"Free VBucks" Scam

Popup - http://vbucks-fortnite.icu/#Htfdhvd

Associated TikTok account - https://vm.tiktok.com/ZMexxDbLw/

Account will follow random accounts to promote a fake VBucks generator. Human verification is required in the form of surveys.

Found another popup from https://vm.tiktok.com/ZMexxGjNu/

Popup - http://vbucks-fortnite.casa/#gyf6fdh

> @OfclyGoodenough#189241 http://vbucks-fortnite.icu/#Htfdhvd

redirects to https://vbucks.red/pages/b88c9fd#Htfdhvd

> @OfclyGoodenough#189242 http://vbucks-fortnite.casa/#gyf6fdh

redirects to https://vbucks.red/pages/b88c9fd#gyf6fdh

@OfclyGoodenough#189241 Reported TikTok account and URLs. Thanks for the report.

found their other tiktok: @mews_vbucks2

URL: http://vbucks.gq

@mews__vbucks


URL: http://v-bucks.space

Have fun!!

Reported to Google Safe Browsing, Namecheap (the domain registrar), and CloudFront (which was used for loading some resources).

Interestingly, some of the loaded JavaScript contained the line

```javascript
// this.domain = 'cldoffers.net';
```

It appears that `cldoffers.net` is another phishing page, with the same survey rewards pop-up. I've reported it to Google Safe Browsing and Amazon Route53 (their domain registrar). They both used the same resource loads from AWS CloudFront, but the vbucks one was registered with namecheap and `cldoffers.net` was registered with Route53.

Should I open a separate post for `cldoffers.net`?

@rinxlen#189253 thanks for the new URLs, I did some digging (get it?) and here’s what I found:

`vbucks.gq` (freenom) -> `dwnlds.co` (ccireg)

`v-bucks.space` (hostinger, cloudflare) -> `cpbldi.com` (AWS/Route53)

They use the same CloudFront resource loads, which will hopefully be taken down by AWS soon. I've reported this to all of the registrars involved (freenom, ccireg, hostinger, and AWS) as well as Cloudflare.

I’ll try to get these idiots


Server IP: 192.64.118.16

Domain reg: NameCheap

State: Capital Region

Country: IS

Domain: server284-2.web-hosting.com
ISP: NAMECHEAP-NET
ASN: 22612

WhoIS: https://www.whois.com/whois/vbucks.red
DNS Info: https://viewdns.info/reverseip/?host=vbucks.red&t=1
More Info: https://www.infobyip.com/ip-192.64.118.16.html
WhoIS2: https://www.infobyip.com/ipwhois-192.64.118.16.html
dns: https://www.infobyip.com/dnslookup-192.64.118.16.html

There are 124 domains hosted on this server.

@HereIronman7746#189273 I’ve reported `cldoffers.net`, `vbucks.red`, `v-bucks.space`, `vbucks.gq`, `dwnlds.co`, `cpbldi.net`, `vbucks-fortnite.casa`, and `vbucks-fortinite.icu` to their domain registrars and Google Safe Browsing, as well as `v-bucks.space` to Cloudflare.

`cldoffers.net` was a completely different site (download code.txt???) with the same survey rewards pop-up, that they mentioned in a comment in some of the JavaScript.

All of their sites (including `cldoffers.net`) relied on resources hosted on AWS CloudFront, so I've reported those too and hopefully that will take all of their endeavors using this survey popup down.

Update: Cloudflare and AWS CloudFront found “no evidence of phishing”, although the fake rewards surveys require you to give away a bunch of personal information (phone #, where you live, etc.). Then they make you select one of their “deals” and either download a particular browser extension or sign up for some streaming service.

The dictionary says phishing is "a scam by which an Internet user is duped (as by a deceptive email message) into revealing personal or confidential information", so I think this counts. It looks just like a fake hax website so they probably didn't see the whole rewards survey shenanigans. I'm responding now, and they usually take very rapid action, so `v-bucks.space` will hopefully go down soon.

I've also gotten a response from AWS Route53, who have "identified the customer" and are working on it.

`vbucks-fortnite.casa` and `vbucks.gq` are now down, but `vbucks-fortnite.icu`, `v-bucks.space`, and the seemingly unrelated `cldoffers.net` that uses the same reward survey pop-up are still up.

Update: `vbucks-fortnite.casa` is back up, but `v-bucks.space` is now down. I’ve finally got in touch with AWS and hopefully the CloudFront resources (which all of their domains depend on) will be taken offline soon.

Summary of the conversation so far:
Me: This is part of a scam
Amazon: We have identified the AWS customer who is responsible for this content.
Amazon: It's just a JS file.
Me: Yes, it is a JS file being used for scamming.
Amazon: We need evidence
Me: Truckload of evidence that this was created specifically for these scams.
[Amazon has yet to respond]

New domain (Credit to @Notnoobjustdude): https://cpbild.co/4d48476

This isn't the same as the `cpbldi.com` one, this is `cpbild.co`

Update:

vbucks-fortnite.casa is down

@HereIronman7746#189693 Great to hear! I am working on their TikTok accounts.

@__fn_reality#189691 here’s what I got on them: https://domainbigdata.com/cpbild.co

https://sitereport.netcraft.com/?url=https%3A%2F%2Fcpbild.co%2F4d48476

@rinxlen#189712 hope they will ban their accounts

@rinxlen#189713 I’ve reported `cpbild.co` to AWS Route53, thanks for that!

@__fn_reality#189734 Got one site taken down by Netcraft. Report Phishing, Malware and Suspicious URLs