The latest in a series of phishing scams uses a domain from the Palestinian ccTLD, .PS.
The domain http.PS is embedded in a link to hide the actual domain and make it look like a typical web prefix, such as “https.”
The threat actors are taking advantage of the fact that since Google Chrome version 76, the “https” part and special-case subdomain “www” are no longer shown to users, according to Malwarebytes.
What happens next: the phishing campaign downloads a JavaScript skimmer file that records keystrokes and uploads credit card data to a scammer’s remote server.
It appears that Russian scammers are behind this campaign, which also involves the domain autocapital.pw under the same IP address.
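A defender-side check for the lookalike-prefix trick described above, as an added example that is not from Malwarebytes or the original article: it flags script or link URLs whose hostname contains a label imitating a URL prefix. The label list, function names and sample paths are assumptions constructed for illustration; only the host http.ps comes from the article.

```python
import re
from urllib.parse import urlsplit

# Hostname labels that read like a URL prefix (assumed list, extend as needed).
PREFIX_LIKE = {"http", "https", "www"}
HAS_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def scheme_like_labels(url):
    """Return hostname labels that imitate a URL prefix, or [] if none.

    A leading "www" on a longer hostname (www.example.com) is normal and
    ignored; "www" as the registered name itself is reported.
    """
    # Script tags often use scheme-relative ("//host/x.js") or bare
    # ("host/x.js") references; normalise so urlsplit can find the host.
    if url.startswith("//"):
        url = "https:" + url
    elif not HAS_SCHEME.match(url):
        url = "https://" + url
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return []
    labels = host.split(".") if host else []
    hits = []
    for i, label in enumerate(labels):
        if label not in PREFIX_LIKE:
            continue
        if label == "www" and i == 0 and len(labels) > 2:
            continue  # ordinary www.example.com
        hits.append(label)
    return hits


def flag_urls(urls):
    """Return (url, hits) pairs for every URL with a prefix-like label."""
    return [(u, hits) for u in urls if (hits := scheme_like_labels(u))]


# Constructed sample references; only the host http.ps is from the article.
SAMPLES = [
    "https://http.ps/assets/checkout.js",
    "//http.ps/assets/checkout.js",
    "https://www.example.com/js/app.js",
    "https://cdn.example.net/lib.js",
]

if __name__ == "__main__":
    for url, hits in flag_urls(SAMPLES):
        print(f"suspicious label(s) {hits} in {url}")
```

Run it over the script sources and outbound links extracted from page templates or proxy logs; a hit is a prompt for review, not proof of compromise.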