Re: counterfeit

Posted: Fri May 04, 2018 12:04 am
by Fred Nurk
Phishing e-mails - offering Cannabis Oil gummies or advice about heart attack symptoms. Sender domains include:

creeddeskenth.xyz
loyalpermissiondude.xyz
ordercotton.xyz

The link in all e-mails leads to a creeddeskenth.xyz page, which redirects to a site that triggers malware warnings.

All domains are registered via Name.com (who refuse to respond to reports). Registrant e-mail is tennouren@gmail.com. IP addresses are OVH Canada, who also won't acknowledge or respond to reports. IP addresses include:

54.39.41.139
54.39.32.227
54.39.34.233
54.39.41.138
54.39.41.132
54.39.34.246
54.39.34.236

Re: Malicious Morocco Spambot on OVH Canada

Posted: Sat May 05, 2018 8:06 pm
by nova7
ordercotton.xyz:
http://aceinsight.websense.com "Elevated exposure"

loyalpermissiondude.xyz:
http://aceinsight.websense.com "Elevated exposure"
https://hosts-file.net/?s=loyalpermissiondude.xyz

Re: Malicious Morocco Spambot on OVH Canada

Posted: Sun May 06, 2018 10:59 pm
by Fred Nurk
Another this morning - sent from savemalletpuerto.xyz, IP address 54.38.61.17

Re: Malicious Morocco Spambot on OVH Canada

Posted: Mon May 07, 2018 2:27 pm
by NotBuyingIt
All of the above-reported domains are currently using a virtually identical template for their websites, and the same webpages are also being served directly by the above-reported IP addresses. The same webpages are served directly from the IP addresses in the domains' A records, which currently include:
  • 54.39.41.128 (loyalpermissiondude.xyz)
  • 142.44.213.87 (creeddeskenth.xyz)
  • 144.217.79.135 (ordercotton.xyz)
See the screenshot at hxxp://urlquery.net/report/e05803cc-ffe1-486f-bd76-11f79bd4c2bf

Re: Malicious Morocco Spambot on OVH Canada

Posted: Mon May 07, 2018 3:04 pm
by NotBuyingIt
The "dummy" website template used by the above-reported domains is in widespread use. It isn't confined to OVH Canada. E.g., it is also used by the server for milancondera.xyz hosted at IP 80.211.129.229 on the Aruba S.p.A. network. Nor is the template confined to .XYZ top-level domains. E.g., it is also used by the server for chanelw.com hosted at IP 200.63.45.49 on the Panamaserver.com network.

A Google search using as a keyword the phrase "optimization of the campaign is key" will return scores of virtually identical websites. However, I have no information about any malicious aspects of such domains.

Re: Malicious Morocco Spambot on OVH Canada

Posted: Tue May 08, 2018 12:01 am
by Fred Nurk
Happily, creeddeskenth.xyz is dead for the time being - Name.com have placed it on 'clienthold', and it now doesn't lead anywhere.

Meanwhile, the spammer is now sending directly via IP address 79.137.70.43. The phishing link leads to a waybitz.com page, which redirects to an ifehp.today page which triggers malware / fraudulent page warnings.

Registrant details for the latest batch are:

Registrant e-mail: ijmouan@gmail.com

Name: Omar IJMOUAN

Phone number: (261) 071-1178

Address:
ARD DAOULA N26 Rue 38 , 26
Tangier, Tangier 90000
Morocco

Re: Malicious Morocco Spambot on OVH Canada

Posted: Tue May 08, 2018 6:43 pm
by nova7
ifehp.today is offline presently, still registered. @Fred Nurk the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.

Re: Malicious Morocco Spambot on OVH Canada

Posted: Mon May 14, 2018 5:12 am
by Fred Nurk
the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.
I've been reporting them via SpamCop, clearly to no effect - any suggestions on which blocklists I should direct them to would be greatly appreciated...

After a break of a few days, another one this morning, again sent from bogayou.com, still redirecting via waybitz.com, with the sender IP address showing that creeddeskenth.xyz is again active.

Re: Malicious Morocco Spambot on OVH Canada

Posted: Tue May 15, 2018 2:17 am
by nova7
@ Fred Nurk, I posted this for your use today.
https://forum.mywot.com /viewtopic.php?f=3&t=3136&p=263687#p263687 (there's an intentional break-space in the link due to an error in the forum formatting)

There are also malware URL etc. reporting sites and addresses at antivirus vendors, that I have in my offline notes, that I haven't used much.

Re: Malicious Morocco Spambot on OVH Canada

Posted: Wed May 30, 2018 11:00 am
by Fred Nurk
Appears to have started up again - several e-mails in the last few hours, all headed "Home Warranty". All contain a redirection link which leads to
http://zffzz.yzscwdbdxe.oyfhf.site/?sov ... c26be3c49e

Which redirects to an online gaming site - https://www.freelotto.com/register.asp? ... yoneWinsTV

Most recent spamming domain is waaowdeals.com which is registered via Name.com to

IJMOUAN OMAR
Street: 63 RUE EL WAHDA , ETAGE 1, APP 9
City: CASABLANCA
State: MAROC / GRANDE CASABLANCA
Postal Code: 20130
Country: MA
Phone: +212.648941431

Registrant e-mail is now o.ijmouan@gmail.com