New/updated phishing sites:
https://sites.google.com/conbaseloin.com/coinbaselogin/home/
links to
https://grawableaugespare.com/ebd7155d-c104-4fbd-972e-83aeafabb665 ,
which redirects to
https://coiunbasetlog.azurewebsites.net/
fake error page:
https://coiunbasetlog.azurewebsites.net/error.html
Tawk.to web chat widget:
Called but from a spoofed number… I asked if I could call him right back but he got suspicious and said “I know who you are, I saw you on YouTube.”
(I am not on YouTube!)
Oh well, hopefully others will have better luck.
Another updated phishing site:
links to
which redirects to
error page
Tawk.to chat link:
Another Tawk.to ID:
https://tawk.to/chat/65c3f72f8d261e1b5f5d7ca4/1hm2nr50u
found at https://swislog.ink/err/ .
Another set of phishing sites:
https://sites.google.com/coiinnb.com/coinbase-commerce/home/ and
both link to the URL shortener
which redirects to
error page
Hosted at the gang’s IPv4 address 162.240.240.79 – check out the reverse DNS on this address!
Tawk.to chat widget:
And more, this time using the Azure subdomains.
https://sites.google.com/trzorlogn.com/trezorsignin/home
links to
https://trzeriostrt.azurewebsites.net/
Fake error page
https://trzeriostrt.azurewebsites.net/error.php
https://sites.google.com/walletslogs.com/coinbasewaletextension/
links to
https://cinbselogwalet.azurewebsites.net/
with the fake error page
https://cinbselogwalet.azurewebsites.net/error.php
Tawk.to chat widget:
Another one with some different features.
links to
https://tromwall.equitytrust-logi.com/onboarding/
equitytrust-logi.com is also a phishing site, but seems to be inactive at the moment.
Fake error page:
https://tromwall.equitytrust-logi.com/error/
Tawk.to chat widget:
Another one!
https://sites.google.com/metamaslogi.com/metamaskextension/home
links to
which redirects to
with the fake error page
Tawk.to chat widget:
Another new one – this one seems to be lacking the Tawk.to widget.
https://sites.google.com/phantwallet.com/phantomwalletextensionus/home
links to
with the fake error page
NOTE: phantwa.xyz is allegedly registered to a “Victor Martynow” of Mississippi.
Another one: https://sites.google.com/magic-eden-wallet.com/magicedenwallet/home
links to https://magioedem.xyz/onboarding/
with error page https://magioedem.xyz/error/ .
No tawk.to chat integration detected.
Domain once again registered to a “Victor Martinow” of Mississippi.
And another one on the Azure sites side:
https://sites.google.com/coinlogs.us/kucoin-login/home links to
https://grawableaugespare.com/1c397c25-5445-4907-9865-7511b10ba114 , which redirects to
https://kucoimnes.azurewebsites.net/ , with the error page
https://kucoimnes.azurewebsites.net/error.html .
Includes a tawk.to chat widget, but it’s not live at the moment.
And another one, with a German feeder page here:
Coinbase Download – Ihr Schlüssel zur Welt der Krypto , that links to the intermediate redirect page here
https://grawableaugespare.com/4bdc0bb5-ff23-435a-85ed-4d0699467891 , which redirects to
https://cosinsbewalle.azurewebsites.net/ , with the error page
https://cosinsbewalle.azurewebsites.net/error.html .
Tawk.to chat enabled but not active.
linking to a new domain now, https://metaska.online/log/
registered to a “ram gupta” in Uttar Pradesh.
error page https://metaska.online/err/
and associated chat link https://tawk.to/chat/65c0bf840ff6374032c975b7/1hlseo8dn
But this one: https://magedenwl.online/err/
does have a tawk.to chat: https://tawk.to/chat/65d26bba9131ed19d96e61b2/1hmuv9ko5
A new one. This feeder page has been dormant for months but just got updated to point to an active phishing site. This time for Zelle.
Url-shortener/redirector: URL Shortener, Branded Short Links & Analytics | TinyURL
Phishing site: https://meele.solitareworld.com/
Error page: https://meele.solitareworld.com/error.html
716-393-8020 answers “Thank you for calling Zelle, this is Steve, how may I help you?” Steve won’t tell me his favorite color.
712-335-7107: no answer/invalid number.
Imagine these creeps getting into your medical records. They have a phishing site for that also, currently dormant: https://sites.google.com/tsplogi.com/kaiserpermanentelogin/home
Another one: “Ledger Wallet” (in German) Ledger Wallet – Hardware Wallet und Cold Wallet
links to the redirection site https://bildherrywation.com/66d4a7b4-b1ea-43e1-af28-132e7c47652d
which redirects to the Azure page https://legdrwalle.azurewebsites.net/
collecting the private key phrase here https://legdrwalle.azurewebsites.net/process/1.html
and the error page here https://legdrwalle.azurewebsites.net/process/error.html
and the tawk.to chat link here: https://tawk.to/chat/65ce25868d261e1b5f60dca0/1hmmk55ev
A new one, Google Sites says it was updated today:
Google sites feeder page: https://sites.google.com/view/coinbasedesk/blog/coinbase-not-working
Redirecting intermediate site: https://grawableaugespare.com/b5262782-6f2d-4b8d-be9b-62a16c70f015
Azure sites phishing site: https://coiasbwalog.azurewebsites.net/
Fake error page: https://coiasbwalog.azurewebsites.net/error.html
Tawk.to chat widget: https://tawk.to/chat/65ce2bd39131ed19d96d22a9/1hmmlmcl5
(The same Tawk.to account as was used on a previous Azure sites fake Coinbase, reported here: Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc - #42 by ElmerFudde2020 )
Another new one today:
Download Phantom Wallet Extension | Official Website links to
https://gtly.to/rC9CVhwki which redirects to
https://phasnr.online/logg/ with the private key phishing page
Domain registered to a “ram gupta” of Uttar Pradesh.
Update: has a tawk.to chat associated, https://tawk.to/chat/65c0bebf0ff6374032c97558/1hlsei7jn
Google site SaitaPro - Ethereum | Polygon | Solana - Official Website links to
https://gtly.to/EznniXE_9 which redirects to
https://ssaitmsk.online/log/ with fake error page
https://ssaitmsk.online/err/ , with tawk.to chat widget
https://tawk.to/chat/65c0bdc80ff6374032c9751b/1hlseam9r .
Paul is waiting to chat with you. This domain is also registered to “ram gupta”
Here’s a blog post from a year and a half ago analyzing the same phishing campaign. It’s still going strong.
LOL these creeps are just like every other con artist in tech – they are into “AI” now. bing-chat-openai (Bing AI | Bing AI chatbot | Bing openai chatbot) · GitHub
Found another one:
links to https://gtly.to/45j9zKBEM
which redirects to https://netcoinis.xyz/log/
with the fake error page https://netcoinis.xyz/err/
with the chat widget at https://tawk.to/chat/65da63fc8d261e1b5f650575/1hnehd52i
“Paul” is live and ready to help with your bitcoins.
Ledger Live login | Download Ledger.com live and start now and
Ledger.com/start | Download Ledger live and start now
link to https://bildherrywation.com/66d4a7b4-b1ea-43e1-af28-132e7c47652d
which is now redirecting to a new subdomain on Azure Sites: https://lledgerwallet.azurewebsites.net/
Same tawk.to account as reported earlier.
links to https://grawableaugespare.com/b5262782-6f2d-4b8d-be9b-62a16c70f015
which redirects to a new Azure page https://couinbaselogin.azurewebsites.net/
with the same tawk.to account as before.
https://sites.google.com/kulogcoin.com/kucoinsignin/home
links to https://kukinxlgin.azurewebsites.net/
with error page https://kukinxlgin.azurewebsites.net/error.php
and the same tawk.to chat widget noted earlier.