Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc

Scams
, , ,
1

Scam Number: 865-346-8158

Scammer’s Website or Email: Various, see below
Additional information about this scam:

Searching sites.google.com for “login” and “account” yielded me this site:

https://sites.google.com/codeacti.com/capitalonelogin/home,

which links to https://capitttll.co/log/,

which leads to a phishing web chat at

https://capitttll.co/err/#max-widget

Screenshot from 2024-01-15 15-22-09
Screenshot from 2024-01-15 15-22-091916×1005 76.9 KB

LOL the Russians are in my bank account!!!

Update: Steve called me back from the number above. He said that my Capital One account was “open in front of [him]” and “two ip address were in my account.” He wants to connect with the Security Server. His favorite color is green.

5 Likes
2

Wow, check out the other phishing websites on the same IP address:

(To restate the obvious: do not share any passwords or personal info with these websites!!!)

https://bitrelogi.ink/logi/
https://metmesk.ink/log/
https://coiasse.ink/log/
https://lobitr.ink/log/
https://paasvapps.ink/log/
https://bitrelog.online/log/
https://bitmassp.co/log/
https://cprosis.ink/log/
https://piopp.ink/ios/
https://walcant.ink/log/

https://saitsmask.ink/log/
https://kuccusn.ink/logs/
https://trazz.online/log/re/
https://uniwsw.ink/log/
https://lonoss.online/log/
https://bitgwals.online/log/
https://haxso.ink/
https://exdess.ink/log/
https://swislog.ink/log/
https://phanse.online/logg/

3 Likes
3

TextNow line

3 Likes
4

Right, it’s probably a throwaway. Someone would need to bait them more seriously than I did to get more & better numbers.

3 Likes
5

Text Now, blocked me.

2 Likes
6

web chat https://capitttll.co/err/ Josh
https : // capitttll . co/err/

2 Likes
7

All these phishing sites for this gang are built on Wordpress. So you can use the search function to basically get a list of all pages by searching for the letter “e” or something like that, e.g. https://piopp.ink/?s=e.

More advanced Wordpress hackers might be able to use other API features, or unpatched flaws…

3 Likes
8

New sites for what looks like the same gang:

https://sites.google.com/pypyi.com/paypallogin/home/

links to https://logr.paygetosys.xyz/logr/

fake error page with Tawk.to free web chat: https://logr.paygetosys.xyz/errors/.

3 Likes
9

Got a callback from 479-879-9948. Says he is working for PayPal security department in “Arkansas” (clearly pronouncing the terminal s). I doubt it.

4 Likes
10

New callback numbers for this gang, including a toll-free number!

651-661-7645
800-597-9025

Both answered by “Edward from PayPal.”

His favorite color is black.

2 Likes
11

Oh fun, here’s another active site:

https://sites.google.com/fixuscoins.com/metamaskhelp/blog/metamask-login-with-private-key

leads to

https://metamaskdwes.azurewebsites.net/

Where you can enter your secret recovery phrase in plain text, how convenient.

2 Likes
12

Another one!

https://sites.google.com/conbaseloin.com/coinbaselogin/home/

links to

https://coinbaseer.azurewebsites.net/

2 Likes
13

And another!

leads to error page with web chat

https://bitrelog.online/err/

2 Likes
14

My god these guys are prolific. Here’s another one.

Intelligent of them to focus on crypto, i.e. on people looking to get scammed.

https://sites.google.com/cryptofinances.us/slingshot-finance/home

links to

https://slingshotfinansd.azurewebsites.net/

hmm, this one is like a directory of their phishing sites. Click on “Connect Wallet” on the second (Azure-hosted) link and see for yourself.

2 Likes
15

Bandwidth.com line, calls answered by “Amp Manufacturing” but goes to the voicemail for “David Rack”

Bandwidth.com line, “Albert” picks up as PayPal.

RingCentral line, “Albert” picked up again.

1 Like
16

Here’s another one with a similar setup: crypto phishing, google sites redirecting to azure hosting with tawk.to chat…

https://sites.google.com/trzorlogn.com/trezorlogin/home

links to

https://trzirwalog.azurewebsites.net/

Edit: “error” page https://trzirwalog.azurewebsites.net/error.php

and the site also has forms to collect passphrases, phone numbers, etc.

Screenshot from 2024-01-16 13-45-07
Screenshot from 2024-01-16 13-45-07366×543 23.2 KB

1 Like
17

And another!

redirects to

https://coin98s.azurewebsites.net/

1 Like
18

It looks like someone has done an investigation/writeup of this group. It’s been going on for a long time, with apparently little reaction from Google Sites, tawk.to, or Microsoft Azure.

https://pixmsecurity.com/blog/phish/cybercrime-group-expands-cryptocurrency-phishing-operation/

2 Likes
19

Ok here’s another one.

I’m wondering if the Microsoft Azure hosted ones are owned by the same organization that does the independently hosted ones. Other than that implementation detail the methods seem identical.

So this one is kind of a phishing site directory:

https://walletconnectd.azurewebsites.net/

There’s always an intermediary redirect url, e.g.

https://flesterwisors.com/174611c7-acde-4fdf-93a1-07138f7e664a

or

https://posectsinsive.com/1ad7fe6d-3c92-447e-b357-d166943ad0ae

that sometimes redirects to the legitimate website, and other times redirects to a phishing website

then the final phishing site has a tawk.to widget where the scammers reel in the victim to a phone call, then remote desktop connection, login, and transfer of assets.

Edit: they all seem to have the same tawk.to account id, “659c3f7b8d261e1b5f50daed”

I’ve reported it to tawk.to multiple times but no action seems to have been taken.

2 Likes
20

LOL check out these Xitter bots
https://twitter.com/justdigitalhelp
https://twitter.com/JosiahKai12
https://twitter.com/Hungry947967367

1 Like