Malicious Morocco Spambot on OVH Canada

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: counterfeit

Post by Fred Nurk » Fri May 04, 2018 12:04 am

Phishing e-mails - offering Cannabis Oil gummies or advice about heart attack symptoms. Sender domains include:

creeddeskenth.xyz
loyalpermissiondude.xyz
ordercotton.xyz

The link in all e-mails leads to a creeddeskenth.xyz page, which redirects to a site that triggers malware warnings.

All domains are registered via Name.com (who refuse to respond to reports). Registrant e-mail is tennouren@gmail.com. IP addresses are OVH Canada, who also won't acknowledge or respond to reports. IP addresses include:

54.39.41.139
54.39.32.227
54.39.34.233
54.39.41.138
54.39.41.132
54.39.34.246
54.39.34.236
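
The post above gives sender domains and sending IP addresses, and a later post in the thread mentions reading the sender IP out of the message to see whether a domain is active again. As an added example (not code from the original post or from any forum member), the Python below parses the Received chain of a raw message, picks out the hop that handed the message to our own mail server, and matches it, the From domain and any link hosts in the body against the indicators listed in this thread. The sample message, the MX names and the trusted MX address 192.0.2.10 are constructed for illustration; only the domains and IP addresses come from the thread.

```python
# Added example, not code from the original post: parse the Received chain
# of a raw message, pick out the originating hop as seen by our own MX, and
# match it (plus From-domain and body URL hosts) against the indicators
# listed in this thread. SAMPLE_RAW below is constructed for illustration;
# the trusted MX address 192.0.2.10 is an assumption.
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Sender domains and IP addresses quoted from the thread.
IOC_DOMAINS = {
    "creeddeskenth.xyz", "loyalpermissiondude.xyz", "ordercotton.xyz",
    "savemalletpuerto.xyz", "waybitz.com", "ifehp.today", "bogayou.com",
    "waaowdeals.com",
}
IOC_IPS = {
    "54.39.41.139", "54.39.32.227", "54.39.34.233", "54.39.41.138",
    "54.39.41.132", "54.39.34.246", "54.39.34.236", "54.38.61.17",
    "79.137.70.43",
}

# Our own receiving server (assumed). Hops it added can be trusted; hops
# below it were written by the sender and may be forged.
TRUSTED_MX = frozenset({"192.0.2.10"})

# Constructed sample: outer hop added by our MX, inner hop from the spambot.
SAMPLE_RAW = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id abc123;\n"
    "\tFri, 04 May 2018 00:01:02 +0000\n"
    "Received: from creeddeskenth.xyz (creeddeskenth.xyz [54.39.41.139])\n"
    "\tby mx1.example.net with ESMTP id xyz789;\n"
    "\tFri, 04 May 2018 00:01:00 +0000\n"
    'From: "Health Desk" <news@loyalpermissiondude.xyz>\n'
    "To: victim@example.net\n"
    "Subject: Cannabis Oil gummies\n"
    "\n"
    "Read more: http://creeddeskenth.xyz/track?id=1\n"
)

# "from <helo> (<rdns> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]", re.S)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_hops(raw):
    """Return [(helo, ip), ...] for each Received header, newest (outermost) first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops


def origin_hop(raw, trusted_mx=TRUSTED_MX):
    """First hop not added by our own infrastructure: the IP that handed the
    message to our MX. Anything further down the chain is unverified."""
    for helo, ip in extract_hops(raw):
        try:
            if ip in trusted_mx or not ip_address(ip).is_global:
                continue
        except ValueError:  # malformed address literal in a forged header
            continue
        return helo, ip
    return None


def body_text(msg):
    """Concatenate the decoded text/plain parts (works for single-part mail too)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def match_iocs(raw, trusted_mx=TRUSTED_MX):
    """Set of thread indicators seen in the origin hop, From domain and body links."""
    msg = message_from_string(raw)
    hits = set()
    origin = origin_hop(raw, trusted_mx)
    if origin:
        helo, ip = origin
        hits.update(x for x in (helo, ip) if x in IOC_DOMAINS or x in IOC_IPS)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain in IOC_DOMAINS:
        hits.add(from_domain)
    for host in URL_HOST_RE.findall(body_text(msg)):
        if host.lower() in IOC_DOMAINS:
            hits.add(host.lower())
    return hits


if __name__ == "__main__":
    print("origin:", origin_hop(SAMPLE_RAW))
    print("IOC hits:", sorted(match_iocs(SAMPLE_RAW)))
```

Only the hop recorded by a server you control is evidence of where the message really came from; everything beneath it in the Received chain is text the sender wrote, which is why the code stops at the first untrusted hop instead of walking to the bottom.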

nova7
Posts: 262
Joined: Fri Apr 06, 2012 11:32 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by nova7 » Sat May 05, 2018 8:06 pm

ordercotton.xyz:
http://aceinsight.websense.com "Elevated exposure"

loyalpermissiondude.xyz:
http://aceinsight.websense.com "Elevated exposure"
https://hosts-file.net/?s=loyalpermissiondude.xyz

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Sun May 06, 2018 10:59 pm

Another this morning - sent from savemalletpuerto.xyz, IP address 54.38.61.17

NotBuyingIt
Posts: 3253
Joined: Fri Mar 11, 2011 6:21 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by NotBuyingIt » Mon May 07, 2018 2:27 pm

All of the above-reported domains are currently using a virtually identical template for their websites, and the same webpages are also being served directly by the above-reported IP addresses. The same webpages are served directly from the IP addresses in the domains' A records, which currently include
  • 54.39.41.128 (loyalpermissiondude.xyz)
  • 142.44.213.87 (creeddeskenth.xyz)
  • 144.217.79.135 (ordercotton.xyz)
See the screenshot at hxxp://urlquery.net/report/e05803cc-ffe1-486f-bd76-11f79bd4c2bf

NotBuyingIt
Posts: 3253
Joined: Fri Mar 11, 2011 6:21 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by NotBuyingIt » Mon May 07, 2018 3:04 pm

The "dummy" website template used by the above-reported domains is in widespread use. It isn't confined to OVH Canada. E.g., it is also used by the server for milancondera.xyz hosted at IP 80.211.129.229 on the Aruba S.p.A. network. Nor is the template confined to .XYZ top-level domains. E.g., it is also used by the server for chanelw.com hosted at IP 200.63.45.49 on the Panamaserver.com network.

A Google search using as a keyword the phrase "optimization of the campaign is key" will return scores of virtually identical websites. However, I have no information about any malicious aspects of such domains.

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Tue May 08, 2018 12:01 am

Happily, creeddeskenth.xyz is dead for the time being - Name.com have placed it on 'clienthold', and it now doesn't lead anywhere.

Meanwhile, the spammer is now sending directly via IP address 79.137.70.43. The phishing link leads to a waybitz.com page, which redirects to an ifehp.today page which triggers malware / fraudulent page warnings.

Registrant details for the latest batch are:

Registrant e-mail: ijmouan@gmail.com

Name: Omar IJMOUAN

Phone number: (261) 071-1178

Address:
ARD DAOULA N26 Rue 38 , 26
Tangier, Tangier 90000
Morocco

nova7
Posts: 262
Joined: Fri Apr 06, 2012 11:32 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by nova7 » Tue May 08, 2018 6:43 pm

ifehp.today is offline presently, still registered. @Fred Nurk the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.
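
Forwarding a message inline rewrites its headers in the forwarder's client, so the blocklist never sees the Received chain or Message-ID that identify the spambot; forwarding as an attachment keeps them. As an added example (not code from the original post or from any forum member), the Python below builds such a report with the standard library, wrapping the original message as a message/rfc822 part. The sample spam, the addresses and the report wording are constructed for illustration; only the sender domain and IP come from the thread, and nothing is sent.

```python
# Added example, not code from the original post: wrap a received spam
# message as a message/rfc822 attachment so the full original headers
# (Received chain, Message-ID, etc.) reach the blocklist intact. The
# sample spam and all addresses are constructed; no mail is sent here.
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed sample spam using a sender domain and IP reported in the thread.
SAMPLE_SPAM = (
    b"Received: from savemalletpuerto.xyz (savemalletpuerto.xyz [54.38.61.17])\r\n"
    b"\tby mx1.example.net with ESMTP id q1; Sun, 06 May 2018 07:00:00 +0000\r\n"
    b"From: promo@savemalletpuerto.xyz\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: Heart attack symptoms\r\n"
    b"Message-ID: <q1@savemalletpuerto.xyz>\r\n"
    b"\r\n"
    b"See http://creeddeskenth.xyz/?x=1\r\n"
)


def build_report(raw_spam, to_addr, from_addr):
    """Return an EmailMessage carrying raw_spam as a message/rfc822 attachment."""
    spam = message_from_bytes(raw_spam, policy=default)
    report = EmailMessage()
    report["From"] = from_addr
    report["To"] = to_addr
    report["Subject"] = "Spam report: " + (spam["Subject"] or "(no subject)")
    report.set_content(
        "Unsolicited bulk e-mail attached as message/rfc822 with full headers.\n"
        "The originating hop and Message-ID are in the attached headers."
    )
    # Attaching a Message object produces a message/rfc822 part: the original
    # headers are embedded verbatim instead of being rewritten by a mail client.
    report.add_attachment(spam)
    return report


def attached_original(report):
    """Pull the embedded original back out of a report (what the recipient parses)."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


if __name__ == "__main__":
    rpt = build_report(SAMPLE_SPAM, "reports@blocklist.example", "me@example.net")
    print(rpt.as_string())
    # To submit: smtplib.SMTP("smtp.example.net").send_message(rpt)
```

Most mail clients offer the same thing as "forward as attachment"; the point of doing it in code is that the embedded part is the exact bytes you received, which is what a blocklist operator needs to verify the sending IP.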

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Mon May 14, 2018 5:12 am

the samples seem highly under-reported, I suggest reporting and/or forwarding--as attachments--the emails to blocklists.
I've been reporting them via SpamCop, clearly to no effect - any suggestions on which blocklists I should direct them to would be greatly appreciated...

After a break of a few days, another one this morning, again sent from bogayou.com, still redirecting via waybitz.com, with the sender IP address showing that creeddeskenth.xyz is again active.

nova7
Posts: 262
Joined: Fri Apr 06, 2012 11:32 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by nova7 » Tue May 15, 2018 2:17 am

@ Fred Nurk, I posted this for your use today.
https://forum.mywot.com /viewtopic.php?f=3&t=3136&p=263687#p263687 (there's an intentional break-space in the link due to an error in the forum formatting)

There are also malware URL (etc.) reporting sites and addresses of antivirus vendors, which I have in my offline notes, that I haven't used much.

Fred Nurk
Posts: 11
Joined: Thu May 03, 2018 11:37 pm

Re: Malicious Morocco Spambot on OVH Canada

Post by Fred Nurk » Wed May 30, 2018 11:00 am

Appears to have started up again - several e-mails in the last few hours, all headed "Home Warranty". All contain a redirection link which leads to
http://zffzz.yzscwdbdxe.oyfhf.site/?sov ... c26be3c49e

Which redirects to an online gaming site - https://www.freelotto.com/register.asp? ... yoneWinsTV

Most recent spamming domain is waaowdeals.com which is registered via Name.com to

IJMOUAN OMAR
Street:63 RUE EL WAHDA , ETAGE 1, APP 9
City:CASABLANCA
State:MAROC / GRANDE CASABLANCA
Postal Code:20130
Country:MA
Phone:+212.648941431

Registrant e-mail is now o.ijmouan@gmail.com
