Possibly uncovering a domain spoofing scheme targeting major real estate brands — looking for guidance

Hi all,

I’ve come across what might be a coordinated domain spoofing or redirect scheme affecting multiple large companies in the real estate and homebuilding industry — including portals, brokerages, and mortgage players.

This started when I noticed strange traffic behavior involving my own business, which led me to uncover several domains mimicking major industry brands or just lots of spoofed domains sitting on the same exact IP clusters. Many redirect to real corporate login pages or appear to impersonate internal tools. There are common patterns in the hosting, certificate issuance, and timing of activity.

I’m not in security myself, but I’ve spent weeks documenting some overlapping infrastructure and a suspicious use of subdomains that feel too calculated to be random. It even gave the appearance that my own business might be involved, and I was actually accused of trademark infringement and cybersquatting, which I was not doing… which is what pushed me to dig further — and it’s led to some disturbing connections.

—Why I’m posting:

I’m not looking for a bug bounty or financial reward — just someone more technical to take a quick look and let me know:

  • Is this something real, or am I chasing shadows?
  • If real, how should I package this to responsibly disclose to the companies affected?
  • Is there value in escalating this to a broader group, or a formal watchdog?

I’ll gladly share more with anyone willing to take a deeper look (happy to move to email or another secure channel). This may be nothing, but if it’s something — it could be impacting thousands of agents, consumers, or employees who trust these brands.

Thanks for your time.