Google is evil (continued from https://infosec.exchange/@ErikvanStraten/113737891651336874).
The websites are (or were) also hosted on servers from other hosting companies, mostly in Russia. That's where this wave seems to have begun; an often-seen domain name is (2/94) "0010001e·com". The last entry under "Passive DNS Replication (120)" points to https://www.virustotal.com/gui/ip-address/158.160.12.99/summary, a Yandex server that "0010001e·com" pointed to on 2024-05-25, along with the following domain names on that same date:
Note: after longer inactivity of a website with a specific domain name, the number of virus scanners that detect it decreases over time (to reduce the size of the detection database they distribute).
The last domain name mentioned (cdnincome2024·com) was first "seen" on 2024-05-10 and, on that date, referred to 45·8·96·217 (also a Russian server).
Other domains include:
Postal services related ("package scams"):
Bank related:
Other:
Various older sites, possibly no longer active:
#Google #Evil #GoogleIsEvil #BigTech #Profits #Cybercrime #Phishing #GoogleFacilitatesCybercrime