Whatsapp spreading spam “IDN” links (offr.rocks / milolead.com)

Today I delved into a bit of Whatsapp spam doing the rounds in the UK.

Screenshot_20180105-224821

This junk spreads using a Whatsapp message the same or similar to:

“Hey ! Waitrose celebrates its 113th anniversary and giving away FREE gift voucher worth of £250 to everyone ! click here to get yours : http://www.waıtrose.com/voucher  Enjoy .”

The domain involved is an “IDN” (International Domain Name)..  a domain name that can have more than just a-z and 0-9 as letters. They can have international symbols which look very much like normal alphabet letters.
(when these were launched people voiced their concerns about attacks like this.. and here they are).

In this instance the i in waitrose has been replaced with a different international letter.

The domain name that people are actually visiting (but is hidden behind the IDN system) is www.xn--watrose-sfb.com . The domain is registered via a whois privacy service but there are still some clues as to who is running the spam site.

The website is served from an Amazon AWS host and the DNS infrastructure doesn’t give any clues away.

However the source of the spam site has one unique bit of information: a Google Analytics / Tag Manager code of “UA-96118136-18”. The first part of this code (“UA-96118136”) is used to identify a specific Google Analytics account. The number at the end identifies the website under that account.
This code leads onto several other similar scam domain names!

waitrose-2018.life – Another Waitrose domain.
freedelta.world – (Delta airlines?) Seen using UA-96118136-23
http://www.xn--lid-xbb.com – Which translates to lidǀ.com (another EU supermarket) seen using UA-96118136-6 (“Lidl célèbre son 42 anniversaire et offre gratuit des chèques-cadeaux d’une valeur de €250 chacun!, Je viens de recevoir le mien, cliquez ici pour obtenir le vôtre : http://www.lidǀ.com/Bon Merci plus tard .”)
http://www.xn--ea-gpa2a.com – Which translates to www.ıĸea.com seen using UA-96118136-31
http://www.xn--costc-yob.com – Which translates to www.costcơ.com (International wholesale supermarket) seen using UA-96118136-46
http://www.southwest-pass.com – (Southwest airlines?) Seen using UA-96118136-38
http://www.xn--asa-wqa.com – Which translates to www.asđa.com (a UK supermarket) seen using UA-96118136-20

The website owner is also quite keen to prevent desktop users from seeing the page. There is some basic javascript to forward any screen resolution above 1000 pixels wide to a 404 page.

When you are using a mobile page you are given a series of supposedly survey questions – none of these question responses are stored anywhere or sent anywhere.

It then asks you to share the page with whatsapp friends – Once you’ve done this 15 times it forwards you to another page. (they don’t verify, just click the button 15 times and back out of sending the message! or (like in my case) don’t have Whatsapp installed so it can’t even attempt to send).

var c = 0;
$(document).ready(function() {
    $("#b1").on('click', function() {
        ++c;
        if (c > 15) {
            $(this).attr({
                href: "http://www.xn--watrose-sfb.com/final.html",
                target: "_self"
            });
        }
    });
    $("#b2").on('click', function() {
        if (c > 15) window.location = "http://www.xn--watrose-sfb.com/final.html";
        else window.alert("Share it with friends on WHATSAPP on our anniversary promotion!\n\n You must share to proceed " + c);
    });
});

http://www.xn--watrose-sfb.com/final.html is a simple single line page that forwards the user to:

http://track.voltrrk.com/d856c087-0ae9-4cd0-ada6-3c4c50f00857

The above is a host with an instant referral (CNAME) to “bxg1w.voluumtrk2.com” – a statistics tracking service.
This tracking service then redirects visitors to
http://offr.rocks/?a=2149&c=10512&s2=zDTEDITEDEDITEDEDITEDC

The above domain / page is probably the last of the “scammy” pages. The visitor is then redirected to what seems to be a “genuine” “Ocean Cloud” survey and competition:

http://milolead.com/page?country=uk&pub=2&cam=174&r=1XX4-1EDITED73&a=2149

Screenshot_20180105-232651

After bombarding you with demands for your name, date of birth, postal address and then telephone number it asks you tens of questions. Within a few minutes of filling in the survey it sends at least 5 e-mails and one text message with all sorts of spam. The emails have been for casinos and bitcoin.

The text message read

“Congrats NAMEEDITEDOUT,
You’ve Won a 
Free Bitcoin System
Claim it NOW here:
2018deal.com/l/cryptoa8Hp”

Eventually ends by redirecting you back to (I believe) the scammers controlled page.. whilst also sharing the telephone number with them too:

http://offr.rocks/?a=2511&c=8472&msisdn=07EDITED063&s2=XUJEDITED2BT

Who in turn then redirect you to yet another “offer”:

http://app.trk12.com/campaign/bc65e43d235d6b61464e9f8bc0859e45d90e5ac9?transaction_id=X3X9-15EDITED34&aff_id=2511&msisdn=07EDITED063

Screenshot_20180105-233258On this page “A brand of SB7 Mobile Ltd.” the terms and conditions hidden at the bottom note that you are signing up to a £4.50 a week SMS service. The page already has your number filled in (from the previous spam survey you just completed).

I presume the scammers get paid an affiliate fee each time they refer someone and their method to generate leads and referral fees is to trick people into sending spam Whatsapp messages.

Thoroughly scammy.

On a side note.. the service shown in the last screenshot is called “pinchecker.com”.. This company seem to handle the sign up process to the premium rate reverse charge SMS spam.
They seem to handle sign-ups for the following companies (some are all showing the same postal address):
PrizeHook.com – “SPTwo Ltd” / sptwo.com
PrizeAlerts.co.uk, JuicyWin.com, MintedMobi.com – “SB7 Mobile Ltd” / sb7mobile.com aka “Alerts 4 U”
PrizeNut.com, StarMystics.com – “KPMobTech Ltd” / kpmobtech.com

Associated domains on the pinchecker servers include “tiiny.uk”.. a website that leaks customer telephone numbers! Something that they can be fined for heavily once the EU GDPR comes in to effect.

Update: After just over a week of completing the above I then also got a text:

From: +60441
Free msg: Hi , thanks for completing the telephone survey, now text back YES to confirm your number. vivalavoucher.co.uk Help 03447451791

Part of the same organisation? Or someone they sold their list to who now want me to opt in?

Also
From: +447860064308 / 07860064308
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, H&H

From: DavidShow
Hi
This new system is
The same one like the one
I’m using:
http://tapl.gq/3bwi

About a month later I get the following “reminder” sms which reveals another domain name associated with it:

From +88222
FreeMsg: Reminder: U are a member of Alerts4U.co.uk for £1.50 per alert (max £4.50 per week) until you send STOP to 88222. Help? 03301340181

From +447520660227
We have been trying to contact you re your PPI Claim. We now have details of how much you are due. Reply POST for your pack or END to OptOut

From Maria
Thats the system u ask me about few times:
http://tapz.ml/19nS

Another bit of crap to the honeypot number only given to them:

From +447418340104
If you have had a 3 hour+ delay for a flight in the last 6 years reply YES to claim compensation of up to £520 per person or?reply?STOP to opt-out,?Airfair?

Email on 7th Feb at 11:27pm which mentions bitcoin and “acmvip.com” and “earnwithbitcoin.co”
Followed by an SMS (grr, that late at night!?) at 11:28pm saying:
From Account Dep
Dear ,
Your Bitcoin account has been activated.
Your current balance is: 10,090.18 Pounds.
Claim your Funds Now:
http://www.acmvip.com/f/

With this latest spam I’ve finally got the name of a person! deani.henderson@gmail.com

Who is also associated with 85 other domains, most of which look suspicious:
acrvip.com
actdep.com
australiawinners.com
iebay.org
wealth2017.com
makemoremoneythisyear.org
itsyourluckyday.net
hotpromotionsforyou.net
bigpromotionsforyou.net
singlemommakesmoney.net
makemoremoneythisyear.net
44waystomakemoremoney.net
tradeongold.net
earningmoney2015.net
makemoremoney2015.net
secondaryjobs2015.net
bestworkathomejobs2015.net
itsyourluckyday.info
hotpromotionsforyou.info
bigpromotionsforyou.info
moneyonline2015.info
bestworkathomejobs.info
yourbonusishere.com
hotpromotionsforyou.com
bigpromotionsforyou.com
boredyo.com
concept-local.com
44waystomakemoremoney.com
additionalincomefromhome.com
tradeongold.com
earningmoney2015.com
makemoremoney2015.com
secondaryjobs2015.com
bestworkathomejobs2015.com
itsyourluckyday.biz
workathome2015.net
moneyonline2015.net
theprintingbee.com
beerpillar.info
bigideafunds.info
born-racing.info
cwsby.info
extrawonderful.info
sarigard.info
bakewithpepper.info
beginster.info
radiotracklistings.com
speedf.info
ulopi.com
nanmoya.com
verogon.com
samrazor.com
ibookselearning.com
photo-monstr.info
pandorartbox.com
loveurway.info
idolgifts.info
smoodze.com
cartuningni.com
modelnora.com
glooub.com
stikabox.com
plactec.com
lockclad.com
mmemode.com
sertele.com
anampara.com
belvantes.com
bestfriendrio.com
hellopicpic.com
shavrea.com
roolty.com
nandoknows.com
ftutti.com
fotopyaart.com
sguiglygames.com
mindkolt.com
rareamateurvideos.com
googclips.com
mistressnui.com
azerofashion.com
utubevideosongs.com
stridelovesrockband.com
hartleyhonda.com
komipontaers.com

I’ve also had calls to my honeypot number from
020 8077 8840 – These people have called 7 times!
01792 272252 – 4 calls
01473 371629 – 3 calls.

1st March 2018 – Another SMS with another domain:
SMS from “Mark C”
Hi
I need you to be my beta tester.
Test my system and get it free:
http://lp.Special2018.com

7th March 2018 – Another SMS with another new domain, registered on 5th March:

SMS from “Robert”
Hi
This system change the world
test it and get it free:
http://tapl.ws/1yZS

10th March 2018 – This time a bit of spam that uses www.myoffers.co.uk as the landing page.

SMS from “FreeCompare”
TestersKeepers needs you to review and KEEP an £18K Audi A3 for FREE – apply by 31/03/18

http://www.gvme.uk/WNAb4Wsx/
*T&Cs

Stop? END to 07860020187

12th March 2018 – Another new domain.

SMS from “Danny”
Hi
Dear VIP member:
enjoy my new system:
http://tapy.ws/5Kfs

16th March 2018 – another new domain “tapv.ws”

22nd March 2018 – another new bit of spam, this time using a google URL shortened service.. hah, google have disabled the url! No sign in any of these text messages on unsubscribe procedures! (Pretty sure that is against sms spam rules).

SMS from Amanda
Hi
IM giving you my new free system.
test it and keep th eprofits:
https://goo.gl/LkFhuA

27th March 2018 12:11am:

SMS from Emma
Hi,
Where have you been? this is your final chance to beta test my amazing software…. Try now:
http://coinsbanc.org/

27th March 2018 13:48am:

SMS from Chris
Hi,
here is that new deal we mentioned last week http://www.r5.ms/s/2joeoo/py

Forwards to http://crypto-unlocked.xyz

28th March 2018:

SMS from David W
Hi
The new upgrade is ready you can have it free now:
http://lp.todaykit.com

29th March 2018:

SMS from Support
Hi
Only 2 spots left for this amazing VIP package…. Collect it now http://coinsbanc.org/

and

SMS from +447491163257
We are contacting you as you could be owed up to £2,442 if you were miss-sold PPI. Reply POST to receive your FREE check or STOP to opt-out, Hall & Hanley

30th March 2018:

SMS from Terence
Hi
I’m going to give you 500$
To test my new system:
http://cryptounlockedpro.com

2nd April 2018:

SMS from Account82
Dear , your scheduled payout needs confirmation. Please verify your account – http://bit.do/account82

SMS from Denis
Hi

your upgrade is ready.
you can start use it now to make profits:
http://www.r5.ms/s/2joeoo/sf

3rd April 2018:

SMS from Stevan
Hi Yes thats the same system im using to make profits daily: http://tapz.ws/8Qv6

5th April 2018:

SMS from Steven
, This is your LAST CHANCE!!! Only 1 Seat left… Collect Here: http://tapf.ws/7DSR

6th April 2018:

SMS from Gorge
Hi
it’s your lucky Easter
you win Free system
http://www.r5.ms/s/2joeoo/vn

9th April 2018:

SMS from Nikos
{“name”:”REDACTED”},
This is your LAST CHANCE!!! Only 1 Seat left… Collect Here:
http://tapz.ws/dSSy

11th April 2018:

SMS from Support
Hi
The upgrade for your system is ready.
Its valid for the next 24hr:
http://www.r5.ms/s/2joeoo/10q
Also associated URL: http://vl.ltfr.xyz/

12th April 2018:

SMS from Jasson
Hi
Its your time to change your life.
Extra 1000¿ income :
http://www.r5.ms/s/2pb1if/11f

13th April 2018:

SMS from Support
Hi {“name”:””}
This is the system I told u about.
I’m making over 500$ every day:
http://tapv.ws/hFuy

17th April 2018:

SMS from Emma
Hi
its your lucky day.
you win my new system:
http://www.r5.ms/s/2pb1if/12n
Associated URLS: http://vl.ltfr.xyz/ and http://peralking-tement.com and cryptounlockedpro.xyz

25th April 2018:

SMS from StevanT
Hi <REDACTED>
This is your lucky day
sign here and get free 1000¿
http://voli.cf/24Qo
Associated URLS http://lp.mymore.info/WfiiZ/ , track.myonlinepayday.co and www.thecryptogenisus.com

14th May 2018:

SMS from VIP CLUB
Are you ready to make over $2500 in the next 24 hours! Click here to learn more: bit.ly/crVIPclub | Opt out: end1.me
Associated URL end1.me doesn’t lead anywhere. Hosted on what looks like shared hosting at Amazon and the domain is registered using a privacy service. This is the first message to contain unsubscribe instructions!

26th May 2018:

SMS from BIG150
Hi
We need you to be a product tester. Review & KEEP for FREE a Samsung 55″ 4K TV
Visit
http://www.gvme.uk/B9rr8GIY/
*T&Cs
Stop? Text ZAP to 07860020187
Above url forwards onto http://www.myoffers.co.uk

30th May 2018:

SMS from PAYOUT
You still have 2.49 Bitcoins (£14.300) in your trading account).  SIGN UP IMMEDIATELY TO RELEASE YOUR BITCOINS: http://www.r5.ms/s/2rbuzn/1t8
Above url forwards onto reveravel-annewcase.com, aptrk11.com and then to bitcoin-wealth-tech.cc

8th June 2018:

SMS from PAYOUT
You still have 2.49 Bitcoins (£14.300) in your trading account).  SIGN UP IMMEDIATELY TO TRADE YOUR BITCOINS: http://www.r5.ms/s/2rbuzn/1×4
Other IP related to the above:  http://149.28.172.167/BIN/BIT4/

19th June 2018:

SMS from LAST NOTICE
<REDACTED>, You still have 4.49 Bitcoins (£43.300) in your trading account).  SIGN UP IMMEDIATELY TO TRADE YOUR BITCOINS: http://www.r5.ms/s/2rbuzn/22s
Still using 149.28.172.167

5th July 2018:

SMS from Steve
This performs good so I’m using this one mostly tried different others, not so good http://5qi.org/3L6ke
Domains relating to the above comenges-alling.com (52.31.24.150) and clickmoneysystems.com

10th July 2018:

SMS from PENDING
LAST NOTICE — You have 41.39 BTC (97,349.93) in your account. VERIFY WITHIN 24H FOR BlTCOlN PAYOUT: http://www.t6.ms/s/2rbuzn/2jh
reveravel-annewcase.com and 149.28.170.132 are used in this spam. Still contains no opt out information!

29th July 2018:

SMS from BIG150
Hi

Product reviewers wanted to test & KEEP a Samsung 55″ 4K Ultra-HD TV

Visit:
http://www.gvme.uk/DHoAStFf/
*T&Cs

Stop? Text ZAP to 07860020187
http://www.myoffers.co.uk is the domain the gvme.uk domain forwards to.

6th September 2018:

SMS from Emma
Your funds (7899.43 GBP) will be removed unless you access your account within 24 hours: http://url27.pw/eU0

27th September 2018:
A sudden resurgence of these SMS messages along with spam emails!

SMS from +52391
Cash Out Over £2500 By The End Of The Day With This System! Claim Your Spot: http://j60.ltd/3uYw5d
Also related are the domains bx.nuj5qy.xyz and cfdrcm.com. No STOP information contained within the message.

SMS from Amanda
Your current balance is 8367 GBP. LOGIN IMMEDIATELY TO RELEASE THEM: http://j60.ltd/3u5xoI

Also associated and came in within a day or so to the unique e-mail address I used:
“Market insights every morning” from “BlueVolt <info@bluevoltmarketing.co.uk>”
and
“Karox has sent you a private message!” from “Karox <noreply@flirtbodor.com>”

3rd October 2018:

SMS from +77113
You have WON the premium access to the WINNER system. Log in to claim your spot: http://p97.ltd/3uW2Nu

The website appeared to be down when I tried to visit it.

13th November 2018:

SMS from +52595
Your funds (7689.43 GBP) will be removed unless you access your account within 24 hours: http://6sg.me/3HqIEq

Once again, no STOP instructions. Also related is bx3.nuj5qy.xyz – All related domains:

6sg.me
1ya.org
m3z.me
xd4.org
8ec.me
z8f.me
qpo.me
q4t.me
q99.me
gy1.org
b5o.org
b3q.org
5gq.org
jf1.org
4xa.org
k8p.org
z7r.org
jq5.org
85i.org
7c3.me
9a9.ltd
as4.ltd
6kx.org
00q.me
4tw.org
rq3.org
p0e.org
05d.org
8h8.org
hp4.ltd
6lh.org
5ku.org
5h0.org
74z.org
9nb.org
9ql.org
zd2.org
9hw.org
8×7.ltd
0og.org
fp8.ltd
d7p.ltd
oc3.ltd
k79.ltd
r9g.ltd
i61.ltd
kl3.ltd
hb1.ltd
yv3.ltd
w62.ltd
us8.ltd
w6c.ltd
z3o.ltd
y98.ltd
8t6.ltd
4at.ltd
7vn.ltd
7in.ltd
5sk.ltd
ey2.ltd
2k1.ltd
2zw.ltd
1s0.ltd
23w.ltd
3e3.ltd
l9y.ltd
8qd.ltd
a4e.ltd
7yq.ltd
uh8.one
h4w.ltd
e9u.ltd
do0.ltd
uh8.ltd
h39.ltd
f6c.ltd
j60.ltd
e5k.ltd
i31.ltd
ws3.ltd
d3c.ltd
d3c.one
6na.ltd
50n.org
y41.ltd
u71.ltd
b2q.ltd
sl7.ltd
pp6.ltd
p97.ltd
1pu.ltd
12f.ltd
8ae.ltd
c2t.ltd
7jh.ltd
1fh.ltd
3zv.ltd
0oe.org
l14.org
9wz.org
46l.org
b7e.org
g5y.org
y7s.org
56d.org
5g2.org
2lk.org
1i5.org
74p.org
9y4.org
pq9.org
nl2.org
gm7.org
5ue.org
y5m.org
zm4.org
1v8.org
7hy.org
5o0.org
0hb.org
tm6.org
1jq.org
9g6.org
7lr.org
k5u.org
48i.org
jm0.org

13th December 2018:

SMS from “Kelly”
Your funds (7689.43 GBP) will be removed unless you access your account within 24 hours: http://do148.com/1CR

Once again, no STOP instructions. All related domains:

do148.com
lnk196.com
ln144.com
do112.com
hrf73.com
hrf79.com
lnk75.com
hrf72.com
rdr9.com
href7.net
do144.com
jump43.com
do107.com
lnkmy.com
do142.com
do140.com
ln149.com
ln112.com
addr7.com
do106.com
do190.com
do149.com
msg16.pw
jump82.com
hrf195.com
lnk59.pro
do197.com
43fclk.com
ln159.com
url17.pro
hrf0.pro
lnk7.pro
lnk66.pro
bitlnk.pro
lnk76.pro
lnk80.pro
msg18.pro
lnk43.pro
clk8.pro
lnk3.pro
msg0.pro
url14.pro
hrf64.pro
hrf15.pro
lnk47.pro
hrf79.pro
msg1.pro
link12.pro
hrf6.pro
hrf45.pro
goto20.pro
hrf76.pro
link10.pro
hrf24.pro
ilnk.pro
url10.pro
hrf71.pro
msg10.pro
hrf52.pro
link19.pro
opn9.pro
lnk46.pro
hrf59.pro
opn16.pro
href13.pro
tolnk.pro
lnk67.pro
hrf80.pro
msg15.pro
msg7.pro
rndm.pro
lnk73.pro
lnk10.pro
url13.pro
opn10.pro
goto16.pro
msg9.pro
hrf57.pro
hrf21.pro
lnk95.pro
url6.pro
opn3.pro
lnk22.pro
hrf19.pro
clk10.pro
opn14.pro
hrf5.pro
lnk19.pro
href20.pro
hrf62.pro
clk0.pro
clk12.pro
goto9.pro
lnk57.pro
href10.pro
href7.pro
href16.pro
opn7.pro
hrf29.pro
lnk26.pro
url7.pro
goto4.pro
hrf54.pro
msgr.pro
url8.pro
lnk15.pro
lnk20.pro
clk3.pro
clk14.pro
href19.pro
lnk12.pro
lnk92.pro
myclk.pro
lnk29.pro
hrf1.pro
lnk64.pro
hrf30.pro
link16.pro
lnk54.pro
hrf60.pro
clk16.pro
hrf49.pro
goto15.pro
hrf94.pro
url15.pro
hrf74.pro
lnk72.pro
hrf12.pro
lnk71.pro
msg13.pro
hrf43.pro
hrf46.pro
lnk53.pro
hrf47.pro
clk9.pro
clk17.pro
clkz.pro
goto2.pro
clkme.pro
lnk17.pro
hrf67.pro
lnk56.pro
clk13.pro
opn5.pro
href3.pro
lnk23.pro
goto18.pro
hrf26.pro
url5.pro
hrf3.pro
msg5.pro
clk1.pro
hrf75.pro
link13.pro
link15.pro
link5.pro
hrf9.pro
href2.pro
msg17.pro
hrf70.pro
link3.pro
msg3.pro
msg12.pro
ln197.com
goto29.pro
hrf92.pro
link18.pro
msg14.pro
hrf58.pro
lnk60.pro
lnk6.pro
lnk4.pro
hrf7.pro
hrf53.pro
goto21.pro
href6.pro
hrf56.pro
lnk51.pro
url2.pro
lnk77.pro
clk5.pro
clknow.pro
goto14.pro
opn8.pro
opn15.pro
lnk93.pro
lnk5.pro
href11.pro
opn13.pro
lnkmy.pro
lnk21.pro
lnk49.pro
href4.pro
msg6.pro
lnk44.pro
lnk75.pro
clk2.pro
lnk94.pro
goto0.pro
href29.pro
lnk24.pro
golnk.pro
hrf93.pro
href28.pro
goto17.pro
hrf17.pro
lnk81.pro
hrf8.pro
lnk97.pro
rdrct.pro
msg11.pro
lnk25.pro
clk18.pro
lnk52.pro
opn11.pro
hrf42.pro
lnks.pro
opn1.pro
lnk27.pro
bstlnk.pro
link17.pro
opn2.pro
url16.pro
lnk78.pro
clk15.pro
hrf44.pro
lnk61.pro
opn6.pro
msg4.pro
link20.pro
hrf66.pro
lnk79.pro
msg16.pro
lnk30.pro
url11.pro
lnk99.pro
link6.pro
opn18.pro
clk44.com
ln104.com
clk32.com
go197.com
open82.com
open83.com
jump31.com
jump36.com
lnk9.com
jump38.com
jump34.com
open38.com
open36.com
open37.com
open41.com
jump80.com
jump84.com
ln196.com
clk28.com
opn0.com
nclk5.com
http://www.jump84.com
http://www.jump80.com
http://www.open83.com
http://www.jump82.com
http://www.open82.com
clk73.com
60fclk.com
jmp29.com
clk72.com
jmp70.com
jmp72.com
jmp73.com
ln190.com
do187.com
ln192.com
clk95.com
ln184.com
do185.com
go164.com
ln140.com
go142.com
go140.com
do137.com
opn33.com
opn29.com
opn98.com
opn97.com
lnkz.men
lnkz.bid
lnks.bid
lnks.men
lnk53.com
lnk19.com
lnk82.com
lnk22.com
lnk85.com
lnk12.com
myclk5.com
opn74.com
zsite8.com
zsite7.com
opnlnk.com
ln105.com
hrf75.com
lnk74.com
opn7.com
jmp75.com
opn8.com
http://www.clkz.pro
opn53.com
clk49.com
opn34.pw
opn72.com
jmp43.com
opn43.com
opn40.com
opn42.com
clk39.com
opn38.com
jmp52.com
clk81.com
opn71.com
jmp79.com
opn49.com
jmp53.com
do194.com
hrf24.com
hrf28.com
hrf25.com
clk53.com
zlink1.com
do109.com
ln115.com
ln107.com
http://www.open41.com
http://www.open38.com
http://www.open36.com
http://www.jump43.com
http://www.lnk9.com
http://www.jump31.com
http://www.jump38.com
http://www.jump36.com
http://www.open37.com
http://www.jump34.com
clkz.bid
clk29.com
clk27.com
jmp50.com
jmp51.com
jmp49.com
hrf13.pro
opn27.pw
mynotifiers.com
33fclk.com
goto12.com
href11.com
goto13.com
href16.com
href50.com
href15.com
goto48.com
href23.com
goto50.com
href10.com
href21.com
yclk23.com
yclk15.com
yclk44.com
jmp39.com
wopn8.com
opn39.com
opn41.com
opn44.com
opn4.com
opn12.com
opn11.com
href78.com
href76.com
href67.com
goto74.com
href66.com
href72.com
goto71.com
href68.com
tlnk7.com
http://www.clk73.com
http://www.opn72.com
http://www.opn74.com
http://www.jmp70.com
http://www.clk72.com
http://www.jmp73.com
http://www.jmp72.com
http://www.opn71.com
urlz.men
href.men
ilnk.men
addr.men
urls.men
msgs.men
clkz.men
clks.men
msgs.bid
clks.bid
clk97.com
bstclick.com
clk96.com
open95.com
href12.com
clk34.com
opn31.com
lnk27.com
adr.pw
http://www.opn53.com
http://www.jmp51.com
http://www.clk53.com
http://www.opn49.com
http://www.jmp53.com
http://www.clk49.com
http://www.jmp50.com
http://www.jmp49.com
http://www.jmp52.com
hrf86.com
msgs.icu
nclk7.com
http://www.open95.com
http://www.opn98.com
http://www.opn97.com
http://www.clk97.com
http://www.clk96.com
tlink5.com
http://www.clk95.com
nclk1.com
http://www.jmp75.com
tlink7.com
hrf57.com
hrf49.com
hrf80.com
hrf16.com
hrf20.com
href9.com
href6.com
http://www.opn40.com
http://www.opn39.com
http://www.opn43.com
http://www.clk44.com
http://www.opn42.com
http://www.opn41.com
http://www.clk39.com
http://www.jmp43.com
http://www.jmp39.com
http://www.opn44.com
flink7.com
flink1.com
lnk94.com
goto77.com
opn777.com
msg25.pw
zlink7.com
http://www.clk27.com
http://www.clk29.com
http://www.jmp29.com
http://www.clk34.com
http://www.opn29.com
http://www.opn33.com
http://www.opn31.com
clk777.com
wlink7.com
zlink8.com
lnk81.com
href7.com
lnk57.com
urlz.bid
urlz.icu
wlink5.com
hrf95.com
lnk18.com
hrf91.com
lnk91.com
yclk31.com
hrf93.com
101clk.com
hrf94.com
hrf12.com
hrf89.com
77clk.com
hrf9.com
hrf92.com
lnk95.com
hrf21.com
http://www.opn12.com
http://www.opn0.com
http://www.opn4.com
http://www.opn11.com
lnkz.icu
addr.icu
hrf13.pw
http://www.hrf94.com
http://www.hrf93.com
http://www.hrf91.com
http://www.hrf9.com
http://www.hrf89.com
http://www.href6.com
http://www.lnkmy.com
http://www.lnk95.com
http://www.lnk94.com
http://www.lnk91.com
http://www.zsite7.com
http://www.nclk5.com
http://www.tlnk7.com
opn30.pw
ilnk.bid
http://www.bstclick.com
clk56.pw
http://www.lnk57.com
http://www.lnk53.com
http://www.lnk85.com
http://www.goto74.com
http://www.goto71.com
http://www.goto50.com
http://www.goto48.com
http://www.goto13.com
http://www.hrf86.com
http://www.href76.com
http://www.href72.com
http://www.href68.com
http://www.href67.com
http://www.href66.com
http://www.href50.com
http://www.href23.com
http://www.href15.com
http://www.href10.com
http://www.lnk82.com
http://www.lnk75.com
http://www.lnk74.com
http://www.25clks.com
25clks.com
http://www.yclk44.com
http://www.yclk31.com
url37.pw
http://www.yclk23.com
http://www.yclk15.com
http://www.clk777.com
http://www.opn777.com
http://www.goto77.com
http://www.hrf79.com
http://www.hrf75.com
http://www.hrf73.com
http://www.hrf72.com
http://www.77clk.com
http://www.hrf57.com
http://www.hrf25.com
http://www.hrf24.com
http://www.href7.com
http://www.flink7.com
http://www.101clk.com
http://www.43fclk.com
http://www.wlink7.com
http://www.wlink5.com
http://www.zlink1.com
http://www.33fclk.com
http://www.href78.com
http://www.href21.com
http://www.href12.com
http://www.goto12.com
http://www.href11.com
http://www.href16.com
clkz.pw
ilnk.icu
msg11.pw
http://www.lnk81.com
http://www.hrf49.com
http://www.hrf28.com
hrf61.pw
http://www.hrf20.com
http://www.hrf16.com
http://www.lnk18.com
http://www.lnk19.com
http://www.lnk22.com
http://www.60fclk.com
http://www.zsite8.com
http://www.zlink8.com
http://www.addr7.com
http://www.rdr9.com
http://www.hrf95.com
http://www.tlink7.com
http://www.hrf12.com
http://www.href9.com
http://www.nclk7.com
http://www.wopn8.com
http://www.opn7.com
hrf20.info
lnk16.info
lnk17.info
http://www.hrf92.com
http://www.lnk12.com
http://www.opnlnk.com
lnk19.site
hrf21.info
hrf29.pw
opn28.pw
http://www.flink1.com
77clks.com
myclk7.com
11clks.com
jmp77.com
lnk20.site
lnk15.site
http://www.lnk77.com
http://www.rdr7.com
http://www.zlink7.com
http://www.opn5.com
http://www.href8.com
http://www.zlink3.com
http://www.offr7.com
http://www.jmp77.com
http://www.addr5.com
http://www.jmp12.com
http://www.href7.net
http://www.link16.pro
http://www.href20.pro
http://www.goto15.pro
http://www.goto16.pro
http://www.link19.pro
http://www.link18.pro
http://www.link15.pro
http://www.href19.pro
http://www.goto20.pro
http://www.goto17.pro
http://www.goto18.pro
http://www.href16.pro
http://www.goto14.pro
lnk77.com
rdr7.com
zlink5.com
opn5.com
href8.com
zlink3.com
offr7.com
lnk11.com
addr5.com
jmp12.com
hrf19.site
zopn1.com
rhrf5.com
tlnk1.com
wopn5.com
zopn8.com
zopn5.com
tlink8.com
gonow7.com
link21.pro
hrf14.site
yclk26.com
17fclk.com
20fclk.com
99clk.com
wclk11.com
wclk7.com
55clks.com
15clks.com
wclk77.com
100clk.com
flink9.com
goto15.com
opn100.com
addr.bid
http://www.hrf93.pro
http://www.hrf79.pro
http://www.hrf92.pro
http://www.hrf80.pro
http://www.href13.pro
http://www.hrf59.pro
http://www.lnk56.pro
http://www.lnk67.pro
http://www.lnk75.pro
http://www.hrf56.pro
http://www.lnk59.pro
http://www.lnk61.pro
http://www.lnk64.pro
http://www.lnk66.pro
http://www.lnk76.pro
http://www.lnk60.pro
http://www.hrf67.pro
http://www.hrf76.pro
lnk11.info
http://www.hrf45.pro
http://www.lnk52.pro
http://www.hrf49.pro
http://www.lnk51.pro
http://www.hrf53.pro
http://www.lnk54.pro
http://www.lnk53.pro
http://www.lnk47.pro
http://www.hrf43.pro
http://www.hrf44.pro
http://www.hrf42.pro
http://www.lnk49.pro
http://www.hrf54.pro
http://www.hrf46.pro
http://www.lnk46.pro
http://www.hrf47.pro
http://www.lnk43.pro
http://www.hrf52.pro
lnk13.info
opnnow.pro
hrf13.info
hrf12.info
hrf11.info
http://www.link12.pro
http://www.hrf26.pro
http://www.href10.pro
http://www.lnk23.pro
http://www.lnk27.pro
http://www.hrf21.pro
http://www.link10.pro
http://www.lnk24.pro
http://www.href11.pro
http://www.lnk26.pro
http://www.hrf24.pro
lnk12.info
link28.pro
bstlink.site
hrf11.site
hrf30.info
lnk12.site
hrf10.site
bstlnk.press
lnk10.site
hrf3.press
href30.press
lnk8.site
href0.info
lnk6.info
hrf6.site
hrf29.info
goto29.site
link27.pro
http://www.lnk19.pro
http://www.lnk15.pro
http://www.goto29.pro
http://www.href29.pro
http://www.lnk29.pro
http://www.lnk20.pro
http://www.hrf30.pro
http://www.lnk30.pro
http://www.lnk10.pro
http://www.href28.pro
lnk9.info
link30.pro
link28.site
link9.press
clkbest.site
goto28.site
lnk2.press
bestclk.info
nowklk.info
lnk28.press
lnk28.site
hrf30.pw
lnk4.press
hrf29.press
link3.site
hrf30.press
fastclk.site
nowclk.info
hrf2.press
nowopn.pro
goto3.site
lnk29.press
opnnow.site
prssnow.site
href2.site
http://www.link6.pro
http://www.bstlnk.pro
http://www.goto9.pro
http://www.link3.pro
http://www.lnk4.pro
http://www.href2.pro
http://www.href6.pro
http://www.lnk5.pro
http://www.link5.pro
http://www.href3.pro
http://www.goto2.pro
http://www.href4.pro
http://www.lnk7.pro
http://www.lnk6.pro
bstclick.pro
lnk7.site
msg26.pw
msg27.pw
bestclk.site
myclk.site
bstclk.press
fastclk.info
clkme.site
nowklk.pro
lnk3.site
hrf7.site
hrf.pw
clkz.icu
clk22.pw
clk15.pw
url25.pw
clk25.pw
clk38.pw
clk58.pw
clk24.pw
opn42.pw
url52.pw
hrf39.pw
url58.pw
opn56.pw
opn57.pw
hrf58.pw
http://www.tolnk.pro
http://www.golnk.pro
http://www.lnkmy.pro
msg23.pw
opn58.pw
msg51.pw
hrf55.pw
clk47.pw
hrf54.pw
url55.pw
clk8.pw
url57.pw
msg57.pw
clk52.pw
url43.pw
opn55.pw
hrf21.pw
url19.pw
url46.pw
http://www.urlz.bid
http://www.clks.bid
http://www.addr.bid
url50.pw
msg47.pw
opn53.pw
msg53.pw
clk20.pw
clk18.pw
clk51.pw
hrf52.pw
msg46.pw
opn49.pw
msg48.pw
clk50.pw
hrf49.pw
url47.pw
clk49.pw
opn48.pw
hrf31.pw
hrf48.pw
opn47.pw
hrf47.pw
opn45.pw
hrf43.pw
msg45.pw
msg44.pw
opn46.pw
msg35.pw
clk46.pw
opn15.pw
msg42.pw
clk45.pw
msg43.pw
clk43.pw
url42.pw
url40.pw
msg36.pw
msg40.pw
clk39.pw
url61.pw
clk62.pw
opn60.pw
hrf60.pw
clk60.pw
clk57.pw
clk40.pw
opn39.pw
msg38.pw
hrf38.pw
msg37.pw
url36.pw
opn36.pw
msg33.pw
hrf32.pw
opn33.pw
hrf33.pw
clk34.pw
url31.pw
opn32.pw
msg31.pw
opn31.pw
hrf11.pro
clk6.pro
clk31.pw
msg2.pro
url34.pw
clk35.pw
http://www.opn18.pro
http://www.clk17.pro
http://www.clk18.pro
http://www.opn16.pro
http://www.url15.pro
http://www.msg15.pro
http://www.clk16.pro
http://www.msg16.pro
http://www.opn15.pro
http://www.hrf15.pro
http://www.opn14.pro
http://www.clk14.pro
http://www.clk15.pro
http://www.url14.pro
hrf5.pw
hrf2.pw
http://www.hrf13.pro
http://www.opn13.pro
http://www.msg13.pro
url0.pro
opn12.pro
clk7.pro
clk11.pro
http://www.opn12.pro
http://www.clk13.pro
http://www.clk12.pro
http://www.url12.pro
url12.pro
hrf3.pw
http://www.msg11.pro
http://www.hrf11.pro
http://www.url10.pro
http://www.clk10.pro
http://www.opn11.pro
url30.pw
hrf4.pro
opn4.pro
url29.pw
msg30.pw
clk29.pw
opn18.pw
msg1.pw
opn26.pw
url28.pw
opn19.pw
clk30.pw
msgr.icu
clk27.pw
http://www.hrf6.pro
msg29.pw
opn24.pw
url27.pw
rdrct.pw
url15.pw
http://www.rdrct.pro
hrf26.pw
hrf27.pw
url22.pw
hrf23.pw
clks.pro
clk26.pw
clk23.pw
http://www.rndm.pro
msg20.pw
msg21.pw
rdrct.icu
opn21.pw
url17.pw
clk21.pw
hrf22.pw
hrf24.pw
msg17.pw
opn7.info
hrf18.pw
http://www.href.men
hrf8.pw
clk19.pw
opn20.pw
hrf15.pw
clk17.pw
hrf17.pw
url16.pw
hrf16.pw
clk9.pw
clk3.pw
rndm.icu
msg14.pw
opn17.pw
http://www.opn1.pro
opn13.pw
hrf10.pw
url13.pw
opn10.pw
opn12.pw
clk0.pw
cittiibank.com
clk4.pw
lnks.icu
http://www.msg7.pro
url3.pw
url5.pw
url0.pw
clk8.info
hrf0.pw
msg2.pw
url4.pw
msg6.pw
clk6.pw
hrf6.pw
msg4.pw
hrf4.pw
hrf1.info
opn1.info
hrf9.info
url3.info
opn9.info
hrf3.info
http://www.msg1.pro
http://www.hrf1.pro
http://www.msg9.pro
http://www.opn9.pro
url1.pw
clk3.info
opn8.info
opn9.pw
http://www.lnkz.bid
hrf9.pw
msg3.pw
http://www.clk9.pro
http://www.msg3.pro
msg9.pw
clk1.pw
http://www.clk3.pw
msg8.info
hrf8.info
url5.info
http://www.url8.pro
msg8.pw
http://www.url5.pro
http://www.clk5.pro
http://www.opn5.pro
http://www.hrf5.pro
msg5.pw
http://www.url7.pro
http://www.opn7.pro
http://www.clks.pro
href.space
msgr.pw
msgs.press
msgr.press
shr.party
klk.space
klk.press
urlz.trade
urlz.space
urls.press
rdr.space
addr.press
doit.host
ilnk.club
lnkz.host
lnkz.site
lnks.host
clks.site
clks.host
clks.date
ilnk.date
ilnk.site
shrt.host

This entry was posted in Uncategorized. Bookmark the permalink.

7 Responses to Whatsapp spreading spam “IDN” links (offr.rocks / milolead.com)

  1. Pingback: Phishing campaign via WhatsApp offers sport shoes as “prize” | Information Security, latest Hacking News, Cyber Security, Network Security

  2. Pingback: Phishing campaign via WhatsApp offers sport shoes as “prize” – ESET Ireland

  3. Pingback: 安全News|阿迪达斯69周年免费送2500双鞋?这背后的真相究竟是什么? | 孤独常伴

  4. Pingback: Phishing anniversary: Here’s a free $50/month subscription - LatestHackerNews.com

  5. Pingback: Phishing anniversary: Here’s a free $50/month subscription – Hacking & Cyber Security

  6. Pingback: Phishing anniversary: Here’s a free $50/month subscription – Adonaiprotect

  7. Pingback: Phishing anniversary: Here’s a free $50/month subscription – CyberSecurityNews

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s