Are you getting text messages about winning prizes at Amazon?
I got one today with the following text from a VOIP-to-SMS number: 1 (410) 200-910
The text was:
"FRM: You have a New Amazon Reward! MSG: http://dmkr3h.com/njngyw"
I threw up a Virtual Machine to check the destination, and got a meaningless echo of the domain name:
Odd. Clicking on the watch takes me to a site for a free Tactical Flashlight. Oh well. The point of this exercise is to feed some of my spam traps anyway. We'll give them one of our spam trap email addresses just to see what they begin spamming to me.
Many of these domains are proven to be interchangeable, as long as your user agent is right. Pasting the "path/file/parameters" from one site to another of the same type usually works.
Conclusion? Don't think I'm going to get my Amazon Prize. Darn.
I got one today with the following text from a VOIP-to-SMS number: 1 (410) 200-910
The text was:
"FRM: You have a New Amazon Reward! MSG: http://dmkr3h.com/njngyw"
I threw up a Virtual Machine to check the destination, and got a meaningless echo of the domain name:
The problem, of course, was that they knew I was supposed to be on a cell phone, since they sent me an SMS. No problem. Let's make my Windows Chrome Browser a Cell Phone:
Ok. Now I'm a Firefox browser on an Android Mobile phone. Let's try again. Much better! The CloudFlare hosted "dmkr3h" now forwards me to "simple-clubs.com" which is a CNAME alias to "seempts-explegal[.]com (35.169.148.30) " which passes my origin and affiliate data to chargingmilkshop[.]com (51.75.46.9), which forwards me to "winopinions[.]com (51.75.46.11)" which shows me this!
Before I take my Survey, I hit my "Back" button, just to see what happens, because often there are traps about such things. Sure enough, hitting the "Back" took me to an ad totally unrelated to my Amazon Prize:
As much as I'd like to be Ketogenically Accelerated, I decided to go back to my original URL from the phone. This time I landed at "ZoneOpinions[.]com" instead of WinOpinions, but since I was still on the same IP address, I decided to keep going and take the survey this time. Here are my five Survey Questions:
OK, now for the excitement! My big Amazon Reward is about to be revealed, right?
Hmmm... do I want a larger penis, a flatter belly, or a $780 watch? I think I'll take the $780 watch, since its free and all ...
Each time I click "Claim Reward" I get sent through a "1592track[.]com" redirector:
Which then forwards me to one of its randomly selected possible fulfillment domains ...
 |
| getemergencygear[.]com |
 |
| I wonder if ClickBank is complicit in these scams? |
Since I'm not actually going to give them my credit card information, I'll see whether I get the same spam by submitting my address info for CBD Oil and Male Enhancement anyway. Where do those clicks take me?
tryhealthoffer [.] com
(a closer look at the Affiliate ID = 600080)
healthchoicev2 [.]com selling Primacin XL
I saved which Spam Trap email I fed to each of the sites above. If I start getting spam on them (none of them have existed before an hour ago and have never received any message prior to being fed to these sites) I'll do a follow-up post.
While trying to decide if this is something to share with my friends at the Federal Trade Commission, I decided to check what country these domains are hosted in ... Poland ...
 |
| ipinfo.io/51.75.46.9 ==> OVH SAS in Poland. |
According to the very useful tool at RiskIQ, it looks like 77 new domains stood up on this IP address about two days ago:
 |
| https://community.riskiq.com/search/51.75.46.9 |
We went ahead and exported that list so we could save a record of what other domains were there. Looks like there are MANY alternative domains for doing the same sort of things ...
| resolve | firstSeen | lastSeen |
| actionopinion.com | 5/30/2019 | 5/31/2019 |
| airopinions.com | 5/30/2019 | 5/31/2019 |
| alertandfocusednow.com | 5/30/2019 | 5/31/2019 |
| alertandsharp.com | 5/30/2019 | 5/31/2019 |
| blazingtea.com | 5/30/2019 | 5/31/2019 |
| brainexpandnow.com | 5/30/2019 | 5/31/2019 |
| brainexpandtoday.com | 5/30/2019 | 5/31/2019 |
| brainexpandtonight.com | 5/30/2019 | 5/31/2019 |
| cellopinion.com | 5/29/2019 | 5/31/2019 |
| centeropinion.com | 5/30/2019 | 5/31/2019 |
| chargingmilkshake.com | 5/30/2019 | 6/1/2019 |
| companyopinions.com | 5/30/2019 | 5/31/2019 |
| connectexclusive.com | 5/25/2019 | 5/31/2019 |
| corpprogram.com | 5/30/2019 | 5/31/2019 |
| dataopinions.com | 5/30/2019 | 5/31/2019 |
| dreamopinions.com | 5/30/2019 | 6/1/2019 |
| exclusivetrendingreport.com | 5/25/2019 | 5/31/2019 |
| fitketonow.com | 5/30/2019 | 5/31/2019 |
| fitketotoday.com | 5/30/2019 | 5/31/2019 |
| fullyhardagain.com | 5/30/2019 | 5/31/2019 |
| fullyhardtonight.com | 5/30/2019 | 5/31/2019 |
| hardandlongagain.com | 5/30/2019 | 5/31/2019 |
| hardandlonger.com | 5/30/2019 | 5/31/2019 |
| hotbreakingreports.com | 5/30/2019 | 5/31/2019 |
| hotnewstonight.com | 5/30/2019 | 5/31/2019 |
| hotviralreports.com | 5/30/2019 | 5/31/2019 |
| latestbreakingreport.com | 5/30/2019 | 5/31/2019 |
| latestviralreport.com | 5/30/2019 | 5/31/2019 |
| learningopinion.com | 5/30/2019 | 5/31/2019 |
| lineprogram.com | 5/30/2019 | 5/31/2019 |
| linkopinions.com | 5/30/2019 | 5/31/2019 |
| linksprogram.com | 5/30/2019 | 5/31/2019 |
| longandhardagain.com | 5/30/2019 | 5/31/2019 |
| longandhardtonight.com | 5/30/2019 | 5/31/2019 |
| longerhardernow.com | 5/30/2019 | 5/31/2019 |
| lookprogram.com | 5/30/2019 | 5/31/2019 |
| lumberingsoda.com | 5/30/2019 | 5/31/2019 |
| magicopinions.com | 5/30/2019 | 5/31/2019 |
| matchopinion.com | 5/30/2019 | 5/31/2019 |
| maxopinions.com | 5/30/2019 | 5/31/2019 |
| mindexpandnow.com | 5/30/2019 | 5/31/2019 |
| monsterprogram.com | 5/30/2019 | 5/31/2019 |
| newbreakingreport.com | 5/30/2019 | 5/31/2019 |
| newbreakingreports.com | 5/30/2019 | 5/31/2019 |
| newtrendingreport.com | 5/30/2019 | 5/31/2019 |
| newtrendingreports.com | 5/30/2019 | 5/31/2019 |
| newviralreport.com | 5/29/2019 | 5/31/2019 |
| portalopinion.com | 5/30/2019 | 5/31/2019 |
| projectopinions.com | 5/30/2019 | 5/31/2019 |
| romanwatermelon.com | 5/25/2019 | 5/31/2019 |
| rushingcoffee.com | 5/30/2019 | 5/31/2019 |
| saveopinion.com | 5/30/2019 | 5/31/2019 |
| shesreadytonight.com | 5/30/2019 | 5/31/2019 |
| shoppingopinions.com | 5/30/2019 | 5/31/2019 |
| slimketonow.com | 5/30/2019 | 5/31/2019 |
| slimketotoday.com | 5/30/2019 | 5/31/2019 |
| slimketotonight.com | 5/30/2019 | 5/31/2019 |
| slowseltzer.com | 5/30/2019 | 5/31/2019 |
| sluggishjuice.com | 5/29/2019 | 5/31/2019 |
| sprintingspirits.com | 5/30/2019 | 5/31/2019 |
| swiftespresso.com | 5/30/2019 | 5/31/2019 |
| teamopinions.com | 5/30/2019 | 5/31/2019 |
| thenewstrends.com | 5/30/2019 | 5/31/2019 |
| tightketonow.com | 5/30/2019 | 5/31/2019 |
| tightketotoday.com | 5/30/2019 | 5/31/2019 |
| tightketotonight.com | 5/30/2019 | 5/31/2019 |
| todaysbreakingstory.com | 5/25/2019 | 5/31/2019 |
| tonightsbreakingstory.com | 5/25/2019 | 5/31/2019 |
| totalbreakingnews.com | 5/30/2019 | 5/31/2019 |
| touchopinion.com | 5/30/2019 | 5/31/2019 |
| trendstonight.com | 5/30/2019 | 5/31/2019 |
| whirlingmilk.com | 5/30/2019 | 5/31/2019 |
| winopinions.com | 5/30/2019 | 6/1/2019 |
| yournewsbreaks.com | 5/30/2019 | 5/31/2019 |
| yournewstrends.com | 5/30/2019 | 5/31/2019 |
| zoneopinions.com | 5/30/2019 | 5/31/2019 |
| zoomingcider.com | 5/30/2019 | 5/31/2019 |
Posts
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.