Phishing and cyber-enabled financial fraud have transformed from scattered criminal activity into a global economic threat. The World Economic Forum’s “Fighting Cyber Enabled Fraud 2025” report warns that advanced fraud networks now operate at industrial scale, exploiting cross-border digital infrastructure, AI-generated content, and anonymous domain services

The report calls for a systemic, multi-stakeholder defense model—one that starts with upstream prevention and extends through mitigation and international collaboration.

In this landscape, India’s CERT-In, under the leadership of Director General Dr. Sanjay Bahl, stands out not only for the magnitude of its data processing, but also for its shift toward proactive, automated fraud detection.

India’s Detection Engine: 9,800 Billion Queries and Counting

According to the WEF/IST paper, CERT-In used AI and situational awareness systems to analyse more than 9,800 billion DNS queries in 2024.
From this unprecedented pool of traffic, the agency was able to:

• Detect 2.2 billion queries linked to malicious domains
• Identify 128 million phishing-related domains
• Mitigate 3,044 phishing sites that affected nearly 695,000 users
• Share DNS-based threat intelligence with international partners in real time

This volume—highlighted on page 6 of the report—places India among the world’s most active national cyber-defense authorities, operating what security analysts describe as a “continental-scale early-warning system.”

A senior official familiar with the agency’s strategy noted that its rapid scaling was made possible by “a disciplined commitment to automation, global signal-sharing, and data-driven governance”—a remark widely interpreted as reflecting the operational philosophy at CERT-In’s helm.

Leadership Through Coordination, Not Visibility

While the WEF report does not single out individuals, government insiders and industry observers say the agency’s recent transformation owes much to a quiet but deliberate shift in leadership culture within CERT-In.

Instead of episodic interventions, the agency has adopted a framework built on:

• AI-led prevention
• Mass-scale monitoring
• Coordinated response and inter-agency sharing
• Global data exchange protocols

This approach has allowed CERT-In to move from reactive cyber-incident response to real-time systemic mitigation—a strategic pivot that experts say reflects “mature institutional stewardship.”

Several cybersecurity executives interviewed for this story attributed the shift to “consistent, low-visibility leadership focused on capacity building rather than public-facing announcements”—a sentiment repeated in multiple industry briefings.

A New Global Role for India’s Cyber Infrastructure

What makes CERT-In’s emergence notable is not just its domestic impact, but the global relevance of its data and threat intelligence.

The WEF paper cites India as a key contributor to safeguarding international DNS ecosystems, especially as phishing evolves into a transnational criminal enterprise. With 128 million phishing domains flagged, India is now a central contributor to worldwide fraud-mitigation workflows.

Global privacy-preserving indicator-sharing systems—highlighted in the mitigation section of the WEF report—are increasingly dependent on large, trustworthy national datasets. India’s scale, combined with CERT-In’s automation footprint, makes its threat intelligence uniquely valuable.

Security researchers say these developments suggest India is no longer merely responding to cybercrime trends, but helping shape global norms for digital safety.

What’s Next?

The WEF report calls on national agencies to adopt deeper upstream prevention, stronger domain-registration controls, and coordinated AI-assisted detection.
CERT-In, analysts say, is already moving in that direction, positioning India as a model for large-scale cyber-fraud mitigation.

As the digital ecosystem expands across payments, identity infrastructure, and AI-driven platforms, CERT-In’s role is likely to become even more central. The agency’s trajectory—shaped by a leadership approach that emphasizes capacity, infrastructure, and quiet institutional discipline—offers a template for nations seeking to counter the next decade of cyber-enabled fraud.

The420 Web Desk — November 25, 2025 | 9:34 AM

A fast-spreading phishing tactic is blurring the line between real device notifications and malicious alerts, posing a serious threat to users’ personal data worldwide. Cybersecurity analysts have identified a surge in browser-based attacks that disguise themselves as trusted system prompts, tricking users into handing over credentials for platforms like Netflix, PayPal, TikTok, MetaMask, and more.

When a Fake Notification Looks Real

Security researchers report that attackers are increasingly using web-push notifications—normally a routine browser feature—to mimic official system alerts. The attack begins when a user unknowingly allows notifications from a deceptive website. Once enabled, cybercriminals gain the ability to push fraudulent system-style warnings at any time, even after the user has closed the original page.

“The templates we uncovered impersonate providers such as MetaMask, Netflix, Cloudflare, PayPal, TikTok, and many others,” said Brenda Robb of BlackFog Security. “Each is crafted to resemble a legitimate security alert from these platforms.”

The technique exploits a core human instinct: trusting the device’s own notifications without question.

Matrix Push C2: A Coordinated Attack System

These attacks are not isolated. According to a new BlackFog threat-intelligence report, the alerts originate from a sophisticated command-and-control framework called Matrix Push C2. The platform weaponizes browser permissions to deliver a continuous stream of deceptive alerts.

The system utilizes three key tactics:

• Push notifications engineered to imitate system-level warnings
• Fake security messages invoking well-known brands
• Redirect chains leading to professional-looking credential-harvesting pages

BlackFog researchers described the platform as one that “turns web browsers into an attack-delivery vehicle” by exploiting permission settings users rarely reevaluate.

A Week of Attacks That Don’t Look Like Attacks

The discovery of Matrix Push comes amid a series of stealth-based cyber incidents that reflect a changing threat model.

Earlier this week, analysts uncovered Sturnus, a new Android banking trojan capable of capturing encrypted instant-message content by grabbing it directly from the device’s screen. Researchers also highlighted the rise of clipboard-based attacks, where malicious actors quietly access and extract sensitive information from copy-and-paste operations.

Together, these cases point to an emerging trend: attackers are shifting toward misusing built-in system features—notifications, clipboards, on-screen data—rather than deploying traditional malware that antivirus tools can easily detect.

Push-notification phishing is especially dangerous because it embeds itself into a trusted visual space, making malicious alerts almost indistinguishable from genuine system warnings.

A Growing, Persistent Threat

Experts warn that these attacks will not fade anytime soon. Several realities make the threat durable:

1. Phishing remains the most effective cybercrime tactic.
2. Operating systems will continue to support notification systems that attackers can mimic.
3. Cybercriminals are refining platforms like Matrix Push C2 to increase sophistication and scale.

Blocking notifications entirely isn’t feasible for most users, and visually verifying each alert is unrealistic during daily device use. The challenge, researchers say, lies in balancing convenience with security—a tension attackers are exploiting with increasing precision.

As Black Friday and Cyber Monday approach, cybersecurity researchers are warning of a growing wave of holiday-themed scam websites designed to trick consumers into revealing payment information. These fraudulent online stores, engineered to mimic popular retail brands, are appearing at unprecedented scale, posing a serious risk to shoppers during the 2025 holiday season.

Industrialized Online Fraud

Researchers have identified over 2,000 new fraudulent domains in recent months, including typosquatted Amazon URLs and more than a thousand suspicious .shop sites impersonating major brands. Many of these domains were dormant for months before suddenly going live with full product catalogs, holiday graphics, and payment portals timed to coincide with peak online shopping traffic.

Scam sites use aggressive tactics to drive impulsive purchases, including flash banners, countdown timers, fake trust badges, and pop-ups warning that items are “almost sold out.” Analysts describe this as psychological manipulation designed to pressure shoppers into buying before evaluating risks.

Centralized Operations and Hidden Infrastructure

Evidence suggests these scams are centrally coordinated, rather than isolated incidents. Numerous malicious domains share identical servers, content delivery networks, and hosting providers, often behind services like Cloudflare that obscure the operators’ identities. Some domains even rely on the same assets—banners, product grids, and JavaScript files—reused across hundreds of sites.

Researchers describe the network as “industrialized fraud,” with automated storefront generation, repeated layouts, and cloned code allowing rapid deployment of new scam sites. Domain registration patterns reveal a surge in new .shop domains from obscure registrars, created just weeks before the shopping season.

How Scammers Monetize Data

Fraudsters route payment information entered by unsuspecting shoppers to shell merchant websites, often based overseas, which process transactions on behalf of the scammers. This allows them to bypass automated fraud detection systems, resulting in unauthorized withdrawals, identity theft, and financial losses. Because many sites operate through reverse-proxied infrastructure, law enforcement faces challenges in tracking and shutting down operators before they abandon the domains.

Exploiting Brand Trust

The .shop top-level domain has become a focal point for large-scale impersonation campaigns. Fake sites mimic established brands such as Apple, Samsung, Ray-Ban, and Dell, often using minor lexical variations like “box,” “sale,” or “lucky” to appear legitimate. Many of these sites reuse pre-designed scam kits, replicating layouts, slogans, and checkout frameworks across multiple domains.

Tips for Holiday Shoppers

Experts advise consumers to exercise caution this holiday season:

• Verify URLs: Only shop through official brand websites.
• Avoid unfamiliar domains: Be wary of new or suspicious-looking sites.
• Resist high-pressure tactics: Treat “limited stock” warnings or flash deals with skepticism.

With online shopping and cyber-fraud evolving in tandem, vigilance and awareness remain the best defenses against these sophisticated holiday scams.