pages.dev #607

Closed
g0d33p3rsec opened this issue Jun 24, 2024 · 11 comments
Labels: Malicious, Phishing

g0d33p3rsec (Collaborator) commented Jun 24, 2024

While following up on the subdomains mentioned in Phishing-Database/phishing#422, I discovered additional malicious subdomains that were being primarily hosted at pages[.]dev along with additional related sites with the same signature.

more details are available at Phishing-Database/phishing#423

Wildcard domain records

null

Sub-Domain records

adobe-jhhkwjrnfjadenfrskbgjlsnfgjdfn.pages.dev|phishing
adobeli.pages.dev|phishing
ariamanonux03p.pages.dev|malicious
att-mail.pages.dev|phishing
begincellcdn.pages.dev|phishing
blurverse.pages.dev|phishing
borsbrietjblrenlgbrlenhjt.pages.dev|phishing
cfgxgfxf.pages.dev|phishing
chainsrectify.pages.dev|phishing
claim-pork.pages.dev|phishing
clfpages2.pages.dev|phishing
dappsyncrectify.pages.dev|phishing
debanksdefi.pages.dev|phishing
decentralizedappauth.pages.dev|phishing
decentrausdchartfil.pages.dev|phishing
diamond-hands-halo.pages.dev|phishing
doctored.pages.dev|phishing
dogecoin20-st.web.app|phishing
fq703w52zt.pages.dev|malicious
iengjwklengkhwebhfceref.pages.dev|phishing
ixs.pages.dev|malicious|phishing
jgeb6c8queuspv.pages.dev|phishing
jkrngjkernghernhgtehjnhk.pages.dev|phishing
livedappsrestore.pages.dev|phishing
looksrare-d1x.pages.dev|phishing
lourdesthompsonnf1r6.pages.dev|malicious
mi-d1m.pages.dev|phishing
micro-service-alertc0277sb-dev-err.pages.dev|phishing
micro-service-alertc0277sb-erro.pages.dev|phishing
micro-soft-failed-error.pages.dev|phishing
micro-soft-virus-alert-warning.pages.dev|phishing
microsoft-error-pages-check-errors.pages.dev|phishing
microsoft-help-and-services.pages.dev|phishing
microsoft-sales-hhgdygfg-asd.pages.dev|phishing
microsoft-suppor-number.pages.dev|phishing
microsoft-support-alrt-altr-fds-098.pages.dev|phishing
microsoft-support-alrt-altr-fds.pages.dev|phishing
microsoft-support-alrt-altr87785.pages.dev|phishing
microsoft-terms-policyalr.pages.dev|phishing
mykeruais-assets-cubu45.pages.dev|phishing
newwork-6oy.pages.dev|phishing
nodesappfix-io.pages.dev|phishing
oscarcampbellb1eoi.pages.dev|malicious
pandoraprejeangw6.pages.dev|phishing
paperhander.pages.dev|phishing
paperhands-portfoliotracker-wallet.pages.dev|phishing
pooh-moneydapps.pages.dev|phishing
portal-platform.pages.dev|phishing
proxysync.pages.dev|phishing
pub-fa147a3cddd04e9588b0d0a71d6d87fb.r2.dev|phishing
rpcrecoveryhub.pages.dev|phishing
sd-74h.pages.dev|phishing
sontungmtpmaidinhnhe.pages.dev|phishing
spacexlaunch.pages.dev|phishing
swiftblockresolve.pages.dev|phishing
sync-7xr.pages.dev|phishing
syncblockrectification.pages.dev|phishing
teach-work-onlines2222177.pages.dev|phishing
tesla-2ju.pages.dev|phishing
tl-4-vente-privee-b1j.pages.dev|phishing
ueajflnjejdrwklnvkenrwjgnlvrjldf.pages.dev|phishing
uni-swap-protocols.pages.dev|phishing
verifyandfixdapp.pages.dev|phishing
webaqunarmail.pages.dev|phishing
webmial.pages.dev|phishing
win-defender-sec-64csvxxvxxvxx0x665.pages.dev|phishing
woow-seguro-de-viajes.pages.dev|phishing
1-67c.pages.dev|malicious
2-3a2.pages.dev|malicious
accept-altlayer.pages.dev|malicious
airdropsaltlayer.pages.dev|malicious
allocation-satoshivm.pages.dev|malicious
alpha-satoshvmio.pages.dev|malicious
alt-e7v.pages.dev|malicious
altlayer.pages.dev|malicious
altlayer-ejy.pages.dev|malicious
altltlsadlfasdasdf.pages.dev|malicious
bonus-8u0.pages.dev|malicious
claim-altlayer.pages.dev|malicious
claim-starknet.pages.dev|malicious
claima.pages.dev|malicious
coins-satoshivm.pages.dev|malicious
create-dymensionxyz.pages.dev|malicious
defi-starkne.pages.dev|malicious
discover-manta.pages.dev|malicious
diving-mantanetwork.pages.dev|malicious
dym-ehu.pages.dev|malicious
dymension.pages.dev|malicious
enlist-altlayer.pages.dev|malicious
exploremanta.pages.dev|malicious
frame-6i5.pages.dev|malicious
framecom.pages.dev|malicious
framezap.pages.dev|malicious
getmanta.pages.dev|malicious
governance-mantanetwork.pages.dev|malicious
gratitude-satoshivm.pages.dev|malicious
kri90r23rk2ikr32.pages.dev|malicious
linea-mirrorxyz.pages.dev|malicious
linealxp.pages.dev|malicious
mainnet-lineabuild.pages.dev|malicious
mainnet-satoshivmio.pages.dev|malicious
mainnet-satoshivmio-1cp.pages.dev|malicious
manta-1c8.pages.dev|malicious
manta-network.pages.dev|malicious
mantanetwork-8tn.pages.dev|malicious
mantax.pages.dev|malicious
maxethxyz.pages.dev|malicious
mine-framexyz.pages.dev|malicious
mine-mantanetwork.pages.dev|malicious
new-framexyz.pages.dev|malicious
new-lineabuild.pages.dev|malicious
new-manta.pages.dev|malicious
obtain-manta.pages.dev|malicious
obtainmanta.pages.dev|malicious
qualifymanta.pages.dev|malicious
receive-altlayerio.pages.dev|malicious
registry-linea.pages.dev|malicious
registryzetachain.pages.dev|malicious
satoshi-364.pages.dev|malicious
stake1.pages.dev|malicious
support-manta.pages.dev|malicious
take-satoshivm.pages.dev|malicious
visit-dymension.pages.dev|malicious
visit-lineabuild.pages.dev|malicious
web-fix.pages.dev|malicious
web3-manta.pages.dev|malicious
whitelist-altlayerom.pages.dev|malicious
whitelistalt.pages.dev|malicious
zk-manta-airdrop.pages.dev|malicious

Hosts (RFC:953) specific records, not used by DNS RPZ firewalls

No response

SafeSearch records

No response

Screenshots: five images attached (not reproduced here)

Links to external sources

No response

logs from uBlock Origin

N/A
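The records above use the repository's `host|tag` format, with one host (ixs.pages.dev) listed twice using different tag separators and two hosts that are not under pages.dev at all. As an added example (not the Phishing-Database project's own tooling), the following Python parses such a list, normalises and de-duplicates it, separates records that fall outside the pages.dev scope, and emits DNS RPZ and hosts-file output. The pages.dev scope, the `CNAME .` RPZ action and the 0.0.0.0 sink address are assumptions; the sample records are copied from the report, with a deliberately malformed line added.

```python
"""Parse the host|tag[|tag] records posted in this issue and emit DNS RPZ
and hosts-file lines.

Added example, not tooling from the Phishing-Database project. Assumptions:
the scope of this issue is the pages.dev zone, an RPZ "CNAME ." action
(answer NXDOMAIN) is the wanted block response, and 0.0.0.0 is the sink
address for the hosts file.
"""
import re

# One RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
# A hostname is two or more labels joined by dots.
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

SCOPE_SUFFIX = ".pages.dev"  # assumption: the zone this issue is about

# Constructed sample: a few records copied from the report above, including
# the ixs.pages.dev entry that appears twice with different tag separators,
# two hosts that are not under pages.dev, a mixed-case host and a bad line.
SAMPLE_RECORDS = """\
adobeli.pages.dev|phishing
ariamanonux03p.pages.dev|malicious
dogecoin20-st.web.app|phishing
ixs.pages.dev|malicious,phishing
ixs.pages.dev|malicious|phishing
pub-fa147a3cddd04e9588b0d0a71d6d87fb.r2.dev|phishing
MICROSOFT-Suppor-Number.pages.dev|phishing
bad host|phishing
"""


def parse_records(text):
    """Return (records, rejected): records maps host -> sorted tuple of tags.

    Tags may be separated by '|' or ',' (both spellings occur in the report).
    Hosts are lower-cased and de-duplicated; tags of duplicates are merged.
    Lines that are not a valid hostname plus at least one tag are rejected
    rather than silently dropped, so a typo cannot shrink the blocklist.
    """
    records, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, tag_part = line.partition("|")
        host = host.strip().lower().rstrip(".")
        tags = {t.strip().lower() for t in re.split(r"[|,]", tag_part) if t.strip()}
        if not HOSTNAME_RE.match(host) or not tags:
            rejected.append(raw)
            continue
        records[host] = tuple(sorted(set(records.get(host, ())) | tags))
    return records, rejected


def split_scope(records, suffix=SCOPE_SUFFIX):
    """Separate hosts under `suffix` from ones that belong in another issue."""
    in_scope = {h: t for h, t in records.items() if h.endswith(suffix)}
    out_of_scope = {h: t for h, t in records.items() if not h.endswith(suffix)}
    return in_scope, out_of_scope


def to_rpz(records, origin="rpz.local"):
    """RPZ QNAME triggers with a 'CNAME .' action (NXDOMAIN).

    Deliberately no '*.pages.dev' wildcard: the parent zone is a shared
    hosting platform, so a wildcard would also block legitimate sites.
    """
    lines = [f"$ORIGIN {origin}.", "$TTL 300"]
    lines += [f"{host} CNAME . ; {','.join(tags)}" for host, tags in records.items()]
    return "\n".join(lines) + "\n"


def to_hosts(records, sink="0.0.0.0"):
    """hosts(5) lines; a hosts file has no wildcard syntax, so one line per host."""
    return "".join(f"{sink} {host}\n" for host in records)


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_RECORDS)
    ok, other = split_scope(recs)
    print(to_rpz(ok))
    print("out of scope:", sorted(other))
    print("rejected:", bad)
```

Rejected lines are returned rather than discarded so that a malformed entry is noticed at review time; out-of-scope hosts are reported separately so they can be filed where they belong instead of being dropped or merged into the wrong list.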

spirillen added the Phishing label Jun 24, 2024
spirillen (Contributor) commented:
👍 added in 5316feb

g0d33p3rsec (Collaborator, Author) commented Jun 26, 2024

🎁

ariamanonux03p.pages.dev|malicious|phishing
att-mail.pages.dev|phishing
begincellcdn.pages.dev|phishing
blurverse.pages.dev|phishing
cfgxgfxf.pages.dev|phishing
chainsrectify.pages.dev|phishing
claim-pork.pages.dev|phishing
clfpages2.pages.dev|phishing
dappsyncrectify.pages.dev|phishing
debanksdefi.pages.dev|phishing
decentralizedappauth.pages.dev|phishing
decentrausdchartfil.pages.dev|phishing
diamond-hands-halo.pages.dev|phishing
doctored.pages.dev|phishing
dogecoin20-st.web.app|phishing
fq703w52zt.pages.dev|malicious|phishing
ixs.pages.dev|malicious|phishing
jgeb6c8queuspv.pages.dev|phishing
livedappsrestore.pages.dev|phishing
looksrare-d1x.pages.dev|phishing
lourdesthompsonnf1r6.pages.dev|malicious|phishing
mykeruais-assets-cubu45.pages.dev|phishing
newwork-6oy.pages.dev|phishing
nodesappfix-io.pages.dev|phishing
oscarcampbellb1eoi.pages.dev|malicious|phishing
pandoraprejeangw6.pages.dev|phishing
paperhander.pages.dev|phishing
paperhands-portfoliotracker-wallet.pages.dev|phishing
pooh-moneydapps.pages.dev|phishing
portal-platform.pages.dev|phishing
proxysync.pages.dev|phishing
rpcrecoveryhub.pages.dev|phishing
sontungmtpmaidinhnhe.pages.dev|phishing
spacexlaunch.pages.dev|phishing
swiftblockresolve.pages.dev|phishing
sync-7xr.pages.dev|phishing
syncblockrectification.pages.dev|phishing
tesla-2ju.pages.dev|phishing
tl-4-vente-privee-b1j.pages.dev|phishing
uni-swap-protocols.pages.dev|phishing
verifyandfixdapp.pages.dev|phishing
webaqunarmail.pages.dev|phishing
webmial.pages.dev|phishing
woow-seguro-de-viajes.pages.dev|phishing
  • phishing

    • AT&T
    att-mail.pages.dev
    https://urlscan.io/result/d615b2d0-43f1-42a2-a11b-60b8907e7e2b/
    

    • Meta
    mykeruais-assets-cubu45.pages.dev
    https://urlscan.io/result/cb040354-1989-4654-89f4-2e0ae7dbe9be/
    https://www.virustotal.com/gui/url/135686e64c763a7a0eb2205c23cbfc0a19c892dc74d83e330944deb3b7509343
    
    sontungmtpmaidinhnhe.pages.dev
    https://urlscan.io/result/df66aff3-74dd-4371-95eb-42b7469c68c2/
    https://www.virustotal.com/gui/url/ff5ca477e72a054425a5132ac632add81ed0edfa5f544f72b3c49fff00dff8a0
    

    • Tesla
    tesla-2ju.pages.dev
    https://urlscan.io/result/5a4269b8-cd11-4abb-baa1-d1d50225ae00
    https://www.virustotal.com/gui/url/b88fff1fc519aaa55f6009bc2922beeee95b837772cab16ddc838b6b3c176e48
    

    • tech support
    jgeb6c8queuspv.pages.dev
    https://urlscan.io/result/2f70736e-7e4a-49e7-8704-11ffd8fc1de4/
    https://www.virustotal.com/gui/url/17b4de4d2c6538870e16a977f67c9d3b2740bea6c3a85aa3c8a6008d982f8066
    

    • generic email
    webmial.pages.dev
    https://urlscan.io/result/2b60f931-7d5e-476f-ba67-12fdb97ff981/
    https://www.virustotal.com/gui/url/e107cea2f0afa4b5ac5dc83472491a36575f704ced22f9da809a07c208e990b6
    
    webaqunarmail.pages.dev
    https://urlscan.io/result/5e4dec72-99ea-4281-b322-6df0d69cd693/
    https://www.virustotal.com/gui/url/0e295bec5ae81c2eef90fb8cd0ead98c74e78968cb7513e7d3b3f3068a81feed
    

    doctored.pages.dev
    https://urlscan.io/result/0229a8aa-4125-4de4-aba0-6e6d4737461c/
    https://www.virustotal.com/gui/url/c402e758cc9d7af5fd3c4f63cfbf5fc4a7834f45329387d7d63224519fea0777
    

    • Woow
    woow-seguro-de-viajes.pages.dev
    https://urlscan.io/result/3ed4662e-0740-4472-b6f3-7de634efe959/
    https://www.virustotal.com/gui/url/0c5b8e119591008089d3839b532ba19ac87c65029abb400074879010b1025f47
    

    • uncategorized
    clfpages2.pages.dev
    https://urlscan.io/result/aac74b14-30dd-4005-951e-ac4155daa40e/
    https://www.virustotal.com/gui/url/6bef4eea4690abab3561e1eb558d3aa4ef1f4c1c1cbb6662658ed71320377a94
    

    • Crypto related

      • Wallet Connect
      sync-7xr.pages.dev
      https://urlscan.io/result/4d94034d-69a0-4cf1-a1c8-652dcd1f9d4d/
      https://www.virustotal.com/gui/url/256e07e80262b9757e1cfc4da95d8dbf97161ca1812af37f0c5495b3571c1c59
      

      • "Decentralized Platform Wallet"
      livedappsrestore.pages.dev
      https://urlscan.io/result/d2217ccb-955e-4248-8deb-7295ca0ba0cf/
      https://www.virustotal.com/gui/url/724643f8e5f502985349da3ef927a9dfb74e44bd3404bc74be96e59bec46a515
      

      • "Blockchain Rectification"
      chainsrectify.pages.dev
      https://urlscan.io/result/3ecaee3c-34b4-4ab6-82f4-730d96881def/
      
      
      dappsyncrectify.pages.dev
      https://urlscan.io/result/940e9791-fdef-4818-b632-f676ebce9b10/
      https://www.virustotal.com/gui/url/c5b704b6ca640b4bc736ba88debcc3db5290b9d028bcd64bed4d6746e6dcdd2e
      
      pooh-moneydapps.pages.dev
      https://urlscan.io/result/53eb94fb-941d-49f5-8e96-0834db2fc865/
      https://www.virustotal.com/gui/url/53a50a533e7e9f91c4ca32c63e9cf810f2f361ee966371afe93bf3f150f6e24e
      
      proxysync.pages.dev
      https://urlscan.io/result/63fa3398-b515-4594-9c24-1a96f726653a/
      https://www.virustotal.com/gui/url/8fad3f5416cea32173c2f28f39097cf7e8a0374baaa9e09cb97f54817ca11f5f
      
      syncblockrectification.pages.dev
      https://urlscan.io/result/246a246e-8bbd-436b-96e9-086ef38d5430/
      https://www.virustotal.com/gui/url/b755fbd9848495699a18afda3aae184bbe5a9c3d8786e56f86516f5421128253
      
      swiftblockresolve.pages.dev
      https://urlscan.io/result/806f0491-79d7-4c75-b944-63c20be6dab0/
      https://www.virustotal.com/gui/url/cecd5a08ab4106b490ef950e3e917cff9bfbbd89b49de2aa5b1aa5e8f081d570
      
      verifyandfixdapp.pages.dev
      https://urlscan.io/result/aa624915-3e17-48d9-a0e3-776fda6b554b/
      https://www.virustotal.com/gui/url/a9ba3696b5dcae92465d43724d88f9417cfc8351bd3d5a6288e1346af64ff70e
      

      • DeBank
      debanksdefi.pages.dev
      https://urlscan.io/result/268aa7dd-7d1e-44c2-a6d7-013680a4b60c/
      https://www.virustotal.com/gui/url/210bcca2f1a4536caca4c27064494f5353e1b1bd02cb35dc7853f97d36ee15e1
      

      • Halo Portfolio Tracker
      diamond-hands-halo.pages.dev
      https://urlscan.io/result/275b7f3e-009a-447d-91fc-0f780e9e625b/
      https://www.virustotal.com/gui/url/a0c498002eb088d628919f5757da0792be7d02b4866c14eef4b6921502a85687
      
      paperhander.pages.dev
      https://urlscan.io/result/d15a3efc-5a32-4b6d-b39b-9467b4c1004b/
      https://www.virustotal.com/gui/url/d3f49a8195a9456ce5bf999a2f7d2a7a6200714587d72f4b6f97a2fc3d72a51c
      
      paperhands-portfoliotracker-wallet.pages.dev
      https://urlscan.io/result/5584aac9-4b53-4fe0-96ad-ebebaaf8936a/
      https://www.virustotal.com/gui/url/a99509d9624abe20feebbc1ff8624e9a145e3665118fa40ff4d32a287635e390
      

      • RPC Recovery Hub
      rpcrecoveryhub.pages.dev
      https://urlscan.io/result/d7f7ec59-1d00-4ce1-98da-b81bfa9c13f2/
      https://www.virustotal.com/gui/url/362d253eb83fdfb3a6ed0c80fcc010a8869d34d8ed92cf868574ee94e0601680
      

      • LooksRare Token
      looksrare-d1x.pages.dev
      https://urlscan.io/result/9389eab8-d9ac-4543-9d3e-4f79aaf4f19f/
      https://www.virustotal.com/gui/url/4d7bc6d41c4f6800f773c1ae557b6e95b26cb668d4dd5d9b1e292a61b5fac630
      

      • Decentralized Dapps
      decentrausdchartfil.pages.dev
      https://urlscan.io/result/d0133e91-0a1e-4644-89d1-02642b543ddc/
      https://www.virustotal.com/gui/url/252a81a52ae1578d75b4afc7a4e24e436b24d231adf9aebebf9be52463429521
      

      • dapp
      nodesappfix-io.pages.dev
      https://urlscan.io/result/7a881cb2-049c-4f63-8bc2-5d4b7da00c67/
      https://www.virustotal.com/gui/url/15b5d987901cb96d2f6345a83e73b4b13e3dc4f56fc3fa3711d69658d4ed9506
      

      • portal
      portal-platform.pages.dev
      https://urlscan.io/result/fd5b95a5-f541-4ab7-83db-c25967453253/
      

      • Blur
      https://blurverse.pages.dev/
      https://urlscan.io/result/fd5b95a5-f541-4ab7-83db-c25967453253/
      https://www.virustotal.com/gui/url/e26243422920aee3f097299fb2e5f5c07a87bae05b96b7c9631363fda37c9c5e
      

      • Connecting web3
      cfgxgfxf.pages.dev
      https://urlscan.io/result/c6869052-2425-48c3-845b-c28dece7ebaa/
      https://www.virustotal.com/gui/url/5c475e42649d65253541987de3b03b944da79cdb2bac4fbbfafd6d75d8f42c1c
      

      • V4 Liquidity Waitlist
      uni-swap-protocols.pages.dev
      https://urlscan.io/result/89763817-d03e-438b-b9fa-b55464ca11e4/
      https://www.virustotal.com/gui/domain/uni-swap-protocols.pages.dev
      

      • Elon Musk BTC/ ETH Giveaway
      spacexlaunch.pages.dev
      https://urlscan.io/result/32cbfad7-a7d8-4a1f-a76d-3b43984dd712/
      
      

      • Pork
      claim-pork.pages.dev
      https://urlscan.io/result/cda81e53-0680-4782-84cf-d7055d9923f9/
      https://www.virustotal.com/gui/url/b8864f424430781d4e1063ff29a3ff976a534974c0bd0e52e1006f7b653d2391
      

      • Dogecoin20
      dogecoin20-st.web.app
      https://urlscan.io/result/ef91a3af-96d7-43d4-a53e-917252d776d0/
      https://www.virustotal.com/gui/url/21d8cc313edb1d299bec019e224ab9ad74fd995485eac7c65993693765cc33fc
      

      • Kava
      newwork-6oy.pages.dev
      https://urlscan.io/result/ce324404-8548-428e-9df7-d58eaaed4083/
      https://www.virustotal.com/gui/url/692fdfb00a39e9ce3108684858436426dfd2a8bf65c287973501e5df4627467a
      

      • Connect Wallet
      decentralizedappauth.pages.dev
      https://urlscan.io/result/30abd33c-53df-4e7a-bfad-a70d55cd865a/
      https://www.virustotal.com/gui/url/40ffa1d9a523dd4434f62d43dcc7c4a7c6298ce19c578fc61157dca265c61d77
      

  • misc infra

begincellcdn.pages.dev
https://urlscan.io/domain/begincellcdn.pages.dev
https://urlscan.io/result/d3c01e77-ce24-434c-acbd-7b7ffcb8ffe3/#transactions
-> https://begincellcdn.pages.dev/ahvtdfid.js
https://urlscan.io/result/197ddcbf-4ac2-4776-b14c-f3b4c2d8c157#transactions
-> https://begincellcdn.pages.dev/ahvtdfid.js
https://urlscan.io/result/0382cbb6-6408-437f-968e-acdf1a0bf4bf/#transactions
-> https://begincellcdn.pages.dev/ahvtdfid.js
https://www.virustotal.com/gui/url/dbbad45bed519c6693bf224cef1f70e69d73636c0993606741d74d89e0a1d2b6

  • uncategorized
tl-4-vente-privee-b1j.pages.dev
https://urlscan.io/result/e46144ae-a95d-4321-902b-a6d254932678/#transactions
-> https://www.vouuaon.icu/v1/site/config
-> https://www.bookingn.top/#/R2YZCTMMuRGFCyGVYqT2fRNcu2vYYfv3?n=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcm9tX3VybCI6Imh0dHBzOlwvXC90bC00LXZlbnRlLXByaXZlZS1iMWoucGFnZXMuZGV2XC8iLCJsaW5rIjoiUjJZWkNUTU11UkdGQ3lHVllxVDJmUk5jdTJ2WVlmdjMifQ.4jLFwzb3a1XxFzF4gd6kIXrMK4wWj0f-Q3eE_FwAw_8
https://www.virustotal.com/gui/url/c2dac3dc9d072445be845ed580a2d8fefca333d7d59d5fae6b2d0f181da8e00a

  • malicious

    • Download button with outgoing link to https://horizontallypolluteembroider.com/dzbj2n8zr?key=c65004e591cd7a354c8c27ae0cbe9588
    https://www.virustotal.com/gui/url/b3732da1565f04dba02451fdf413504939871edd989465980df929af499af5fa
    https://www.virustotal.com/gui/ip-address/192.243.59.20
    https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/
    
    ariamanonux03p.pages.dev
    https://urlscan.io/result/56bc21ff-2b56-4dc0-9530-d615680d7a5e
    
    lourdesthompsonnf1r6.pages.dev
    https://urlscan.io/result/9fc1d4ad-8d37-4bee-8eef-74aca2da1e6c/
    
    oscarcampbellb1eoi.pages.dev
    https://urlscan.io/result/ab852bdd-aa1c-48aa-b773-cf9462c65639
    

    • shortened outgoing link -> https://www.highrevenuenetwork.com/tdifibxpx8?key=e94f51c88aa68f241073c19d95c5cb03
    pandoraprejeangw6.pages.dev
    https://urlscan.io/result/fe12c0e2-aa52-4153-9f80-4eecb7ba88a1
    -> https://urlscan.io/result/679a41db-9c72-48ad-9113-b36448ca6e7b/
    https://www.virustotal.com/gui/url/733032263f31cc7b6e3ceae6ac31b2c96aa927d85287b728201604cb1ec9e84b
    

    • Immortal
    ixs.pages.dev
    https://urlscan.io/result/706082b2-a6bd-4207-8d98-9c42cf56e8b5/
    https://www.virustotal.com/gui/url/7b1e193e632bdb8df75edc2e9699d97c4da11161a2dbf3adc6b212f06cf6cc3b
    

    • generic
    fq703w52zt.pages.dev
    https://www.virustotal.com/gui/url/b6483c96ef42f6f4fdef6876c0b1de06f88e52c8fc87ac86e682193895d6bedd
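The second hop in the tl-4-vente-privee-b1j.pages.dev chain above carries an `n=` parameter inside the URL fragment whose value is a three-segment JWT (header `{"typ":"JWT","alg":"HS256"}`). As an added example, not part of the report, this Python pulls that token out of the fragment and decodes its header and payload without verifying the signature (the HS256 key is the redirector's, and the token is attacker-controlled regardless). Decoding shows a `from_url` claim naming the pages.dev lure and a `link` claim equal to the fragment path, which is what makes the token useful for tying redirector hits back to lure hosts. The URL is the one captured by urlscan above; the function names and the handling of the fragment are the example's own.

```python
"""Decode the JWT carried in the redirector URL from the
tl-4-vente-privee-b1j.pages.dev chain above (the `n=` parameter inside the
URL fragment) to see what the redirector records about the lure.

Added example, not part of the report. The HS256 signature cannot be
verified here (the key lives on the redirector), so the payload is treated
as untrusted triage data, never as proof of anything.
"""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Second hop from the urlscan transaction list in the comment above.
REDIRECT_URL = (
    "https://www.bookingn.top/#/R2YZCTMMuRGFCyGVYqT2fRNcu2vYYfv3"
    "?n=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJmcm9tX3VybCI6Imh0dHBzOlwvXC90bC00LXZlbnRlLXByaXZlZS1iMWoucGFnZXMuZGV2"
    "XC8iLCJsaW5rIjoiUjJZWkNUTU11UkdGQ3lHVllxVDJmUk5jdTJ2WVlmdjMifQ."
    "4jLFwzb3a1XxFzF4gd6kIXrMK4wWj0f-Q3eE_FwAw_8"
)


def b64url_decode(segment):
    """Base64url without padding, as JWT segments are encoded (RFC 7515 s2)."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_unverified(token):
    """Split header.payload.signature and JSON-decode the first two.

    The signature is returned as raw bytes and NOT checked: there is no key,
    and a phishing kit's token is attacker-controlled either way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 JWT segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def extract_fragment_token(url, param="n"):
    """Return (fragment path id, value of `param`) from the URL fragment.

    Everything after '#' is never sent in the HTTP request, so a proxy log
    of the GET to www.bookingn.top would not contain this token; it is only
    recoverable client-side (browser history, urlscan's DOM and transaction
    capture).
    """
    fragment = urlsplit(url).fragment  # "/R2YZ...?n=eyJ..."
    path, _, query = fragment.partition("?")
    values = parse_qs(query).get(param)
    if not values:
        raise ValueError(f"no {param}= parameter in fragment")
    return path.strip("/"), values[0]


def triage(url):
    """Decode the fragment token of a redirect URL into a plain dict."""
    path_id, token = extract_fragment_token(url)
    header, payload, sig = decode_jwt_unverified(token)
    return {
        "path_id": path_id,
        "header": header,
        "payload": payload,
        "sig_bytes": len(sig),  # 32 for a genuine HMAC-SHA256 tag
    }


if __name__ == "__main__":
    print(json.dumps(triage(REDIRECT_URL), indent=2))
```

The `from_url` claim ties the redirector visit back to the lure page that sent the victim, and the `link` claim matches the path component of the fragment. The same decoding applied to other captures of the redirector would reveal other lure hosts, without any need to trust or verify the token.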
    

spirillen (Contributor) commented:

This one does not belong here 😏

pub-fa147a3cddd04e9588b0d0a71d6d87fb.r2.dev|phishing

g0d33p3rsec mentioned this issue Jul 3, 2024
spirillen added a commit that referenced this issue Jul 4, 2024

g0d33p3rsec (Collaborator, Author) commented:

additional phishing subdomains

84918e83348-reviewpage.pages.dev|phishing
84913240098-reviewpage.pages.dev|phishing
83910840-reviewpages.pages.dev|phishing
24715454098-reviewpages.pages.dev|phishing
738592845-review-pages.pages.dev|phishing
admin-ery.pages.dev|phishing
adobe-jkwefnewkjnfkjewnfkejwnfkjew.pages.dev|phishing
api-webchainfix.pages.dev|phishing
app-dappfix.pages.dev|phishing
decentralizationserver.pages.dev|phishing
defi-encrypt.pages.dev|phishing
diamondschoolss.pages.dev|phishing
g98765xfghjk654wrt.pages.dev|phishing
harambe-claim.pages.dev|phishing
multichaindexauth.pages.dev|phishing
multichainsolutionsfix.pages.dev|phishing
myid-cubu75674.pages.dev|phishing
onedrive-19e.pages.dev|phishing
page-time0t1frr13.pages.dev|phishing
page-time65463fdhsr.pages.dev|phishing
page-timehfy63535.pages.dev|phishing
page-timereyrgebrg.pages.dev|phishing
resdgsbvcfghgt67uhj89ikjnhgvcxcfghttyu3wsgzfc3bhytfcvvcfhz.pages.dev|phishing
steam-trader-tool.pages.dev|phishing
syncfulldap.pages.dev|phishing
update345.pages.dev|phishing
ww-wellsfargo.pages.dev|phishing

external sources

https://urlscan.io/result/9e52e82d-c324-4468-afe4-3790f93b2967/
https://urlscan.io/result/6a13f579-b7ba-4f56-b762-676359c84fea/
https://www.virustotal.com/gui/url/fda6b313eac6fa58ec064accf2f428a41b48259e27c09191e656afe197ad4915
https://urlscan.io/result/83ea0cdd-bb53-4349-ae2d-0db918605d7c/
https://www.virustotal.com/gui/url/7cdb0aa7b26bec35f94178982f79e04272e58e23e3ce05b829c675ce3689bfe4
https://urlscan.io/result/45a67c49-5ec9-474f-9806-3c0c9a0062a9/
https://www.virustotal.com/gui/url/8e3d6310afd0d21548d66b2e83b1d6225d57b2edad9781c61afa934e45988eca
https://urlscan.io/result/237f9116-c645-42e5-8b02-0430b47e3efc/
https://www.virustotal.com/gui/url/8e620774c6952cac83d9b81655088f7078c22bab75a88b932f4dd2a0c7979ff4
https://urlscan.io/result/90945e9c-35f7-4a40-912f-e39feae0a2ba/
https://www.virustotal.com/gui/url/3f061345e63b46a4d1207b35b5790a56088ebf718e333cc949a6cc824b1aa0a4
https://urlscan.io/result/dd437647-63a3-4417-8a37-1bc80b181f76/
https://www.virustotal.com/gui/url/77304ced249eedfe82f2e227af1e6465fc7b06c7a56f4652edbe605ea40758ec
https://urlscan.io/result/3835eb6c-0e18-44ae-b181-6cfa2058cae3/
https://www.virustotal.com/gui/url/326066aa9960401efbe7d20df557c7e546576ac25ad4bbe4dcb78113619355e8
https://urlscan.io/result/36a03552-6ffe-4399-b852-0fc16d320ab9/
https://urlscan.io/result/299cd0dd-5855-4d96-8247-44ce3ef67e2e/
https://www.virustotal.com/gui/url/2181c5f83d23706b9223b2bb394ceee68de357b4756a02c09eed61c43e3cb944
https://urlscan.io/result/21fbc6ec-9cfc-4049-89e0-96d4a3b13bd7/
https://www.virustotal.com/gui/url/49f9e5b92158a39302f9f763fa6e6f4aa2d4f841194ebcc6fa5495fe5004b858
https://urlscan.io/result/3c7ede2d-f909-4245-b3be-5713758006c9/
https://www.virustotal.com/gui/url/58b0319ee0fb0ae79f4a55b6877d85f57b375daa3cb2b8066700d2de0d44a288
https://urlscan.io/result/e8df736d-225d-45ea-b323-649768989874/
https://www.virustotal.com/gui/url/5ebc9658f4f3c39f94b8c27cae96b9f9cbbfc9e0ee8d0c86a59542e0d36e4d48
https://urlscan.io/result/5edffa13-4846-49c1-bc4d-5e70b74b9a24/
https://www.virustotal.com/gui/url/ddeaf01d4a369fa0300d8b8ea5198b966cf7f0aec29b4e1c3120d784716b66b4
https://urlscan.io/result/2b584eb1-8f44-47e7-936d-8442b12e2178/
https://www.virustotal.com/gui/url/9ed57a6f7c955a52415076cd936e42ff4ebfc8fd1cadc5db709d319cd4692e0f
https://urlscan.io/result/61e4ad2e-89bd-4d8e-ac7c-ce8b4e173fab/
https://www.virustotal.com/gui/url/c61e2aaa5eec746e82747e5d82cad9e27ebf209e0798ed2153a8dd9affc95933
https://urlscan.io/result/c07ec522-d63c-4203-866a-f6918fb2bcf3/
https://www.virustotal.com/gui/url/e0c5a4ccebe42265a22b742b77b4ca1bd432226cfd68fdc452cfb2d9a8da3f12
https://urlscan.io/result/7c94b522-f284-4ad3-9411-c4d974b0e95f/
https://www.virustotal.com/gui/url/3783e297ad4fb43af77a1e422c43cc20399fa6fdebc097a31c0b1094f143d19a
https://urlscan.io/result/b1baa499-dbe4-4d99-a185-6704ea8b9edc/
https://www.virustotal.com/gui/url/465418d7cca9235217deffeec33629d7262b68668ad22e38ffcc75c8942cf5b5
https://urlscan.io/result/d092fe81-71eb-40b6-b5b1-d378e3940146/
https://www.virustotal.com/gui/url/1b51f305b5952ec2bf2cc103e7f04a037f8e93ab5db14ae0710d60c5940e74cd
https://urlscan.io/result/51f1da20-7c5c-4b0c-9b33-a6cab4d8b6b2/
https://www.virustotal.com/gui/url/4a583a3d24915c29c4ccdf1b0bb5588afb903423444dd43716c263af4b3b2c3d
https://urlscan.io/result/bbe0c172-e7e8-40da-9503-21bf1a61c729/
https://www.virustotal.com/gui/url/71907f83dca9b4f379f58c9042349075f40d62473f49e7fed2af68a8b9aa257f
https://urlscan.io/result/5fbe6560-c476-4756-911b-1cc02158e863/
https://urlscan.io/result/649576ac-178e-4dcc-bd36-361476eb0696/
https://www.virustotal.com/gui/url/b0b791d5741b3cee3d9cf4d873f4952ab4857420b2531a436c1145fbd85d8417
https://urlscan.io/result/0c571018-98a9-4af8-97d4-aa701c568e08/
https://www.virustotal.com/gui/url/8752165cba3af5133d349f97f4661eb17b4e2671ac8173ab1908543f924838c2
https://urlscan.io/result/7dee5822-6e5b-4ea6-b054-60c2a28ce4ac/
https://www.virustotal.com/gui/url/ea089b08151d8be8a2808b3a24c8a0141a1f39057285890e4bc4e764f4dd4dd1
https://urlscan.io/result/2193e742-d9bd-4ddc-819c-1d9b69178cb0/
https://www.virustotal.com/gui/url/7d6a08e4828868ab57fa9a7f7347726d7e7d8b6aef07036b3c35575e3b45c5a5

Screenshots: twenty images attached (not reproduced here)

See also: Phishing-Database/phishing#442

g0d33p3rsec reopened this Jul 5, 2024

spirillen (Contributor) commented:

Any particular reason for why we haven't called for Mjølner yet?


(Two comments, one by g0d33p3rsec and one by spirillen, were marked as off-topic and are hidden.)

g0d33p3rsec (Collaborator, Author) commented:

See also: Phishing-Database/phishing#448

1-67c.pages.dev|malicious
2-3a2.pages.dev|malicious
accept-altlayer.pages.dev|malicious
airdropsaltlayer.pages.dev|malicious
allocation-satoshivm.pages.dev|malicious
alpha-satoshvmio.pages.dev|malicious
alt-e7v.pages.dev|malicious
altlayer.pages.dev|malicious
altlayer-ejy.pages.dev|malicious
altltlsadlfasdasdf.pages.dev|malicious
bonus-8u0.pages.dev|malicious
claim-altlayer.pages.dev|malicious
claim-starknet.pages.dev|malicious
claima.pages.dev|malicious
coins-satoshivm.pages.dev|malicious
create-dymensionxyz.pages.dev|malicious
defi-starkne.pages.dev|malicious
discover-manta.pages.dev|malicious
diving-mantanetwork.pages.dev|malicious
dym-ehu.pages.dev|malicious
dymension.pages.dev|malicious
enlist-altlayer.pages.dev|malicious
exploremanta.pages.dev|malicious
frame-6i5.pages.dev|malicious
framecom.pages.dev|malicious
framezap.pages.dev|malicious
getmanta.pages.dev|malicious
governance-mantanetwork.pages.dev|malicious
gratitude-satoshivm.pages.dev|malicious
kri90r23rk2ikr32.pages.dev|malicious
linea-mirrorxyz.pages.dev|malicious
linealxp.pages.dev|malicious
mainnet-lineabuild.pages.dev|malicious
mainnet-satoshivmio.pages.dev|malicious
mainnet-satoshivmio-1cp.pages.dev|malicious
manta-1c8.pages.dev|malicious
manta-network.pages.dev|malicious
mantanetwork-8tn.pages.dev|malicious
mantax.pages.dev|malicious
maxethxyz.pages.dev|malicious
mine-framexyz.pages.dev|malicious
mine-mantanetwork.pages.dev|malicious
new-framexyz.pages.dev|malicious
new-lineabuild.pages.dev|malicious
new-manta.pages.dev|malicious
obtain-manta.pages.dev|malicious
obtainmanta.pages.dev|malicious
qualifymanta.pages.dev|malicious
receive-altlayerio.pages.dev|malicious
registry-linea.pages.dev|malicious
registryzetachain.pages.dev|malicious
satoshi-364.pages.dev|malicious
stake1.pages.dev|malicious
support-manta.pages.dev|malicious
take-satoshivm.pages.dev|malicious
visit-dymension.pages.dev|malicious
visit-lineabuild.pages.dev|malicious
web-fix.pages.dev|malicious
web3-manta.pages.dev|malicious
whitelist-altlayerom.pages.dev|malicious
whitelistalt.pages.dev|malicious
zk-manta-airdrop.pages.dev|malicious

Fixing some stale IOCs from Cisco's reporting.

This morning, Cisco's Talos Intelligence Group released a report, "How do cryptocurrency drainer phishing scams work?", which included a list of Indicators of Compromise (IOCs). Unfortunately, most of the IOCs listed are no longer active and of little tactical value. Fortunately, searching for the indicators on URLscan.io and then viewing the "similar" results yields many related active sites.

Listed IOCs that are still active

  • hxxps://visit-dymension[.]pages[.]dev/

    (screenshot attached, not reproduced)

    https://urlscan.io/result/3bec9fea-aac7-4a01-8608-7283040d2838/
    
    • related active domains

    1-67c.pages.dev
    https://urlscan.io/result/a1a348ed-1d36-41b2-b02e-f8e15a4187b9/
    dymension.pages.dev
    https://urlscan.io/result/39a986a1-e5e0-4277-9a49-22ddc30b86ea/
    dym-ehu.pages.dev
    https://urlscan.io/result/c3d386e2-fe1b-49e8-8806-97ba4799de67/
    
  • hxxps://governance-mantanetwork[.]pages[.]dev/

    (screenshot attached, not reproduced)

    https://urlscan.io/result/7ff0d4e0-2b7b-4bb2-a61a-cdbc5b450c84/
    
    discover-manta.pages.dev
    https://urlscan.io/result/cc666a9e-f5bf-415b-ae36-9c5711114d26/
    exploremanta.pages.dev
    https://urlscan.io/result/60799b1c-7149-4c9e-9d45-cccfb254ca5a/
    getmanta.pages.dev
    https://urlscan.io/result/9e3cfd66-7344-4cc0-9faa-e2e8e14c0da3/
    manta-network.pages.dev
    https://urlscan.io/result/a725c80c-47af-4b29-a968-d8b628574d00/
    mantanetwork-8tn.pages.dev
    https://urlscan.io/result/12c869e2-9f72-4ee4-92b5-245c7f321c83/
    manta-1c8.pages.dev
    https://urlscan.io/result/a9e1fa6c-1465-495b-8e33-f4f24b991924/
    mantax.pages.dev
    https://urlscan.io/result/bfd243b6-e87f-45cb-8af1-60a5ff9ba4dc/
    mine-mantanetwork.pages.dev
    https://urlscan.io/result/9c2e2b46-06e1-44b7-8e6b-da9ccce717d6/
    new-manta.pages.dev
    https://urlscan.io/result/412f93a0-a105-414a-af9b-30ed433686f4/
    obtain-manta.pages.dev
    https://urlscan.io/result/44277f0d-0f77-4d66-ab45-8a439cb77a99/
    obtainmanta.pages.dev
    https://urlscan.io/result/fe0acfe8-d592-49ba-905d-1e755b381149/
    qualifymanta.pages.dev
    https://urlscan.io/result/8d685e95-2b76-4d8b-ac2d-933627f419c4/
    support-manta.pages.dev
    https://urlscan.io/result/d9eb17ae-3080-4849-b23e-5a102b35d42f/
    web3-manta.pages.dev
    https://urlscan.io/result/3728679b-669b-4b69-afe0-c71412f572ed/
    zk-manta-airdrop.pages.dev
    https://urlscan.io/result/6d6720f7-f97e-4428-982a-0daa132c5cec/
    
  • hxxps://receive-altlayerio[.]pages[.]dev/

    (screenshot attached, not reproduced)

    https://urlscan.io/result/5a034939-7762-4b97-8e58-5375b4e2d3e1/
    
    • related active domains

      accept-altlayer.pages.dev
      https://urlscan.io/result/65d73b73-155c-4739-9335-c392fea0c5c7/
      airdropsaltlayer.pages.dev
      https://urlscan.io/result/9827d668-7f54-4298-82cd-87d329f00106/
      alt-e7v.pages.dev
      https://urlscan.io/result/3d9d9344-94e1-4365-9633-1e6088d74293/
      altlayer.pages.dev
      https://urlscan.io/result/2c00d70d-cd86-4f22-8199-d212da600a77/
      altltlsadlfasdasdf.pages.dev
      https://urlscan.io/result/a2ecf5b6-8b77-4871-a584-8c9037969d6d/
      claim-altlayer.pages.dev
      https://urlscan.io/result/f05a43d9-b3aa-4a72-bdb3-bf8c9a2b380c/
      claima.pages.dev
      https://urlscan.io/result/02a86881-cd75-4c32-93fc-253d7b88cdf3/
      enlist-altlayer.pages.dev
      https://urlscan.io/result/aa4f3507-78df-453d-a342-ad4a62a94198/
      kri90r23rk2ikr32.pages.dev
      https://urlscan.io/result/d79bb04a-36c0-48c4-8108-a91d42f6389d/
      reg-altlayerio.pages.dev
      https://urlscan.io/result/00f7453b-ca0c-44eb-8701-d448d9c514f6/
      stake1.pages.dev
      https://urlscan.io/result/73ea756f-5fc0-435d-aa61-7fe4d6750483/
      whitelist-altlayerom.pages.dev
      https://urlscan.io/result/6edc57a1-8ce1-4e13-934e-37084fe0aa4a/
      whitelistalt.pages.dev
      https://urlscan.io/result/3fb10703-9b23-47a4-89ab-89748347b5ea/
      
  • hxxps://bonus-8u0[.]pages[.]dev/

    [Screenshot]

    https://urlscan.io/result/e8866235-81f9-424c-ad45-ce667f51254c/
    
  • hxxps://visit-lineabuild[.]pages[.]dev/

    [Screenshot]

    • related active domains

    mainnet-lineabuild.pages.dev
    https://urlscan.io/result/33cf87e9-e69a-4d2a-bcc5-d3585675d553/
    new-lineabuild.pages.dev
    https://urlscan.io/result/fdc1f1b0-9d0d-4d71-932c-57d26b97e38e/
    registry-linea.pages.dev
    https://urlscan.io/result/3a9235ec-83d5-4db8-980c-4391361c6dfa/
    
  • hxxps://registryzetachain[.]pages[.]dev/

    [Screenshot]

    https://urlscan.io/result/d690f927-4394-409b-9fb6-4e820fe74b20/
    
  • hxxps://gratitude-satoshivm[.]pages[.]dev/

    [Screenshot]

    alpha-satoshvmio.pages.dev
    https://urlscan.io/result/305deb6f-bae6-4522-95d1-46d0081d24e1/
    allocation-satoshivm.pages.dev
    https://urlscan.io/result/7c774a6a-92df-44d9-9d1f-e2a8790e9d38/
    coins-satoshivm.pages.dev
    https://urlscan.io/result/c9835312-8d08-49ac-8e8b-d93259ab95de/
    mainnet-satoshivmio.pages.dev
    https://urlscan.io/result/42b3652d-c02e-44c6-b940-d248633bcefc/
    mainnet-satoshivmio-1cp.pages.dev
    https://urlscan.io/result/5ce25376-a841-4819-b33d-f6482fe5bc97/
    
  • related inactive IOCs

  • Inactive Listed IOCs

    [Screenshot]

    • related domains that are currently active
    claim-starknet.pages.dev
    https://urlscan.io/result/51365a56-c64a-4e7b-a383-3f7749f8c8e8/
    defi-starkne.pages.dev
    https://urlscan.io/result/a42cbe92-ac1f-4856-b802-d6c67162d11a/
    

    [Screenshot]

    • related domains that are currently active
    frame-6i5.pages.dev
    https://urlscan.io/result/49139c4b-1766-42bc-addc-3af63eec513b/
    mine-framexyz.pages.dev
    https://urlscan.io/result/6a7a017a-698f-4b01-b982-dace8c83510b/
    new-framexyz.pages.dev
    https://urlscan.io/result/43a577cf-9dc0-4036-86e1-69931beda212/
    
  • hxxps://farcana123[.]pages[.]dev/ -> last confirmed active January 23, 2024

    [Screenshot]

    • related active domains
    2-3a2.pages.dev
    https://urlscan.io/result/77f59c2d-afe1-4fc0-81ba-212ae718fe6c/
    
  • hxxps://enlist-jup[.]app/ -> last confirmed active January 22, 2024

  • hxxps://whitelist-woo[.]pages[.]dev/ -> last confirmed active January 27, 2024

  • hxxps://join-jupapp[.]pages[.]dev/ -> last confirmed active January 27, 2024

Related external source

https://blog.talosintelligence.com/how-do-cryptocurrency-drainer-phishing-scams-work/

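As an added example (not part of this issue or of the Phishing-Database project), the following Python script parses IOC lines written in the notation used above (defanged `hxxps://...[.]...` URLs, bare subdomains, urlscan evidence links, and `-> last confirmed active ...` annotations), normalizes the hostnames, and groups them by hosting zone so that a per-subdomain versus wildcard decision can be made from counts. The sample lines are constructed, the `SHARED_HOSTING_ZONES` set and the two-label fallback in `zone_of` are assumptions, and nothing here is the project's own tooling.

```python
import re
from collections import defaultdict

# Constructed sample in the notation this report uses: defanged URLs
# ("hxxps://", "[.]"), bare subdomains, urlscan evidence links, an
# "-> last confirmed active" annotation and some page residue. Not the
# report's full list.
SAMPLE_IOCS = """\
hxxps://receive-altlayerio[.]pages[.]dev/
https://urlscan.io/result/5a034939-7762-4b97-8e58-5375b4e2d3e1/
  accept-altlayer.pages.dev
  mainnet-lineabuild.pages.dev
hxxps://enlist-jup[.]app/ -> last confirmed active January 22, 2024
ACCEPT-ALTLAYER.PAGES.DEV.
Click to expand
"""

# Assumption: zones that hand out subdomains to arbitrary tenants, so a hit
# there identifies a tenant and the wildcard question applies to the zone.
SHARED_HOSTING_ZONES = ("pages.dev", "workers.dev", "web.app")
# Hosts that appear only as evidence links in the report, never as IOCs.
EVIDENCE_HOSTS = ("urlscan.io",)

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")


def refang(token: str) -> str:
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] / (.) -> ., [:] -> :."""
    t = token.strip()
    t = re.sub(r"^hxxp", "http", t, flags=re.IGNORECASE)
    return t.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def hostname_from_ioc(token: str):
    """Lowercase hostname from a (defanged) URL or bare domain; None if not a hostname."""
    t = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(token), flags=re.IGNORECASE)
    t = re.split(r"[/?#]", t, maxsplit=1)[0]      # drop path, query, fragment
    t = t.rsplit("@", 1)[-1].split(":", 1)[0]     # drop userinfo and port
    t = t.lower().rstrip(".")                     # case-fold, strip trailing dot
    return t if HOSTNAME_RE.match(t) else None


def under(host: str, zone: str) -> bool:
    """True if host is zone itself or a subdomain of it (label-aligned)."""
    return host == zone or host.endswith("." + zone)


def parse_report(text: str):
    """Return [(hostname, note)] for every IOC line; evidence links and junk are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•*- ").strip()
        if not line:
            continue
        ioc, _, note = line.partition("->")
        host = hostname_from_ioc(ioc)
        if host is None or any(under(host, z) for z in EVIDENCE_HOSTS):
            continue
        records.append((host, note.strip()))
    return records


def zone_of(host: str) -> str:
    """Shared-hosting zone if the host sits under one, else its last two labels.
    The two-label fallback is a simplification; real tooling should consult
    the Public Suffix List."""
    for zone in SHARED_HOSTING_ZONES:
        if under(host, zone):
            return zone
    return ".".join(host.split(".")[-2:])


def group_by_zone(records):
    """Map zone -> set of distinct hostnames seen under it (duplicates collapse)."""
    groups = defaultdict(set)
    for host, _ in records:
        groups[zone_of(host)].add(host)
    return dict(groups)


if __name__ == "__main__":
    for zone, hosts in sorted(group_by_zone(parse_report(SAMPLE_IOCS)).items()):
        print(f"{zone}: {len(hosts)} host(s)")
        for h in sorted(hosts):
            print(f"  {h}")
```

Feeding the full list from this issue through `parse_report` and `group_by_zone` gives one count per zone; a large count under a shared zone such as pages.dev is the input to the wildcard-versus-subdomain decision, while a zone with a single registrable domain (the jup.app case) is listed on its own.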
@g0d33p3rsec g0d33p3rsec reopened this Jul 9, 2024
@spirillen (Contributor)

This is insane... they seem to do nothing, like nada, zip, zero, null, to protect the domain. This makes it risky to keep it open from my POV; would you like to reconsider the hammer?

@g0d33p3rsec (Collaborator, Author)

This is insane... they seem to do nothing, like nada, zip, zero, null, to protect the domain. This makes it risky to keep it open from my POV; would you like to reconsider the hammer?

It is getting to that point. I hate to slam a site that offers free hosting, but at this point the threat outweighs any benefit. On the other hand, they seem to police their platform better than Cloudflare.

@spirillen (Contributor)

OK, but next time I believe this is going to be changed into wildcard blocking, as CF is well known to host and protect scam/spam/phishing/malicious/POP and so on. So if you find something on worker.dev... add them as a wildcard. Anything else would require automation code, which we do not have for now.
