Ducks

From 49.12.82.250 to 195.201.173.222 Lots of domains moved , both ips in Hetzner space. Many of the domanis are fake crypto investing sites #cryptoscam. And other scam sites.

More and more sites popping up. Some results from urlscan.io as of today (8. nov. 2024): advokatiks.info advokats.blog advokats.info canada-pol.best canada-pol.biz canada-pol.site cyber-payback.pro cyber-police.site cyberfundreturn.pics cyberfundreturn.pro cyberreturnfund.digital cyberpl.info digital-recover.cyou digital-recovery.autos digital-recover.best digital-recovery.best digital-recovery.blog digital-recovery.bond digital-recovery.site digital-recovery.xyz digitalrecovery.autos digitalrecovery.cam digitalrecovery.site digitalrefund.apicil.group euro-pol.art euro-polc.blog euro-polc.site europol-eu.com europol-police.pro europol-refund.info europolonline.net germam-pol.xyz german-police.blog germanic-pol.auction gretcomp-invest.com gretcomp-invest.com interfundreturned.digital internet-cyberpolice.network queenscreekcapital.com refunds-money.site secureinvestments.cfd uk-advokats.site uk-pol.site Some of those are probably gone when you read this.

If you are registered at urlscan.io, here is a list with “dynamic” results based on one common file : https://urlscan.io/search/#filename:%22bg-important2.png%22 There are some duplicates and maybe a few not related. And there is probably better ways to find more related domains.

One example of whois info. Somehow I mistrust the registrant info, one may wonder about globaldomaingroup.com and its resellers. They seem to be involved in several of these domains. This domain was registered on Sept. 24 this year and is still alive as of Nov. 8 (2024): whois advokatiks.info (some info skipped for readability) organisation: Identity Digital Limited (included in administrative contact info) contact: administrative name: Vice President, Engineering organisation: Identity Digital Limited address: 10500 NE 8th Street, Suite 750 address: Bellevue WA 98004 address: United States of America (the) phone: +1.425.298.2200 fax-no: +1.425.671.0020 e-mail: tldadmin@identity.digital contact: technical (included in administrative contact info) nserver: A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1 nserver: A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1 nserver: B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1 nserver: B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1 nserver: C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1 nserver: D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1 ds-rdata: 5104 8 2 1af7548a8d3e2950c20303757df9390c26cfa39e26c8b6a8f6c8b1e72dd8f744 whois: whois.nic.info whois.globaldomaingroup.com Domain Name: ADVOKATIKS.INFO Registry Domain ID: 977211288a584007a5ea216ae869c497-DONUTS Registrar WHOIS Server: whois.globaldomaingroup.com Registrar URL: http://www.globaldomaingroup.com Updated Date: 2024-09-25T09:24:07.0Z Creation Date: 2024-09-24T15:36:20.0Z Registrar Registration Expiration Date: 2025-09-24T15:36:20.0Z Registrar: Global Domain Group LLC Registrar IANA ID: 3956 Registrar Abuse Contact Email: abuse@globaldomaingroup.com Registrar Abuse Contact Phone: +1.8053943992 Reseller: Andro Givan Registry Registrant ID: C-1408273 Registrant Name: Anya Cruk Registrant Street: Сумы Registrant City: Суми Registrant State/Province: Сумська область Registrant Postal Code: 01001 Registrant Country: UA Registrant Phone: +380.508445774 Registrant Email: hasladus@gmail.com Registry Admin ID: C-1408275

(admin/tech info same as Registrant info)

Name Server: daniella.ns.cloudflare.com Name Server: milan.ns.cloudflare.com DNSSEC: unsigned >>> Last update of WHOIS database: 2024-09-25 02:24:07 -0700 <<<

And one may also wonder a bit about Cloudflare: ~ % dig advokatiks.info ;; ANSWER SECTION: advokatiks.info. 300 IN A 172.67.170.22 advokatiks.info. 300 IN A 104.21.39.85 ;; WHEN: Fri Nov 08 2024

Fraud sites on the move

Many fraud sites has been moved from 94.23.253.103 to 84.247.184.65. Still many left at 94.23.253.103. Related: prime.seodns.one server.multivpshost.com (Creation Date: 2024-09-24) okonjohn133.gmail.com ciscopet2021.gmail.com https://whoisdatacenter.com/email/ciscopet2021@gmail.com/ https://bgp.he.net/ip/94.23.253.103#_dnsrecords https://bgp.he.net/ip/84.247.184.65#_dnsrecords OVH Centrihost.com Anitahost.com

Their telegram account: hxxps://t.me/oluxshopsite/ 2 336 subscribers Olux Buy Tools, Shells, web shell, RDP, SSH, cPanel, Mailer, SMTP, Leads, Webmail, Cards, Account, Pages, olux, Olux SHOP, olux store

hxxps://t.me/oluxshopsite/729: Tutorial Video Cpanel & shell & Smtps & Mailler 1$-10$ Rdps & Office logs & Leads & Numbers 1$-20$ Accounts & webmails & Pages & Methods 1$-500$

you can top up your account instantly few seconds with bitcoin Send the exactly number of Bitcoin or more don't close the payment page. u can refresh page

Any Problem with the order:Submit report to seller Seller didn't fix problem within 5 hours.We will refund Buyer. Buyer didn't reply within 24 hours after seller.We will Close report. Note:avoid multi reply. hxxps://olux.li hxxps://oluxshop.li t.me/oluxshopsite/729 edited Sep 28 at 07:43

cdn4.cdn-telegram.org/file/cff2fa7546.mp4 —> not able to catch that one.

IP-address 162.55.238.94

I first stumbled across a cryptofraud site on that IP. But I also found sites on the same IP with hidden content. One or more lines with the following content on one or more pages on the same domain, first example: view-source:hxxps://www.bitwealthasset.com/ : hxxps://www.oxo.si/'>Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel. I don't know the value of this, some kind of “seo” maybe? Other domains with the same or variations of the code:

bluerichfoods.com bxplorer.online tocpharmaceuticals.com euphoriaeventplace.com (24 rows with the code) abbasheartinternationalministries.com abdanielstradomedhospital.com caishencharteredtrust.com capitalgrowinvest.com capitecfin.com cattyinvest.com cheeckstox.com educurrency.top

citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is (which celebrates christmas). “Buy Leads”and “SMTP” has sneaked in some places in what “services” they seem to provide.

clarity-options-trade.com climaxpaytrading.com coinswalletsapp.com commercial-trading.com conexriseltd.com crescent-funds.com crownenergy-investment.com cryptohive.online cryptohubmine.com cryptoinxhange.com cryptotradinggai.com bettercryptoinvestment.net climatefitsolutions.com educurrency.top (redirectet from chuksblog.top) clarity-options-trade.com climaxpaytrading.com cloudminingcity.com coinstitude.com combdb.com commercial-trading.com corporateuniontrustbank.com couttss.com cryptnetverse.com cryptoevolution.info cryptohubmine.com cryptoinxhange.com cryptoref.info cryptospotpro.online daily-gt.com dashtradefx.com debulad.com decentralisedincome.com deroyaleservices.com doubleyielders.com empablockmarket.live eqtycdf.com euphoriaeventplace.com expertminer.online firstcornerstoneb.com firstmidwsb.com firstspringcu.online flaretrustline.app ftxdailyincome.com fx-primetradhub.com fxnetworktrading.com getmypins.com/manage/ ggemfx.com glimcoinfx.com globalbestcutbutchers.com (in total 190 lines of code) globalbinarycpro.com globalprimefinance.com globalsignalexpertmarkets.com globewritershub.com glockamory.com gnbancorp.com godfelhrconsultancy.com goldenmovicltd.com grandoption.org grantbakingonline.com greencoastonline.org greenpathtb.com greenpathtrust.com gricunashr.com hakkbully.com hakkdomain.com hakknocrat.com haloinvestpro.com hashmarketfx.com heritagecapitalfx.com heritagecf.net heritagepvltd.com hfplatform.live hoardblockexplorer.info hoardfx.com hoperbookings.online horizonjury.com icbcsbnk.com iconiccanna.com trades.idealtradesignal.com instaplug01.com intconib.com intertrustbk.com itechglobehack.com jkcostant.online kathleencahillmariconda.com kryptofxcore.com legacycrf.com legcreditf.com liamfinancing.com liteinterext.online luminerybank.com lumineryfb.com luxorrtech.com masterfxtrade.live mauricugointernational.com mectomfx.com megafxoptions.com midascryptotrade.com milesassetltd.com digitechcompany.cloud/en/public/ (redirects from minecoins.online) moleystonescapitals.com mycrypai.com mypnconline.com myviasupport.com nationalcreditunion.online niketradeprime.com northcelly.com northernsb.com omegafinanceleasing.com optimoser.com optimuminternationalmarkets.com ordezenterprise.com peakhash.com pinb.online premier-option.com primeglobalinvestments.live/home/ profxcrypto.com prohakks.com propertiesloans.com prudcrb.comstockstradersfx.com standardcorpb.com stuartfellstaffordshirebullterriers.com successfulfx.online suisepay.com surfhakks.com swisslitebank.online syngenresources.com tcloudusdt.com tescoinv.com titantrustb.com (site copied from cnl.com, which was registered in 1995 and seems “legit”) tnbancorp.com tocpharmaceuticals.com (on a buttload of links on this domain) tokssphere.com tonensiadiamonds.com top-m.online topromedics.com torchcart.com trippydelics.store tsbcadvisor.com ualliancecrdu.com ultimafxoption.com ultimaterealistic.com ultimatexplorer.info

ultrafxoption.com * A bit interesting is that the code did not exist on ultrafxoption.com on November 30th 2022 according to urlscan.io. But shows up in a scan in December 2023. Did all sites got this code injected in this timeframe? Can only speculate. Or use a lot of time trying to find out.

uniqueglobaloptions.com vacationdepts.info vertextradings.com vitalityplc.online waxiprofit.com wcouservice.biz web-gmd.com westagefinance.com * According to urlscan this domain contained the code also on December 4th 2023 winnersviewoptioninvestment.org wisgodynamic.com wmovelogistics.com wolf-trademarket.cfd world-miners.com wourld-cour.com xiloans.com xpressct.com xtrafcb.com xtrainterextcorp.com xtrainterextfb.com xtrainterextfcb.com xtratreasury.com ysmbundle.com ziraatinternationalcorporation.com * According to urlscan this domain contained the code also on September 11th 2023

citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with different additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is which celebrates christmas. “Buy Leads”and “SMTP” has sneaked in some places in what “services” they provide.

Various search engines gives hits to other sites on the same IP, but the hidden stuff is now gone: fujowillbusiness.com/sample-page/ wmtips.com/tools/info/sh3elltools.to hxxps://www.hotelfontana.de/magazin/tag/ayurvedische-reinigungskur/ hxxps://albertfinni.com/gva_template/crowdfunding-single-template/

Some sites appear in searches, but are now gone: lufix.pro, lufix.to, oluxshop.to

Domains, variatons of oluxshop.[tld] oluxshop.to (127.0.0.1)

Domains, variatons of olux.[tld] olux.to

ICQ: hxxps://icq.im/oluxshop

A now apparent dead facebook account: hxxps://www.facebook.com/groups/buywebshell/ sh3elltools.to seems somwehat related.

I've thought about using WriteFreely for a blog some day. Hosting/installing it myself is way out of my league. So it was a pleasant surprise when I discovered that infosec had this possibility.

But I have always been slow and in addition age is now showing. Working on a couple of drafts, perhaps they will be finished. Some day.

Introduction (kind of)

I prefer not to write too much here, maybe some day.