Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc

New/updated phishing sites:

https://sites.google.com/conbaseloin.com/coinbaselogin/home/

links to

https://grawableaugespare.com/ebd7155d-c104-4fbd-972e-83aeafabb665 ,

which redirects to

https://coiunbasetlog.azurewebsites.net/

fake error page:

https://coiunbasetlog.azurewebsites.net/error.html

Tawk.to web chat widget:

https://tawk.to/chat/65ce2bd39131ed19d96d22a9/1hmmlmcl5

Called but from a spoofed number… I asked if I could call him right back but he got suspicious and said “I know who you are, I saw you on Youtube.”

(I am not on Youtube!)

Oh well, hopefully others will have better luck.

2 Likes

Another updated phishing site:

links to

https://gtly.to/PoHi9gmS5

which redirects to

https://bitmassp.shop/logg/

error page

https://bitmassp.shop/errs/

Tawk.to chat link:

https://tawk.to/chat/65c0c3d58d261e1b5f5c7af0/1hlsfpurd

Another Tawk.to ID:

https://tawk.to/chat/65c3f72f8d261e1b5f5d7ca4/1hm2nr50u

found at https://swislog.ink/err/ .

1 Like

Another set of phishing sites:

https://sites.google.com/coiinnb.com/coinbase-commerce/home/ and

both link to the URL shortener

https://gtly.to/ebUWemew5

which redirects to

https://coisso.xyz/wal/

error page

https://coisso.xyz/er/

Hosted at the gang’s IPv4 address 162.240.240.79 – check out the reverse DNS on this address!

Tawk.to chat widget:

https://tawk.to/chat/65c0c0978d261e1b5f5c7a0c/1hlsf0kvp

1 Like

And more, this time using the Azure subdomains.

https://sites.google.com/trzorlogn.com/trezorsignin/home

links to

https://trzeriostrt.azurewebsites.net/

Fake error page

https://trzeriostrt.azurewebsites.net/error.php


https://sites.google.com/walletslogs.com/coinbasewaletextension/

links to

https://cinbselogwalet.azurewebsites.net/

with the fake error page

https://cinbselogwalet.azurewebsites.net/error.php

Tawk.to chat widget:

https://tawk.to/chat/65b890c10ff6374032c64ba4/1hlcfatu8

Another one with some different features.

links to

https://tromwall.equitytrust-logi.com/onboarding/

equitytrust-logi.com is also a phishing site, but seems to be inactive at the moment.

Fake error page:

https://tromwall.equitytrust-logi.com/error/

Tawk.to chat widget:

https://tawk.to/chat/63fa3e854247f20fefe29f7f/1gq4o8fd4

1 Like

Another one!

links to

https://gtly.to/WoMVyXBOI

which redirects to

https://mmetam.ink/log

with the fake error page

https://mmetam.ink/err

Tawk.to chat widget:

https://tawk.to/chat/65c0bf840ff6374032c975b7/1hlseo8dn

Another new one – this one seems to be lacking the Tawk.to widget.

https://sites.google.com/phantwallet.com/phantomwalletextensionus/home

links to

https://phantwa.xyz/logi/

with the fake error page

https://phantwa.xyz/error/

NOTE: phantwa.xyz is allegedly registered to a “Victor Martynow” of Mississippi.

Another one: https://sites.google.com/magic-eden-wallet.com/magicedenwallet/home

links to https://magioedem.xyz/onboarding/

with error page https://magioedem.xyz/error/ .

No tawk.to chat integration detected.

Domain once again registered to a “Victor Martinow” of Mississippi.


And another one on the Azure sites side:

https://sites.google.com/coinlogs.us/kucoin-login/home links to

https://grawableaugespare.com/1c397c25-5445-4907-9865-7511b10ba114 , which redirects to

https://kucoimnes.azurewebsites.net/ , with the error page

https://kucoimnes.azurewebsites.net/error.html .

Includes a tawk.to chat widget, but it’s not live at the moment.


And another one, with a German feeder page here:

Coinbase Download – Ihr Schlüssel zur Welt der Krypto , that links to the intermediate redirect page here

https://grawableaugespare.com/4bdc0bb5-ff23-435a-85ed-4d0699467891 , which redirects to

https://cosinsbewalle.azurewebsites.net/ , with the error page

https://cosinsbewalle.azurewebsites.net/error.html .

Tawk.to chat enabled but not active.

linking to a new domain now, https://metaska.online/log/

registered to a “ram gupta” in Uttar Pradesh.

error page https://metaska.online/err/

and associated chat link https://tawk.to/chat/65c0bf840ff6374032c975b7/1hlseo8dn

But this one: https://magedenwl.online/err/

does have a tawk.to chat: https://tawk.to/chat/65d26bba9131ed19d96e61b2/1hmuv9ko5

A new one. This feeder page has been dormant for months but just got updated to point to an active phishing site. This time for Zelle.

Url-shortener/redirector: URL Shortener, Branded Short Links & Analytics | TinyURL

Phishing site: https://meele.solitareworld.com/

Error page: https://meele.solitareworld.com/error.html

716-393-8020 answers “Thank you for calling Zelle, this is Steve, how may I help you?” Steve won’t tell me his favorite color.

712-335-7107: no answer/invalid number.

1 Like

Imagine these creeps getting into your medical records. They have a phishing sites for that also, currently dormant: https://sites.google.com/tsplogi.com/kaiserpermanentelogin/home

1 Like

Another one: “Ledger Wallet” (in German) Ledger Wallet – Hardware Wallet und Cold Wallet

links to the redirection site https://bildherrywation.com/66d4a7b4-b1ea-43e1-af28-132e7c47652d

which redirects to the Azure page https://legdrwalle.azurewebsites.net/

collecting the private key phrase here https://legdrwalle.azurewebsites.net/process/1.html

and the error page here https://legdrwalle.azurewebsites.net/process/error.html

and the tawk.to chat link here: https://tawk.to/chat/65ce25868d261e1b5f60dca0/1hmmk55ev

1 Like

A new one, Google Sites says it was updated today:

Google sites feeder page: https://sites.google.com/view/coinbasedesk/blog/coinbase-not-working

Redirecting intermediate site: https://grawableaugespare.com/b5262782-6f2d-4b8d-be9b-62a16c70f015

Azure sites phishing site: https://coiasbwalog.azurewebsites.net/

Fake error page: https://coiasbwalog.azurewebsites.net/error.html

Tawk.to chat widget: https://tawk.to/chat/65ce2bd39131ed19d96d22a9/1hmmlmcl5

(The same Tawk.to account as was used on a previous Azure sites fake Coinbase, reported here: Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, Wordpress, etc - #42 by ElmerFudde2020 )


Another new one today:

Download Phantom Wallet Extension | Official Website links to

https://gtly.to/rC9CVhwki which redirects to

https://phasnr.online/logg/ with the private key phishing page

https://phasnr.online/enter/

Domain registered to a “ram gupta” of Uttar Pradesh.

Update: has a tawk.to chat associated, https://tawk.to/chat/65c0bebf0ff6374032c97558/1hlsei7jn


Google site SaitaPro - Ethereum | Polygon | Solana - Official Website links to

https://gtly.to/EznniXE_9 which redirects to

https://ssaitmsk.online/log/ with fake error page

Error! , with tawk.to chat widget

https://tawk.to/chat/65c0bdc80ff6374032c9751b/1hlseam9r .

Paul is waiting to chat with you. This domain is also registered to “ram gupta”

1 Like

Here’s a blog post from a year and a half ago analyzing the same phishing campaign. It’s still going strong.

1 Like

LOL these creeps are just like every other con artist in tech – they are into “AI” now. bing-chat-openai (Bing AI | Bing AI chatbot | Bing openai chatbot) · GitHub

Found another one:

links to https://gtly.to/45j9zKBEM

which redirects to https://netcoinis.xyz/log/

with the fake error page https://netcoinis.xyz/err/

with the chat widget at https://tawk.to/chat/65da63fc8d261e1b5f650575/1hnehd52i

“Paul” is live and ready to help with your bitcoins.


Ledger Live login | Download Ledger.com live and start now and
Ledger.com/start | Download Ledger live and start now

link to https://bildherrywation.com/66d4a7b4-b1ea-43e1-af28-132e7c47652d

which is now redirecting to a new subdomain on Azure Sites: https://lledgerwallet.azurewebsites.net/

Same tawk.to account as reported earlier.


links to https://grawableaugespare.com/b5262782-6f2d-4b8d-be9b-62a16c70f015

which redirects to a new Azure page https://couinbaselogin.azurewebsites.net/

with the same tawk.to account as before.


https://sites.google.com/kulogcoin.com/kucoinsignin/home

links to https://kukinxlgin.azurewebsites.net/

with error page https://kukinxlgin.azurewebsites.net/error.php

and the same tawk.to chat widget noted earlier.

1 Like