Facebook Scheme

https://v-strongfoundation.cf/srf

Post was in my Facebook group.

It's a link to a "video from fox news of a horrific roller coaster crash killing 20"

(stems from https://headlinenews072.wixsite.com/footage4/?v4)


Hosting provider: https://www.hostwinds.com/

Domain registrar: http://www.dot.cf/

Phisher is hosted on a VPS.
VPS IP: 142.11.214.188

http://142.11.214.188/ lists the other phishers being hosted on this server.

WHM services:
cPanel: https://v-strongfoundation.cf:2083/
Webmail: https://v-strongfoundation.cf:2096/

21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

My prediction is that the login information is being stored in a MySQL database. It's unusual the scammer didn't use Cloudflare to hide the server's identity... however, Hostwinds accepts Bitcoin payments, so I assume the scammer has paid for the VPS this way to avoid capture. The CF domain name is also a free domain, so no payment on that one.

Added to Avast Online Security (Deceptive site)