Tracking bank/crypto phishing gang(s) using Google Sites, Tawk.to, MS Azure sites, WordPress, etc.

Another Metamask phishing site from this campaign:

https://betaomask.xyz/error/

https://paylogss.com/errs/
The number on the website goes to voicemail. But then I got a call back from Adam Parker of PayPal at 747-800-6962 who says his favorite color is “your mother’s vagina.”

Here’s another one:

RDAP info for the domain:

Jack Morris
New Jersey
08854
US

[email protected]

251-292-4943

Another PayPal registered to the “Jack Morris” of “New Jersey”:

Associated Tawk.to chat account:

https://tawk.to/chat/670803dbaf33b684b75058bc/1i9rku4mm – “Jack” is active and wants my Date of Birth for Verification.

Another couple:

and

Both domains are registered to a “Manoj Jangid” of “Rajsthan.”

Another one, this domain registered to a “Victor Martynow” of Mississippi:

Here’s an interesting website that links to and from a bunch of the fake Google Sites PayPal phishing pages:

Here’s a new PayPal phishing page:

PayPal Login : My PayPal Account Login | Official Website links to https://rebrand.ly/paypllog , which redirects to Log In , with the error page Error! .

This error page has a toll-free number, 844-533-4797. Google search seems to think that the number used to be advertised on some defunct streaming-tv-activation scam sites. When I call, I get a one-ring hangup.

Update: the error page has a tawk.to chat widget, https://tawk.to/chat/670803dbaf33b684b75058bc/1i9rku4mm . I got rebrand.ly to deactivate the URL shortener.

Update 2: New toll-free number on the error page, 844-365-0151. I am unable to reach anyone at the number.

Another one: Netcoins Login Error

tawk.to account: https://tawk.to/chat/63fa3e854247f20fefe29f7f/1gq4o8fd4 .

The same tawk.to account has been active since at least February:

The same Tawk.to chat account is now attached to a new phishing page Error! on the same old IP address 162.241.85.93.

Here’s another one: Ledger.com/start - Download Ledger Live | Official Site® links to https://leidgeierwalitese.azurewebsites.net/ , with phishing pages

https://leidgeierwalitese.azurewebsites.net/verify.php

and

https://leidgeierwalitese.azurewebsites.net/phoneVerify.php

and Tawk.to account https://tawk.to/chat/675489894304e3196aee6aea/1ieh3iha3

Update: new Tawk.to account

https://tawk.to/chat/668d871cc3fb85929e3d5828/1i2cdfi86

Here’s another one on the good ol’ 162.241.85.93

New Azure phishing site, same tawk.to chat account:

https://treazeoakeek-wallets.azurewebsites.net/

Here’s a new PayPal scam site on the MS Azure system:

PayPal Login : My PayPal Account Login | Official Website (Google Sites feeder page) links to

(archived at Error! )

Associated Tawk.to chat widget: https://tawk.to/chat/67603a0c49e2fd8dfef8e23f/1if7u5giu

And another fresh new fake PayPal today!

Google Sites feeder page PayPal Login : My PayPal Account Login Sign In links to

Logr – logr with error page

https://wvip.safesupervision.online/errors/

(archived at Errors – logr )

Associated tawk.to account https://tawk.to/chat/64d53366cc26a871b02e86ed/1h7gd1j2a

The parent domain https://safesupervision.online/ also seems to be a WordPress-based fake PayPal site, with active tawk.to account https://tawk.to/chat/6774d6c649e2fd8dfe0145c5/1igg6dumf .

Here’s another one

https://ledidgerwalitewse.azurewebsites.net/verify.php

archived copy: Ledger Live

New payload page:

https://ioz.papyi.com/error/

tawk.to account: https://tawk.to/chat/67767d5049e2fd8dfe01a1a1/1igjdj132

As of today, all the domains are defunct except for https://printersetupshop.com/ , which is your typical fake Canon printer driver scam website, and https://allsmartprinter.com , which currently redirects to the fake PayPal domain in the previous post:

A few new ones:

Error , no associated tawk.to account

Error! , associated tawk.to account https://tawk.to/chat/674ef0d52480f5b4f5a71741/1ie65ph7j , hosted on the good old 162.241.85.93 .

Phantom Wallet , no tawk.to, 162.241.85.93 again.

Error! , tawk.to account https://tawk.to/chat/66d2fda750c10f7a00a26f82/1i6k2tlls (active!) , 162.241.85.93 again.

Here’s a new one, hosted on Amazon AWS this time.

Trezor.io/start - The #1 Hardware Crypto Wallet (Official) links to

https://tzor26liv.s3.eu-north-1.amazonaws.com/index.html

Associated tawk.to account: https://tawk.to/chat/67ace00f825083258e143a8c/1ijtkmg4d

Update: a new Google Site Trezor Suite | Starting Up Your Device | Trezor®

links to a new AWS page Trézor Suite

with the same tawk.to account, still active (on a Sunday).
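
Added example, not part of the original posts: the thread repeatedly links new phishing pages to earlier ones through a reused tawk.to chat account, and this Python sketch automates that pivot by pulling the account (property) ID out of saved page bodies and grouping pages that share one. The page URLs and IDs in `SAMPLE_PAGES` are constructed, the function names are hypothetical, and matching the `embed.tawk.to` loader host with the same two-segment path is an assumption beyond the `tawk.to/chat/` links shown in the thread.

```python
import re
from collections import defaultdict

# Matches the chat link format quoted in this thread,
#   https://tawk.to/chat/<24-hex property id>/<widget id>
# and (assumption) the widget loader host embed.tawk.to with the same path layout.
TAWK_RE = re.compile(
    r"https?://(?:embed\.)?tawk\.to/(?:chat/)?([0-9a-f]{24})/([0-9a-z]+)",
    re.IGNORECASE,
)

def extract_tawk_ids(html):
    """Return the set of (property_id, widget_id) pairs referenced in a page body."""
    return {(m.group(1).lower(), m.group(2).lower()) for m in TAWK_RE.finditer(html)}

def cluster_by_property(pages):
    """Map each tawk.to property ID to the sorted list of page URLs that reference it."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        for prop, _widget in extract_tawk_ids(html):
            clusters[prop].add(url)
    return {prop: sorted(urls) for prop, urls in clusters.items()}

def shared_accounts(pages):
    """Keep only accounts seen on more than one page: these tie separate hosts together."""
    return {p: u for p, u in cluster_by_property(pages).items() if len(u) > 1}

# Constructed sample input: saved page bodies keyed by the URL they were fetched from.
SAMPLE_PAGES = {
    "https://wallet-a.example.test/error/":
        '<script>s1.src="https://embed.tawk.to/aaaaaaaaaaaaaaaaaaaaaaaa/1abc2def3";</script>',
    "https://pay-b.example.test/errs/":
        '<a href="https://tawk.to/chat/AAAAAAAAAAAAAAAAAAAAAAAA/1abc2def3">Chat</a>',
    "https://ledger-c.example.test/verify.php":
        '<a href="https://tawk.to/chat/bbbbbbbbbbbbbbbbbbbbbbbb/1zzz9yyy8">Help</a>',
    "https://plain-d.example.test/": "<p>no chat widget here</p>",
}

if __name__ == "__main__":
    for prop, urls in shared_accounts(SAMPLE_PAGES).items():
        print(prop, "->", ", ".join(urls))
```

Grouping on the property ID alone, rather than the full pair, keeps pages together when the same account is used with a different widget ID.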