Add subdomains from pages.dev #423

Merged

@g0d33p3rsec g0d33p3rsec commented Jun 24, 2024

Phishing Domain/URL/IP(s):


Impersonated domain

Describe the issue

While following up on the subdomains mentioned in #422, I discovered additional malicious subdomains that were being primarily hosted at pages[.]dev along with additional related sites with the same signature.

Related external source



@g0d33p3rsec
Contributor Author

@spirillen my apologies for the mess of commits in this PR. I unintentionally branched from within another branch.

@g0d33p3rsec g0d33p3rsec changed the title Add subdomains from pages dev Add subdomains from pages.dev Jun 24, 2024
@spirillen
Contributor

@g0d33p3rsec I sorted your lists according to the ccdomains to make it easier to see what belongs to whom

@g0d33p3rsec
Contributor Author

Thanks! It was a mess to take in but many of the pythonanywhere[.]com domains redirect to the pages[.]dev sites. The additional domains were found by pivoting on the structure of the pages.

@spirillen spirillen merged commit e75e628 into Phishing-Database:main Jun 24, 2024
spirillen added a commit to mypdns/matrix that referenced this pull request Jun 24, 2024
@g0d33p3rsec g0d33p3rsec deleted the add-subdomains-from-pages-dev branch June 25, 2024 13:41
spirillen added a commit to mypdns/matrix that referenced this pull request Jul 12, 2024
Fix #607

Rel
- Phishing-Database/phishing#442
- Phishing-Database/phishing#423
- Phishing-Database/phishing#448

Credit: @g0d33p3rsec

----

Thanks to jetBrains for sponsoring IntelliJ (Ultimate Edition)
For non-commercial open source.
This helps My Privacy DNS to develop tools and maintain the blacklists.

Signed-off-by: Spirillen <[email protected]>