
How Cybercriminals Turn Your Search Queries Into Payment Fraud

Cybercriminals now use SEO poisoning to bypass email defenses. Discover the evasive tactics behind payment gateway fraud and how to stop them.

Cybercriminals are changing their tactics. They no longer rely on email to steal credentials or intercept funds. Instead, threat actors use SEO poisoning to place fake payment portals at the top of search engine results.

SEO poisoning is a strategy that tricks users into clicking malicious links during routine transactions. Fraudsters place fake pages at the top of search engine results to deceive users. Users see these links in Google results and click them with high confidence.

The attackers back these operations with highly evasive infrastructure to avoid detection and takedowns.

This blog breaks down a massive, active payment gateway fraud operation. We explore the initial discovery, the infrastructure tactics, and how organizations can defend their networks against this evolving threat.

Quick Facts: SEO Poisoning and Payment Gateway Fraud

  • Bypassing security controls: Attackers manipulate search engine algorithms to place malicious links at the top of user search results. This bypasses normal security controls, such as email defenses.
  • Replicating legitimate portals: Fraudsters build exact replicas of trusted utility and financial websites to steal user data.
  • Detection evasion: Threat actors use resilient hosting providers and constantly rotate IP addresses to avoid security blocklists.
  • Intercepting funds: The campaign steals money by funneling user transactions through mass payment networks like PSE and Bre-B.

How Was the Payment Fraud Campaign Discovered?

In mid-May 2026, Open Source Intelligence (OSINT) and regional press in Colombia reported an aggressive phishing campaign. It targeted customers of the energy company Air-e. The initial vector was the domain airepagos[.]st, which was a high-fidelity replica of the company’s legitimate payment portal.

The attacker did not rely on email; instead, they positioned the fraudulent site at the top of Google search results. This tactic allowed them to intercept user payment intent directly.

Air-e deployed a containment campaign on its official channels. They reiterated that their authorized payment gateway operates exclusively at air-e.com. However, the media exposure of this domain was just the surface of a nationwide payment gateway fraud operation.

The initial investigation focused on the passive DNS history of the suspicious domain. Telemetry indicates that airepagos[.]st has a highly volatile hosting infrastructure. It has resolved to at least five different IP addresses associated with various providers since December 2025.

This rotation pattern is a clear indicator of malicious activity. Legitimate services maintain stable infrastructure, so constant migration is a characteristic of active campaigns seeking to evade mitigation and blocklists. This highlights the critical importance of active DNS traffic monitoring.

How Does the Fraudulent Attack Anatomy Expose Victims?

The most critical feature of this operation is its reliance on SEO poisoning instead of email. Attackers fraudulently index their replica websites to intercept users performing routine transactional searches. This vector shift neutralizes email security controls and moves the attack directly into the user’s browsing session.

The effectiveness of this tactic is evident when analyzing search behavior for the fake airepagos[.]st domain. A basic search yields the legitimate site in the first position and the attacking site in the third.

This lower position actually favors the attacker due to ad blindness. Users tend to ignore the first results because they assume they are sponsored links. They trust and click the options slightly further down and fall directly into the malicious infrastructure.

The victim’s interaction flow within the malicious infrastructure reveals a highly standardized fraud architecture. The data and capital exfiltration process divides into specific operational phases:

Phase 1: The victim finds a panel requesting their contract number and a payment button.

Phase 2: The initial interface captures the contract number and displays a form collecting Personally Identifiable Information (PII). A key behavioral indicator of compromise is the lack of connection to real databases. The attacker imposes a pre-established charge amount to force a high-value theft.

Phase 3: The victim encounters a terms and conditions section before the payment button. These act as security placebos. They are dead hyperlinks that exploit the average user’s lack of verification to add a false layer of institutional legitimacy.

Phase 4: A key redirection occurs while the user waits for payment processing. The psebre-b[.]st site appears. This domain name generates trust by referencing legitimate payment gateways. The redirection URL contains attacker-preset parameters.

Phase 5: The user reaches the centralized fraudulent payment gateway. The panel offers a QR code with a five-minute expiration timer to induce urgency. It includes simulated tutorials to facilitate the fraud conversion.

Phase 6: After pressing the payment confirmation button, a generic message appears stating the payment is received but may take up to 24 hours to reflect. This behavior is inconsistent with legitimate instant payments. The flow is designed to make the victim transfer funds to an attacker-controlled account and wait. This gives the attacker time before the victim gets suspicious.

The analysis confirmed that psebre-b[.]st acts as the universal monetization funnel for all active campaigns.

What Does the Threat Infrastructure Look Like?

The current infrastructure relies on aggressive tactical evasion and bulletproof hosting to maintain a multi-platform phishing factory.

Our investigation on Lumu Maltiverse targeted the current IP address hosting the domain, 193.143.1[.]226, which belongs to AS 198953 (Proton66 OOO). This provider is extensively documented as bulletproof hosting: infrastructure specifically designed to host malicious operations without being taken offline.

Reviewing the passive DNS of this address revealed the true scope of the threat. The query returned 68 records. More than 30 active .st domains stood out among them. Attackers use the same IP to impersonate energy companies, water services, financial institutions, and insurance companies. They direct victims to fake mass payment portals like PSE and Bre-B.

Most alarmingly, these are not simple parked domains or inactive pages waiting for use. They are fully functional and operational phishing portals.

The cybercriminals designed exact replicas of legitimate sites to deceive users. For example, active clones of the payment portals of Enel, a Colombian energy supplier (web.pagos-enel[.]st), and of the Bogotá water utility Acueducto (pagos-acueducto[.]st) were detected.

Inspecting the current infrastructure helps us understand the attackers’ technical workflow. We detected servers in a staging phase, which are available for use but do not yet deploy the fraud.

An example is the es.suranlinea[.]st subdomain. During our review, it only responded with the default CyberPanel installation page. This confirms the network builds its infrastructure foundation long before launching the final attack.

The campaign exhibits an aggressive tactical evasion pattern for hosting management where each IP rotation lands in a different Autonomous System Number (ASN). They always choose providers documented for their tolerance of such campaigns. Despite these constant jumps to erase their tracks, domain traceability confirms this is the same continuous threat actor.

The technical evidence clearly links these separate operations to a single group. Critical domains like airepagos[.]st have registered resolution across these four infrastructures over seven uninterrupted months. Even domains from initial campaigns resolve to their most recent main server today.

How Did the Campaign Evolve Over Time?

Consolidating passive DNS with domain registration dates reveals a highly professionalized operation that escalated from public utilities to the financial sector over seven months.

Analyzing the historical IPs of the initial domain provided the key to mapping the operation retroactively. The address immediately preceding the current one was 45.153.34[.]157. This is associated with AS 51396, Pfcloud UG. This IP functioned as short-lived transitional infrastructure, active for about ten days in mid-May 2026. During that period, the attackers hosted their known public utility impersonation network and added new victims to their arsenal, such as Las Ceibas.

Moving one link further back identified the address 192.109.200[.]115 (AS 197170, TechTies Inc.). This hosted the operation between March and April 2026. This period shows a clear evolution in the attacker’s tactics. They implemented highly deceptive naming patterns, including caribesol-facture[.]st and caribemar-facture-co[.]st. These replicate the official portals of recognized companies like Air-e and Afinia. They also added subdomains to give their fraudulent infrastructure a false appearance of institutional complexity.

In April 2026, the operation diversified its targets. It moved beyond public utilities for the first time to impersonate financial and insurance entities like Sufi, Finesa, and Sura. The attackers integrated advanced visual deceptions to compromise these new targets.

A notable attack targeted Sura’s insurance sales channel using typosquatting (deliberately omitting a letter to deceive users). An example is suranlinea[.]st instead of the legitimate suraenlinea.com. We also discovered a classic homoglyph attack on this infrastructure. The domain tiendacolornbia[.]com uses the combination of the letters r and n to bypass the human eye and masquerade as the letter m.
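A defender-side check for the two naming tricks just described (a dropped letter and the "rn" for "m" homoglyph), added here as an illustration; it is not code from the original post or from Lumu's tooling. The protected-brand watchlist is constructed, and the legitimate counterpart of tiendacolornbia[.]com is assumed to be tiendacolombia.com, which the post does not state.

```python
from typing import Optional, Tuple

# Constructed watchlist of protected brands: registrable label -> legitimate site.
# The counterpart of tiendacolornbia[.]com is assumed; the post does not name it.
PROTECTED_LABELS = {
    "suraenlinea": "suraenlinea.com",
    "tiendacolombia": "tiendacolombia.com",
}

# Letter sequences that read as a single letter at a glance ("rn" looks like "m").
HOMOGLYPH_PAIRS = {"rn": "m", "vv": "w"}


def registrable_label(fqdn: str) -> str:
    """Second-level label of a (possibly defanged) hostname, e.g. 'finesa' for es[.]finesa[.]st."""
    parts = fqdn.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_homoglyphs(label: str) -> str:
    """Collapse look-alike sequences so 'tiendacolornbia' folds to 'tiendacolombia'."""
    for seq, letter in HOMOGLYPH_PAIRS.items():
        label = label.replace(seq, letter)
    return label


def is_single_omission(candidate: str, target: str) -> bool:
    """True when candidate is target with exactly one letter dropped ('suranlinea')."""
    if len(candidate) != len(target) - 1:
        return False
    return any(target[:i] + target[i + 1:] == candidate for i in range(len(target)))


def classify(fqdn: str) -> Optional[Tuple[str, str]]:
    """Return (technique, impersonated_site) for a lookalike domain, or None."""
    label = registrable_label(fqdn)
    for brand, site in PROTECTED_LABELS.items():
        if label == brand:
            return None  # the legitimate label itself is not a lookalike
        if fold_homoglyphs(label) == brand:
            return ("homoglyph", site)
        if is_single_omission(label, brand):
            return ("typosquat-omission", site)
    return None
```

Run classify() over the registrable labels seen in DNS query logs; subdomain prefixes such as es. and web. are stripped before matching.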

The oldest identified infrastructure was 91.92.241[.]197 (AS 202412, Omegatech LTD). The first observed resolutions date back to November 2025. These were epmpagarfactura[.]st and afiniapagarfactura[.]st. Within weeks, this infrastructure hosted fake portals for national utility companies across major cities.

Consolidating the passive DNS of the infrastructures with domain registration dates outlines the entire operation from end to end. Three key readings emerge from this data:

Industrial cadence: The continuous registration of new domains over seven consecutive months reveals a high degree of professionalization. This is not a short-term opportunistic campaign; it is an operation with a well-established lifecycle designed to function continuously on an industrial scale.

Strategic target expansion: The campaign shows a clear escalation in ambition. While monetization has always been present, the scope in companies and industries has diversified. It began by attacking the public utilities sector in November 2025. It escalated to financial and insurance entities in April 2026. By May, it targeted the real-estate sector. Also, the monetization model has evolved. The attacker found it is more profitable to impersonate the convergence point of money. This means targeting the central payment hub (in Colombia that is the PSE system and Bre-B) instead of individual companies.

Fast weaponization and hibernation: Analyzing deployment times reveals the attacker’s operational mechanics. They acquire the domain and activate it almost instantly. The pagarbienco[.]st case shows resolution on the exact same day of registration. However, they also intentionally hibernate domains. Key targets like finesa[.]st waited about a month before activation. The aguasyaguaspse[.]st domain remained in reserve for three months. This confirms a critical threat intelligence alert. The criminal network manages an inventory of fraudulent domains ready to rotate when the operation requires it.
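The passive DNS reasoning used in this post (IP rotation across ASNs as an evasion indicator, the shared-server pivot that exposed sibling portals, and the registration-to-activation dormancy just discussed), carried through as an added Python example. This is illustrative code, not the post's or Lumu's analysis tooling; the IPs and ASNs are the four hops the post names, but the sample records and registration dates are constructed and only approximate the post's description.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple


class PdnsRecord(NamedTuple):
    domain: str
    ip: str
    asn: int
    first_seen: date


# Constructed passive DNS sample: the IPs and ASNs are the four hosting hops
# the post describes, but the dates are illustrative, not measured values.
PDNS: List[PdnsRecord] = [
    PdnsRecord("airepagos[.]st", "91.92.241[.]197", 202412, date(2025, 12, 3)),
    PdnsRecord("airepagos[.]st", "192.109.200[.]115", 197170, date(2026, 3, 1)),
    PdnsRecord("airepagos[.]st", "45.153.34[.]157", 51396, date(2026, 5, 8)),
    PdnsRecord("airepagos[.]st", "193.143.1[.]226", 198953, date(2026, 5, 19)),
    PdnsRecord("pagarbienco[.]st", "193.143.1[.]226", 198953, date(2026, 5, 20)),
    PdnsRecord("finesa[.]st", "192.109.200[.]115", 197170, date(2026, 4, 6)),
    PdnsRecord("aguasyaguaspse[.]st", "45.153.34[.]157", 51396, date(2026, 5, 9)),
]

# Constructed registration dates (illustrative WHOIS-style values).
REGISTERED: Dict[str, date] = {
    "airepagos[.]st": date(2025, 12, 1),
    "pagarbienco[.]st": date(2026, 5, 20),
    "finesa[.]st": date(2026, 3, 6),
    "aguasyaguaspse[.]st": date(2026, 2, 8),
}


def rotation_profile(records):
    """Count the distinct IPs and distinct ASNs each domain has resolved to."""
    ips, asns = defaultdict(set), defaultdict(set)
    for r in records:
        ips[r.domain].add(r.ip)
        asns[r.domain].add(r.asn)
    return {d: {"ips": len(ips[d]), "asns": len(asns[d])} for d in ips}


def flag_rotating(records, min_asns=3):
    """Domains that hopped across >= min_asns autonomous systems (the evasion pattern)."""
    return sorted(d for d, p in rotation_profile(records).items() if p["asns"] >= min_asns)


def dormancy_days(records, registered):
    """Days from registration to first resolution: 0 = same-day use, large = held in reserve."""
    first = {}
    for r in records:
        first[r.domain] = min(first.get(r.domain, r.first_seen), r.first_seen)
    return {d: (first[d] - registered[d]).days for d in first if d in registered}


def shared_server_pivot(records, ip):
    """Every domain that ever resolved to ip: the passive DNS pivot exposing sibling portals."""
    return sorted({r.domain for r in records if r.ip == ip})
```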

Which TTPs Define the Campaign?

We summarized the Tactics, Techniques, and Procedures (TTPs) observed throughout the operation. The entire attack flow maps directly to the MITRE ATT&CK framework.

| Tactic | ID | Official MITRE ATT&CK Technique | Campaign Specifics |
|---|---|---|---|
| Reconnaissance | T1589 | Gather Victim Identity Information | PII Collection |
| Reconnaissance | T1592 | Gather Victim Organization Information | Business Identification |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Intensive use |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Bulletproof server leasing |
| Resource Development | T1587.002 | Develop Capabilities: Code Signing Certificates | Operational Scripts: Automated configuration |
| Resource Development | T1587.003 | Develop Capabilities: Digital Certificates | Code Signing Certificates: Mass use |
| Initial Access | T1189 | Drive-by Compromise | Primary Vector |
| Initial Access | T1566 | Phishing | Non-traditional non-interactional variant |
| Initial Access | T1204.001 | User Execution: Malicious Link | Click on Google search results |
| Defense Evasion | T1027 | Obfuscated Files or Information | Subdomains |
| Defense Evasion | T1036 | Masquerading | Legitimate brands |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling security tools |
| Credential Access | T1557.003 | Adversary-in-the-Middle (AiTM) | Web Portal Compromise: High-fidelity cloning |
| Credential Access | T1056.001 | Input Capture: Keylogging | Portal functionality |
| Collection | T1111 | Multi-Factor Authentication Interception | Cloned portal |
| Collection | T1005 | Data from Local System | PII Capture |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data transmission |
| Impact | T1657 | Financial Theft | Ultimate Goal |
| Impact | T1480 | Execution Guardrails | Condition-Dependent Impact: "Wait 24 hours" message |

What Are the Recommendations for Defense?

Organizations must defend against this threat by combining continuous network monitoring with proactive threat intelligence. The May incident exposed a massive seven-month operation rather than an isolated fake page. This operation succeeds because a single threat actor hibernates over 50 fraudulent domains to render traditional blocklists useless. Security teams must evolve their defensive postures to counter this specific evasion tactic.

IP addresses are disposable in this campaign. However, domains survive the constant infrastructure jumps. This makes continuous network evaluation and DNS query monitoring essential. Organizations must automate their defenses to ensure no user interacts with indexed malicious links.

Security teams should adopt the following strategies:

  • Monitor DNS traffic continuously: Organizations must analyze network metadata to catch evasive infrastructure routing before a connection completes. Lumu Defender achieves this by monitoring DNS queries in real time.
  • Leverage Actionable Threat Intelligence: Defending against rotating infrastructure requires highly curated indicators of compromise. Maltiverse, Lumu's threat intelligence service, provides high-fidelity threat intelligence and continuously adds new IoCs as operations evolve.
  • Automate threat mitigation: Security teams need to block malicious requests the moment they occur to neutralize SEO poisoning vectors. Lumu Defender integrates directly with your existing stack to automate this exact response.

Ready to illuminate your network blind spots and stop payment gateway fraud? Explore the Lumu SecOps platform to start your continuous compromise assessment today.

List of IoCs

51 domains: 35 root + 16 subdomains (8 es. + 8 web.)


4 IP addresses:

  • 193.143.1[.]226 AS 198953 Proton66 OOO (May 2026 – Present)
  • 45.153.34[.]157 AS 51396 Pfcloud UG (May 2026)
  • 192.109.200[.]115 AS 197170 TechTies Inc. (Mar – Apr 2026)
  • 91.92.241[.]197 AS 202412 Omegatech LTD (Nov 2025 – Feb 2026)
