
[False Negative]: add 40 phishing domains (face-it[.]co[.]com, buff163[.]co[.]com, ...)

Open · ninjacatcher opened this issue 2 weeks ago · 0 comments

[!IMPORTANT]

Executive Summary

This report documents 40 domains identified as part of active phishing operations. These domains exhibit characteristics consistent with malicious infrastructure and pose an immediate security risk to internet users.

The following 40 domains have been analyzed and confirmed as participating in phishing campaigns (each is also broken down by target brand under Detections & Targeted Brands below):


Threat Analysis

Phishing Attack Details

These domains are part of a phishing campaign targeting cryptocurrency companies and cryptocurrency holders/investors. Attackers may use fake login pages, fake Web3 wallet connection prompts, fake cryptocurrency exchange/swap interfaces, or modified/malicious software to steal cryptocurrency seed phrases/keys.

Technical Details

  • No sophisticated cloaking detected.

Detections & Targeted Brands

  • face-it.co.com targets Faceit (faceit.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/face-it.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=face-it.co.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=face-it.co.com
  • buff163.co.com targets BUFF Market (buff.163.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/buff163.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=buff163.co.com
  • skinsmonkye.com targets SkinsMonkey (skinsmonkey.com)
    • VirusTotal: 14 detections - https://www.virustotal.com/gui/domain/skinsmonkye.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=skinsmonkye.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=skinsmonkye.com
  • skinsmnky.com targets SkinsMonkey (skinsmonkey.com)
    • VirusTotal: 13 detections - https://www.virustotal.com/gui/domain/skinsmnky.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=skinsmnky.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=skinsmnky.com
  • skinsmonkey.co.com targets SkinsMonkey (skinsmonkey.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/skinsmonkey.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=skinsmonkey.co.com
  • secure-paymentech.co.com targets Chase Paymentech (chasepaymentech.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/secure-paymentech.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=secure-paymentech.co.com
  • skrill-app.co.com targets Skrill (skrill.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/skrill-app.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=skrill-app.co.com
  • slash-on.co.com targets Slash (slash.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/slash-on.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=slash-on.co.com
  • join-slash.co.com targets Slash (slash.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/join-slash.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=join-slash.co.com
  • app-slash.co.com targets Slash (slash.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/app-slash.co.com/detection
  • slash-ap.co.com targets Slash (slash.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/slash-ap.co.com/detection
  • www-slash.co.com targets Slash (slash.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/www-slash.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-slash.co.com
  • getmoss.co.com targets Moss (getmoss.com)
    • VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/getmoss.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=getmoss.co.com
  • www-mechanicsbank.co.com targets Mechanics Bank (mechanicsbank.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/www-mechanicsbank.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-mechanicsbank.co.com
  • treasury-simmonsbank.co.com targets Simmons Bank (simmonsbank.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/treasury-simmonsbank.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=treasury-simmonsbank.co.com
  • bankplus.co.com targets BankPlus (bankplus.net)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/bankplus.co.com/detection
  • www-tipalti.co.com targets Tipalti (tipalti.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/www-tipalti.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-tipalti.co.com
  • ofx.co.com targets OFX (ofx.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/ofx.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=ofx.co.com
  • ofx-app.co.com targets OFX (ofx.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/ofx-app.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=ofx-app.co.com
  • payhawk.co.com targets Payhawk (payhawk.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/payhawk.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=payhawk.co.com
  • paymentech.co.com targets Chase Paymentech (chasepaymentech.com)
    • VirusTotal: 8 detections - https://www.virustotal.com/gui/domain/paymentech.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=paymentech.co.com
  • spendesk.co.com targets Spendesk (spendesk.com)
    • VirusTotal: 0 detections - https://www.virustotal.com/gui/domain/spendesk.co.com/detection
  • www-simmonsbonk.top targets Simmons Bank (simmonsbank.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/www-simmonsbonk.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-simmonsbonk.top
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=www-simmonsbonk.top
  • www-bankplus.top targets BankPlus (bankplus.net)
    • VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/www-bankplus.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-bankplus.top
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=www-bankplus.top
  • www-tipolti.top targets Tipalti (tipalti.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/www-tipolti.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-tipolti.top
  • www-firsthorlzan.top targets First Horizon Bank (firsthorizon.com)
    • VirusTotal: 3 detections - https://www.virustotal.com/gui/domain/www-firsthorlzan.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-firsthorlzan.top
  • www-getmass.top targets Moss (getmoss.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/www-getmass.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-getmass.top
  • ofx-login.top targets OFX (ofx.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/ofx-login.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=ofx-login.top
  • www-simmonsbank.top targets Simmons Bank (simmonsbank.com)
    • VirusTotal: 18 detections - https://www.virustotal.com/gui/domain/www-simmonsbank.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-simmonsbank.top
  • convergepay.co.com targets Converge (convergepay.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/convergepay.co.com/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=convergepay.co.com
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=convergepay.co.com
  • www-payhawk.top targets Payhawk (payhawk.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/www-payhawk.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-payhawk.top
  • www-firsthorlzon.top targets First Horizon Bank (firsthorizon.com)
    • VirusTotal: 11 detections - https://www.virustotal.com/gui/domain/www-firsthorlzon.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-firsthorlzon.top
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=www-firsthorlzon.top
  • www-getmoss.top targets Moss (getmoss.com)
    • VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/www-getmoss.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-getmoss.top
  • www-paymontech.top targets Chase Paymentech (chasepaymentech.com)
    • VirusTotal: 3 detections - https://www.virustotal.com/gui/domain/www-paymontech.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-paymontech.top
  • www-mechonics.top targets Mechanics Bank (mechanicsbank.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/www-mechonics.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-mechonics.top
  • www-flrstherizen.top targets First Horizon Bank (firsthorizon.com)
    • VirusTotal: 11 detections - https://www.virustotal.com/gui/domain/www-flrstherizen.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-flrstherizen.top
  • www-spendesk.top targets Spendesk (spendesk.com)
    • VirusTotal: 2 detections - https://www.virustotal.com/gui/domain/www-spendesk.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-spendesk.top
  • www-tipalti.top targets Tipalti (tipalti.com)
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/www-tipalti.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-tipalti.top
  • www-convergapay.top targets Converge (convergepay.com)
    • VirusTotal: 4 detections - https://www.virustotal.com/gui/domain/www-convergapay.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=www-convergapay.top
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=www-convergapay.top
  • barclaycerdus.top targets Barclays US
    • VirusTotal: 1 detection - https://www.virustotal.com/gui/domain/barclaycerdus.top/detection
    • Listed on Spamhaus - https://check.spamhaus.org/results/?query=barclaycerdus.top
    • Listed on APVA - https://api.antiphish.org/v1/lookup?host=barclaycerdus.top

Diagrams

Phishing Campaign Mindmap Overview
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#f97316', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#ea580c', 'lineColor': '#fb923c', 'secondaryColor': '#fed7aa', 'tertiaryColor': '#fff7ed'}}}%%
mindmap
    root((Phishing Campaign<br/>40 domains))
        ))TARGETS((
            ["Slash"]
                (slash-on.co.com)
                (join-slash.co.com)
                (app-slash.co.com)
                (slash-ap.co.com)
                (www-slash.co.com)
            ["SkinsMonkey"]
                (skinsmonkye.com)
                (skinsmnky.com)
                (skinsmonkey.co.com)
            ["Chase Paymentech"]
                (secure-paymentech.co.com)
                (paymentech.co.com)
                (www-paymontech.top)
            ["Moss"]
                (getmoss.co.com)
                (www-getmass.top)
                (www-getmoss.top)
            ["Simmons Bank"]
                (treasury-simmonsbank.co.com)
                (www-simmonsbonk.top)
                (www-simmonsbank.top)
            ["Tipalti"]
                (www-tipalti.co.com)
                (www-tipolti.top)
                (www-tipalti.top)
            ["OFX"]
                (ofx.co.com)
                (ofx-app.co.com)
                (ofx-login.top)
            ["First Horizon Bank"]
                (www-firsthorlzan.top)
                (www-firsthorlzon.top)
                (www-flrstherizen.top)
            ["Mechanics Bank"]
                (www-mechanicsbank.co.com)
                (www-mechonics.top)
            ["BankPlus"]
                (bankplus.co.com)
                (www-bankplus.top)
            ["Payhawk"]
                (payhawk.co.com)
                (www-payhawk.top)
            ["Spendesk"]
                (spendesk.co.com)
                (www-spendesk.top)
            ["Converge"]
                (convergepay.co.com)
                (www-convergapay.top)
            ["Faceit"]
                (face-it.co.com)
            ["BUFF Market"]
                (buff163.co.com)
            ["Skrill"]
                (skrill-app.co.com)
            ["Barclays US"]
                (barclaycerdus.top)
        ))INFRASTRUCTURE((
            {{"AS13335 Cloudflare"}}
                172.67.200.92
                104.21.21.213
                172.67.189.155
                104.21.81.135
                188.114.97.3
                188.114.96.3
                188.114.96.11
                188.114.97.11
                104.21.47.246
                172.67.174.145
                172.67.191.127
                104.21.49.173
                104.21.92.88
                172.67.190.220
                104.21.62.173
                172.67.137.227
                104.21.67.88
                172.67.219.34
            {{"AS36351 IBM Cloud"}}
                169.60.151.233
            {{"AS207567 Intezio Worldwide Limited"}}
                144.31.244.50
            {{"AS210457 Kyonix Networks Limited"}}
                144.31.221.177
        ))REGISTRARS((
            ("耐思尼克国际集团有限公司")
            ("NICENIC INTERNATIONAL GROUP CO., LIMITED")
Phishing Campaign Full Overview (v1)
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'primaryTextColor': '#ffffff', 'primaryBorderColor': '#4f46e5', 'lineColor': '#a5b4fc', 'secondaryColor': '#e0e7ff', 'tertiaryColor': '#eef2ff'}}}%%
flowchart LR
    subgraph BRANDS["TARGET BRANDS"]
        direction TB
        B1["Slash"]
        B2["SkinsMonkey"]
        B3["Chase Paymentech"]
        B4["Moss"]
        B5["Simmons Bank"]
        B6["Tipalti"]
        B7["OFX"]
        B8["First Horizon Bank"]
        B9["Mechanics Bank"]
        B10["BankPlus"]
        B11["Payhawk"]
        B12["Spendesk"]
        B13["Converge"]
        B14["Faceit"]
        B15["BUFF Market"]
        B16["Skrill"]
        B17["Barclays US"]
    end

    subgraph DOMAINS["PHISHING DOMAINS"]
        direction TB
        D1([face-it.co.com])
        D2([buff163.co.com])
        D3([skinsmonkye.com])
        D4([skinsmnky.com])
        D5([skinsmonkey.co.com])
        D6([secure-paymentech.co.com])
        D7([skrill-app.co.com])
        D8([slash-on.co.com])
        D9([join-slash.co.com])
        D10([app-slash.co.com])
        D11([slash-ap.co.com])
        D12([www-slash.co.com])
        D13([getmoss.co.com])
        D14([www-mechanicsbank.co.com])
        D15([treasury-simmonsbank.co.com])
        D16([bankplus.co.com])
        D17([www-tipalti.co.com])
        D18([ofx.co.com])
        D19([ofx-app.co.com])
        D20([payhawk.co.com])
        D21([paymentech.co.com])
        D22([spendesk.co.com])
        D23([www-simmonsbonk.top])
        D24([www-bankplus.top])
        D25([www-tipolti.top])
        D26([www-firsthorlzan.top])
        D27([www-getmass.top])
        D28([ofx-login.top])
        D29([www-simmonsbank.top])
        D30([convergepay.co.com])
        D31([www-payhawk.top])
        D32([www-firsthorlzon.top])
        D33([www-getmoss.top])
        D34([www-paymontech.top])
        D35([www-mechonics.top])
        D36([www-flrstherizen.top])
        D37([www-spendesk.top])
        D38([www-tipalti.top])
        D39([www-convergapay.top])
        D40([barclaycerdus.top])
    end

    subgraph SPACER1[" "]
        direction TB
        S1[ ]
        S2[ ]
    end

    subgraph HOSTING["HOSTING INFRASTRUCTURE"]
        direction TB

        subgraph CF["AS13335 Cloudflare"]
            IP1{{172.67.200.92}}
            IP2{{104.21.21.213}}
            IP3{{172.67.189.155}}
            IP4{{104.21.81.135}}
            IP5{{188.114.97.3}}
            IP6{{188.114.96.3}}
            IP7{{188.114.96.11}}
            IP8{{188.114.97.11}}
            IP9{{104.21.47.246}}
            IP10{{172.67.174.145}}
            IP11{{172.67.191.127}}
            IP12{{104.21.49.173}}
            IP13{{104.21.92.88}}
            IP14{{172.67.190.220}}
            IP15{{104.21.62.173}}
            IP16{{172.67.137.227}}
            IP17{{104.21.67.88}}
            IP18{{172.67.219.34}}
        end

        subgraph NC["AS36351 IBM Cloud"]
            IP19{{169.60.151.233}}
        end

        subgraph LN["AS207567 Intezio Worldwide Limited"]
            IP20{{144.31.244.50}}
        end

        subgraph HO["AS210457 Kyonix Networks Limited"]
            IP21{{144.31.221.177}}
        end
    end

    subgraph SPACER2[" "]
        direction TB
        S3[ ]
        S4[ ]
    end

    subgraph REGISTRARS["REGISTRARS"]
        direction TB
        R1[("耐思尼克国际集团有限公司")]
        R2[("NICENIC INTERNATIONAL GROUP CO., LIMITED")]
    end

    B14 -.-> D1
    B15 -.-> D2
    B2 -.-> D3
    B2 -.-> D4
    B2 -.-> D5
    B3 -.-> D6
    B16 -.-> D7
    B1 -.-> D8
    B1 -.-> D9
    B1 -.-> D10
    B1 -.-> D11
    B1 -.-> D12
    B4 -.-> D13
    B9 -.-> D14
    B5 -.-> D15
    B10 -.-> D16
    B6 -.-> D17
    B7 -.-> D18
    B7 -.-> D19
    B11 -.-> D20
    B3 -.-> D21
    B12 -.-> D22
    B5 -.-> D23
    B10 -.-> D24
    B6 -.-> D25
    B8 -.-> D26
    B4 -.-> D27
    B7 -.-> D28
    B5 -.-> D29
    B13 -.-> D30
    B11 -.-> D31
    B8 -.-> D32
    B4 -.-> D33
    B3 -.-> D34
    B9 -.-> D35
    B8 -.-> D36
    B12 -.-> D37
    B6 -.-> D38
    B13 -.-> D39
    B17 -.-> D40

    D1 --> S1
    S1 --> IP1
    D2 --> S2
    S2 --> IP2

    D2 --> IP3
    D2 --> IP4
    D3 --> IP5
    D3 --> IP6
    D4 --> IP7
    D4 --> IP8
    D5 --> IP8
    D5 --> IP7
    D6 --> IP6
    D6 --> IP5
    D7 --> IP9
    D7 --> IP10
    D8 --> IP11
    D8 --> IP12
    D9 --> IP13
    D9 --> IP14
    D10 --> IP19
    D11 --> IP19
    D12 --> IP19
    D13 --> IP20
    D14 --> IP8
    D14 --> IP7
    D15 --> IP15
    D15 --> IP16
    D16 --> IP20
    D17 --> IP5
    D17 --> IP6
    D18 --> IP21
    D19 --> IP17
    D19 --> IP18
    D20 --> IP6
    D20 --> IP5
    D22 --> IP19
    D23 --> IP20
    D24 --> IP20
    D25 --> IP20
    D26 --> IP20
    D27 --> IP20
    D28 --> IP20
    D30 --> IP20
    D31 --> IP20
    D32 --> IP20
    D34 --> IP20
    D35 --> IP20
    D36 --> IP20
    D37 --> IP20
    D39 --> IP20
    D40 --> IP20

    IP1 --> S3
    S3 --> R1
    IP21 --> S4
    S4 --> R1

    D3 --- R2
    D4 --- R2
    D23 --- R1
    D24 --- R1
    D25 --- R1
    D26 --- R1
    D27 --- R1
    D28 --- R1
    D29 --- R1
    D31 --- R1
    D32 --- R1

    classDef brandStyle fill:#dc2626,stroke:#991b1b,stroke-width:2px,color:#fff
    classDef domainStyle fill:#7c3aed,stroke:#5b21b6,stroke-width:2px,color:#fff
    classDef ipStyle fill:#0891b2,stroke:#0e7490,stroke-width:2px,color:#fff
    classDef registrarStyle fill:#d97706,stroke:#b45309,stroke-width:2px,color:#fff
    classDef invisible fill:none,stroke:none,color:transparent
    classDef invisibleSubgraph fill:none,stroke:none
    class B1,B2,B3,B4,B5,B6,B7,B8,B9,B10,B11,B12,B13,B14,B15,B16,B17 brandStyle
    class D1,D2,D3,D4,D5,D6,D7,D8,D9,D10,D11,D12,D13,D14,D15,D16,D17,D18,D19,D20,D21,D22,D23,D24,D25,D26,D27,D28,D29,D30,D31,D32,D33,D34,D35,D36,D37,D38,D39,D40 domainStyle
    class IP1,IP2,IP3,IP4,IP5,IP6,IP7,IP8,IP9,IP10,IP11,IP12,IP13,IP14,IP15,IP16,IP17,IP18,IP19,IP20,IP21 ipStyle
    class R1,R2 registrarStyle
    class S1,S2,S3,S4 invisible
    class SPACER1,SPACER2 invisibleSubgraph

    linkStyle 40,41,42,43,92,93,94,95 stroke:none
Phishing Campaign Registrars Pie Chart
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title Domain Registrars Distribution
    "耐思尼克国际集团有限公司" : 9
    "NICENIC INTERNATIONAL GROUP CO., LIMITED" : 2
Phishing Campaign ASN Hosting Pie Chart
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#6366f1', 'pieStrokeColor': '#1e1b4b', 'pieStrokeWidth': '2px', 'pieSectionTextColor': '#ffffff', 'pieLegendTextColor': '#1e1b4b', 'pieOuterStrokeColor': '#312e81'}}}%%
pie showData
    title ASN Hosting Distribution
    "AS207567 Intezio Worldwide Limited" : 17
    "AS13335 Cloudflare" : 14
    "AS36351 IBM Cloud" : 4
    "AS210457 Kyonix Networks Limited" : 1

Screenshots

(Screenshots for some scans may not display, or may not contain complete or correct content, for various reasons; the specific scan page shows the reason in each case.)


Scans

  • face-it.co.com - https://urlscan.io/result/019b1da5-f141-700d-8750-04d63c9a817a/
  • buff163.co.com - https://urlscan.io/result/019b1da6-02ee-740b-87fd-981d0278b696/
  • skinsmonkye.com - https://urlscan.io/result/019b1da6-0841-768f-ae18-b0badfcfcd32/
  • skinsmnky.com - https://urlscan.io/result/019b1da6-1103-71d8-be93-2493f46fcb26/
  • skinsmonkey.co.com - https://urlscan.io/result/019b1da6-1672-741a-8418-fc852184bedf/
  • secure-paymentech.co.com - https://urlscan.io/result/019b1da7-059d-76a9-bc05-43e601bcdb64/
  • skrill-app.co.com - https://urlscan.io/result/019b1da7-0b11-77b5-808a-c7c2c279a92f/
  • slash-on.co.com - https://urlscan.io/result/019b1da7-1e27-75ca-af7a-1490543fb055/
  • join-slash.co.com - https://urlscan.io/result/019b1da7-2938-760a-8a72-3272e1bf0364/
  • app-slash.co.com - https://urlscan.io/result/019b1da8-186b-740e-a598-5c97825df626/
  • slash-ap.co.com - https://urlscan.io/result/019b1da8-1dde-7756-b088-e1e14e8abd34/
  • www-slash.co.com - https://urlscan.io/result/019b1da8-2448-723b-9eb1-e5f90575ad1a/
  • getmoss.co.com - https://urlscan.io/result/019b1da8-34a5-740f-923d-251cff9b8737/
  • www-mechanicsbank.co.com - https://urlscan.io/result/019b1da9-1a41-775e-ac53-51ba3ce78e81/
  • treasury-simmonsbank.co.com - https://urlscan.io/result/019b1da9-1f82-76eb-8cc5-1bdd81b401d1/
  • bankplus.co.com - https://urlscan.io/result/019b1da9-2c1c-77ed-8829-93414e91c97a/
  • www-tipalti.co.com - https://urlscan.io/result/019b1da9-3177-751b-acdb-07a38f902fae/
  • ofx.co.com - https://urlscan.io/result/019b1daa-20b0-7581-8a6d-cbbba05aebc1/
  • ofx-app.co.com - https://urlscan.io/result/019b1daa-261a-7025-81da-3b83a7ee2090/
  • payhawk.co.com - https://urlscan.io/result/019b1daa-2b79-764e-8ee3-1f8a31f07c0f/
  • paymentech.co.com - N/A
  • spendesk.co.com - https://urlscan.io/result/019b1dab-2050-768e-bedf-311638d9b6c6/
  • www-simmonsbonk.top - https://urlscan.io/result/019b1dab-2648-741a-b7f8-e643a5256975/
  • www-bankplus.top - https://urlscan.io/result/019b1dab-2c7d-7019-ac31-08f0506520d7/
  • www-tipolti.top - https://urlscan.io/result/019b1dab-3f40-70ef-8359-ff505d07d4d6/
  • www-firsthorlzan.top - https://urlscan.io/result/019b1dac-2df2-751f-9d36-778e7a0d9eac/
  • www-getmass.top - https://urlscan.io/result/019b1dac-3527-768a-872c-922223a32635/
  • ofx-login.top - https://urlscan.io/result/019b1dac-4824-735e-99ed-5bd7d0c4938b/
  • www-simmonsbank.top - N/A
  • convergepay.co.com - https://urlscan.io/result/019b1dad-5f54-724b-aafc-db1564e58ec5/
  • www-payhawk.top - https://urlscan.io/result/019b1dad-64a4-703f-bc66-a9c91faa4f10/
  • www-firsthorlzon.top - https://urlscan.io/result/019b1dad-6b24-77dc-a768-a40acf5a1d84/
  • www-getmoss.top - N/A
  • www-paymontech.top - https://urlscan.io/result/019b1dae-6399-7687-beb9-25f8b1c2a97a/
  • www-mechonics.top - https://urlscan.io/result/019b1dae-77bf-7602-afc5-880ad0c9405a/
  • www-flrstherizen.top - https://urlscan.io/result/019b1dae-824a-71d9-ab90-727aaa60a926/
  • www-spendesk.top - https://urlscan.io/result/019b1dae-8789-7229-b01d-9afdc1baf2b4/
  • www-tipalti.top - N/A
  • www-convergapay.top - https://urlscan.io/result/019b1daf-86b9-70f3-8774-e17ed62d902e/
  • barclaycerdus.top - https://urlscan.io/result/019b1daf-77bb-7178-bf68-153b210d4e30/

Report Metadata ID: 3a618a427d4b9497d50 | Timestamp: 14.12.2025 17:13:56 UTC | Domains: 40 | (Total) Detections: VT: 120 | Spamhaus: 36 | APVA: 9 | Attack Vector: Phishing

ninjacatcher, Dec 14 '25 17:12