A new round of mobile phish is imitating the State of California’s “Franchise Tax Board” in a round of phishing sites that are gaining prominence in the past few days. I visited ftb.ca-gov-sg[.]top/notice from a burner phone to see how the scheme works (the page doesn’t load from the Windows browsers I tested.)
After harvesting all of my private information, the site informs me that I had a $1050 refund available. The phish claims that “Bank Routing” is unavailable due to “system maintenance” and offers the option to send my refund via my Credit Card if I just provide the card number, expiration date, and CVV.
urlscan.io shows at least 300 domains have been observed, all using a hostname pattern that starts with “ftb.cagov” or “ftb.ca-gov” following by some random characters and using TLDs “.cfd” or “.cc”
Most of the observed domains were registered at Dominet (HK) Limited, and likely all are hosted at TENCENT, though most are having their location protected by the reverse proxy service at CloudFlare. (All of the non-CloudFlare ones are on TenCent).
Some recent example hostnames are:
- ftb.cagov-ac[.]cfd
- ftb.cagov-bd[.]cfd
- ftb.cagov-ch[.]cfd
- ftb.ca-gov-ci[.]cfd
- ftb.cagov-ckt[.]cc
- ftb.cagov-ga[.]cc
- ftb.ca-gov-gd[.]cfd
- ftb.cagov-gi[.]cc
- ftb.cagov-go[.]cc
- ftb.cagov-idr[.]cc
- ftb.cagov-nb[.]cfd
- ftb.cagov-ork[.]cc
- ftb.ca-gov-pf[.]cfd
- ftb.cagov-rld[.]cc
- ftb.cagov-tes[.]cc
- ftb.cagov-tuf[.]cc
- ftb.cagov-tug[.]cc
- ftb.cagov-tum[.]cc
- ftb.cagov-vkd[.]cc
- ftb.cagov-whe[.]cc
- ftb.cagov-wht[.]cc
- ftb.cagov-whu[.]cc
- ftb.cagov-why[.]cc
- ftb.ca-gov-yg[.]cfd
- ftb.cagov-ytk[.]cc
There have been 190 domains observed by URLScan that included the pattern “*.cagov-xx.cc” with the first round imitating California’s DMV from June 23rd to June 25th. The “FTB” pattern began August 19th with ftb.cagov-ge[.]cc/notice and continuing with 143 more reported domains, including 32 domains reported today. The “cagov-XX.cfd” pattern began on August 31st and has been seen using 31 domains. “ca-gov-XX.cfd” also began August 31st and has used 58 domains so far, all hosted at TENCENT.
Searching by IP address using ZETAlytics ZoneCruncher, we find at least 105 domains hosted on four TenCent IP addresses:
41 domains hosted on 170.106.140[.]181
38 domains hosted on 43.153.19[.]10
14 domains hosted on 49.51.188[.]94
12 domains hosted on 43.130.56[.]94
