blocklistproject / Lists

Primary Block Lists
The Unlicense

[Add request] - trackital.checkposttt.top & other domains #600

Closed Trainax closed 2 years ago

Trainax commented 2 years ago

URL you wish to be added:

Why you believe this should be added: The domains which don't have a comment on the right are used to scam people with the "your package has been held" SMS scam. These domains were inside SMS messages which were sent to my friend or me.

Add to list: phishing

Other info you think we should know:

The SMS said (translated from Italian):

Your package has been held at our shipping center. Please follow the instructions here:

iam-py-test commented 2 years ago

@Trainax please provide specific URLs. The first redirects to Google even when I VPN to Italy or the US, and the second one is blank. Maybe the attackers took them down?

Trainax commented 2 years ago

Here are the screenshots my friend made

The SMS he received

pacco_trattenuto_1

After clicking the link in the SMS this page opened

pacco_trattenuto_2

iam-py-test commented 2 years ago

I got redirected to hxxpx[:]//corriertt.parceldlvr[.]xyz/lmed/it/clstrack/?p=100&uclick=u3ftdu&uclickhash=u3ftdu-u3ftdu-k2-0-x9-fnwj-he6o-fa03b0. Can you add that? Also, I think, based on the URL, that avomas.me might be some kind of URL shortener. The end was https://choicemonitor.top/register/8p/cc/index.php?affiliate_id=30__&cid=61cb2b7d66619c0001abdb8a, but who knows? That could be legit.

Trainax commented 2 years ago

I got redirected to hxxpx[:]//corriertt.parceldlvr[.]xyz/lmed/it/clstrack/?p=100&uclick=u3ftdu&uclickhash=u3ftdu-u3ftdu-k2-0-x9-fnwj-he6o-fa03b0. Can you add that?

Sure, I will add it to my list in the first comment

Also, I think, based on the URL, that avomas.me might be some kind of URL shortener.

It might be. I don't know. I inserted it in my first comment because I thought it was the website used specifically for this. I will remove it for now.

The end was https://choicemonitor.top/register/8p/cc/index.php?affiliate_id=30__&cid=61cb2b7d66619c0001abdb8a, but who knows? That could be legit.

I have searched and found this article in Italian which says that website is a smishing attempt. In the article screenshot there is what looks to be the same webpage but with a different domain, so I think the website I linked earlier could also be the same thing.

iam-py-test commented 2 years ago

Yep, now that I look into it, it seems to be a trial version of a payment gateway hosted on the scammer's domain. Thanks @Trainax

Trainax commented 2 years ago

Do you think I should also add choicemonitor.top to my list in the first comment?

iam-py-test commented 2 years ago

I think yes, but I'm no expert. I am working on reporting it for abuse, so I hope it will soon be down (though some abuse teams take months to reply).

Trainax commented 2 years ago

I have added it to my add request list for now.

Thanks @iam-py-test and have a nice day!

spirillen commented 2 years ago

Hey, nice conversation you had... I come to think of phishing rather than scam; one and the same, but phishing will request some personal info. So what would happen if you click the "monitora il tuo ordine"?? Will it start requesting information?

iam-py-test commented 2 years ago

Hey, nice conversation you had... I come to think of phishing rather than scam; one and the same, but phishing will request some personal info. So what would happen if you click the "monitora il tuo ordine"?? Will it start requesting information?

I think phishing is a type of scam, but I'm not sure. I just said scammer as "phisher" just sounds wrong to me. It does request information though (payment info).

spirillen commented 2 years ago

Well, according to the old-guy (the 90's) definition and Wikipedia, the short version of the differences is:

A scam is trying to convince you to buy something that isn't real, like a car that does not exist.

Phishing is when they are disguising themselves like a nice car, like a nice new BMW 7M, while the car is in fact an old Fiat 500.

The common thing is to hustle money, but in two different ways.

BMW FIAT

PS: The reason I caught this is I have seen similar patterns in https://github.com/mitchellkrogza/phishing

Trainax commented 2 years ago

So what would happen if you click the "monitora il tuo ordine"?

My friend said that after clicking the button a web page opened which showed the package was being held at the distribution center and the website was asking for money to unlock the package from the distribution center and allow the delivery.

I modified my first comment to add another domain and modify the list from scam to phishing

iam-py-test commented 2 years ago

The new domain seems dead: image

spirillen commented 2 years ago

@iam-py-test that is only a temporary "down" message. I have added it to https://github.com/mitchellkrogza/phishing, so I think it will be marked as suspected phishing later by Cloudflare.

Thanks @Trainax for reporting these and spending the time to investigate this case, and also a HUGE thanks to your friend for taking those awesome screenshots for documentation. It is for sure people like you who make our time well spent on maintaining these blacklists, no matter whose project it is.

Note to self (@spirillen), own note:
- https://mypdns.org/my-privacy-dns/matrix/-/issues/4154
- https://mypdns.org/my-privacy-dns/matrix/-/issues/4155
- https://mypdns.org/my-privacy-dns/matrix/-/issues/4156
- https://mypdns.org/my-privacy-dns/matrix/-/issues/4157
- https://mypdns.org/my-privacy-dns/matrix/-/issues/4158

Trainax commented 2 years ago

I would like to add another domain. Yesterday I received an SMS telling me I have left some articles in the shopping cart of an online shop I've never heard of before, and I think this is also phishing.

Here's the screenshot of the message I received. articoli_carrello

Translation:

My name with "OMG" at the end, you have left some articles in the shopping cart! link <3

I think it is phishing because there is <3 at the end of the message and because searching "hellothere shop" on Google doesn't bring up that domain.

iam-py-test commented 2 years ago

Probably a phish too: image

spirillen commented 2 years ago

Probably a phish too: image

Currently the attached code (URL) hellothere.shop/a/OUevEKzLtg2P7xAs redirects to the ~Spyware domain google.

Is this the end destination for the above link @iam-py-test? Or is it an entirely new case? (choicemonitor.top - 403 Forbidden, smells like a phishing site)

iam-py-test commented 2 years ago

Yep, dead. Maybe they are watching for references??

spirillen commented 2 years ago

Yep, dead

Should I understand this as you can't reproduce choicemonitor.top?

Maybe they are watching for references??

Many of those phishing URLs only have a few shorts in them to avoid being detected / confirmed; that's among the reasons why my issue templates require some proof, and a screenshot is a powerful one :smirk: :wink:

iam-py-test commented 2 years ago

I can't investigate further right now as I'm busy doing something else.

Trainax commented 2 years ago

Happy New Year everyone!

Since we are doing this I would like to also add other domains which were in other SMS I have received.

First SMS

avviso_falso

Translation

Second warning: name, we have tried to get in touch with you for your gift of AMAZON-PRIME. To request it follow this link: link

Second SMS

immagine

Translation

Shipment from DPDgroup in stock. To manage the redelivery: link

Third SMS

immagine

Translation

Dear customer, we have just shipped your order n. Q769767. Track your shipment here: link

Fourth SMS

pacco_restituito

Translation

My name, your package will be returned! Last chance to confirm: link

Fifth SMS

sms falso banca

This SMS pretends to be from a bank

Translation

Bank name Dear customer, there is an anomaly with your bank account, we invite you to verify at the following link: link

Sixth SMS

immagine

Translation

Your package has been held at our distribution center. Please follow the instructions here: link


As you can see, some of these SMS were sent some time ago, so I don't know if the domains are still active. I've added them to my add request for now, but if they have been deactivated in the meantime I will remove them.

spirillen commented 2 years ago

Damned, I have been reconsidering a new phone number :open_mouth:

Usually I would say each of these is a new issue (my policy), and I for sure embrace these reports nonetheless.

Note to self (@spirillen), referrals:
- `aranu.ir` (https://mypdns.org/my-privacy-dns/matrix/-/issues/4167)
- `preview-domain.com` (https://mypdns.org/my-privacy-dns/matrix/-/issues/4168)
- `ufesif.com` (https://mypdns.org/my-privacy-dns/matrix/-/issues/4169)
- `loratech.pe` (https://mypdns.org/my-privacy-dns/matrix/-/issues/4170)
- `realestatemashahir.ir` (https://mypdns.org/my-privacy-dns/matrix/-/issues/4171)

Trainax commented 2 years ago

Usually I would say each of these is a new issue (my policy), and I for sure embrace these reports nonetheless.

I too would consider opening one issue for each domain; however, every domain except hellothere.shop, conv-alida-recapiro-com.preview-domain.com, disordsnltros.gifts and maybe jt2v.com is about a package being held or similar, so I thought about grouping them.

Do you think I should move those domains to a separate issue?

iam-py-test commented 2 years ago

The second one just returned a 404 for me, but is detected by 3 engines: https://www.virustotal.com/gui/url/b45f9e872da1341bf0675e1d3666177b101e591c5ed5b35845159a01d3e54f4e. Third is also a 404 and VT clean. Four has been taken down and is detected by MS. Five returns a 404 but is detected by 4 engines: https://www.virustotal.com/gui/url/e1742ef8efd269542f57adfc1f81231518c757ffdf94aa3397631ce67786f4f6. Six is online and phishing, though detected by MS and two engines (https://www.virustotal.com/gui/url/7b6b75d77e0734f35b6c5ec4a94b21bb178ed5e6804f895089da848bb07f0531?nocache=1). Other domains include italtrack.checkitemtt.top and choicemonitor.top.
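As an added example that is not part of this thread or of the blocklistproject repository: a small Python helper that takes indicators as they are quoted in this thread (both the defanged `hxxpx[:]//...` form from the redirect chain above and bare domains), recovers the hostname, de-duplicates, and emits hosts-format lines. The `0.0.0.0 domain` output style, the `example.test` placeholder and the sample indicator list are assumptions drawn from the thread.

```python
"""Normalise defanged/plain indicators from an abuse report into hosts-format entries.
Added example, not code from the blocklistproject repository; the `0.0.0.0 domain`
output style is an assumption about the list format."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample list, copied from the indicators quoted in this thread.
SAMPLE_INDICATORS = [
    "trackital.checkposttt.top",
    "hxxpx[:]//corriertt.parceldlvr[.]xyz/lmed/it/clstrack/?p=100&uclick=u3ftdu",
    "choicemonitor.top",
    "https://choicemonitor.top/register/8p/cc/index.php?affiliate_id=30__",
    "hellothere.shop/a/OUevEKzLtg2P7xAs",
    "italtrack.checkitemtt.top",
]

# A syntactically valid DNS hostname with at least two labels (lowercase only).
_HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp/hxxps/hxxpx schemes and the [.] [:] (.) \\. escapes."""
    s = indicator.strip()
    # "hxxp" alone becomes http; any trailing letter (hxxps, hxxpx) is treated as https.
    s = re.sub(r"^hxxp([sx])?(?=\[?:)", lambda m: "https" if m.group(1) else "http", s, flags=re.I)
    for defanged, plain in (("[:]", ":"), ("[.]", "."), ("(.)", "."), ("\\.", ".")):
        s = s.replace(defanged, plain)
    return s


def extract_host(indicator: str) -> Optional[str]:
    """Return the lowercase hostname of a URL or bare domain, or None if it is not a host."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s  # urlsplit only fills the netloc when a scheme is present
    try:
        host = urlsplit(s).hostname
    except ValueError:  # malformed netloc, e.g. stray brackets
        return None
    return host if host and _HOST_RE.fullmatch(host) else None


def to_hosts_entries(indicators: List[str], sink: str = "0.0.0.0") -> List[str]:
    """Emit one `sink host` line per unique host, preserving first-seen order."""
    seen: List[str] = []
    for ind in indicators:
        host = extract_host(ind)
        if host and host not in seen:
            seen.append(host)
    return [f"{sink} {host}" for host in seen]


if __name__ == "__main__":
    print("\n".join(to_hosts_entries(SAMPLE_INDICATORS)))
```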

spirillen commented 2 years ago

Do you think I should move those domains to a separate issue?

Next time :smile: Now it is done and, as far as I know, nobody died.

spirillen commented 2 years ago

@iam-py-test

First, second, third etc.: could you write the domain/URL instead? It becomes impossible to decode and follow your answer.

And what was the real answer to choicemonitor.top: is it an independent phishing domain that should be blacklisted as phishing, or is it an innocent real payment gateway abused by scammers?

iam-py-test commented 2 years ago

@iam-py-test

First, second, third etc.: could you write the domain/URL instead? It becomes impossible to decode and follow your answer.

I meant relating to the OP's comment https://github.com/blocklistproject/Lists/issues/600#issuecomment-1003527561

And what was the real answer to choicemonitor.top: is it an independent phishing domain that should be blacklisted as phishing, or is it an innocent real payment gateway abused by scammers?

No idea. I reached out to the owners but, due to New Year's, I have received no response.

spirillen commented 2 years ago

Super, putting it on hold until you ping back.

Trainax commented 2 years ago

Hello everyone. Two weeks have gone by. Are there any updates on this?

Can we close this issue with a PR?

iam-py-test commented 2 years ago

Hello everyone. Two weeks have gone by. Are there any updates on this?

Can we close this issue with a PR?

It doesn't matter if @cryptogap @blocklistproject doesn't check this repo @fishcharlie maybe you can handle it instead?

fishcharlie commented 2 years ago

I'll look at this later today.

iam-py-test commented 2 years ago

Thanks @fishcharlie