Date: 03/24/2025
Severity: High
Summary
Cybercriminals targeting the UAE are impersonating Dubai Police to defraud consumers, combining smishing (SMS), phishing (web) and vishing (voice) in one campaign. Victims are pressured into paying non-existent fines, such as traffic tickets or license renewals, either over fraudulent phone calls or through SMS links that lead to look-alike payment pages hosted on throwaway domains (see the IOC list below). Activity spikes around holidays, particularly UAE National Day (Eid Al Etihad), when fine-payment messages are more plausible. Dubai Police have warned the public never to provide card or banking details over the phone, as official institutions do not request such information that way. A recent UAE Financial Intelligence Unit report found that fraud, led by vishing, phishing and smishing, caused losses of AED 1.2 billion (about USD 326 million) between 2021 and 2023, making these schemes a significant risk to financial security in the region.
Indicators of Compromise (IOC) List
URL/Domain (one indicator per line):
www.ityht.icu
ju.fhjre.icu
ex.xnkkg.icu
ws.tyrrt.icu
zc.bnfhf.icu
ww.xbhff.icu
fs.fdghe.icu
www.zvdeasa.icu
sx.ssgxvx.icu
fc.xcbbx.icu
bc.cnbjgds.icu
gf.uoyty.icu
qq.bcvgdf.icu
fc.hjffd.icu
tg.sdhju.icu
xx.cxbdf.icu
ws.bnfhfd.icu
az.vcnjh.icu
gv.ityht.icu
yg.utyus.icu
ws.vdsfsh.icu
pl.fhm.icu
fs.vjddg.icu
ut.ddgjcv.icu
ws.dsgsv.icu
va.sdwdf.icu
dsw.jffdd.icu
jffdd.icu
erfdg.icu
fswwr.icu
rfsfh.icu
yrn.rfsfh.icu
poc.kjf.icu
dsfjd.icu
gev.dsfjd.icu
vhu.kgfhre.icu
kgfhre.icu
vgu.kgfhre.icu
zvm.icu
wds.zvm.icu
zvdeasa.icu
fs.zvdeasa.icu
cxzve.icu
ccss.cxzve.icu
fgrecb.icu
rc.fgrecb.icu
vnvcn.icu
fcs.vnvcn.icu
kjf.icu
uhbds.icu
dsgey.icu
fdg.icu
xcber.icu
dub.xcber.icu
dcxbj.icu
dub.dcxbj.icu
adfte.icu
rfcxb.icu
auedu.rfcxb.icu
edfsg.icu
qad.edfsg.icu
qad.uhbds.icu
qad.dsgey.icu
qad.fdg.icu
oijsd.icu
rdf.oijsd.icu
xstyj.icu
rdf.xstyj.icu
fhiugcx.icu
yhbfl.fhiugcx.icu
asfjte.icu
tfs.asfjte.icu
dfuewe.icu
yhbfl.dfuewe.icu
etyur.icu
tfs.etyur.icu
bxahj.icu
aued.bxahj.icu
czsfhjh.icu
aued.czsfhjh.icu
cxbha.icu
tfs.cxbha.icu
dcnar.icu
hgf.dcnar.icu
gjhdf.icu
zvvbgf.icu
ijnvb.icu
tfs.gjhdf.icu
okj.ijnvb.icu
aued.zvvbgf.icu
asytfsv.icu
aued.asytfsv.icu
sagy.site
urwyu.icu
sxf.sagy.site
dah.icu
uhk.urwyu.icu
yg.dah.icu
yoidg.icu
rfv.yoidg.icu
bvwds.icu
hgf.bvwds.icu
joujg.icu
ygv.joujg.icu
dubaipoliauey.top
fhjrw.icu
ityht.icu
uoyty.icu
ssgxvx.icu
bnfhf.icu
cnbjgds.icu
sdhju.icu
cxbdf.icu
yrtrer.icu
ddvvs.icu
dfhkk.icu
gfjut.icu
tgv.gfjut.icu
fhjyd.icu
ygv.etw.icu
yt.dfhkk.icu
hg.ddvvs.icu
jjfdfe.icu
cxdfh.icu
bcvgdf.icu
ddgjcv.icu
dsgsv.icu
vdsfsh.icu
hjffd.icu
xnkkg.icu
vc.jjfdfe.icu
fdghe.icu
dq.fhjyd.icu
xcbbx.icu
fhjre.icu
sdwdf.icu
vcnjh.icu
utyus.icu
ghl.icu
vjddg.icu
bnfhfd.icu
fgf.yrtrer.icu
etw.icu
dsgwe.icu
tyrrt.icu
dubaipoit.com
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "xcbbx.icu" or url like "xcbbx.icu" or userdomainname like "cxbha.icu" or url like "cxbha.icu" or userdomainname like "dubaipoit.com" or url like "dubaipoit.com" or userdomainname like "gfjut.icu" or url like "gfjut.icu" or userdomainname like "ws.dsgsv.icu" or url like "ws.dsgsv.icu" or userdomainname like "rfsfh.icu" or url like "rfsfh.icu" or userdomainname like "dfhkk.icu" or url like "dfhkk.icu" or userdomainname like "yrn.rfsfh.icu" or url like "yrn.rfsfh.icu" or userdomainname like "etw.icu" or url like "etw.icu" or userdomainname like "fc.xcbbx.icu" or url like "fc.xcbbx.icu" or userdomainname like "xx.cxbdf.icu" or url like "xx.cxbdf.icu" or userdomainname like "dub.dcxbj.icu" or url like "dub.dcxbj.icu" or userdomainname like "dub.xcber.icu" or url like "dub.xcber.icu" or userdomainname like "dcxbj.icu" or url like "dcxbj.icu" or userdomainname like "cxzve.icu" or url like "cxzve.icu" or userdomainname like "tfs.etyur.icu" or url like "tfs.etyur.icu" or userdomainname like "xstyj.icu" or url like "xstyj.icu" or userdomainname like "vgu.kgfhre.icu" or url like "vgu.kgfhre.icu" or userdomainname like "kgfhre.icu" or url like "kgfhre.icu" or userdomainname like "bnfhfd.icu" or url like "bnfhfd.icu" or userdomainname like "sxf.sagy.site" or url like "sxf.sagy.site" or userdomainname like "sdhju.icu" or url like "sdhju.icu" or userdomainname like "dfuewe.icu" or url like "dfuewe.icu" or userdomainname like "sagy.site" or url like "sagy.site" or userdomainname like "zc.bnfhf.icu" or url like "zc.bnfhf.icu" or userdomainname like "urwyu.icu" or url like "urwyu.icu" or userdomainname like "ghl.icu" or url like "ghl.icu" or userdomainname like "hjffd.icu" or url like "hjffd.icu" or userdomainname like "dsgwe.icu" or url like "dsgwe.icu" or userdomainname like "zvdeasa.icu" or url like "zvdeasa.icu" or userdomainname like "ccss.cxzve.icu" or url like "ccss.cxzve.icu" or userdomainname like "fdghe.icu" or url like "fdghe.icu" 
or userdomainname like "sx.ssgxvx.icu" or url like "sx.ssgxvx.icu" or userdomainname like "vnvcn.icu" or url like "vnvcn.icu" or userdomainname like "vdsfsh.icu" or url like "vdsfsh.icu" or userdomainname like "uhbds.icu" or url like "uhbds.icu" or userdomainname like "ityht.icu" or url like "ityht.icu" or userdomainname like "bvwds.icu" or url like "bvwds.icu" or userdomainname like "zvm.icu" or url like "zvm.icu" or userdomainname like "yhbfl.fhiugcx.icu" or url like "yhbfl.fhiugcx.icu" or userdomainname like "fhjrw.icu" or url like "fhjrw.icu" or userdomainname like "yg.utyus.icu" or url like "yg.utyus.icu" or userdomainname like "dubaipoliauey.top" or url like "dubaipoliauey.top" or userdomainname like "etyur.icu" or url like "etyur.icu" or userdomainname like "oijsd.icu" or url like "oijsd.icu" or userdomainname like "dq.fhjyd.icu" or url like "dq.fhjyd.icu" or userdomainname like "vhu.kgfhre.icu" or url like "vhu.kgfhre.icu" or userdomainname like "qad.uhbds.icu" or url like "qad.uhbds.icu" or userdomainname like "ex.xnkkg.icu" or url like "ex.xnkkg.icu" or userdomainname like "tyrrt.icu" or url like "tyrrt.icu" or userdomainname like "qad.fdg.icu" or url like "qad.fdg.icu" or userdomainname like "fc.hjffd.icu" or url like "fc.hjffd.icu" or userdomainname like "fswwr.icu" or url like "fswwr.icu" or userdomainname like "ws.tyrrt.icu" or url like "ws.tyrrt.icu" or userdomainname like "dsw.jffdd.icu" or url like "dsw.jffdd.icu" or userdomainname like "ddgjcv.icu" or url like "ddgjcv.icu" or userdomainname like "ws.vdsfsh.icu" or url like "ws.vdsfsh.icu" or userdomainname like "fs.zvdeasa.icu" or url like "fs.zvdeasa.icu" or userdomainname like "ddvvs.icu" or url like "ddvvs.icu" or userdomainname like "aued.asytfsv.icu" or url like "aued.asytfsv.icu" or userdomainname like "yg.dah.icu" or url like "yg.dah.icu" or userdomainname like "gv.ityht.icu" or url like "gv.ityht.icu" or userdomainname like "aued.zvvbgf.icu" or url like "aued.zvvbgf.icu" or userdomainname 
like "fhjre.icu" or url like "fhjre.icu" or userdomainname like "asfjte.icu" or url like "asfjte.icu" or userdomainname like "rdf.oijsd.icu" or url like "rdf.oijsd.icu" or userdomainname like "hgf.dcnar.icu" or url like "hgf.dcnar.icu" or userdomainname like "ygv.joujg.icu" or url like "ygv.joujg.icu" or userdomainname like "okj.ijnvb.icu" or url like "okj.ijnvb.icu" or userdomainname like "xcber.icu" or url like "xcber.icu" or userdomainname like "tg.sdhju.icu" or url like "tg.sdhju.icu" or userdomainname like "utyus.icu" or url like "utyus.icu" or userdomainname like "va.sdwdf.icu" or url like "va.sdwdf.icu" or userdomainname like "edfsg.icu" or url like "edfsg.icu" |
Detection Query 2 | userdomainname like "aued.bxahj.icu" or url like "aued.bxahj.icu" or userdomainname like "tfs.asfjte.icu" or url like "tfs.asfjte.icu" or userdomainname like "fcs.vnvcn.icu" or url like "fcs.vnvcn.icu" or userdomainname like "bnfhf.icu" or url like "bnfhf.icu" or userdomainname like "fs.fdghe.icu" or url like "fs.fdghe.icu" or userdomainname like "cnbjgds.icu" or url like "cnbjgds.icu" or userdomainname like "yt.dfhkk.icu" or url like "yt.dfhkk.icu" or userdomainname like "qq.bcvgdf.icu" or url like "qq.bcvgdf.icu" or userdomainname like "www.zvdeasa.icu" or url like "www.zvdeasa.icu" or userdomainname like "vjddg.icu" or url like "vjddg.icu" or userdomainname like "dsgsv.icu" or url like "dsgsv.icu" or userdomainname like "ijnvb.icu" or url like "ijnvb.icu" or userdomainname like "auedu.rfcxb.icu" or url like "auedu.rfcxb.icu" or userdomainname like "kjf.icu" or url like "kjf.icu" or userdomainname like "ut.ddgjcv.icu" or url like "ut.ddgjcv.icu" or userdomainname like "dcnar.icu" or url like "dcnar.icu" or userdomainname like "poc.kjf.icu" or url like "poc.kjf.icu" or userdomainname like "cxdfh.icu" or url like "cxdfh.icu" or userdomainname like "ju.fhjre.icu" or url like "ju.fhjre.icu" or userdomainname like "tgv.gfjut.icu" or url like "tgv.gfjut.icu" or userdomainname like "tfs.gjhdf.icu" or url like "tfs.gjhdf.icu" or userdomainname like "yoidg.icu" or url like "yoidg.icu" or userdomainname like "www.ityht.icu" or url like "www.ityht.icu" or userdomainname like "ssgxvx.icu" or url like "ssgxvx.icu" or userdomainname like "rfv.yoidg.icu" or url like "rfv.yoidg.icu" or userdomainname like "qad.edfsg.icu" or url like "qad.edfsg.icu" or userdomainname like "bxahj.icu" or url like "bxahj.icu" or userdomainname like "hg.ddvvs.icu" or url like "hg.ddvvs.icu" or userdomainname like "tfs.cxbha.icu" or url like "tfs.cxbha.icu" or userdomainname like "pl.fhm.icu" or url like "pl.fhm.icu" or userdomainname like "jjfdfe.icu" or url like "jjfdfe.icu" or 
userdomainname like "ww.xbhff.icu" or url like "ww.xbhff.icu" or userdomainname like "bc.cnbjgds.icu" or url like "bc.cnbjgds.icu" or userdomainname like "gf.uoyty.icu" or url like "gf.uoyty.icu" or userdomainname like "ws.bnfhfd.icu" or url like "ws.bnfhfd.icu" or userdomainname like "az.vcnjh.icu" or url like "az.vcnjh.icu" or userdomainname like "fs.vjddg.icu" or url like "fs.vjddg.icu" or userdomainname like "jffdd.icu" or url like "jffdd.icu" or userdomainname like "erfdg.icu" or url like "erfdg.icu" or userdomainname like "dsfjd.icu" or url like "dsfjd.icu" or userdomainname like "gev.dsfjd.icu" or url like "gev.dsfjd.icu" or userdomainname like "wds.zvm.icu" or url like "wds.zvm.icu" or userdomainname like "fgrecb.icu" or url like "fgrecb.icu" or userdomainname like "rc.fgrecb.icu" or url like "rc.fgrecb.icu" or userdomainname like "dsgey.icu" or url like "dsgey.icu" or userdomainname like "fdg.icu" or url like "fdg.icu" or userdomainname like "adfte.icu" or url like "adfte.icu" or userdomainname like "rfcxb.icu" or url like "rfcxb.icu" or userdomainname like "qad.dsgey.icu" or url like "qad.dsgey.icu" or userdomainname like "rdf.xstyj.icu" or url like "rdf.xstyj.icu" or userdomainname like "fhiugcx.icu" or url like "fhiugcx.icu" or userdomainname like "yhbfl.dfuewe.icu" or url like "yhbfl.dfuewe.icu" or userdomainname like "czsfhjh.icu" or url like "czsfhjh.icu" or userdomainname like "aued.czsfhjh.icu" or url like "aued.czsfhjh.icu" or userdomainname like "gjhdf.icu" or url like "gjhdf.icu" or userdomainname like "zvvbgf.icu" or url like "zvvbgf.icu" or userdomainname like "asytfsv.icu" or url like "asytfsv.icu" or userdomainname like "dah.icu" or url like "dah.icu" or userdomainname like "uhk.urwyu.icu" or url like "uhk.urwyu.icu" or userdomainname like "hgf.bvwds.icu" or url like "hgf.bvwds.icu" or userdomainname like "joujg.icu" or url like "joujg.icu" or userdomainname like "uoyty.icu" or url like "uoyty.icu" or userdomainname like "cxbdf.icu" or url like "cxbdf.icu" or userdomainname like "yrtrer.icu" or url like "yrtrer.icu" or userdomainname like "fhjyd.icu" or url like "fhjyd.icu" or userdomainname like "ygv.etw.icu" or url like "ygv.etw.icu" or userdomainname like "bcvgdf.icu" or url like "bcvgdf.icu" or userdomainname like "xnkkg.icu" or url like "xnkkg.icu" or userdomainname like "vc.jjfdfe.icu" or url like "vc.jjfdfe.icu" or userdomainname like "sdwdf.icu" or url like "sdwdf.icu" or userdomainname like "vcnjh.icu" or url like "vcnjh.icu" or userdomainname like "fgf.yrtrer.icu" or url like "fgf.yrtrer.icu" |
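The queries above test the `userdomainname` and `url` fields with `like` and a bare domain, without wildcards; whether that matches a full URL such as `https://www.ityht.icu/pay/...` depends on how the query engine interprets `like`, so confirm the match semantics against a known log line before relying on the `url` clauses. The following Python script is an added example (not part of the advisory or of the Gurucul product) showing how to apply the IOC list to exported proxy or DNS logs outside the SIEM. It matches on label boundaries, so `cdn.dubaipoit.com` hits the IOC `dubaipoit.com` while an unrelated `notfdg.icu` does not hit `fdg.icu` (a plain substring test would). The log layout (`timestamp user url`) and the sample lines are constructed; the IOC subset is taken from the list above.

```python
"""Match proxy/DNS log hostnames against the Dubai Police smishing IOC domains.

Added example, not part of the original advisory or of any vendor product.
The "<ts> <user> <url>" log layout and the sample lines are constructed;
the IOC entries are a subset of the advisory's URL/Domain list.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Subset of the advisory's IOCs; load the full list the same way in practice.
IOC_DOMAINS = [
    "www.ityht.icu", "gv.ityht.icu", "ityht.icu",
    "qad.fdg.icu", "fdg.icu",
    "dubaipoliauey.top", "dubaipoit.com",
    "sxf.sagy.site", "sagy.site",
    "pl.fhm.icu",   # only this subdomain is listed, not fhm.icu itself
]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2025-03-24T09:12:01Z alice https://www.ityht.icu/pay/fine?id=8831
2025-03-24T09:12:44Z bob http://QAD.FDG.ICU:8080/login
2025-03-24T09:13:10Z carol https://notfdg.icu/index.html
2025-03-24T09:14:02Z dave https://cdn.dubaipoit.com/assets/app.js
2025-03-24T09:15:30Z erin https://www.dubaipolice.gov.ae/wps/portal/home
2025-03-24T09:16:11Z frank https://fhm.icu/
"""


def normalize_host(url_or_host: str) -> str:
    """Return the lower-cased hostname, stripped of scheme, port, path and trailing dot."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare host as the netloc
    host = urlsplit(s).hostname or ""  # .hostname already lower-cases
    return host.rstrip(".")


def matches_ioc(host: str, iocs: set[str]) -> str | None:
    """Return the IOC matching `host`, or None.

    A hit is the exact host or any parent formed by dropping leading labels,
    so 'cdn.dubaipoit.com' hits 'dubaipoit.com' but 'notfdg.icu' does not
    hit 'fdg.icu', and a listed subdomain never hits its unlisted parent.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(log_text: str, ioc_domains=IOC_DOMAINS) -> list[tuple[str, str, str]]:
    """Return (user, host, matched_ioc) for every log line whose host hits an IOC."""
    iocs = {normalize_host(d) for d in ioc_domains}
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _ts, user, url = parts
        host = normalize_host(url)
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append((user, host, ioc))
    return hits


if __name__ == "__main__":
    for user, host, ioc in scan_log(SAMPLE_LOG):
        print(f"HIT user={user} host={host} ioc={ioc}")
```

Run against the sample log it reports alice, bob and dave; carol (`notfdg.icu`), erin (the legitimate `dubaipolice.gov.ae`) and frank (`fhm.icu`, whose only listed entry is the subdomain `pl.fhm.icu`) are left alone. Feeding the complete IOC list into `IOC_DOMAINS` gives the same label-boundary behaviour for all entries.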
Reference:
https://www.resecurity.com/blog/article/cybercriminals-impersonate-dubai-police-to-defraud-consumers-in-the-uae-smishing-triad-in-action