Threat Actors Register Over 26,000 Domains Imitating Brands to Deceive Users

Researchers from Unit 42 have uncovered a massive wave of SMS phishing, or “smishing,” activity targeting unsuspecting users.

Since the FBI’s initial warning in April 2024, over 91,500 root domains associated with smishing have been identified and blocked.

However, the momentum of this malicious activity has intensified in 2025, with a staggering peak of 26,328 domains registered in March alone.

According to the team of researchers, including Reethika Ramesh and Daiping Liu, the past three months have seen over 31 million queries for these malicious domains, underscoring the scale and persistence of this campaign.

Evolving Techniques and Geolocation-Based Lures

The smishing domains follow distinct naming patterns designed to mimic legitimate entities, such as “gov-[a-z0-9]*” or “paytoll[a-z0-9],” often using varied top-level domains (TLDs) like .top, .vip, .xin, or .com.

These domains are typically short-lived, with 70% of the associated traffic occurring within just seven days of ...