Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc

Scam Number: 865-346-8158

Scammer’s Website or Email: Various, see below
Additional information about this scam:

Searching sites.google.com for “login” and “account” yielded me this site:

https://sites.google.com/codeacti.com/capitalonelogin/home,

which links to https://capitttll.co/log/,

which leads to a phishing web chat at

https://capitttll.co/err/#max-widget

LOL the Russians are in my bank account!!!

Update: Steve called me back from the number above. He said that my Capital One account was “open in front of [him]” and “two ip address were in my account.” He wants to connect with the Security Server. His favorite color is green.

5 Likes

Wow, check out the other phishing websites on the same IP address:

(To restate the obvious: do not share any passwords or personal info with these websites!!!)

https://bitrelogi.ink/logi/
https://metmesk.ink/log/
https://coiasse.ink/log/
https://lobitr.ink/log/
https://paasvapps.ink/log/
https://bitrelog.online/log/
https://bitmassp.co/log/
https://cprosis.ink/log/
https://piopp.ink/ios/
https://walcant.ink/log/

https://saitsmask.ink/log/
https://kuccusn.ink/logs/
https://trazz.online/log/re/
https://uniwsw.ink/log/
https://lonoss.online/log/
https://bitgwals.online/log/
https://haxso.ink/
https://exdess.ink/log/
https://swislog.ink/log/
https://phanse.online/logg/

3 Likes

TextNow line

3 Likes

Right, it’s probably a throwaway. Someone would need to bait them more seriously than I did to get more & better numbers.

3 Likes

Text Now, blocked me.

2 Likes

web chat https://capitttll.co/err/ Josh
https : // capitttll . co/err/

2 Likes

All these phishing sites for this gang are built on Wordpress. So you can use the search function to basically get a list of all pages by searching for the letter “e” or something like that, e.g. https://piopp.ink/?s=e.

More advanced Wordpress hackers might be able to use other API features, or unpatched flaws…

3 Likes

New sites for what looks like the same gang:

https://sites.google.com/pypyi.com/paypallogin/home/

links to https://logr.paygetosys.xyz/logr/

fake error page with Tawk.to free web chat: https://logr.paygetosys.xyz/errors/.

3 Likes

Got a callback from 479-879-9948. Says he is working for PayPal security department in “Arkansas” (clearly pronouncing the terminal s). I doubt it.

4 Likes

New callback numbers for this gang, including a toll-free number!

651-661-7645
800-597-9025

Both answered by “Edward from PayPal.”

His favorite color is black.

2 Likes

Oh fun, here’s another active site:

https://sites.google.com/fixuscoins.com/metamaskhelp/blog/metamask-login-with-private-key

leads to

https://metamaskdwes.azurewebsites.net/

Where you can enter your secret recovery phrase in plain text, how convenient.

2 Likes

Another one!

https://sites.google.com/conbaseloin.com/coinbaselogin/home/

links to

https://coinbaseer.azurewebsites.net/

2 Likes

And another!

leads to error page with web chat

https://bitrelog.online/err/

2 Likes

My god these guys are prolific. Here’s another one.

Intelligent of them to focus on crypto, i.e. on people looking to get scammed.

https://sites.google.com/cryptofinances.us/slingshot-finance/home

links to

https://slingshotfinansd.azurewebsites.net/

hmm, this one is like a directory of their phishing sites. Click on “Connect Wallet” on the second (Azure-hosted) link and see for yourself.

2 Likes

Bandwidth.com line, calls answered by “Amp Manufacturing” but goes to the voicemail for “David Rack”

Bandwidth.com line, “Albert” picks up as PayPal.

RingCentral line, “Albert” picked up again.

1 Like

Here’s another one with a similar setup: crypto phishing, google sites redirecting to azure hosting with tawk.to chat…

https://sites.google.com/trzorlogn.com/trezorlogin/home

links to

https://trzirwalog.azurewebsites.net/

Edit: “error” page https://trzirwalog.azurewebsites.net/error.php

and the site also has forms to collect passphrases, phone numbers, etc.

1 Like

And another!

redirects to

https://coin98s.azurewebsites.net/

1 Like

It looks like someone has done an investigation/writeup of this group. It’s been going on for a long time, with apparently little reaction from Google Sites, tawk.to, or Microsoft Azure.

https://pixmsecurity.com/blog/phish/cybercrime-group-expands-cryptocurrency-phishing-operation/

2 Likes

Ok here’s another one.

I’m wondering if the Microsoft Azure hosted ones are owned by the same organization that does the independently hosted ones. Other than that implementation detail the methods seem identical.

So this one is kind of a phishing site directory:

https://walletconnectd.azurewebsites.net/

There’s always an intermediary redirect url, e.g.

https://flesterwisors.com/174611c7-acde-4fdf-93a1-07138f7e664a

or

https://posectsinsive.com/1ad7fe6d-3c92-447e-b357-d166943ad0ae

that sometimes redirects to the legitimate website, and other times redirects to a phishing website

then the final phishing site has a tawk.to widget where the scammers reel in the victim to a phone call, then remote desktop connection, login, and transfer of assets.

Edit: they all seem to have the same tawk.to account id, “659c3f7b8d261e1b5f50daed”

I’ve reported it to tawk.to multiple times but no action seems to have been taken.

2 Likes

LOL check out these Xitter bots
https://twitter.com/justdigitalhelp
https://twitter.com/JosiahKai12
https://twitter.com/Hungry947967367

1 Like