Update: Steve called me back from the number above. He said that my Capital One account was “open in front of [him]” and “two IP addresses were in my account.” He wants to connect with the Security Server. His favorite color is green.
All these phishing sites for this gang are built on WordPress. So you can use the search function to basically get a list of all pages by searching for the letter “e” or something like that, e.g. https://piopp.ink/?s=e.
More advanced WordPress hackers might be able to use other API features, or unpatched flaws…
It looks like someone has done an investigation/writeup of this group. It’s been going on for a long time, with apparently little reaction from Google Sites, tawk.to, or Microsoft Azure.
I’m wondering if the Microsoft Azure hosted ones are owned by the same organization that does the independently hosted ones. Other than that implementation detail the methods seem identical.
that sometimes redirects to the legitimate website, and other times redirects to a phishing website
then the final phishing site has a tawk.to widget where the scammers reel in the victim to a phone call, then remote desktop connection, login, and transfer of assets.
Edit: they all seem to have the same tawk.to account id, “659c3f7b8d261e1b5f50daed”
I’ve reported it to tawk.to multiple times but no action seems to have been taken.
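The shared tawk.to account id is the pivot that ties these sites together. Here is an added example (not the commenter's code) that pulls tawk.to property ids out of fetched page HTML and clusters pages by them; it assumes the tawk.to embed script is loaded from `https://embed.tawk.to/<property id>/<widget id>`, and the sample HTML and hostnames are constructed placeholders.

```python
import re

# Assumption: tawk.to's embed snippet loads a script from
# https://embed.tawk.to/<property id>/<widget id>; the property id is a
# 24-character hex string, matching the id quoted in the thread above.
TAWK_EMBED_RE = re.compile(
    r"https?://embed\.tawk\.to/(?P<prop>[0-9a-f]{24})/(?P<widget>[0-9A-Za-z_-]+)",
    re.IGNORECASE,
)

# Property id the thread reports as shared across the phishing sites.
KNOWN_PHISH_PROPERTY = "659c3f7b8d261e1b5f50daed"


def extract_tawk_properties(html: str) -> set[str]:
    """Return every tawk.to property id referenced by a page's HTML (lowercased)."""
    return {m.group("prop").lower() for m in TAWK_EMBED_RE.finditer(html)}


def cluster_by_property(pages: dict[str, str]) -> dict[str, set[str]]:
    """Group page URLs by embedded tawk.to property id, so sites that share
    one chat account (the pivot used in the thread) land in the same bucket."""
    clusters: dict[str, set[str]] = {}
    for url, html in pages.items():
        for prop in extract_tawk_properties(html):
            clusters.setdefault(prop, set()).add(url)
    return clusters


def flag_known_phish(pages: dict[str, str], known: str = KNOWN_PHISH_PROPERTY) -> list[str]:
    """Sorted URLs whose HTML embeds the known phishing property id."""
    return sorted(cluster_by_property(pages).get(known.lower(), set()))


# Constructed sample pages (not real captures); hostnames are placeholders.
SAMPLE_PAGES = {
    "https://phish-a.example/login": (
        "<script>var s1=document.createElement('script');"
        "s1.src='https://embed.tawk.to/659c3f7b8d261e1b5f50daed/1abc2def3';</script>"
    ),
    "https://phish-b.example/secure": (
        "<script src=\"https://embed.tawk.to/659C3F7B8D261E1B5F50DAED/default\"></script>"
    ),
    "https://shop.example/": (
        "<script src='https://embed.tawk.to/0123456789abcdef01234567/default'></script>"
    ),
    "https://static.example/about": "<p>No chat widget here.</p>",
}

if __name__ == "__main__":
    for url in flag_known_phish(SAMPLE_PAGES):
        print("shares the phishing tawk.to property:", url)
```

Feeding it HTML saved from the Google Sites, Azure-hosted and independently hosted pages would show directly whether they all resolve to the same tawk.to account.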