We are observing an active phishing campaign targeting Australian users, likely using data from the LinkedIn breach. Emails impersonate major Australian supermarkets and other chains such as BCF, Bunnings, Anaconda and so on. All samples to date use buff.ly links for redirection. As a precaution, the entire buff.ly domain has been temporarily blocked while this activity is investigated.

iAntiSpy version 26.01 is now available with updated databases addressing this and other recent threats.
Updates are live across all platforms, with the Mac App Store version pending Apple's review and approval.

How to upgrade
Look for the update notification in the app or download directly from iantispy.com/download.
Mac App Store users: the update is coming soon.

We're excited to announce that iAntiSpy 25.8 is now rolling out via in-app update, iantispy.com, and soon on the Mac App Store. This release brings powerful improvements focused squarely on visibility, reliability, and versioning clarity.

What's new in 25.8
1. Ability to log all connections - You can now enable optional connection logging in Settings to see every DNS query and connection your Mac makes. This feature is off by default and designed for advanced users who want deeper insight into network behavior.
2. Updated databases - Our threat blocklists have been refreshed with the latest malicious domains, tracker networks, and phishing infrastructure.
3. Updated updater - The auto-update engine has been optimized for faster, more stable version delivery under varied network conditions.
4. Updated versioning scheme - Version numbers are now more intuitive and consistent, making it easier to track updates moving forward.

As always, iAntiSpy 25.8 works silently in the background with zero annoying pop-ups, while shielding all browsers and apps on your Mac using local system extension technology.

How to upgrade
If you're using the free version, look for the update notification in the app or download directly from iantispy.com/download.
Mac App Store users: the update is coming soon.

We continue to monitor emerging phishing campaigns and tracking infrastructures worldwide.
iAntiSpy version 25.8 brings you the latest protections automatically.

Thanks for trusting iAntiSpy to help you maintain some semblance of privacy.

We are pleased to announce the release of iAntiSpy 3.1, a significant update designed to enhance your digital security. This release enhances our databases, providing robust protection against a diverse range of threats, including additional variants of the threat actor known for using .cn based collection domains. Despite their increasing sophistication, we stay one step ahead.

Additionally, we've broadened our defenses to include more language-specific phishing attempts. Users will appreciate the enhanced protection against phishing in German and Spanish.

Of particular note is our increased detection and blockage of Japanese phishing attempts like fake NHK, Mastercard, JCB, and Orico Card scams.

Our team works diligently every day to identify and thwart these attempts to compromise your security, and your wallet.

iAntiSpy 3.1 is now available for direct download from iantispy.com/download and in-app updates. Mac App Store updates will be available soon.

Subscribers to iAntiSpy Enhanced Protection (EP) are already updated and secure.

Database update - As Lunar New Year celebrations wind down, it seems some phishers were a bit too inspired by the festive spirit, handing out Japanese-language phishing mails as if they were red envelopes! Targets include Saison Card, Orico, Mastercard, UC Card, and others. The collection domains are all neatly registered under the ever-auspicious .cn TLD. Our latest databases provide protection against these threats and many others.

Update - The January 2025 update of iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store.

New year, new phish - We have observed new phishing campaigns targeting Japanese and Australian users. The Japanese variants threaten legal action (in broken Japanese) and have links pointing to various .cn domains, all allegedly registered to a "陈礼吉" [email protected]. The Australian campaigns pretend to come from myGov and link using the qrco.de redirection service. Associated domains include auincomeserv.com (Registrar: Ionos, created: 2025-01-13 17:44:44) and myatoclaims.org (namesilo, 2025-01-13 14:44:12). Our latest databases provide protection against these threats and others.

The November 2024 update to iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store. This update features changes to the notification system, internal optimizations and is packaged with the latest blocking database. If you haven't already installed it, please do now.

The previously identified threat actor has now begun leveraging the Surge.sh 'Static web publishing for Front-End Developers' service. The latest version of the iAntiSpy anti-phish database has been updated to provide protection against these new developments. We have been monitoring this threat and release updates to our databases as information becomes available.

The October 2024 update to iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store. This update features changes to the status bar, improvments to the user interface and is packaged with the latest blocking database. If you haven't already installed it, please do now.

The September 2024 update to iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store. This update features improvements to the user interface and is packaged with the latest blocking database. If you haven't already installed it, please do so now.

The previously identified threat actor has now begun leveraging the Arweave decentralized storage network. As a precautionary measure, we have implemented a block on the default Arweave HTTP gateway. The latest version of the iAntiSpy anti-phish database has been updated to provide protection against these new developments. We will continue to monitor this threat.

The threat actor we've previously discussed has been conducting a phishing campaign for some time. Today, they've started using Netlify.app subdomains for their operations.

Sample email #1:

your_email_address have Incoming Pending Messages
You have Incoming Pending Messages

The following messages have been blocked by your mail-server due to validation error.
You have six pending messages .

 
Incoming  Messages:
Status :                Subject:
your_email_address      Fwd: Payment  ------ forwarded message ----
your_email_address      Re: Statement Of Acoount 	date
your_email_address      RE: Updated PI
your_email_address      Zoom meeting request tomorrow	date.
your_email_address      Re: New Account Details
your_email_address      Re: Shipment	date.

[ DELIVER ALL MAILS ]


Note: The messages will be delivered within 1-2 hours after you receive a confirmation mail notice.
This message was sent by the MailDaemon server honeypot notification.


Thank you!
  
Copyright© 2024 Webmail, Inc.
            

The DELIVER ALL MAILS button and message links all point to a URL in the format:
https://*.netlify.app/#target_email_address

Clicking the link loads the same fake cPanel branded login page we discussed earlier. Unlike the IPFS forms, this form posts back to itself.

The current iAntiSpy for macOS anti-phish database provides immediate protection against all known variants of this threat.

A threat actor has been conducting a phishing campaign for some time, initially hosting their collection scripts on various IPFS gateways. Recently, they've shifted to using Cloudflare Workers' pages.dev subdomains for their operations. As their activity intensifies, we decided to share this information. It seems they are targeting high-value individuals, likely identified from the LinkedIn data breach and other sources.

Sample email #1:

Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=198.12.90.248;
 helo=studiomogavero.com; [email protected]; 
 receiver=redacted-honeypot 
Received: from studiomogavero.com (unknown [198.12.90.248])
by redacted-honeypot (Postfix) with ESMTP id DECAF15BAD00
for ; Wed, 14 Aug 2024 04:44:44 +0200 (CEST)
From: "honeypot IT Desk"
To: user@honeypot
Subject:  user@honeypot Account Update !
Date: ........
............
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
.............

Error Notice
Oops, we encountered an error updating the mail server of honeypot , kindly 
manually update your mailbox preference settings to prevent your incoming and
outgoing emails to be restricted. 

[ Update Preferences ]

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify  [email protected]
            

Sample email #2:

From: "honeypot Admin"
To: user@honeypot
Subject: user@honeypot Password will expire today 8/14/2024 ?:??:?? a.m.

Password Expiration Notice
Your password will expires today 8/14/2024 ?:??:?? a.m. 
Please update your password to ensure continued access to your email account.

[ Retain Current Password ]       [ Update Keep Password ]

Account Information:
Email Address:   user@honeypot
Password Status: Expiring today 8/14/2024 ?:??:?? a.m.
 
© 2024. All Rights Reserved.
            

The Update Preferences and other buttons all link to a Cloudflare worker in the format:
https://plausable-sounding-name.pages.dev/#target_email_address (note the misspelling)

Clicking the link generally results in a fake cPanel branded login page.

Another variant still in circulation utilizes javascript obfuscation techniques allowing it to load and submit correctly from an IPFS gateway to a collection server hosted at Shinjiru Technology Sdn Bhd, a Malaysian "Offshore Web Hosting Provider". The collector domain was registered at 2023-11-19T22:35:37Z, updated at 2024-07-15T03:28:43Z and has previously pointed to Cloudflare IP addresses. Other domains associated with this actor continue to be hosted behind Cloudflare. Cloudflare appears to be at least partially aware of the issue, we will provide addtional information if deemed necessary.

The current iAntiSpy for macOS anti-phish database provides immediate protection against all known variants of this threat.