{ "name": "330 custom email domains, and what this tells us about how attackers build infrastructure for fake account creation", "slug": "330-custom-email-domains-and-what-this-tells-us-about-how-attackers-build-infrastructure-for-fake-account-creation", "description": "A large-scale fake account creation campaign was detected and blocked, involving tens of thousands of attempted registrations using bots. The attackers employed a modified Chrome browser with anti-detect techniques like canvas randomization. The campaign stood out due to the use of 330 unique custom email domains, created between August 16 and September 8, 2025, specifically for bypassing anti-abuse defenses. This approach made detection more challenging as the domains appeared legitimate and would not be found on public blocklists. The investigation highlights the limitations of relying solely on static disposable domain lists and emphasizes the need for a multi-layered defense approach, including fingerprinting, behavioral analysis, proxy detection, and email intelligence.", "published": "2025-11-18T20:53:43+00:00", "created_at": "2025-11-18T20:53:43+00:00", "modified_at": "2025-11-18T21:45:18+00:00", "created_at_opencti": "2025-11-18T20:53:43+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-11-18", "anti-abuse", "behavioral analysis", "bot detection", "domain registration", "email infrastructure", "fake accounts", "fingerprinting" ], "related_entities": { "observables": [ { "id": "", "name": "zyricon.biz" }, { "id": "", "name": "zyvantis.biz" }, { "id": "", "name": "zyrantis.biz" }, { "id": "", "name": "zyphobiz.biz" }, { "id": "", "name": "zyntravo.biz" }, { "id": "", "name": "zuhanga.store" }, { "id": "", "name": "zonelush.store" }, { "id": "", "name": "zerya.store" }, { "id": "", "name": "zerla.store" }, { "id": "", "name": "zerico.store" }, { "id": "", "name": "zentrium.store" }, { "id": "", "name": "zentivo.biz" }, { "id": "", "name": "zenqora.biz" }, { "id": "", "name": "zenithra.biz" }, { "id": "", "name": "zelixo.biz" }, { "id": "", "name": "zaferyolu.biz" }, { "id": "", "name": "yinchemails.store" }, { "id": "", "name": "yeniufuk.biz" }, { "id": "", "name": "xyntra.store" }, { "id": "", "name": "xyden.store" }, { "id": "", "name": "xerovian.biz" }, { "id": "", "name": "xonitra.biz" }, { "id": "", "name": "wetherby.store" }, { "id": "", "name": "westgrove.store" }, { "id": "", "name": "westbridge.store" }, { "id": "", "name": "voltrix.biz" }, { "id": "", "name": "vitalpath.biz" }, { "id": "", "name": "visionpartners.biz" }, { "id": "", "name": "virtelon.store" }, { "id": "", "name": "vinchemails.store" }, { "id": "", "name": "veyora.biz" }, { "id": "", "name": "veylor.biz" }, { "id": "", "name": "ventaris.biz" }, { "id": "", "name": "veradix.store" }, { "id": "", "name": "veliona.biz" }, { "id": "", "name": "velantis.biz" }, { "id": "", "name": "valorcrest.biz" }, { "id": "", "name": "valentra.biz" }, { "id": "", "name": "ustravon.biz" }, { "id": "", "name": "urbanpeak.biz" }, { "id": "", "name": "urbantrade.biz" }, { "id": "", "name": "urbanconsult.biz" }, { "id": "", "name": "univesta.biz" }, { "id": "", "name": "unitrex.store" }, { "id": "", "name": "unitara.store" }, { "id": "", "name": "umutlar.biz" }, { "id": "", "name": "uinchemails.store" }, { "id": "", "name": "ulyvora.biz" }, { "id": "", "name": "tulvora.biz" }, { "id": "", "name": "trustvia.store" }, { "id": "", "name": "trustovia.store" }, { "id": "", "name": "trustgate.biz" }, { "id": "", "name": "truevale.biz" }, { "id": "", "name": "truetrend.biz" }, { "id": "", "name": "trovantis.biz" }, { "id": "", "name": "trivora.biz" }, { "id": "", "name": "treya.store" }, { "id": "", "name": "trevia.biz" }, { "id": "", "name": "trevox.store" }, { "id": "", "name": "trelyon.biz" }, { "id": "", "name": "torvento.biz" }, { "id": "", "name": "transico.store" }, { "id": "", "name": "torvantis.biz" }, { "id": "", "name": "toptrust.biz" }, { "id": "", "name": "topgoal.biz" }, { "id": "", "name": "tkilima.online" }, { "id": "", "name": "tinchemails.store" }, { "id": "", "name": "techthrive.biz" }, { "id": "", "name": "techspire.biz" }, { "id": "", "name": "techbizgroup.biz" }, { "id": "", "name": "sylvora.biz" }, { "id": "", "name": "swifttrend.biz" }, { "id": "", "name": "summittrust.store" }, { "id": "", "name": "summitline.biz" }, { "id": "", "name": "strivaro.store" }, { "id": "", "name": "strovian.biz" }, { "id": "", "name": "stravion.biz" }, { "id": "", "name": "stravica.biz" }, { "id": "", "name": "stratovix.store" }, { "id": "", "name": "stratmore.store" }, { "id": "", "name": "strathmore.store" }, { "id": "", "name": "stonewell.store" }, { "id": "", "name": "statora.store" }, { "id": "", "name": "solvira.biz" }, { "id": "", "name": "solidora.biz" }, { "id": "", "name": "smartpeak.biz" }, { "id": "", "name": "softpeak.biz" }, { "id": "", "name": "smartobiz.biz" }, { "id": "", "name": "silverbrook.store" }, { "id": "", "name": "shopease.biz" }, { "id": "", "name": "servebiz.biz" }, { "id": "", "name": "savorent.biz" }, { "id": "", "name": "rovexa.biz" }, { "id": "", "name": "risepoint.biz" }, { "id": "", "name": "risevibe.biz" }, { "id": "", "name": "ridgewell.store" }, { "id": "", "name": "ridgepoint.biz" }, { "id": "", "name": "ridgehaven.store" }, { "id": "", "name": "ridgefield.store" }, { "id": "", "name": "redmont.store" }, { "id": "", "name": "ravencrest.store" }, { "id": "", "name": "qryvion.biz" }, { "id": "", "name": "qeyra.store" }, { "id": "", "name": "qenzor.biz" }, { "id": "", "name": "pylorix.biz" }, { "id": "", "name": "pryva.store" }, { "id": "", "name": "pyloria.biz" }, { "id": "", "name": "pryvista.biz" }, { "id": "", "name": "prionix.store" }, { "id": "", "name": "primetrax.store" }, { "id": "", "name": "primetra.store" }, { "id": "", "name": "primebiz.biz" }, { "id": "", "name": "plorantis.biz" }, { "id": "", "name": "plenxor.biz" }, { "id": "", "name": "pinchemails.store" }, { "id": "", "name": "peakpoint.biz" }, { "id": "", "name": "peakfold.store" }, { "id": "", "name": "oxirax.store" }, { "id": "", "name": "oxio.store" }, { "id": "", "name": "ovrix.store" }, { "id": "", "name": "oryvia.biz" }, { "id": "", "name": "orvenix.biz" }, { "id": "", "name": "orvelta.biz" }, { "id": "", "name": "optivora.biz" }, { "id": "", "name": "optivex.store" }, { "id": "", "name": "optivex.biz" }, { "id": "", "name": "optimobiz.biz" }, { "id": "", "name": "optiron.biz" }, { "id": "", "name": "omviora.biz" }, { "id": "", "name": "omvex.store" }, { "id": "", "name": "omvex.biz" }, { "id": "", "name": "omnivera.biz" }, { "id": "", "name": "omnilis.store" }, { "id": "", "name": "omnitor.biz" }, { "id": "", "name": "omniglobe.store" }, { "id": "", "name": "olyvante.biz" }, { "id": "", "name": "olinge.store" }, { "id": "", "name": "oceansky.biz" }, { "id": "", "name": "oakmere.store" }, { "id": "", "name": "oakleigh.store" }, { "id": "", "name": "noxenta.biz" }, { "id": "", "name": "novizo.biz" }, { "id": "", "name": "novabiz.biz" }, { "id": "", "name": "northvale.biz" }, { "id": "", "name": "northminster.store" }, { "id": "", "name": "northdale.store" }, { "id": "", "name": "northcrest.store" }, { "id": "", "name": "nexverra.store" }, { "id": "", "name": "nexuswave.biz" }, { "id": "", "name": "nexiron.biz" }, { "id": "", "name": "nexabiz.biz" }, { "id": "", "name": "neurovia.biz" }, { "id": "", "name": "myronex.biz" }, { "id": "", "name": "myntora.biz" }, { "id": "", "name": "myntivar.biz" }, { "id": "", "name": "myntis.store" }, { "id": "", "name": "montorra.biz" }, { "id": "", "name": "montcrest.store" }, { "id": "", "name": "miravon.biz" }, { "id": "", "name": "minchemails.store" }, { "id": "", "name": "millhaven.store" }, { "id": "", "name": "meriton.store" }, { "id": "", "name": "meriona.biz" }, { "id": "", "name": "maxrion.biz" }, { "id": "", "name": "marketvibe.biz" }, { "id": "", "name": "marketzap.biz" }, { "id": "", "name": "magnora.biz" }, { "id": "", "name": "magnaris.store" }, { "id": "", "name": "lyvantis.biz" }, { "id": "", "name": "luxtrion.biz" }, { "id": "", "name": "loryvia.biz" }, { "id": "", "name": "lucivon.biz" }, { "id": "", "name": "lorix.store" }, { "id": "", "name": "loomflow.store" }, { "id": "", "name": "lorvex.biz" }, { "id": "", "name": "linchemails.store" }, { "id": "", "name": "lexindus.store" }, { "id": "", "name": "legatora.store" }, { "id": "", "name": "laryvo.biz" }, { "id": "", "name": "kyvera.biz" }, { "id": "", "name": "kytrion.biz" }, { "id": "", "name": "kyroa.store" }, { "id": "", "name": "kyntravo.biz" }, { "id": "", "name": "kryvent.biz" }, { "id": "", "name": "klyptus.biz" }, { "id": "", "name": "klyvera.biz" }, { "id": "", "name": "klyvante.biz" }, { "id": "", "name": "kingsvale.store" }, { "id": "", "name": "kingshaven.store" }, { "id": "", "name": "kingsmere.store" }, { "id": "", "name": "kinchemails.store" }, { "id": "", "name": "kiklume.store" }, { "id": "", "name": "kimderdiki.biz" }, { "id": "", "name": "keyvora.biz" }, { "id": "", "name": "kensworth.store" }, { "id": "", "name": "kendrix.biz" }, { "id": "", "name": "kalegroup.biz" }, { "id": "", "name": "juravia.store" }, { "id": "", "name": "jukinge.store" }, { "id": "", "name": "jukengi.store" } ], "attack_patterns": [ { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "75702b35-b790-4504-a1e0-7829e76f22e9", "name": "T1585" }, { "id": "ef72da1d-2eaa-4d94-8913-06978609cfb4", "name": "T1608.001" }, { "id": "edd1455b-2879-4b08-be3e-2aa78fb15652", "name": "T1585.002" }, { "id": "3e7e47ba-d8ad-4aa8-a4fc-1167cec2e125", "name": "T1587.001" }, { "id": "6babd5aa-5112-4f14-a660-60d756a65d6d", "name": "T1586" }, { "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf", "name": "T1584" } ] }, "external_refs": [ "https://securityboulevard.com/2025/11/330-custom-email-domains-and-what-this-tells-us-about-how-attackers-build-infrastructure-for-fake-account-creation/", "https://otx.alienvault.com/pulse/691ceae73fedb4c4eb5d0c5a" ] }