Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, WordPress, etc.

I found this unfortunate spam link dump, where there are many active and dormant feeder pages for the same scam.

e.g. https://subwalletxtension-hub.webflow.io/

linking to https://subwall.wallnew.xyz/welcome/

with the fake error page https://subwall.wallnew.xyz/error/

tawk.to widget https://tawk.to/chat/63fa3e854247f20fefe29f7f/1gq4o8fd4?pop=1

Another active one, this time targeting Amazon:

https://sites.google.com/view/amazon-com-code-u/ and
https://sites.google.com/codeacti.com/amazoncomcode/

links to https://gtly.to/6SXzyARk3

which redirects to https://ammser.xyz/log

error page https://ammser.xyz/ers

tawk.to chat widget https://tawk.to/chat/65a98d048d261e1b5f550a14/1hkf4tn5t – chat with Jack to restore your account.

Gary’s favorite color is blue: 315-754-4988.

Fake error page text: "Important Message !"

Due to unauthorised activity on your account, your account has been suspended. Please get in touch with the support team to secure your account.

Error: COBX1:JB987P

ASK EXPERT

James (TextNow) from Amazon’s favorite color is violet: 510-948-6867.

Paul from Crypto dot com TextNow: 225-438-4573. Won’t tell me his favorite color.

Another one of the gang’s tawk.to accounts: chat with “Paul” at https://tawk.to/chat/65da65888d261e1b5f65061b/1hnehp7or .

Another feeder site, this time in French: https://sites.google.com/cryptowalletc.com/trezor-bridge/home

Advertised by some famous fictional character loved by loser boomer guys: x.com.

New pages, same numbers.

Redirector/URL shortener: TinyURL (link title: "URL Shortener, Branded Short Links & Analytics | TinyURL")

redirects to https://kelle.solitareworld.com/

error page https://kelle.solitareworld.com/error.html

New tawk.to account for the same gang: https://tawk.to/chat/65da5e078d261e1b5f65032a/1hnefujn6

New websites:

https://sites.google.com/metamaklog.com/metamask-wallet/home links to

https://lablishwainly.com/a1d8d7d5-eb64-482d-bd8c-8c7569bd8e21 , which redirects to

https://metamfaskus.azurewebsites.net/ , with the error page

https://metamfaskus.azurewebsites.net/error.php

and the same tawk.to chat widget as this Coinbase phishing site

Another set of websites:

(Another good web search engine phrase for finding this trash: “Official Website”. Because when a web page screams at you that it is the “official website,” maybe it isn’t.)

https://sites.google.com/metamaklog.com/metamaskbrowser-extension/home links to

https://lablishwainly.com/a1d8d7d5-eb64-482d-bd8c-8c7569bd8e21 , which redirects to

https://metamaseakus.azurewebsites.net/ , with the error page

https://metamaseakus.azurewebsites.net/error.php , and the tawk.to web chat account

https://tawk.to/chat/65ce2bd39131ed19d96d22a9/1hmmlmcl5 , which has been used in other phishing sites reported here:


https://sites.google.com/metamasclog.com/metamask-extension/home links to

https://lablishwainly.com/a1d8d7d5-eb64-482d-bd8c-8c7569bd8e21 which redirects to

https://metamsadkus.azurewebsites.net/ , with the error page

https://metamsadkus.azurewebsites.net/error.php and the same tawk.to web chat as above.


https://sites.google.com/metalogmask.com/metamask-extensionn/ links to

https://mtamskwalogs.azurewebsites.net/ (unusually, this one does not use an intermediate redirector/obfuscator URL.)

error page https://mtamskwalogs.azurewebsites.net/error.php

tawk.to chat widget https://tawk.to/chat/65b890c10ff6374032c64ba4/1hlcfatu8 , same as reported here:


A feeder page titled "Ledger.com/start | Download Ledger Live And Start Now" links to

https://ledigrlivlogn.azurewebsites.net/

This one appears to just collect the private key phrase and phone number, then redirect to the legitimate website. No web chat widget or error page detected.

A new subdomain: https://metyazmasknig.azurewebsites.net/error.php

Tawk.to web chat widget https://tawk.to/chat/65ce2bd39131ed19d96d22a9/1hmmlmcl5 , same as reported a few days ago.
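The pivot used throughout this thread (the same tawk.to chat account turning up on metamaseakus, metamsadkus and metyazmasknig; a different one on mtamskwalogs) in code, added here as a worked example and not part of the original thread. It pulls tawk.to property/widget ids out of page HTML and groups hostnames by property id. The HTML snippets are constructed imitations of the tawk.to embed snippet carrying the ids reported above; the ledger page is included because the thread says it had no widget. The creation-date decoding assumes tawk.to property ids are MongoDB ObjectIds (24 hex chars, first 4 bytes a Unix timestamp); that is an inference from their shape, not something tawk.to documents.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Matches both forms seen in this thread: the embed script
# (https://embed.tawk.to/<property>/<widget>) and the direct chat link
# (https://tawk.to/chat/<property>/<widget>). Property ids are 24 hex chars.
TAWK_RE = re.compile(r"tawk\.to/(?:chat/)?([0-9a-f]{24})/([0-9a-z]+)", re.I)

# Constructed sample input: trimmed imitations of the tawk.to embed snippet as it
# would sit in the HTML of the error pages named in the thread. The ids are the
# ones reported above; the surrounding markup is made up for this example.
SAMPLE_PAGES = {
    "https://metamaseakus.azurewebsites.net/error.php":
        "<script>s1.src='https://embed.tawk.to/65ce2bd39131ed19d96d22a9/1hmmlmcl5';</script>",
    "https://metamsadkus.azurewebsites.net/error.php":
        "<script>s1.src='https://embed.tawk.to/65ce2bd39131ed19d96d22a9/1hmmlmcl5';</script>",
    "https://metyazmasknig.azurewebsites.net/error.php":
        "<script>s1.src='https://embed.tawk.to/65ce2bd39131ed19d96d22a9/1hmmlmcl5';</script>",
    "https://mtamskwalogs.azurewebsites.net/error.php":
        "<script>s1.src='https://embed.tawk.to/65b890c10ff6374032c64ba4/1hlcfatu8';</script>",
    "https://subwall.wallnew.xyz/error/":
        "<a href='https://tawk.to/chat/63fa3e854247f20fefe29f7f/1gq4o8fd4?pop=1'>ASK EXPERT</a>",
    # The Ledger page in the thread had no chat widget; it must not land in any cluster.
    "https://ledigrlivlogn.azurewebsites.net/":
        "<form><input name='phrase'><input name='phone'></form>",
}


def extract_tawk_ids(html):
    """Return the (property_id, widget_id) pairs found in a page, first-seen order, no dupes."""
    pairs = []
    for m in TAWK_RE.finditer(html):
        pair = (m.group(1).lower(), m.group(2).lower())
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def objectid_time(property_id):
    """Assumption: tawk.to property ids are MongoDB ObjectIds, whose first 4 bytes are a
    Unix timestamp, i.e. roughly when the chat account was created. Treat as a hint."""
    return datetime.fromtimestamp(int(property_id[:8], 16), tz=timezone.utc)


def cluster_by_property(pages):
    """Map each tawk.to property id to the set of hostnames whose pages embed it."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        host = urlparse(url).hostname
        for property_id, _widget_id in extract_tawk_ids(html):
            clusters[property_id].add(host)
    return dict(clusters)


def report(pages):
    """One line per shared chat account: id, approximate creation date, hosts using it."""
    lines = []
    for property_id, hosts in sorted(cluster_by_property(pages).items()):
        created = objectid_time(property_id).strftime("%Y-%m-%d")
        lines.append(f"{property_id} (account ~{created}): {', '.join(sorted(hosts))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PAGES)))
```

In the field, replace SAMPLE_PAGES with the fetched HTML of each landing and error page; the property id is the stable pivot, since the gang rotates domains and Azure subdomains far more often than chat accounts.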

Here’s a new one targeting a somewhat wider audience: PayPal.

Recently updated Google Sites feeder page: "PayPal Login : My PayPal Account Login | Official Website"

links to URL shortener/redirector https://shorturl.at/cgDH0

which redirects to https://www.peoypal.com/logr/

(this is a WordPress site; you can get a pretty complete list of pages by abusing the search feature: https://www.peoypal.com/?s=e )

Paypal error page: https://www.peoypal.com/error/

with the Tawk.to chat widget https://tawk.to/chat/65e32c448d261e1b5f679ab8/1hnvm9rio , I’m chatting with “Sam Smith” right now.

Notably, the site also hosts this Amazon TV Activation scam page: https://www.peoypal.com/mytv-enter-code-com/

The following additional domains resolve to the same IPv6 address:

After poking around this site, I got a call from “Marcus from Canon” at 617-545-0933, the same number that’s been used for the Cricut scam.

I thought these were related. Now I’m convinced.

Marcus says his favorite colors are “black, white and pink.”
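The WordPress search trick mentioned above for peoypal.com (?s=e) in code, added here as a worked example and not part of the original post. WordPress search matches the term as a substring of titles and content, so a single common letter returns nearly every published page, paginated through "next" links. The parser below pulls result links and the next-page link out of search-result HTML; the fetcher is injected so the sample runs offline against constructed pages (the HTML is made up in the shape a WordPress theme produces, using the paths reported above, and was not captured from the live site).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class WpSearchParser(HTMLParser):
    """Pull result links and the 'next' pagination link out of a WordPress search page.
    Themes wrap each hit's title in an element with class entry-title and mark the
    forward pagination link with class next."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.results = []
        self.next_page = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        if tag in ("h1", "h2", "h3") and "entry-title" in classes:
            self._in_title = True
        elif tag == "a" and a.get("href"):
            href = urljoin(self.base_url, a["href"])  # resolve relative links
            if self._in_title:
                self.results.append(href)
            elif "next" in classes:
                self.next_page = href

    def handle_endtag(self, tag):
        if tag in ("h1", "h2", "h3"):
            self._in_title = False


def enumerate_pages(search_url, fetch, max_result_pages=50):
    """Walk a WordPress search from search_url, following 'next' links, and return the
    de-duplicated list of page URLs it exposes. fetch(url) -> html is injected so this
    runs offline here and can be swapped for a real HTTP client in the field."""
    visited, found = set(), []
    url = search_url
    while url and url not in visited and len(visited) < max_result_pages:
        visited.add(url)  # guards against pagination loops
        parser = WpSearchParser(url)
        parser.feed(fetch(url))
        for link in parser.results:
            if link not in found:
                found.append(link)
        url = parser.next_page
    return found


# Constructed sample: two search-result pages in the shape a WordPress theme produces,
# using the peoypal.com paths reported in the thread. Not captured from the live site.
SAMPLE_RESPONSES = {
    "https://www.peoypal.com/?s=e": """
        <article><h2 class="entry-title"><a href="/logr/">Log in</a></h2></article>
        <article><h2 class="entry-title"><a href="https://www.peoypal.com/error/">Error</a></h2></article>
        <nav class="pagination"><a class="next page-numbers" href="/page/2/?s=e">Next</a></nav>""",
    "https://www.peoypal.com/page/2/?s=e": """
        <article><h2 class="entry-title"><a href="/mytv-enter-code-com/">Enter code</a></h2></article>
        <article><h2 class="entry-title"><a href="/logr/">Log in</a></h2></article>
        <nav class="pagination"><a class="prev page-numbers" href="/?s=e">Previous</a></nav>""",
}


def offline_fetch(url):
    """Stand-in for an HTTP client; serves the constructed pages above."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for page in enumerate_pages("https://www.peoypal.com/?s=e", offline_fetch):
        print(page)
```

Only published posts and pages come back this way; drafts and anything the theme does not render with entry-title need a different approach, and the max_result_pages cap keeps a runaway pagination from hammering the host.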

617-545-0933
Marcus answered. He told me that he was born and raised in Miami, Florida.
But he didn’t know what time it was in Florida, he didn’t know who the governor of Florida is, and when I asked him for the temperature, after a Google search he gave it to me in Celsius.
I’m beginning to think that he may be lying.

Hey, give him a break, that’s a Boston, MA phone number. The cold air must be freezing his Florida brain.

Marcus is so boring.

He’s not a game player. He didn’t like it when I asked about Florida, lol.

I think he was raised somewhere near the Taj madisney.

https://sites.google.com/view/cryptocom-loginissues/home links to

https://gtly.to/S86_r7wTJ , which redirects to

https://croypt.online/sel/ , with error page

https://croypt.online/err/ .

With a new Tawk.to chat account. Paul is here to steal all your bitcoins! https://tawk.to/chat/65da5c4b9131ed19d9714e1d/1hnefh2oj

https://antivirus.mcakey.com/error-installation/

Tawk.to web chat account: https://tawk.to/chat/6547e6bba84dd54dc488c60e/1hegdqjfq