This cybersecurity investigation has uncovered a sophisticated domain spoofing campaign targeting consumers through fraudulent websites impersonating major technology and e-commerce brands. The campaign centers around six malicious domains registered through .us Registry Services LLC on April 18, 2002: hub.com.us, apple.com.us, amazon.com.us, supporta.com.us, consumer.com.us, and company.us. These domains deliberately mimic legitimate brand names by adding the ".us" extension to create convincing but fraudulent web addresses.
Technical analysis reveals extensive infrastructure connections between all six domains, with 19 documented relationships showing shared hosting and technical resources. The domains are assessed with moderate confidence (0.50) to operate on the same infrastructure, indicating coordinated management by the same threat actors. Key connections include company.us, which is linked to apple.com.us, amazon.com.us, hub.com.us, and supporta.com.us, while hub.com.us serves as a central node connecting to apple.com.us, amazon.com.us, supporta.com.us, and consumer.com.us. This interconnected network allows the scammers to quickly pivot between different brand impersonations while maintaining operational control.
Consumer reports document specific attack vectors used in this campaign, with victims receiving fraudulent emails claiming to be from PayPal regarding recurring payments. One documented case shows scammers using the apple.com.us domain in fake payment notifications, directing victims to contact "Reseller Point" about unauthorized charges. Additional reports describe emails with subject lines like "Recurring Payment Reactivated" that include fake merchant profile IDs such as "I-42RBYUJN34FN" to create the appearance of legitimate transaction alerts. These emails are designed to create urgency and panic, prompting victims to click malicious links or provide sensitive financial information.
To protect yourself from this and similar campaigns, always verify the legitimacy of unexpected payment notifications by logging directly into your official account through the company's verified website rather than clicking email links. Legitimate companies like Apple, Amazon, and PayPal will never use unofficial domain extensions like ".com.us" for official communications. If you receive a suspicious email, do not click any links; if you receive a suspicious call, hang up immediately. Report the incident to the FTC at reportfraud.ftc.gov, or to the FCC for phone-based scams. Before interacting with any unfamiliar domain or phone number, check its legitimacy through official consumer protection resources or by contacting the purported company directly through verified contact information.
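One way to apply the domain check above to a received message, as an added example that is not code from this investigation: it pulls hostnames from sender addresses and links, then flags the six reported domains and any host that embeds an official brand domain ahead of a different suffix. The `OFFICIAL` list, the sample email, and the `.test` hostname are constructed assumptions.

```python
import re

# Domains named in this report.
REPORTED = {"hub.com.us", "apple.com.us", "amazon.com.us",
            "supporta.com.us", "consumer.com.us", "company.us"}
# Assumption: the brands' official domains (not listed in the report).
OFFICIAL = {"apple.com", "amazon.com", "paypal.com"}

# Constructed sample message modelled on the lure described in the report.
SAMPLE_EMAIL = """\
From: PayPal <service@apple.com.us>
Subject: Recurring Payment Reactivated
Merchant profile ID: I-42RBYUJN34FN
Dispute at http://paypal.com.billing.test/dispute or contact Reseller Point.
Manage payments at https://www.paypal.com/myaccount
"""

# Hostname following a URL scheme or the "@" of an e-mail address.
HOST_RE = re.compile(r"(?:https?://|@)([A-Za-z0-9.-]+)")

def extract_hosts(text):
    """Return lowercase hostnames found in links and sender addresses."""
    return [h.lower().strip(".") for h in HOST_RE.findall(text)]

def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(host):
    """Return 'reported', 'official', 'embedded-brand' or 'unknown'."""
    if any(under(host, d) for d in REPORTED):
        return "reported"
    if any(under(host, d) for d in OFFICIAL):
        return "official"
    labels = host.split(".")
    for dom in OFFICIAL:
        d = dom.split(".")
        # Brand labels appear in the host but not at its end,
        # i.e. the real registrable domain is something else.
        for i in range(len(labels) - len(d)):
            if labels[i:i + len(d)] == d:
                return "embedded-brand"
    return "unknown"

def triage(text):
    """Map each hostname in the message to its verdict."""
    return {h: classify(h) for h in extract_hosts(text)}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EMAIL).items():
        print(f"{verdict:15} {host}")
```

A verdict of `unknown` means only that neither rule matched, so the host still needs the manual verification described above.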
This campaign represents a moderate threat level due to its sophisticated infrastructure and convincing brand impersonation tactics. The coordinated use of multiple domains and the targeting of financial services communications indicate an organized operation designed for large-scale consumer fraud. Consumers should remain vigilant for emails from domains using unusual extensions and immediately report any suspected fraudulent communications to federal authorities to help disrupt this ongoing campaign.