Malicious Morocco Spambot on OVH Canada

[Fred Nurk]

Phishing e-mails - offering Cannabis Oil gummies or advice about heart attack symptoms. Sender domains include:

creeddeskenth.xyz
loyalpermissiondude.xyz
ordercotton.xyz

The link in all e-mails leads to a creeddeskenth.xyz page, which redirects to a site that triggers malware warnings.

All domains are registered via Name.com (who refuse to respond to reports). Registrant e-mail is tennouren@gmail.com. IP addresses are OVH Canada, who also won't acknowledge or respond to reports. IP addresses include:

54.39.41.139
54.39.32.227
54.39.34.233
54.39.41.138
54.39.41.132
54.39.34.246
54.39.34.236

[nova7]

ordercotton.xyz:
http://aceinsight.websense.com "Elevated exposure"

loyalpermissiondude.xyz:
http://aceinsight.websense.com "Elevated exposure"
https://hosts-file.net/?s=loyalpermissiondude.xyz

[Fred Nurk]

Another this morning - sent from savemalletpuerto.xyz, IP address 54.38.61.17

[NotBuyingIt]

All of the above-reported domains are currently using a virtually identical template for their websites, and the same webpages are also being served directly by the above-reported IP addresses. The same webpages are served directly from the IP addresses in the domains A records which currently include
-

• 54.39.41.128 (loyalpermissiondude.xyz)

• 142.44.213.87 (creeddeskenth.xyz)

• 144.217.79.135 (ordercotton.xyz)

See the screenshot at hxxp://urlquery.net/report/e05803cc-ffe1-486f-bd76-11f79bd4c2bf

[NotBuyingIt]

The "dummy" website template used by the above-reported domains is in wide-spread use. It isn't confined to OVH Canada. E.g., it is also used by the server for milancondera.xyz hosted at IP 80.211.129.229 on the Aruba S.p.A. network. Nor is the template confined to .XYZ top-level domains. E.g., it is also used by the server for chanelw.com hosted at IP 200.63.45.49 Panamaserver.com network.

A Google search using as a keyword the phrase "optimization of the campaign is key" will return scores of virtually identical websites. However, I have no information about any malicious aspects of such domains.

[Fred Nurk]

Happily, creeddeskenth.xyz is dead for the time being - Name.com have placed it on 'clienthold', and it now doesn't lead anywhere.

Meanwhile, the spammer is now sending directly via IP address 79.137.70.43. The phishing link leads to a waybitz.com page, which redirects to a ifehp.today page which triggers malware / fraudulent page warnings.

Registrant details for the latest batch are:

Registrant e-mail: ijmouan@gmail.com

Name: Omar IJMOUAN

Phone number: (261) 071-1178

Address:
ARD DAOULA N26 Rue 38 , 26
Tangier, Tangier 90000
Morocco

[nova7]

ifehp.today is offline presently, still registered. @Fred Nurk the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.

[Fred Nurk]

the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.

I've been reporting them via SpamCop, clearly to no effect - any suggestions on which blocklists I should direct them to would be greatly appreciated...

After a break of a few days, another one this morning, again sent from bogayou.com, still redirecting via waybitz.com, with the sender IP address showing that creeddeskenth.xyz is again active.

[nova7]

@ Fred Nurk, I posted this for your use today.
https://forum.mywot.com /viewtopic.php?f=3&t=3136&p=263687#p263687 (there's an intentional break-space in the link due to an error in the forum formatting)

There are also malware URL, etc reporting sites and addresses to antivirus venders, that I have in my offline notes, that I haven't used much.

[Fred Nurk]

Appears to have started up again - several e-mails in the last few hours, all headed "Home Warranty". All contain a redirection link which leads to
http://zffzz.yzscwdbdxe.oyfhf.site/?sov ... c26be3c49e

Which redirects to an online gaming site - https://www.freelotto.com/register.asp? ... yoneWinsTV

Most recent spamming domain is waaowdeals.com which is registered via Name.com to

IJMOUAN OMAR
Street:63 RUE EL WAHDA , ETAGE 1, APP 9
City:CASABLANCA
State:MAROC / GRANDE CASABLANCA
Postal Code:20130
Country:MA
Phone:+212.648941431

Registrant e-mail is now o.ijmouan@gmail.com