Closed Trainax closed 2 years ago
@Trainax please provide specific URLs. The first redirects to Google even when I VPN to Italy or the US, and the second one is blank. Maybe the attackers took them down?
Here are the screenshots my friend made
The SMS he received
After clicking the link in the SMS this page opened
I got redirected to hxxpx[:]//corriertt.parceldlvr[.]xyz/lmed/it/clstrack/?p=100&uclick=u3ftdu&uclickhash=u3ftdu-u3ftdu-k2-0-x9-fnwj-he6o-fa03b0. Can you add that?
Also, I think, based on the URL, that avomas.me might be some kind of URL shortener.
The end was https://choicemonitor.top/register/8p/cc/index.php?affiliate_id=30__&cid=61cb2b7d66619c0001abdb8a but who knows? That could be legit.
> I got redirected to hxxpx[:]//corriertt.parceldlvr[.]xyz/lmed/it/clstrack/?p=100&uclick=u3ftdu&uclickhash=u3ftdu-u3ftdu-k2-0-x9-fnwj-he6o-fa03b0. Can you add that?
Sure, I will add it to my list in the first comment
> Also, I think, based on the URL, that avomas.me might be some kind of URL shortener.
It might be. I don't know. I inserted it in my first comment because I thought it was the website used specifically for this. I will remove it for now.
> The end was https://choicemonitor.top/register/8p/cc/index.php?affiliate_id=30__&cid=61cb2b7d66619c0001abdb8a but who knows? That could be legit.
I have searched and found this article in Italian which says that website is a smishing attempt. In the article screenshot there is what looks like the same webpage but with a different domain, so I think the website I linked earlier could also be the same thing.
Yep, now that I look into it, it seems to be a trial version of a payment gateway hosted on the scammer's domain. Thanks @Trainax
Do you think I should also add choicemonitor.top to my list in the first comment?
I think yes, but I'm no expert. I am working on reporting it for abuse, so I hope it will soon be down (though some abuse teams take months to reply).
I have added it to my add request list for now.
Thanks @iam-py-test and have a nice day!
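The exchange above reports the redirect chain with defanged URLs (hxxpx[:]//, [.]) and keeps asking whether a given host is already covered by the add request. The script below is an added example, not code from this issue or from the blocklistproject repository: it refangs URLs written the way this thread writes them, extracts the host, and checks it against the domains reported in this issue using subdomain-aware matching, so a host under a listed domain is caught while the parent of a listed subdomain (preview-domain.com) is not. REPORTED_DOMAINS is copied from the issue's add request; the function names and the www./example.com inputs are my own constructed additions.

```python
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Domains copied from the "URL you wish to be added" field of this issue.
REPORTED_DOMAINS = [
    "trackital.checkposttt.top",
    "corriertt.parceldlvr.xyz",
    "choicemonitor.top",
    "hellothere.shop",
    "jt2v.com",
    "loratech.pe",
    "aranu.ir",
    "realestatemashahir.ir",
    "conv-alida-recapiro-com.preview-domain.com",
    "ufesif.com",
    "disordsnltros.gifts",
]


def refang(url: str) -> str:
    """Undo the defanging used in this thread: hxxp/hxxps/hxxpx -> http/https, [:] -> :, [.] -> '.'."""
    url = url.strip()
    m = re.match(r"hxxp([sx])?", url, flags=re.IGNORECASE)
    if m:
        url = ("https" if m.group(1) else "http") + url[m.end():]
    return url.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".")


def host_of(url: str) -> Optional[str]:
    """Lower-cased hostname of a (possibly defanged, possibly scheme-less) URL, or None."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url  # urlsplit only recognises the netloc when a scheme is present
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def is_blocked(host: str, blocklist) -> bool:
    """True if host itself or any parent domain is listed (hosts-file semantics with subdomains)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def check_url(url: str, blocklist=frozenset(REPORTED_DOMAINS)) -> Tuple[Optional[str], bool]:
    """Resolve a URL to its host and say whether the list covers it."""
    host = host_of(url)
    return host, bool(host) and is_blocked(host, blocklist)


def hosts_file_lines(domains: Iterable[str]) -> List[str]:
    """Render domains as sorted, de-duplicated hosts-file entries (0.0.0.0 sinkhole)."""
    clean = {host_of(d) for d in domains}
    clean.discard(None)
    return [f"0.0.0.0 {d}" for d in sorted(clean)]


if __name__ == "__main__":
    # URLs quoted in this issue (the first defanged exactly as in the thread) plus one constructed control.
    for url in [
        "hxxpx[:]//corriertt.parceldlvr[.]xyz/lmed/it/clstrack/?p=100&uclick=u3ftdu",
        "hellothere.shop/a/OUevEKzLtg2P7xAs",
        "https://choicemonitor.top/register/8p/cc/index.php?affiliate_id=30__",
        "https://www.example.com/",  # constructed, not from the thread
    ]:
        host, blocked = check_url(url)
        print(f"{'BLOCKED' if blocked else 'allowed'}  {host}")
    print("\n".join(hosts_file_lines(REPORTED_DOMAINS)))
```

The match walks the host's labels from the left, so `www.choicemonitor.top` is caught by the `choicemonitor.top` entry, but `preview-domain.com` is not caught by the `conv-alida-recapiro-com.preview-domain.com` entry; that asymmetry is what keeps a shared hosting provider off the list when only one customer subdomain is abused.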
Hey, nice conversation you had... I come to think of phishing rather than scam, one of same, but phishing will request some personal info; so what would happen if you click the "monitora il tuo ordine"? Will it start requesting information?
> Hey, nice conversation you had... I come to think of phishing rather than scam, one of same, but phishing will request some personal info; so what would happen if you click the "monitora il tuo ordine"? Will it start requesting information?
I think phishing is a type of scam, but I'm not sure. I just said scammer as "phisher" just sounds wrong to me. It does request information though (payment info).
Well, according to the old guy's (the 90s) definition and Wikipedia, the short version of the differences is:
Scam is trying to convince you to buy something that isn't real, like a car that does not exist.
Phishing is when they are disguising themselves as a nice car, like a nice new BMW 7M, while the car in fact is an old Fiat 500.
What they have in common is to hustle money, but in two different ways.
| BMW | FIAT |
|---|---|
PS: The reason I caught this is I have seen similar patterns in https://github.com/mitchellkrogza/phishing
> So what would happen if you click the "monitora il tuo ordine"?
My friend said that after clicking the button a web page opened which showed the package was being held at the distribution center and the website was asking for money to unlock the package from the distribution center and allow the delivery.
I modified my first comment to add another domain and change the list from scam to phishing.
The new domain seems dead:
@iam-py-test that is only a temporary "down" message; I have added it to https://github.com/mitchellkrogza/phishing so I think it will be marked as suspected phishing later by Cloudflare.
Thanks @Trainax for reporting these and spending the time to investigate this case, and also a HUGE thanks to your friend for taking those awesome screenshots for documentation. It is for sure people like you who make our time well spent on maintaining these blacklists, no matter whose project it is.
I would like to add another domain. Yesterday I received an SMS telling me I have left some articles in the shopping cart of an online shop I've never heard of before, and I think this is also phishing.
Here's the screenshot of the message I received.
Translation:
My name with "OMG" at the end, you have left some articles in the shopping cart! link <3
I think it is phishing because there is <3 at the end of the message and because searching "hellothere shop" on Google doesn't bring that domain up.
Probably a phish too:
> Probably a phish too:

Currently the attached code (URL) hellothere.shop/a/OUevEKzLtg2P7xAs redirects to the ~Spyware domain google.
Is that the end destination for the above link, @iam-py-test? Or is it an entirely new case? (choicemonitor.top - 403 Forbidden, smells like a phishing site)
Yep, dead. Maybe they are watching for references??
> Yep, dead.

Should I understand this as you can't reproduce choicemonitor.top?
> Maybe they are watching for references??
Many of those phishing URLs only have a few shorts in them to avoid being detected / confirmed; that's among the reasons why my issue template requires some proof, and a screenshot is a powerful one :smirk: :wink:
I can't investigate further right now as I'm busy doing something else.
Happy New Year everyone!
Since we are doing this, I would like to also add other domains which were in other SMS messages I have received.
First SMS
Translation
Second warning: name, we have tried to get in touch with you for your gift of AMAZON-PRIME. To request it follow this link: link
Second SMS
Translation
Shipment from DPDgroup in stock. To manage the redelivery: link
Third SMS
Translation
Dear customer, we have just shipped your order n. Q769767. Track your shipment here: link
Fourth SMS
Translation
My name, your package will be returned! Last chance to confirm: link
Fifth SMS
This SMS pretends to be from a bank
Translation
Bank name Dear customer, there is an anomaly with your bank account, we invite you to verify at the following link: link
Sixth SMS
Translation
Your package has been held at our distribution center. Please follow the instructions here: link
As you can see, some of these SMS messages were sent some time ago, so I don't know if the domains are still active. I've added them to my add request for now, but if they have been deactivated in the meantime I will remove them.
Damned, have been reconsidering a new phone number :open_mouth:
Usually I would say each of these is a new issue (my policy), and I for sure embrace these reports nonetheless.
jt2v.com (DEAD)

> Usually I would say each of these is a new issue (my policy), and I for sure embrace these reports nonetheless.
I too would consider opening one issue for each domain; however, every domain except hellothere.shop, conv-alida-recapiro-com.preview-domain.com, disordsnltros.gifts and maybe jt2v.com is about a package being held or similar, so I thought about grouping them.
Do you think I should move those domains to a separate issue?
The second one just returned a 404 for me, but is detected by 3 engines: https://www.virustotal.com/gui/url/b45f9e872da1341bf0675e1d3666177b101e591c5ed5b35845159a01d3e54f4e
Third is also a 404 and VT clean.
Four has been taken down and is detected by MS.
Five returns a 404 but is detected by 4 engines: https://www.virustotal.com/gui/url/e1742ef8efd269542f57adfc1f81231518c757ffdf94aa3397631ce67786f4f6
Six is online and phishing, though detected by MS and two engines (https://www.virustotal.com/gui/url/7b6b75d77e0734f35b6c5ec4a94b21bb178ed5e6804f895089da848bb07f0531?nocache=1). Other domains include italtrack.checkitemtt.top and choicemonitor.top.
> Do you think I should move those domains to a separate issue?

Next time :smile: Now it is done and, as far as I know, nobody died.
@iam-py-test first, second, third etc.: could you write the domain/URL instead? It becomes impossible to decode and follow your answer.
And what was the real answer to choicemonitor.top? Is it an independent phishing domain that should be blacklisted as phishing, or is it an innocent real payment gateway abused by scammers?
> @iam-py-test first, second, third etc.: could you write the domain/URL instead? It becomes impossible to decode and follow your answer.
I meant relating to the OP's comment https://github.com/blocklistproject/Lists/issues/600#issuecomment-1003527561.
> And what was the real answer to choicemonitor.top? Is it an independent phishing domain that should be blacklisted as phishing, or is it an innocent real payment gateway abused by scammers?
No idea. I reached out to the owners, but, due to New Year's, I have received no response.
Super, putting it on hold until you ping back.
Hello everyone. Two weeks have gone by. Are there any updates on this?
Can we close this issue with a PR?
> Hello everyone. Two weeks have gone by. Are there any updates on this?
> Can we close this issue with a PR?
It doesn't matter if @cryptogap @blocklistproject don't check this repo; @fishcharlie, maybe you can handle it instead?
I'll look at this later today.
Thanks @fishcharlie
URL you wish to be added:
trackital.checkposttt.top
corriertt.parceldlvr.xyz
choicemonitor.top
hellothere.shop
=> See https://github.com/blocklistproject/Lists/issues/600#issuecomment-1003392878
jt2v.com
loratech.pe
aranu.ir
realestatemashahir.ir
conv-alida-recapiro-com.preview-domain.com
ufesif.com
disordsnltros.gifts
=> This is a domain I saw today in one of the Discord servers I moderate. It was spammed by a user in different channels on the server and the message said it was for free Nitro.
Why you believe this should be added: The domains which don't have a comment on the right are used to scam people with the "your package has been held" SMS scam. These domains were inside SMS messages which were sent to my friend or me.
Add to list: phishing
Other info you think we should know:
The SMS said (translated from Italian):