Inside the 2025 Energy Phishing Wave: Chevron, Conoco, PBF, Phillips 66
Summary:
According to a new report from Hunt[.]io Intelligence, critical sectors continue to be heavily impacted by phishing, and the US energy sector has become a significant target for large-scale phishing operations in 2025. The report highlights a sharp rise in fraudulent domains impersonating major brands such as Chevron, ConocoPhillips, PBF Energy, and Phillips 66 via cloned websites. According to Hunt[.]io phishing intelligence, 30 distinct global brands have been abused for impersonation by threat actors, and Hunt[.]io data shows over 1,465 phishing detections for malicious activity targeting the global energy sector in the past 12 months. This Hunt[.]io research has been narrowed in scope to focus on brands operating in the United States. Chevron specifically saw a massive increase in domains impersonating its legitimate website, jumping from 8 in 2024 to 158 in 2025. Many of these malicious sites were created with HTTrack, an open-source website copier that lets attackers rapidly replicate a legitimate site and insert malicious modifications, and they largely evade detection: half of the malicious domains in the report show low (approximately 5% on average) and inconsistent detection across security vendors on VirusTotal. Adversaries use the cloned sites to harvest credentials and financial data by embedding fraudulent ‘Login’ and ‘Register’ forms as lures.
The report provides specific examples of these phishing attacks against US-based companies. Chevron’s global recognition through its international operations makes the company a prime target, with fake domains like chevroncvxstocks[.]com and humanenergy-company[.]com.cargoxpressdelivery[.]com, which blend brand abuse with investment scam frameworks for credential harvesting. ConocoPhillips was also heavily targeted with domains like conocophillips[.]live and xn--conocopillips-2z0g[.]com, the latter using Punycode so that the displayed name resembles the real one. PBF Energy was impersonated by a site whose footer contained a link pointing to file:///C:/Do_Not_Scan/Working/Phishing/3/index.html, which suggests that the attackers developed the page locally in a Windows environment before deploying it. Phillips 66 was targeted by several undetected domains, including phillips66-carros[.]site. Attackers are using sophisticated methods, including reusing content and infrastructure across campaigns, to build a resilient and industrialized network for credential theft and financial fraud. The report concludes that these campaigns are not just about stealing credentials but also about financial fraud and eroding trust in major brands.
Security Officer Comments:
The Hunt[.]io Intelligence report reveals a concerning escalation in cyber threats targeting the U.S. energy sector. The sheer volume and sophistication of these phishing campaigns, particularly the use of difficult-to-detect, rapidly generated cloned sites, suggest that threat actor operations against US critical sectors are developing into more industrialized and highly scalable forms of fraud. The finding that many malicious domains go largely undetected by security vendors highlights the importance of organizations hunting for similar domains themselves rather than relying on vendor verdicts alone. This trend poses a severe risk not just to corporate data but also to the operational integrity of critical infrastructure.
Suggested Corrections:
IOCs are available here.
Suggested Correction Strategies from Hunt[.]io:
- Continuous Brand Domain Intelligence: Track new domains using favicon hashes, HTTrack comments, and title string matches (e.g., ‘Chevron Corporation - Human Energy’) to uncover clusters of look-alike sites.
- Registrar-Integrated Rapid Takedowns: Build escalation playbooks with registrars and hosting providers, automating abuse reports with evidence such as HTTrack artifacts and Hunt[.]io verdicts.
- Investor Portal Decoy Detection: Monitor for cloned ‘Investor Relations’ sections, exposed /investors/ directories, and HYIP-style stock portals that attackers used against Chevron and PBF Energy.
- IOC-Driven SIEM/SOAR Playbooks: Create rules for recurring artifacts such as Chevron’s favicon MD5, /inc/register path patterns, and HTTrack HTML comments, ensuring detection scales across cloned infrastructure.
- Account Access Hardening: Apply MFA and conditional access specifically on energy sector portals and investor platforms, where adversaries cloned login and register forms to harvest credentials.
- Artifact-Based Hunt Rules: Hunt proactively for HTTrack fingerprints, favicon hash reuse, fake investor portals (/investors/ directories), and HYIP-style templates that adversaries recycled across campaigns.
- Cross-Sector Intelligence Sharing: Collaborate with industry ISACs and global threat intelligence communities to stay ahead of attacker tactics.
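As an added illustration of the artifact-based hunting described in the strategies above and of the Punycode lookalike mentioned earlier (example code written for this summary, not Hunt[.]io's tooling), the Python below triages a constructed cloned-page sample for HTTrack comments, a copied brand title, /inc/register form paths and leftover file:/// links, and decodes an xn-- domain to flag labels that mix scripts. The sample HTML and the homograph domain are constructed, and KNOWN_TITLES is an assumed watchlist.

```python
import re
import unicodedata

# Constructed sample of a cloned page (not taken from the report): the banner
# comment HTTrack writes at the top of a mirrored file, its "Added by HTTrack"
# meta block, a copied brand title, a form posting to an /inc/register path
# and a footer link left pointing at a local file:/// path.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from www.example-brand.test/ by HTTrack Website Copier/3.x [XR&CO'2014] -->
<html><head>
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<title>Chevron Corporation - Human Energy</title></head>
<body><form action="/inc/register.php" method="post"></form>
<footer><a href="file:///C:/Do_Not_Scan/Working/Phishing/3/index.html">Home</a></footer>
</body></html>"""

# Assumed watchlist of title strings copied from legitimate brand sites.
KNOWN_TITLES = {"Chevron Corporation - Human Energy"}

# Constructed homograph (not from the report): the second letter is Cyrillic o (U+043E).
HOMOGRAPH_ASCII = "c\u043enocophillips.com".encode("idna").decode("ascii")


def triage_html(html, known_titles=KNOWN_TITLES):
    """Collect clone artifacts from one fetched page body."""
    title = re.search(r"<title>\s*(.*?)\s*</title>", html, re.I | re.S)
    return {
        # HTTrack leaves these comments in every mirrored file it writes.
        "httrack": re.findall(r"<!--\s*(Mirrored from .*?|Added by HTTrack)\s*-->", html, re.S),
        "title_hit": bool(title) and title.group(1) in known_titles,
        "local_file_links": re.findall(r"""href=["'](file:///[^"']+)""", html, re.I),
        "register_forms": re.findall(r"""action=["']([^"']*/inc/register[^"']*)""", html, re.I),
    }


def idn_check(domain):
    """Decode xn-- labels and flag names that mix Latin with another script."""
    unicode_name = domain.encode("ascii").decode("idna")
    # First word of the Unicode character name is its script, e.g. LATIN, CYRILLIC.
    scripts = {unicodedata.name(ch).split()[0] for ch in unicode_name if ch.isalpha()}
    return {"unicode": unicode_name, "mixed_script": len(scripts) > 1}


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
    print(HOMOGRAPH_ASCII, idn_check(HOMOGRAPH_ASCII))
```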
https://hunt.io/blog/us-energy-phishing-wave-report