A senior U.S. Secret Service official warned that weaknesses in the internet’s domain registration and governance model are being actively exploited to scale phishing and fraud, citing the ease with which attackers can register deceptive, brand-imitating domains and then force defenders into reactive, court-driven takedowns. The official argued that insufficient identity validation in domain registration and abuse concentration in certain networks (e.g., via ASNs) represent systemic gaps that enable business email compromise and link-based phishing campaigns across SMS and email.
Threat intelligence reporting on Canada-linked fraud activity illustrates how these domain-registration weaknesses translate into operational campaigns: attackers are using lookalike domains, SMS lures, and paid ads to drive victims to convincing fake portals impersonating PayBC, ServiceOntario, Canada Post, CRA, and Air Canada to steal credentials and payment data. CloudSEK attributed much of the activity to the “PayTool” phishing ecosystem, describing reusable phishing kits and shared infrastructure that can be rapidly rebranded and expanded from provincial payment portals into broader “Government of Canada” themed entry points. Separate coverage of Anguilla’s .ai domain boom is primarily economic/industry-focused and does not provide substantive security reporting tied to the phishing and domain-abuse problem described above.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
At the 2026 Identity, Authentication and the Road Ahead Policy Forum in Washington, D.C., U.S. Secret Service official Matt Noyes said weaknesses in the domain registration ecosystem are a major, under-addressed security flaw exploited for phishing, fraudulent advertising, and business email compromise. He urged more proactive action by major internet providers and platforms to reduce abuse.
CloudSEK reported multiple fraud clusters impersonating Canadian government and commercial services, including PayBC, ServiceOntario, Canada Post, the CRA, and Air Canada. The campaigns used SMS messages, online ads, and lookalike portals to steal personal, card, and banking information, with much of the activity linked to the PayTool phishing ecosystem.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecyberscoop.com
Open sourcecybersecuritynews.com
Open sourcespamhaus.org
Open sourcespamhaus.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.