amazonaiy.co

[g0d33p3rsec]

Phishing Domain/URL/IP(s):

https://amazonaiy.co/?hui=xdPNDLBFNj

Impersonated domain

amazon.com

Describe the issue

I received a sms lure with a shortened link that resolved to this domain. The message was:

[AMAZ0N] The item you purchased has encountered an issue and has been adjusted by the seller. Please check for details. hxxps://t[.]ly/ps3bw?hui=xdPNDLBFNj

Related external source

https://urlscan.io/result/33471298-3cd4-4591-ad5e-6d07f9c876f3/
https://urlscan.io/result/3603afa0-d630-4771-a2ce-4d91a4cbd1ed/

Screenshot

Click to expand

[spirillen]

That particular link are no longer available

The domain it self can't find it's index file either, so putting this one on hold

https://kb.mypdns.org/issue/MTX-1188/amazonaiy.co#focus=Comments-4-252.0-0

[spirillen]

@g0d33p3rsec Do you have any active links? otherwise I'm going to close this as fixed by the webhoster

[spirillen]

Closing as inactive

[g0d33p3rsec]

I don't have any additional links, just the sms lure that isn't resolving. My apologies for the delayed response, I've been on the road.

[spirillen]

I've been on the road.

isn't the sidewalk a safer playground 😉

[g0d33p3rsec]

isn't the sidewalk a safer playground 😉

Perhaps, but safety is overrated. For what its worth, I just received another lure using the same format, for a different domain, that was also dead on arrival.

Notice how the lure always starts with [AMAZ0N]. The domain is still resolving to an IP address, but the link 404's.

https://urlscan.io/result/a1d066e8-9ad9-4766-aebf-ed61a88ced47/

amazonoduts.co - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

[spirillen]

Both domains are hosted at DataWagon... should we be so lucky that they actually scan new domains for badware?

PS: this is one of many reasons to blacklists t.ly, t.me and other url_shorteners

[g0d33p3rsec]

Both domains are hosted at DataWagon... should we be so lucky that they actually scan new domains for badware?

PS: this is one of many reasons to blacklists t.ly, t.me and other url_shorteners

It is starting to look like there may be something else going on. I have since received two more lures of the same format that were both also dead on arrival.

Click to expand

The first redirected to 1b2v[.]co at 172.81.132.103 https://urlscan.io/result/79b139b8-bba6-4dbb-b4fb-ef8d4793fbd8/
Related domains at the same IP: https://urlscan.io/search/#page.ip:%22172.81.132.103%22

The second redirected to amazonmaz[.]com at 104.219.236.136 https://urlscan.io/result/336c9146-c791-4a13-8b92-4cb3a8c44b02/
Related domains at that IP: https://urlscan.io/search/#page.ip:%22104.219.236.136%22

I'm still not quite sure what to make of the behavior but find it unlikely that an actor would continue to use domains in lures that have already been killed by the provider.

1b2v.co - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

Search - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

amazonmaz.com - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

Search - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs

[spirillen]

Wow, your right, it wont make seance to keep using a dead domain.. but I know why... they moved to the most well knows phishing network

Drilling for amazonaiy.co

amazonaiy.co.   3600    IN      NS      reza.ns.cloudflare.com.
amazonaiy.co.   3600    IN      NS      ezra.ns.cloudflare.com.
amazonaiy.co.   300     IN      A       104.192.1.23