staggering peak of 26,328 domains registered in March alone.

According to the team of researchers, including Reethika Ramesh and Daiping Liu, the past three months have seen over 31 million queries for these malicious domains, underscoring the scale and persistence of this campaign.

Evolving Techniques and Geolocation-Based Lures

The smishing domains follow distinct naming patterns designed to mimic legitimate entities, such as “gov-[a-z0-9]*” or “paytoll[a-z0-9],” often using varied top-level domains (TLDs) like .top, .vip, .xin, or .com.

These domains are typically short-lived, with 70% of the associated traffic occurring within just seven days of registration.

This ephemeral nature makes timely detection and mitigation critical.

Unit 42’s telemetry reveals that blocking Newly Registered Domains (NRDs) for a month can filter out 85% of smishing traffic, offering a potent defense strategy for organizations.

Alarmingly, attackers are employing cloaking techniques to evade detection and are increasingly customizing their lures based on the geolocation of recipients’ phone numbers, derived from area codes.

This tailored approach heightens the likelihood of victims falling for scams that appear hyper-local and relevant, such as fraudulent toll payment requests or delivery notifications.

The data also highlights a concentration of domain registrations, with 75.4% tied to a single registrar, Dominet (HK) Limited, based in Hong Kong.

This concentration suggests a coordinated effort by threat actors to take advantage of weak controls or lax oversight at that registrar.

Compared to 2024, smishing traffic has surged in 2025, reflecting an adaptive and aggressive strategy by cybercriminals.

Recent examples of malicious domains include “gov-mfc[.]com” registered on April 23, 2025, and “paytollwec[.]vip” from March 11, 2025, often hosting URLs that impersonate trusted brands like USPS or regional toll services to trick users into providing sensitive information or making payments.
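To show how the reported indicators translate into detection logic, the following is an added example (not code from Unit 42 or the article): it screens constructed DNS resolver log lines against the naming patterns and TLDs above, and against a 30-day newly-registered-domain window. The registration-date table stands in for a WHOIS or NRD feed; only the dates for the two domains named in the article are taken from it, every other domain and date is constructed, and the `paytoll[a-z0-9]+` quantifier and the single-label-TLD assumption are mine.

```python
import re
from datetime import date, datetime

# Naming patterns Unit 42 reported for the smishing domains (from the article).
# The article writes "paytoll[a-z0-9]"; the "+" is an assumption so that longer
# suffixes such as "paytollwec" also match.
SMISHING_NAME_PATTERNS = [
    re.compile(r"^gov-[a-z0-9]*$"),
    re.compile(r"^paytoll[a-z0-9]+$"),
]
SUSPECT_TLDS = {"top", "vip", "xin", "com"}   # TLDs the article lists
NRD_WINDOW_DAYS = 30   # article: blocking NRDs for a month filters ~85% of smishing traffic

# Constructed stand-in for a registration-date feed. The two dates for the
# article's example domains come from the article; the rest are made up.
REGISTRATION_DATES = {
    "gov-mfc.com": date(2025, 4, 23),
    "paytollwec.vip": date(2025, 3, 11),
    "shop-deals.top": date(2025, 4, 20),   # constructed NRD with a benign-looking name
    "example.com": date(1995, 8, 14),      # constructed long-lived domain
}

def split_domain(qname):
    """Return (root domain, second-level label, TLD); assumes single-label TLDs."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[-2], labels[-1]

def classify(qname, query_day):
    """Return the root domain and the list of reasons it is suspicious (empty if none)."""
    root, name, tld = split_domain(qname)
    reasons = []
    if tld in SUSPECT_TLDS and any(p.match(name) for p in SMISHING_NAME_PATTERNS):
        reasons.append("smishing-name-pattern")
    registered = REGISTRATION_DATES.get(root)
    if registered is not None and (query_day - registered).days < NRD_WINDOW_DAYS:
        reasons.append("newly-registered")
    return root, reasons

def scan_dns_log(lines):
    """Scan 'timestamp client qname' log lines; return (root, client, reasons) for hits."""
    flagged = []
    for line in lines:
        ts, client, qname = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
        root, reasons = classify(qname, day)
        if reasons:
            flagged.append((root, client, reasons))
    return flagged

# Constructed resolver log: ISO timestamp, client IP, queried name.
SAMPLE_LOG = [
    "2025-04-25T09:12:03 10.0.0.21 gov-mfc.com",          # pattern + registered 2 days earlier
    "2025-04-25T09:13:44 10.0.0.37 www.paytollwec.vip",   # pattern only (45 days old)
    "2025-04-25T09:14:10 10.0.0.21 intranet.example.com", # benign, old domain
    "2025-04-25T09:15:00 10.0.0.44 shop-deals.top",       # NRD only, no name pattern
]
```

The two signals are kept separate so a SOC can tune them independently: the name patterns catch this campaign's branding, while the NRD check catches the next lure family before anyone has written a regex for it.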

According to the report, this smishing epidemic serves as a stark reminder of the evolving sophistication of cyber threats.

The rapid registration of tens of thousands of domains, coupled with geolocation-based targeting, demonstrates how threat actors continuously refine their tactics to maximize impact.

Organizations and individuals must remain vigilant, leveraging advanced threat intelligence and proactive defenses like NRD blocking to counteract these short-lived but highly disruptive campaigns.

As Unit 42 continues to monitor and share indicators of compromise (IOCs), staying ahead of these deceptive practices will require a collaborative effort across cybersecurity communities to protect users from falling prey to these meticulously crafted scams.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
