Date: 09/08/2025
Severity: Critical
Summary
We’ve identified an SMS phishing (smishing) campaign posing as the California Franchise Tax Board. The fraudulent websites use domain names that combine terms like “FTB,” “CA,” and “gov” to deceive users. These sites falsely promise tax refunds, but their true purpose is to harvest sensitive personal information, including Social Security numbers, addresses, and payment details.
Indicators of Compromise (IOC) List
Domains\URLs:
ftb.gov-ca-ly.bar
ftb.gov-ca-os.bar
ftb.gov-ca-ul.bar
ftb.gov-ca-wv.bar
ftb.cagov-alo.cc
ftb.ca-ne.cc
ftb.ca-nu.cc
ftb.cagov-bd.cfd
ftb.cagov-lba.cc
ftb.cagov-ose.cc
ftb.ca-gov-qn.cfd
ftb.cagov-tug.cc
ftb.ca-gov-xq.top
ftb.ca-lb.cc
ftb.ca-lf.cc
ftb.ca-ra.cc
ftb.cagov-zbv.cc
ftb.ca-zxc.cc
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
domainname like "ftb.gov-ca-ly.bar" or url like "ftb.gov-ca-ly.bar" or siteurl like "ftb.gov-ca-ly.bar"
or domainname like "ftb.cagov-bd.cfd" or url like "ftb.cagov-bd.cfd" or siteurl like "ftb.cagov-bd.cfd"
or domainname like "ftb.gov-ca-os.bar" or url like "ftb.gov-ca-os.bar" or siteurl like "ftb.gov-ca-os.bar"
or domainname like "ftb.ca-lb.cc" or url like "ftb.ca-lb.cc" or siteurl like "ftb.ca-lb.cc"
or domainname like "ftb.ca-ra.cc" or url like "ftb.ca-ra.cc" or siteurl like "ftb.ca-ra.cc"
or domainname like "ftb.ca-ne.cc" or url like "ftb.ca-ne.cc" or siteurl like "ftb.ca-ne.cc"
or domainname like "ftb.ca-nu.cc" or url like "ftb.ca-nu.cc" or siteurl like "ftb.ca-nu.cc"
or domainname like "ftb.ca-gov-xq.top" or url like "ftb.ca-gov-xq.top" or siteurl like "ftb.ca-gov-xq.top"
or domainname like "ftb.gov-ca-ul.bar" or url like "ftb.gov-ca-ul.bar" or siteurl like "ftb.gov-ca-ul.bar"
or domainname like "ftb.ca-zxc.cc" or url like "ftb.ca-zxc.cc" or siteurl like "ftb.ca-zxc.cc"
or domainname like "ftb.cagov-tug.cc" or url like "ftb.cagov-tug.cc" or siteurl like "ftb.cagov-tug.cc"
or domainname like "ftb.cagov-alo.cc" or url like "ftb.cagov-alo.cc" or siteurl like "ftb.cagov-alo.cc"
or domainname like "ftb.ca-gov-qn.cfd" or url like "ftb.ca-gov-qn.cfd" or siteurl like "ftb.ca-gov-qn.cfd"
or domainname like "ftb.cagov-zbv.cc" or url like "ftb.cagov-zbv.cc" or siteurl like "ftb.cagov-zbv.cc"
or domainname like "ftb.gov-ca-wv.bar" or url like "ftb.gov-ca-wv.bar" or siteurl like "ftb.gov-ca-wv.bar"
or domainname like "ftb.cagov-lba.cc" or url like "ftb.cagov-lba.cc" or siteurl like "ftb.cagov-lba.cc"
or domainname like "ftb.cagov-ose.cc" or url like "ftb.cagov-ose.cc" or siteurl like "ftb.cagov-ose.cc"
or domainname like "ftb.ca-lf.cc" or url like "ftb.ca-lf.cc" or siteurl like "ftb.ca-lf.cc"
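For teams that do not run Gurucul TDIR, the same detection can be applied directly to proxy or DNS logs. The script below is an added example, not code from this advisory or from Gurucul: it exact-matches hostnames against the 18 IOC domains listed above, adds a looser lookalike heuristic (my own assumption, not something the advisory defines) for names that start with an "ftb" label and carry "ca" or "gov" tokens outside the real ftb.ca.gov zone, and generates the TDIR-style OR query from the same set. The log lines and the ftb.ca-gov-test.invalid hostname are constructed for the demonstration.

```python
"""Added example: match log lines against the advisory's IOC domains and a
lookalike heuristic, and regenerate the TDIR-style query from the IOC set."""
import re
from urllib.parse import urlsplit

# The 18 domains from the advisory's IOC list (exact-match indicators).
IOC_DOMAINS = frozenset({
    "ftb.gov-ca-ly.bar", "ftb.gov-ca-os.bar", "ftb.gov-ca-ul.bar", "ftb.gov-ca-wv.bar",
    "ftb.cagov-alo.cc", "ftb.ca-ne.cc", "ftb.ca-nu.cc", "ftb.cagov-bd.cfd",
    "ftb.cagov-lba.cc", "ftb.cagov-ose.cc", "ftb.ca-gov-qn.cfd", "ftb.cagov-tug.cc",
    "ftb.ca-gov-xq.top", "ftb.ca-lb.cc", "ftb.ca-lf.cc", "ftb.ca-ra.cc",
    "ftb.cagov-zbv.cc", "ftb.ca-zxc.cc",
})

# The genuine Franchise Tax Board host; anything under it is treated as clean.
LEGIT_HOST = "ftb.ca.gov"

# Matches either a full http(s) URL or a bare dotted hostname in a log line.
URL_OR_HOST = re.compile(r"(https?://[^\s\"']+|\b[a-z0-9.-]+\.[a-z]{2,}\b)", re.I)


def host_of(value):
    """Return the lowercase hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").rstrip(".")


def classify(host):
    """'ioc' for a listed domain, 'lookalike' for the heuristic, else 'clean'."""
    if host in IOC_DOMAINS:
        return "ioc"
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        return "clean"
    labels = host.split(".")
    # Lookalike heuristic (assumption, not from the advisory): a leading "ftb"
    # label plus a "ca..." or "...gov..." token elsewhere, outside the real
    # ca.gov zone. Tokens are split on dots and hyphens so that "local" does
    # not trip on the substring "ca".
    tokens = re.split(r"[.-]", host[len("ftb."):])
    if (labels[0] == "ftb" and not host.endswith(".ca.gov")
            and any(t.startswith("ca") or "gov" in t for t in tokens)):
        return "lookalike"
    return "clean"


def scan_lines(lines):
    """Return (verdict, host, line) for every line whose URL/host is not clean."""
    hits = []
    for line in lines:
        for match in URL_OR_HOST.finditer(line):
            host = host_of(match.group(0))
            verdict = classify(host)
            if verdict != "clean":
                hits.append((verdict, host, line))
                break
    return hits


def build_tdir_query(domains):
    """Emit the domainname/url/siteurl OR chain used in the advisory's query.
    Domains are sorted here; the advisory's own query lists them unsorted."""
    clauses = []
    for d in sorted(domains):
        clauses.append(f'domainname like "{d}" or url like "{d}" or siteurl like "{d}"')
    return " or ".join(clauses)


# Constructed sample log lines (not real traffic). The .invalid host is a
# made-up lookalike that is deliberately absent from the IOC list.
SAMPLE_LOGS = [
    "2025-09-08T10:01:02Z 10.0.0.5 GET https://ftb.ca-ne.cc/ 200",
    "2025-09-08T10:01:09Z 10.0.0.5 GET https://ftb.ca.gov/ 200",
    "2025-09-08T10:02:41Z dns query ftb.cagov-bd.cfd A",
    "2025-09-08T10:03:17Z dns query ftb.ca-gov-test.invalid A",
    "2025-09-08T10:04:00Z 10.0.0.7 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for verdict, host, line in scan_lines(SAMPLE_LOGS):
        print(f"{verdict:9} {host:28} {line}")
    print(build_tdir_query(IOC_DOMAINS))
```

The exact-match set is what the advisory supports; the lookalike verdict is lower confidence and is meant for triage rather than automatic blocking, since the "ftb" label is also a plausible prefix for unrelated internal names.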
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-05-IOCs-for-Smishing-impersonating-CA-francise-tax-board.txt