Popup 1 - 无标题文档 (gcbups.com)
Registered in Kuala Lumpur, Malaysia via Alibaba Singapore on June 15, 2023 - Whois gcbups.com
Popup 2 - usps-verify.top
Registered in tsrhhrh, Åland Islands via Gname.com on June 14, 2023 - Whois usps-verify.top
Popup 3 - USPS.com® - USPS Tracking® Results (u-sps.me)
Registered via PorkBun on June 13, 2023 - Whois u-sps.me
Associated Phone Numbers:
(534) 423-4354
+91 455-234-35423
+81 534-634-54
+238.0903310119832
Associated Email Addresses:
[email protected]
[email protected]
[email protected]
[email protected]
Popups will claim the shipment of your package was “suspended due to invalid recipient address,” prompting you to “update your address” by providing your
- Email Address
- Home Address
- Phone Number
- Credit Card info
Associated IP Addresses:
23.247.42.28
OTHER DOMAINS HOSTED ON THE IP ADDRESS:
- oqsups.com
- ujqups.com
- tgbaos.cc (Registered in Kerala, India)
- tqbups.cc (Registered in Japan)
- jmgxps.cc (Registered via NameSilo)
- htrups.cc (Registered in Cape Verde)
- bebyps.cc (Registered by Takem Staro in Puerto Rico)
154.40.38.138
OTHER DOMAINS HOSTED ON THE IP ADDRESS:
- verify-correos.vip
- poste-kyc.vip
- verify-auspost.vip
- verify-poste.bond
107.150.5.99
So I just found this site after digging into this website for the past week.
They’ve switched over to IP:23.247.42.27 but are still using random chars + ups.com…
If you fake your browser’s user-agent as a mobile iOS device, you can dig a little deeper into the site. I recommend using something like Burp Suite to capture the inbound request and remove all of the sketchy JavaScript that’s on the site.
More info:
Apache Server
ThinkPHP v6.0.5
MySQL 5.7.39 (db server: 23.247.42.118)
db: xhadmin
tables:
POST /index/index/index
INSERT INTO cd_userinfo
    SET Email = '', Address = '', City = '', Province = 'TX - Texas',
        Postal_code = '', Phone_number = ''

POST /index/index/index2
UPDATE cd_userinfo
    SET Email = '邮箱:', Address = '街道:', City = '城市:', Province = '省份:',
        Postal_code = '邮编:', Phone_number = '电话:', Card_number = '卡号:',
        Expiry_date = '效期:', CVV_code = 'CVV:', Ip = ' IP:',
        Device = '设备:Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Snapchat/10.77.0.54 (like Safari/604.1)',
        Time = '时间:2023-08-16 03:12:31', Ua = 'tdkups.com'
    WHERE user_id = 11143
URLs:
/index.php
/index.php/index/Login/index.html
index123.php?t=fe9c3c4154b02468f6555bf9e8013068a2c33cf089f06f3270fca16aa0dbe809
/index/index/index
/index/index/index2
/index/card/down
/index/index/jilu
/index/index/jilu2
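A defender-side check that turns the indicators collected in this thread (the random-letters+ups domain shape, the verify-&lt;postal brand&gt; domains, the listed hosting IPs and the ThinkPHP routes) into a proxy-log scan. This is an added example, not code from either post; the log line format and the prefix lengths in the domain regexes are assumptions.

```python
"""Flag proxy-log requests that match the fake-UPS/USPS phishing kit described
in this thread.  Added example; the log format below is constructed."""
import re
from urllib.parse import urlparse

# Domain shapes seen in the thread: <letters>ups.com / <letters>ps.cc, u-sps.me,
# and "verify-<postal brand>" on cheap TLDs.  Prefix lengths are an assumption.
DOMAIN_PATTERNS = [
    re.compile(r"^[a-z]{4,6}ps\.(?:com|cc)$"),
    re.compile(r"^(?:verify-[a-z]+|[a-z]+-verify|poste-kyc)\.(?:vip|bond|top)$"),
    re.compile(r"^u-sps\.me$"),
]
# Hosting IPs listed in the thread (the kit moved from .28 to .27).
KIT_IPS = {"23.247.42.28", "23.247.42.27", "23.247.42.118",
           "154.40.38.138", "107.150.5.99"}
# ThinkPHP routes the reply lists for the form-submit and card-capture steps.
KIT_PATHS = {"/index/index/index", "/index/index/index2", "/index/card/down",
             "/index/index/jilu", "/index/index/jilu2"}
TOKEN_PATH = re.compile(r"^/index123\.php$")  # carries ?t=<64 hex chars>

def kit_indicators(url: str, dst_ip: str = "") -> list[str]:
    """Return the reasons a request looks like kit traffic (empty list = clean)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    hits = []
    if any(r.match(host) for r in DOMAIN_PATTERNS):
        hits.append(f"domain pattern: {host}")
    if dst_ip in KIT_IPS:
        hits.append(f"known kit IP: {dst_ip}")
    if p.path in KIT_PATHS:
        hits.append(f"kit route: {p.path}")
    if TOKEN_PATH.match(p.path) and re.fullmatch(r"t=[0-9a-f]{64}", p.query):
        hits.append("index123.php token URL")
    return hits

def scan_proxy_log(lines):
    """Lines are 'client dst_ip method url' (constructed format); yield (url, reasons)."""
    for line in lines:
        try:
            _client, dst_ip, _method, url = line.split()
        except ValueError:
            continue  # skip malformed lines rather than crash the scan
        hits = kit_indicators(url, dst_ip)
        if hits:
            yield url, hits

SAMPLE_LOG = [  # constructed sample, not real traffic
    "10.0.0.5 23.247.42.27 POST http://tdkups.com/index/index/index2",
    "10.0.0.5 93.184.216.34 GET https://www.ups.com/track",
    "10.0.0.7 154.40.38.138 GET http://verify-auspost.vip/index.php",
    "10.0.0.9 1.2.3.4 GET http://example.com/index123.php?t=" + "ab" * 32,
]
```

Running `scan_proxy_log(SAMPLE_LOG)` yields the three kit-like lines with their reasons and skips the legitimate ups.com request.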