15-05-2025
Do Not Click This Message—Just 10 Minutes To Hack Your Phone
It all starts with a link, whether that's an AI-perfected phishing email that's impossible to defend against, or an unpaid toll or undelivered package text that should be easier to detect. There's an entire industry now crafting the malicious domains that trick millions of smartphone and PC users into clicking when they shouldn't.
'We've found that the average malicious site exists for less than 10 minutes,' Google says. That's the lifespan during which you receive, click and surrender your credentials or install malware, before the site is found and blocked or taken down. And you're much more likely to be hacked on a phone than a PC. Attackers know this, Zimperium warns, and so links may be benign on a PC and only dangerous on a phone.
DomainTools says 'the sheer volume of newly observed domains in 2024 was over 106 million — approximately 289,000 daily creating a significant challenge for security teams.' And now its security research team has issued a new report that highlights just how fast the turnaround time is behind these malicious domains.
'Viral media events capture global attention,' DomainTools says. 'Our security research team recently undertook a project to identify and analyze scam and malicious domains and websites that emerge in the wake of high-profile viral media events.' This meant sampling multiple events 'including the Los Angeles Fire, NoKings, DeepSeek / China AI developments, the ongoing Trade War, and the Ukraine War.'
While the team expected credential phishing to be the primary objective, what they actually discovered was 'the predominant motivation across sampled events was direct financial profit.' This was mainly fraudulent charity websites for tragedies such as the LA fires or Myanmar earthquake, but also 'selling merchandise related to the event topic and creating and promoting meme cryptocurrency coins based on the event.'
The team cites DeepSeek as a prime example, with BeInCrypto data suggesting 'fake meme coins accrued over 46 million dollars worth before the rug was pulled, presumably indicating the scammers had cashed out.'
DomainTools used AI to generate keywords and then scoured recent domains for hits. Suspect domains are not complex — the simpler and more precise the better: 'Lafirevictimsupport[.]com, lafireonsol[.]xyz purported to collect donations on behalf of the American Red Cross.'
The FBI and others urge caution when it comes to viral events, especially when a campaign pushes a sense of urgency to act now. As ever, don't click through. If it's the American Red Cross you want to help, for example, navigate to their website directly. Similarly, any event with a one-off crafted domain is likely a scam. You can also check the top level domain. A legitimate website is unlikely to sport a .XYZ or .TOP domain.
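The keyword hunt DomainTools describes and the top level domain check can be combined into a simple triage pass over a feed of newly observed domains. This is an added sketch, not DomainTools' tooling or code from the report; the keyword list, lure words, weights, threshold and the `.example` feed entries are assumptions made for illustration.

```python
import re

# Assumptions: hand-written keywords stand in for the AI-generated list; the
# lure words and weights are illustrative; RISKY_TLDS holds the two TLDs the
# article names.
EVENT_KEYWORDS = {"lafire": "Los Angeles Fire", "deepseek": "DeepSeek", "nokings": "NoKings"}
LURE_WORDS = ("support", "relief", "donate", "victim", "fund", "coin", "sol")
RISKY_TLDS = {"xyz", "top"}

# Constructed feed: the two domains quoted in the article plus made-up
# entries under the reserved .example TLD.
SAMPLE_FEED = ["gardening-tips.example", "Lafirevictimsupport[.]com",
               "deepseek-notes.example", "lafireonsol[.]xyz", "la-fire-relief.example"]

def refang(domain):
    """Normalise a defanged indicator such as 'name[.]com' to plain lowercase."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def score_domain(domain):
    """Return (score, reasons) for one newly observed domain."""
    labels = refang(domain).split(".")
    tld = labels[-1]
    # Drop hyphens and label dots so 'la-fire' still matches 'lafire'.
    body = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    score, reasons = 0, []
    for keyword, event in EVENT_KEYWORDS.items():
        if keyword in body:
            score += 2
            reasons.append(f"event keyword '{keyword}' ({event})")
            # Lure words only count alongside an event keyword, which keeps
            # short tokens like 'sol' from flagging unrelated names.
            lures = [w for w in LURE_WORDS if w in body.replace(keyword, "", 1)]
            if lures:
                score += 1
                reasons.append("lure words: " + ", ".join(lures))
            break
    if tld in RISKY_TLDS:
        score += 1
        reasons.append(f"TLD .{tld}")
    return score, reasons

def triage(domains, threshold=3):
    """Return (domain, score, reasons) for domains at or above threshold, highest first."""
    hits = [(d, *score_domain(d)) for d in domains]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(score, domain, "; ".join(reasons))
```

A risky TLD on its own scores below the threshold, so it raises the priority of a keyword hit rather than flagging every .xyz registration.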
Google's new scam detection will help flag these threats, but it should be easier than it's proving to block such blatant fraud from hitting millions of phones daily.