Ducks https://infosec.press/ducks/ Sat, 30 May 2026 18:02:33 +0000 3nf3vi.com https://infosec.press/ducks/3nf3vi-com <![CDATA[3nf3vi.com Mostly note to self: Summer 2025 a crypto mining scam setup was made. dlmining.com, dlmining.net and dldefi.com Probably advertised through a kind of affiliate network. This network apparently paid websites for promoting the scam. Many apparently legal websites. The setup seems to have disappeared around early march 2026. dldefi.com seems to have used a chat support at 3nf3vi.com. Which now can be found at 34.49.197.197 (googleusercontent.com) together with a buttload of "6 chars" domains. Have not checked further so I don't know if this are domains used solely for scams or they are domains used by a "legitimate" support .services 3nf3vi.com 5beixs.com 64p7r3.com 832tfj.com a8av4j.com arx8q6.com b3xcab.com c7n2w8.com cch4s3.com dqwh7c.com e8ndtg.com egu8wh.com f5guu4.com g3zu5v.com g5wpcg.com hdfy7i.com i4z3by.com imxtm3.com ix3hj4.com j4ky5m.com jffute.com k9tnjg.com kj2r6m.com ngkymv.com pzgfpd.com qp8k3p.com rkc2ph.com sb26uv.com sz2att.com th5at3.com ticp6s.com u3kitd.com ua7tm8.com v4ru2c.com vbyr5j.com x7t5ct.com xsxeg4.com xwuu4r.com y3qdgq.com yrmdfz.com z9pv3v.com b ]]> 3nf3vi.com

Mostly note to self: Summer 2025 a crypto mining scam setup was made. dlmining.com, dlmining.net and dldefi.com Probably advertised through a kind of affiliate network. This network apparently paid websites for promoting the scam. Many apparently legal websites. The setup seems to have disappeared around early march 2026.

dldefi.com seems to have used a chat support at 3nf3vi.com. Which now can be found at 34.49.197.197 (googleusercontent.com) together with a buttload of “6 chars” domains. Have not checked further so I don't know if this are domains used solely for scams or they are domains used by a “legitimate” support .services

3nf3vi.com 5beixs.com 64p7r3.com 832tfj.com a8av4j.com arx8q6.com b3xcab.com c7n2w8.com cch4s3.com dqwh7c.com e8ndtg.com egu8wh.com f5guu4.com g3zu5v.com g5wpcg.com hdfy7i.com i4z3by.com imxtm3.com ix3hj4.com j4ky5m.com jffute.com k9tnjg.com kj2r6m.com ngkymv.com pzgfpd.com qp8k3p.com rkc2ph.com sb26uv.com sz2att.com th5at3.com ticp6s.com u3kitd.com ua7tm8.com v4ru2c.com vbyr5j.com x7t5ct.com xsxeg4.com xwuu4r.com y3qdgq.com yrmdfz.com z9pv3v.com

b

]]> https://infosec.press/ducks/3nf3vi-com Wed, 25 Mar 2026 22:40:28 +0000 The enablers https://infosec.press/ducks/the-enablers <![CDATA[The hosts. And the templates for the cryptoscammers, the "cargospammers", the fake bank scammers etc are being made by someone(s). You name it. Have given up on the hosts. Seems we have to settle with "name and shame". And then we have the brokers. And the spammers, the "affiliate" networks. We sometimes stumble over all kinds of these, should start to make a list. gogowebsites.store https://www.gogowebsites.store/ Creation Date: 2025-03-24 (namecheap) hosted at 198.251.88.162 (Frantech/Ponynet) ]]> The hosts. And the templates for the cryptoscammers, the “cargospammers”, the fake bank scammers etc are being made by someone(s). You name it. Have given up on the hosts. Seems we have to settle with “name and shame”. And then we have the brokers. And the spammers, the “affiliate” networks. We sometimes stumble over all kinds of these, should start to make a list.

gogowebsites.store

https://www.gogowebsites.store/ Creation Date: 2025-03-24 (namecheap) hosted at 198.251.88.162 (Frantech/Ponynet)

]]> https://infosec.press/ducks/the-enablers Sun, 09 Nov 2025 03:14:00 +0000 From 49.12.82.250 to 195.201.173.222 https://infosec.press/ducks/from-49-12-82-250-to-195-201-173-222 <![CDATA[From 49.12.82.250 to 195.201.173.222 Lots of domains moved , both ips in Hetzner space. Many of the domains are fake crypto investing sites #cryptoscam. And other scam sites.]]> From 49.12.82.250 to 195.201.173.222 Lots of domains moved , both ips in Hetzner space. Many of the domains are fake crypto investing sites #cryptoscam. And other scam sites.

]]> https://infosec.press/ducks/from-49-12-82-250-to-195-201-173-222 Tue, 03 Dec 2024 18:39:42 +0000 Crypto refund scams https://infosec.press/ducks/crypto-refund-scams-fnyh <![CDATA[More and more sites popping up. Some results from urlscan.io as of today (8. nov. 2024): advokatiks.info advokats.blog advokats.info canada-pol.best canada-pol.biz canada-pol.site cyber-payback.pro cyber-police.site cyberfundreturn.pics cyberfundreturn.pro cyberreturnfund.digital cyberpl.info digital-recover.cyou digital-recovery.autos digital-recover.best digital-recovery.best digital-recovery.blog digital-recovery.bond digital-recovery.site digital-recovery.xyz digitalrecovery.autos digitalrecovery.cam digitalrecovery.site digitalrefund.apicil.group euro-pol.art euro-polc.blog euro-polc.site europol-eu.com europol-police.pro europol-refund.info europolonline.net germam-pol.xyz german-police.blog germanic-pol.auction gretcomp-invest.com gretcomp-invest.com interfundreturned.digital internet-cyberpolice.network queenscreekcapital.com refunds-money.site secureinvestments.cfd uk-advokats.site uk-pol.site Some of those are probably gone when you read this. If you are registered at urlscan.io, here is a list with "dynamic" results based on one common file : https://urlscan.io/search/#filename:%22bg-important2.png%22 There are some duplicates and maybe a few not related. And there is probably better ways to find more related domains. One example of whois info. Somehow we mistrust the registrant info, one may wonder about globaldomaingroup.com and its resellers. They seem to be involved in several of these domains. This domain was registered on Sept. 24 this year and is still alive as of Nov. 8 (2024): whois advokatiks.info (some info skipped for readability) organisation: Identity Digital Limited (included in administrative contact info) contact: administrative name: Vice President, Engineering organisation: Identity Digital Limited address: 10500 NE 8th Street, Suite 750 address: Bellevue WA 98004 address: United States of America (the) phone: +1.425.298.2200 fax-no: +1.425.671.0020 e-mail: tldadmin@identity.digital contact: technical (included in administrative contact info) nserver: A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1 nserver: A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1 nserver: B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1 nserver: B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1 nserver: C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1 nserver: D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1 ds-rdata: 5104 8 2 1af7548a8d3e2950c20303757df9390c26cfa39e26c8b6a8f6c8b1e72dd8f744 whois: whois.nic.info whois.globaldomaingroup.com Domain Name: ADVOKATIKS.INFO Registry Domain ID: 977211288a584007a5ea216ae869c497-DONUTS Registrar WHOIS Server: whois.globaldomaingroup.com Registrar URL: http://www.globaldomaingroup.com Updated Date: 2024-09-25T09:24:07.0Z Creation Date: 2024-09-24T15:36:20.0Z Registrar Registration Expiration Date: 2025-09-24T15:36:20.0Z Registrar: Global Domain Group LLC Registrar IANA ID: 3956 Registrar Abuse Contact Email: abuse@globaldomaingroup.com Registrar Abuse Contact Phone: +1.8053943992 Reseller: Andro Givan Registry Registrant ID: C-1408273 Registrant Name: Anya Cruk Registrant Street: Сумы Registrant City: Суми Registrant State/Province: Сумська область Registrant Postal Code: 01001 Registrant Country: UA Registrant Phone: +380.508445774 Registrant Email: hasladus@gmail.com Registry Admin ID: C-1408275 (admin/tech info same as Registrant info) Name Server: daniella.ns.cloudflare.com Name Server: milan.ns.cloudflare.com DNSSEC: unsigned Last update of WHOIS database: 2024-09-25 02:24:07 -0700 <<< And one may also wonder a bit about Cloudflare: ~ % dig advokatiks.info ;; ANSWER SECTION: advokatiks.info. 300 IN A 172.67.170.22 advokatiks.info. 300 IN A 104.21.39.85 ;; WHEN: Fri Nov 08 2024 ]]> More and more sites popping up. Some results from urlscan.io as of today (8. nov. 2024): advokatiks.info advokats.blog advokats.info canada-pol.best canada-pol.biz canada-pol.site cyber-payback.pro cyber-police.site cyberfundreturn.pics cyberfundreturn.pro cyberreturnfund.digital cyberpl.info digital-recover.cyou digital-recovery.autos digital-recover.best digital-recovery.best digital-recovery.blog digital-recovery.bond digital-recovery.site digital-recovery.xyz digitalrecovery.autos digitalrecovery.cam digitalrecovery.site digitalrefund.apicil.group euro-pol.art euro-polc.blog euro-polc.site europol-eu.com europol-police.pro europol-refund.info europolonline.net germam-pol.xyz german-police.blog germanic-pol.auction gretcomp-invest.com gretcomp-invest.com interfundreturned.digital internet-cyberpolice.network queenscreekcapital.com refunds-money.site secureinvestments.cfd uk-advokats.site uk-pol.site Some of those are probably gone when you read this.

If you are registered at urlscan.io, here is a list with “dynamic” results based on one common file : https://urlscan.io/search/#filename:%22bg-important2.png%22 There are some duplicates and maybe a few not related. And there is probably better ways to find more related domains.

One example of whois info. Somehow we mistrust the registrant info, one may wonder about globaldomaingroup.com and its resellers. They seem to be involved in several of these domains. This domain was registered on Sept. 24 this year and is still alive as of Nov. 8 (2024): whois advokatiks.info (some info skipped for readability) organisation: Identity Digital Limited (included in administrative contact info) contact: administrative name: Vice President, Engineering organisation: Identity Digital Limited address: 10500 NE 8th Street, Suite 750 address: Bellevue WA 98004 address: United States of America (the) phone: +1.425.298.2200 fax-no: +1.425.671.0020 e-mail: tldadmin@identity.digital contact: technical (included in administrative contact info) nserver: A0.INFO.AFILIAS-NST.INFO 199.254.31.1 2001:500:19:0:0:0:0:1 nserver: A2.INFO.AFILIAS-NST.INFO 199.249.113.1 2001:500:41:0:0:0:0:1 nserver: B0.INFO.AFILIAS-NST.ORG 199.254.48.1 2001:500:1a:0:0:0:0:1 nserver: B2.INFO.AFILIAS-NST.ORG 199.249.121.1 2001:500:49:0:0:0:0:1 nserver: C0.INFO.AFILIAS-NST.INFO 199.254.49.1 2001:500:1b:0:0:0:0:1 nserver: D0.INFO.AFILIAS-NST.ORG 199.254.50.1 2001:500:1c:0:0:0:0:1 ds-rdata: 5104 8 2 1af7548a8d3e2950c20303757df9390c26cfa39e26c8b6a8f6c8b1e72dd8f744 whois: whois.nic.info whois.globaldomaingroup.com Domain Name: ADVOKATIKS.INFO Registry Domain ID: 977211288a584007a5ea216ae869c497-DONUTS Registrar WHOIS Server: whois.globaldomaingroup.com Registrar URL: http://www.globaldomaingroup.com Updated Date: 2024-09-25T09:24:07.0Z Creation Date: 2024-09-24T15:36:20.0Z Registrar Registration Expiration Date: 2025-09-24T15:36:20.0Z Registrar: Global Domain Group LLC Registrar IANA ID: 3956 Registrar Abuse Contact Email: abuse@globaldomaingroup.com Registrar Abuse Contact Phone: +1.8053943992 Reseller: Andro Givan Registry Registrant ID: C-1408273 Registrant Name: Anya Cruk Registrant Street: Сумы Registrant City: Суми Registrant State/Province: Сумська область Registrant Postal Code: 01001 Registrant Country: UA Registrant Phone: +380.508445774 Registrant Email: hasladus@gmail.com Registry Admin ID: C-1408275

(admin/tech info same as Registrant info)

Name Server: daniella.ns.cloudflare.com Name Server: milan.ns.cloudflare.com DNSSEC: unsigned >>> Last update of WHOIS database: 2024-09-25 02:24:07 -0700 <<<

And one may also wonder a bit about Cloudflare: ~ % dig advokatiks.info ;; ANSWER SECTION: advokatiks.info. 300 IN A 172.67.170.22 advokatiks.info. 300 IN A 104.21.39.85 ;; WHEN: Fri Nov 08 2024

]]> https://infosec.press/ducks/crypto-refund-scams-fnyh Fri, 08 Nov 2024 20:38:21 +0000 Fraud sites on the move https://infosec.press/ducks/many-fraud-sites-moved-from-94-23-253-103-to-84-247-184-65 <![CDATA[Fraud sites on the move Many fraud sites has been moved from 94.23.253.103 to 84.247.184.65. Still many left at 94.23.253.103. Related: prime.seodns.one server.multivpshost.com (Creation Date: 2024-09-24) okonjohn133.gmail.com ciscopet2021.gmail.com https://whoisdatacenter.com/email/ciscopet2021@gmail.com/ https://bgp.he.net/ip/94.23.253.103#dnsrecords https://bgp.he.net/ip/84.247.184.65#dnsrecords OVH Centrihost.com Anitahost.com]]> Fraud sites on the move

Many fraud sites has been moved from 94.23.253.103 to 84.247.184.65. Still many left at 94.23.253.103. Related: prime.seodns.one server.multivpshost.com (Creation Date: 2024-09-24) okonjohn133.gmail.com ciscopet2021.gmail.com https://whoisdatacenter.com/email/ciscopet2021@gmail.com/ https://bgp.he.net/ip/94.23.253.103#_dnsrecords https://bgp.he.net/ip/84.247.184.65#_dnsrecords OVH Centrihost.com Anitahost.com

]]> https://infosec.press/ducks/many-fraud-sites-moved-from-94-23-253-103-to-84-247-184-65 Fri, 08 Nov 2024 00:29:47 +0000 The "olux" and/or "oxo" or whatever guys https://infosec.press/ducks/the-olux-and-or-oxo-or-whatever-guys <![CDATA[Their telegram account: hxxps://t.me/oluxshopsite/ 2 336 subscribers Olux Buy Tools, Shells, web shell, RDP, SSH, cPanel, Mailer, SMTP, Leads, Webmail, Cards, Account, Pages, olux, Olux SHOP, olux store hxxps://t.me/oluxshopsite/729: quoteTutorial Video Cpanel & shell & Smtps & Mailler 1$-10$ Rdps & Office logs & Leads & Numbers 1$-20$ Accounts & webmails & Pages & Methods 1$-500$ you can top up your account instantly few seconds with bitcoin Send the exactly number of Bitcoin or more don't close the payment page. u can refresh page Any Problem with the order:Submit report to seller Seller didn't fix problem within 5 hours.We will refund Buyer. Buyer didn't reply within 24 hours after seller.We will Close report. Note:avoid multi reply. hxxps://olux.li hxxps://oluxshop.li t.me/oluxshopsite/729 edited Sep 28 at 07:43 /quote cdn4.cdn-telegram.org/file/cff2fa7546.mp4 -- not able to catch that one. IP-address 162.55.238.94 I first stumbled across a cryptofraud site on that IP. But I also found sites on the same IP with hidden content. One or more lines with the following content on one or more pages on the same domain, first example: view-source:hxxps://www.bitwealthasset.com/ : hxxps://www.oxo.si/' Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel. I don't know the value of this, some kind of "seo" maybe? Other domains with the same or variations of the code: bluerichfoods.com bxplorer.online tocpharmaceuticals.com euphoriaeventplace.com (24 rows with the code) abbasheartinternationalministries.com abdanielstradomedhospital.com caishencharteredtrust.com capitalgrowinvest.com capitecfin.com cattyinvest.com cheeckstox.com educurrency.top citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is (which celebrates christmas). "Buy Leads"and "SMTP" has sneaked in some places in what "services" they seem to provide. clarity-options-trade.com climaxpaytrading.com coinswalletsapp.com commercial-trading.com conexriseltd.com crescent-funds.com crownenergy-investment.com cryptohive.online cryptohubmine.com cryptoinxhange.com cryptotradinggai.com bettercryptoinvestment.net climatefitsolutions.com educurrency.top (redirectet from chuksblog.top) clarity-options-trade.com climaxpaytrading.com cloudminingcity.com coinstitude.com combdb.com commercial-trading.com corporateuniontrustbank.com couttss.com cryptnetverse.com cryptoevolution.info cryptohubmine.com cryptoinxhange.com cryptoref.info cryptospotpro.online daily-gt.com dashtradefx.com debulad.com decentralisedincome.com deroyaleservices.com doubleyielders.com empablockmarket.live eqtycdf.com euphoriaeventplace.com expertminer.online firstcornerstoneb.com firstmidwsb.com firstspringcu.online flaretrustline.app ftxdailyincome.com fx-primetradhub.com fxnetworktrading.com getmypins.com/manage/ ggemfx.com glimcoinfx.com globalbestcutbutchers.com (in total 190 lines of code) globalbinarycpro.com globalprimefinance.com globalsignalexpertmarkets.com globewritershub.com glockamory.com gnbancorp.com godfelhrconsultancy.com goldenmovicltd.com grandoption.org grantbakingonline.com greencoastonline.org greenpathtb.com greenpathtrust.com gricunashr.com hakkbully.com hakkdomain.com hakknocrat.com haloinvestpro.com hashmarketfx.com heritagecapitalfx.com heritagecf.net heritagepvltd.com hfplatform.live hoardblockexplorer.info hoardfx.com hoperbookings.online horizonjury.com icbcsbnk.com iconiccanna.com trades.idealtradesignal.com instaplug01.com intconib.com intertrustbk.com itechglobehack.com jkcostant.online kathleencahillmariconda.com kryptofxcore.com legacycrf.com legcreditf.com liamfinancing.com liteinterext.online luminerybank.com lumineryfb.com luxorrtech.com masterfxtrade.live mauricugointernational.com mectomfx.com megafxoptions.com midascryptotrade.com milesassetltd.com digitechcompany.cloud/en/public/ (redirects from minecoins.online) moleystonescapitals.com mycrypai.com mypnconline.com myviasupport.com nationalcreditunion.online niketradeprime.com northcelly.com northernsb.com omegafinanceleasing.com optimoser.com optimuminternationalmarkets.com ordezenterprise.com peakhash.com pinb.online premier-option.com primeglobalinvestments.live/home/ profxcrypto.com prohakks.com propertiesloans.com prudcrb.comstockstradersfx.com standardcorpb.com stuartfellstaffordshirebullterriers.com successfulfx.online suisepay.com surfhakks.com swisslitebank.online syngenresources.com tcloudusdt.com tescoinv.com titantrustb.com (site copied from cnl.com, which was registered in 1995 and seems "legit") tnbancorp.com tocpharmaceuticals.com (on a buttload of links on this domain) tokssphere.com tonensiadiamonds.com top-m.online topromedics.com torchcart.com trippydelics.store tsbcadvisor.com ualliancecrdu.com ultimafxoption.com ultimaterealistic.com ultimatexplorer.info ultrafxoption.com A bit interesting is that the code did not exist on ultrafxoption.com on November 30th 2022 according to urlscan.io. But shows up in a scan in December 2023. Did all sites got this code injected in this timeframe? Can only speculate. Or use a lot of time trying to find out. uniqueglobaloptions.com vacationdepts.info vertextradings.com vitalityplc.online waxiprofit.com wcouservice.biz web-gmd.com westagefinance.com According to urlscan this domain contained the code also on December 4th 2023 winnersviewoptioninvestment.org wisgodynamic.com wmovelogistics.com wolf-trademarket.cfd world-miners.com wourld-cour.com xiloans.com xpressct.com xtrafcb.com xtrainterextcorp.com xtrainterextfb.com xtrainterextfcb.com xtratreasury.com ysmbundle.com ziraatinternationalcorporation.com * According to urlscan this domain contained the code also on September 11th 2023 citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with different additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is which celebrates christmas. "Buy Leads"and "SMTP" has sneaked in some places in what "services" they provide. Various search engines gives hits to other sites on the same IP, but the hidden stuff is now gone: fujowillbusiness.com/sample-page/ wmtips.com/tools/info/sh3elltools.to hxxps://www.hotelfontana.de/magazin/tag/ayurvedische-reinigungskur/ hxxps://albertfinni.com/gva_template/crowdfunding-single-template/ Some sites appear in searches, but are now gone: lufix.pro, lufix.to, oluxshop.to Domains, variatons of oluxshop.[tld] oluxshop.to (127.0.0.1) Domains, variatons of olux.[tld] olux.to ICQ: hxxps://icq.im/oluxshop A now apparent dead facebook account: hxxps://www.facebook.com/groups/buywebshell/ sh3elltools.to seems somwehat related. ]]> Their telegram account: hxxps://t.me/oluxshopsite/ 2 336 subscribers Olux Buy Tools, Shells, web shell, RDP, SSH, cPanel, Mailer, SMTP, Leads, Webmail, Cards, Account, Pages, olux, Olux SHOP, olux store

hxxps://t.me/oluxshopsite/729: Tutorial Video Cpanel & shell & Smtps & Mailler 1$-10$ Rdps & Office logs & Leads & Numbers 1$-20$ Accounts & webmails & Pages & Methods 1$-500$

you can top up your account instantly few seconds with bitcoin Send the exactly number of Bitcoin or more don't close the payment page. u can refresh page

Any Problem with the order:Submit report to seller Seller didn't fix problem within 5 hours.We will refund Buyer. Buyer didn't reply within 24 hours after seller.We will Close report. Note:avoid multi reply. hxxps://olux.li hxxps://oluxshop.li t.me/oluxshopsite/729 edited Sep 28 at 07:43

cdn4.cdn-telegram.org/file/cff2fa7546.mp4 —> not able to catch that one.

IP-address 162.55.238.94

I first stumbled across a cryptofraud site on that IP. But I also found sites on the same IP with hidden content. One or more lines with the following content on one or more pages on the same domain, first example: view-source:hxxps://www.bitwealthasset.com/ : hxxps://www.oxo.si/'>Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel. I don't know the value of this, some kind of “seo” maybe? Other domains with the same or variations of the code:

bluerichfoods.com bxplorer.online tocpharmaceuticals.com euphoriaeventplace.com (24 rows with the code) abbasheartinternationalministries.com abdanielstradomedhospital.com caishencharteredtrust.com capitalgrowinvest.com capitecfin.com cattyinvest.com cheeckstox.com educurrency.top

citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is (which celebrates christmas). “Buy Leads”and “SMTP” has sneaked in some places in what “services” they seem to provide.

clarity-options-trade.com climaxpaytrading.com coinswalletsapp.com commercial-trading.com conexriseltd.com crescent-funds.com crownenergy-investment.com cryptohive.online cryptohubmine.com cryptoinxhange.com cryptotradinggai.com bettercryptoinvestment.net climatefitsolutions.com educurrency.top (redirectet from chuksblog.top) clarity-options-trade.com climaxpaytrading.com cloudminingcity.com coinstitude.com combdb.com commercial-trading.com corporateuniontrustbank.com couttss.com cryptnetverse.com cryptoevolution.info cryptohubmine.com cryptoinxhange.com cryptoref.info cryptospotpro.online daily-gt.com dashtradefx.com debulad.com decentralisedincome.com deroyaleservices.com doubleyielders.com empablockmarket.live eqtycdf.com euphoriaeventplace.com expertminer.online firstcornerstoneb.com firstmidwsb.com firstspringcu.online flaretrustline.app ftxdailyincome.com fx-primetradhub.com fxnetworktrading.com getmypins.com/manage/ ggemfx.com glimcoinfx.com globalbestcutbutchers.com (in total 190 lines of code) globalbinarycpro.com globalprimefinance.com globalsignalexpertmarkets.com globewritershub.com glockamory.com gnbancorp.com godfelhrconsultancy.com goldenmovicltd.com grandoption.org grantbakingonline.com greencoastonline.org greenpathtb.com greenpathtrust.com gricunashr.com hakkbully.com hakkdomain.com hakknocrat.com haloinvestpro.com hashmarketfx.com heritagecapitalfx.com heritagecf.net heritagepvltd.com hfplatform.live hoardblockexplorer.info hoardfx.com hoperbookings.online horizonjury.com icbcsbnk.com iconiccanna.com trades.idealtradesignal.com instaplug01.com intconib.com intertrustbk.com itechglobehack.com jkcostant.online kathleencahillmariconda.com kryptofxcore.com legacycrf.com legcreditf.com liamfinancing.com liteinterext.online luminerybank.com lumineryfb.com luxorrtech.com masterfxtrade.live mauricugointernational.com mectomfx.com megafxoptions.com midascryptotrade.com milesassetltd.com digitechcompany.cloud/en/public/ (redirects from minecoins.online) moleystonescapitals.com mycrypai.com mypnconline.com myviasupport.com nationalcreditunion.online niketradeprime.com northcelly.com northernsb.com omegafinanceleasing.com optimoser.com optimuminternationalmarkets.com ordezenterprise.com peakhash.com pinb.online premier-option.com primeglobalinvestments.live/home/ profxcrypto.com prohakks.com propertiesloans.com prudcrb.comstockstradersfx.com standardcorpb.com stuartfellstaffordshirebullterriers.com successfulfx.online suisepay.com surfhakks.com swisslitebank.online syngenresources.com tcloudusdt.com tescoinv.com titantrustb.com (site copied from cnl.com, which was registered in 1995 and seems “legit”) tnbancorp.com tocpharmaceuticals.com (on a buttload of links on this domain) tokssphere.com tonensiadiamonds.com top-m.online topromedics.com torchcart.com trippydelics.store tsbcadvisor.com ualliancecrdu.com ultimafxoption.com ultimaterealistic.com ultimatexplorer.info

ultrafxoption.com * A bit interesting is that the code did not exist on ultrafxoption.com on November 30th 2022 according to urlscan.io. But shows up in a scan in December 2023. Did all sites got this code injected in this timeframe? Can only speculate. Or use a lot of time trying to find out.

uniqueglobaloptions.com vacationdepts.info vertextradings.com vitalityplc.online waxiprofit.com wcouservice.biz web-gmd.com westagefinance.com * According to urlscan this domain contained the code also on December 4th 2023 winnersviewoptioninvestment.org wisgodynamic.com wmovelogistics.com wolf-trademarket.cfd world-miners.com wourld-cour.com xiloans.com xpressct.com xtrafcb.com xtrainterextcorp.com xtrainterextfb.com xtrainterextfcb.com xtratreasury.com ysmbundle.com ziraatinternationalcorporation.com * According to urlscan this domain contained the code also on September 11th 2023

citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with different additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is which celebrates christmas. “Buy Leads”and “SMTP” has sneaked in some places in what “services” they provide.

Various search engines gives hits to other sites on the same IP, but the hidden stuff is now gone: fujowillbusiness.com/sample-page/ wmtips.com/tools/info/sh3elltools.to hxxps://www.hotelfontana.de/magazin/tag/ayurvedische-reinigungskur/ hxxps://albertfinni.com/gva_template/crowdfunding-single-template/

Some sites appear in searches, but are now gone: lufix.pro, lufix.to, oluxshop.to

Domains, variatons of oluxshop.[tld] oluxshop.to (127.0.0.1)

Domains, variatons of olux.[tld] olux.to

ICQ: hxxps://icq.im/oluxshop

A now apparent dead facebook account: hxxps://www.facebook.com/groups/buywebshell/ sh3elltools.to seems somwehat related.

]]> https://infosec.press/ducks/the-olux-and-or-oxo-or-whatever-guys Fri, 22 Dec 2023 19:35:07 +0000 Some day https://infosec.press/ducks/some-day <![CDATA[We've thought about using WriteFreely for a blog some day. Hosting/installing it myself is way out of our league. So it was a pleasant surprise when we discovered that infosec had this possibility. But have always been slow and in addition age is now showing. Working on a couple of drafts, perhaps they will be finished. Some day. Introduction (kind of) We prefer not to write too much here, maybe some day. ]]> We've thought about using WriteFreely for a blog some day. Hosting/installing it myself is way out of our league. So it was a pleasant surprise when we discovered that infosec had this possibility.

But have always been slow and in addition age is now showing. Working on a couple of drafts, perhaps they will be finished. Some day.

Introduction (kind of)

We prefer not to write too much here, maybe some day.

]]> https://infosec.press/ducks/some-day Sun, 12 Mar 2023 18:32:03 +0000