🚗 Re‑tax, don't do it?! 💷
We're seeing an ongoing phishing campaign impersonating the UK Government Vehicle Tax website, telling victims to "Renew your Vehicle Tax Now".
No need for official reference numbers or details from your vehicle log book — this page will happily collect a handful of personal and payment card details before helpfully dumping you back at the GOV.UK search page, all as if nothing ever happened.
📝 Victims are prompted to enter their name, address, postcode and mobile number…
💳 ...along with their payment card number, expiry date and card verification value (CVV)
In other words, pretty much everything you'd need to make fraudulent charges — or resell the details on to other scammers.
Unsurprisingly, this activity originates from an off‑the‑shelf phishing kit, sold and advertised on Telegram by an actor we're tracking. It's one of several kits they offer, targeting both government and commercial brands worldwide.
As is to be expected, this kit has been deployed on a mix of compromised hosts and dedicated registered domains, such as this example in January:
⛔️ `licence-updates[.]com`
The current campaign is abusing Bluehost's shared hosting, with multiple `mybluehost[.]me` subdomains serving identical phishy content:
⛔️ `ksh[.]bfm[.]mybluehost[.]me`
⛔️ `qqw[.]cjf[.]mybluehost[.]me`
⛔️ `qsh[.]xka[.]mybluehost[.]me`
⛔️ `wvj[.]xnj[.]mybluehost[.]me`
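For defenders checking their own DNS logs against the hostnames above, here is an added example (not part of the original post or the kit). It refangs the indicators and matches them exactly or as a parent of the queried name, without flagging the whole of the shared `mybluehost[.]me` parent. The log format, timestamps and client addresses are constructed, and the first indicator is deliberately written with a non-breaking hyphen (U+2011) to show a common copy-paste failure.

```python
import re

# Indicators as published in the post (defanged). The first is written with a
# non-breaking hyphen, as text copied from a rendered page often is.
PUBLISHED = [
    "licence\u2011updates[.]com",
    "ksh[.]bfm[.]mybluehost[.]me",
    "qqw[.]cjf[.]mybluehost[.]me",
    "qsh[.]xka[.]mybluehost[.]me",
    "wvj[.]xnj[.]mybluehost[.]me",
]

# Unicode dash look-alikes that must become ASCII hyphen-minus in a hostname.
DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")

def refang(indicator: str) -> str:
    """Turn a defanged indicator into a canonical lowercase hostname."""
    host = indicator.strip().translate(DASHES)
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    host = re.sub(r"^hxxps?://", "", host, flags=re.I)
    return host.split("/")[0].rstrip(".").lower()

BLOCKLIST = {refang(i) for i in PUBLISHED}

def matched_indicator(qname: str):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None

# Constructed DNS query log lines: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2025-01-01T09:00:01Z 10.0.0.12 www.gov.uk. A
2025-01-01T09:00:05Z 10.0.0.12 ksh.bfm.mybluehost.me. A
2025-01-01T09:00:09Z 10.0.0.31 WWW.Licence-Updates.com. AAAA
2025-01-01T09:00:14Z 10.0.0.44 abc.def.mybluehost.me. A
2025-01-01T09:00:20Z 10.0.0.44 notlicence-updates.com. A
"""

def scan(log_text: str):
    """Return (client, qname, indicator) for every query that hits the list."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        hit = matched_indicator(qname)
        if hit:
            hits.append((client, qname, hit))
    return hits
```

Matching on whole labels keeps `notlicence-updates.com` and unrelated `mybluehost.me` tenants out of the results, while still catching case variants and `www.` prefixes of the listed names.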
FRANKIE SAYS: If you didn't start on GOV.UK, the only thing getting renewed 'immediatley' [sic] is the scammer's stolen card inventory!
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing