The U.S. energy industry has become a prime target for large-scale phishing operations in 2025, according to new research from Hunt Intelligence. The report reveals a sharp increase in look-alike domains designed to impersonate major brands, with Chevron, ConocoPhillips, PBF Energy, and Phillips 66 bearing the brunt of the attacks.
As Hunt notes, “Phishing continues to hit critical industries hard, and in 2025 we’ve tracked a sharp rise in domains built to impersonate major U.S. energy companies.”
Hunt.io data shows growth in brand abuse across the sector:
- Over 1,465 phishing detections against the energy industry in the past year.
- Chevron alone faced 158 impersonating domains in 2025, up from just eight in 2024.
- Many malicious sites slip past detection, with only “1–9 of 94 flagging them, exposing gaps in detection systems.”
Attackers primarily use HTTrack-based cloning to replicate corporate websites, then inject fraudulent login or registration forms to harvest credentials and financial data.
Chevron’s global recognition makes it the most impersonated target. Hunt identified domains such as chevroncvxstocks[.]com and humanenergy-company.com.cargoxpressdelivery[.]com, both cloned with HTTrack and styled with the company’s slogan and favicon.
“The cloned site reproduced Chevron’s branding elements, including its official slogan ‘Human Energy’ and favicon… to strengthen the illusion of legitimacy.”
One of the fake portals even masqueraded as “Chev Corp Stocks”, blending a high-yield investment scam with credential harvesting. Hunt’s analysis revealed that “fraudulent ‘Register’ and ‘Login’ forms were configured to issue POST requests directly to the attacker-controlled server.”
ConocoPhillips was also heavily targeted, with domains like conocophillips.live and conocophils.com. Both were cloned from legitimate content but evaded most security engines.
“The domain conocophils.com was created 11 months ago, has a low detection score, with only 1 out of 94 security vendors flagging it as malicious.”
Another site, xn--conocopillips-2z0g.com, exploited punycode to mimic the company name, highlighting adversaries’ creative use of Unicode tricks to fool end users.
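For defenders triaging newly observed domains, the following added example (not code from the Hunt report) decodes punycode labels, folds them to an ASCII skeleton, and compares the result against a brand watchlist. The allowlist, the 0.85 similarity threshold, and the reason labels are assumptions made for this sketch; the sample domains are the ones quoted above.

```python
import difflib
import unicodedata

# Watchlist built from the brands named in the article; the allowlist of
# legitimate registrable domains is an assumption made for this example.
BRANDS = ["chevron", "conocophillips", "phillips66", "pbfenergy"]
LEGIT = {"chevron.com", "conocophillips.com", "phillips66.com", "pbfenergy.com"}


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- punycode."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label


def skeleton(text):
    """Fold to ASCII letters/digits: NFKD splits off diacritics, which are dropped.
    Non-decomposable homoglyphs (e.g. Cyrillic letters) are dropped, not mapped."""
    folded = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in folded if c.isascii() and c.isalnum())


def triage(domain, threshold=0.85):
    """Classify one (possibly defanged) domain against the brand watchlist."""
    host = domain.replace("[.]", ".").strip(".").lower()
    result = {"domain": host, "unicode": host, "brand": None, "reason": "no-match"}
    if host in LEGIT or any(host.endswith("." + d) for d in LEGIT):
        result["reason"] = "allowlisted"
        return result
    labels = [decode_label(part) for part in host.split(".")]
    result["unicode"] = ".".join(labels)
    for label in labels[:-1]:  # the TLD is not compared
        skel = skeleton(label)
        for brand in BRANDS:
            if skel == brand and label != brand:
                reason = "folded-match"    # equals the brand only after decoding/folding
            elif brand in skel:
                reason = "brand-embedded"  # brand string on an unlisted domain
            elif difflib.SequenceMatcher(None, skel, brand).ratio() >= threshold:
                reason = "near-match"      # typo-style variant
            else:
                continue
            result.update(brand=brand, reason=reason)
            return result
    return result
```

Calling `triage("xn--conocopillips-2z0g.com")` shows the label decoding to `conocopḥillips`, an `h` with a dot below standing in for the plain letter. Name matching of this kind misses lures whose hostname carries no brand string, so it complements page-content checks rather than replacing them.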
A single domain, advancedownloads[.]com, impersonated PBF Energy, using cloned branding while hiding evidence of development. Investigators found that attackers had staged the phishing kit locally:
“The footer contains a link pointing to file:///C:/Do_Not_Scan/Working/Phishing/3/index.html, which suggests that the attackers developed the page locally in a Windows environment before deploying it.”
Despite the operational slip, the fake site featured an advanced payload delivery system that assembled a malicious ZIP file through chunked Base64 code execution in the victim’s browser.
Phillips 66 was targeted with phillips66-carros[.]site, which mimicked the official site but escaped notice entirely. “VirusTotal analysis shows no security vendors flagged it as malicious out of 94, highlighting its ability to evade detection.”

Additional impersonating domains like phillips66shop[.]com and phillips66lubricants[.]ru further illustrate the industrial scale of the campaign.
Hunt researchers conclude that attackers are combining phishing with fraud in increasingly industrialized ways. “The content is recycled to scale… while the ‘Chev Corp Stocks’ HYIP template blends brand abuse with investment-fraud pretexts.”
Infrastructure is deliberately scattered across U.S. and European hosting providers, with operators reusing SSL certificates and server blocks to sustain campaigns while avoiding takedowns.
The Hunt Intelligence report underscores a growing trend: phishing against critical infrastructure isn’t just about credentials; it’s about fraud, persistence, and erosion of trust in global brands.
As the researchers warn, “The observed U.S.-focused phishing campaigns function as resilient cloning infrastructures by reusing artifacts, centralizing data exfiltration, and blending credential theft with financial fraud.”