Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc

Scam Number: 865-346-8158

Scammer’s Website or Email: Various, see below
Additional information about this scam:

Searching sites.google.com for “login” and “account” yielded me this site:

https://sites.google.com/codeacti.com/capitalonelogin/home,

which links to https://capitttll.co/log/,

which leads to a phishing web chat at

https://capitttll.co/err/#max-widget

Screenshot from 2024-01-15 15-22-091916×1005 76.9 KB

LOL the Russians are in my bank account!!!

Update: Steve called me back from the number above. He said that my Capital One account was “open in front of [him]” and “two ip address were in my account.” He wants to connect with the Security Server. His favorite color is green.

Wow, check out the other phishing websites on the same IP address:

(To restate the obvious: do not share any passwords or personal info with these websites!!!)

https://haxso.ink/

TextNow line

Right, it’s probably a throwaway. Someone would need to bait them more seriously than I did to get more & better numbers.

Text Now, blocked me.

web chat Error! Josh
https : // capitttll . co/err/

All these phishing sites for this gang are built on Wordpress. So you can use the search function to basically get a list of all pages by searching for the letter “e” or something like that, e.g. https://piopp.ink/?s=e.

More advanced Wordpress hackers might be able to use other API features, or unpatched flaws…

New sites for what looks like the same gang:

https://sites.google.com/pypyi.com/paypallogin/home/

links to https://logr.paygetosys.xyz/logr/

fake error page with Tawk.to free web chat: https://logr.paygetosys.xyz/errors/.

Got a callback from 479-879-9948. Says he is working for PayPal security department in “Arkansas” (clearly pronouncing the terminal s). I doubt it.

New callback numbers for this gang, including a toll-free number!

651-661-7645
800-597-9025

Both answered by “Edward from PayPal.”

His favorite color is black.

Oh fun, here’s another active site:

https://sites.google.com/fixuscoins.com/metamaskhelp/blog/metamask-login-with-private-key

leads to

https://metamaskdwes.azurewebsites.net/

Where you can enter your secret recovery phrase in plain text, how convenient.

Another one!

links to

https://coinbaseer.azurewebsites.net/

And another!

leads to error page with web chat

My god these guys are prolific. Here’s another one.

Intelligent of them to focus on crypto, i.e. on people looking to get scammed.

links to

https://slingshotfinansd.azurewebsites.net/

hmm, this one is like a directory of their phishing sites. Click on “Connect Wallet” on the second (Azure-hosted) link and see for yourself.

Bandwidth.com line, calls answered by “Amp Manufacturing” but goes to the voicemail for “David Rack”

Bandwidth.com line, “Albert” picks up as PayPal.

RingCentral line, “Albert” picked up again.

Here’s another one with a similar setup: crypto phishing, google sites redirecting to azure hosting with tawk.to chat…

links to

https://trzirwalog.azurewebsites.net/

Edit: “error” page Trezor Suite | error

and the site also has forms to collect passphrases, phone numbers, etc.

And another!

redirects to

https://coin98s.azurewebsites.net/

It looks like someone has done an investigation/writeup of this group. It’s been going on for a long time, with apparently little reaction from Google Sites, tawk.to, or Microsoft Azure.

Ok here’s another one.

I’m wondering if the Microsoft Azure hosted ones are owned by the same organization that does the independently hosted ones. Other than that implementation detail the methods seem identical.

So this one is kind of a phishing site directory:

https://walletconnectd.azurewebsites.net/

There’s always an intermediary redirect url, e.g.

https://flesterwisors.com/174611c7-acde-4fdf-93a1-07138f7e664a

or

https://posectsinsive.com/1ad7fe6d-3c92-447e-b357-d166943ad0ae

that sometimes redirects to the legitimate website, and other times redirects to a phishing website

then the final phishing site has a tawk.to widget where the scammers reel in the victim to a phone call, then remote desktop connection, login, and transfer of assets.

Edit: they all seem to have the same tawk.to account id, “659c3f7b8d261e1b5f50daed”

I’ve reported it to tawk.to multiple times but no action seems to have been taken.

LOL check out these Xitter bots
https://twitter.com/justdigitalhelp
https://twitter.com/JosiahKai12
https://twitter.com/Hungry947967367