Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Re: [20BTC bounty] Bitcointalk phishing site, max para.vn , impersonation scammer
by
0nc3forg0tt3n
on 09/07/2018, 04:55:21 UTC
Quote from: TradeFortress on July 09, 2018, 04:33:02 AM
Quote from: 0nc3forg0tt3n on July 09, 2018, 04:24:19 AM
Quote from: Quickseller on July 09, 2018, 04:08:50 AM
Quote from: 0nc3forg0tt3n on July 09, 2018, 03:47:13 AM
If you google the domain it looks like it was compromised by some guy who owns the instagram account mwr and goes by 'SLNTAR' as seen in a mirror of the website from May 18 2018. It looks like the owner of the website has regained control but it's possible the website is still under the attackers control.

Considering that the domain is still being used as a phishing site to steal login credentials, I would say whoever currently is in control of the domain is the culprit.
I wouldn't overestimate the technological ability of random Vietnamese business owners. It is highly likely that: a.) they are technologically uninclined b.) started the website for their business legitimately as they still list it on their Facebook page to this day even though it's not currently in use

They probably were using a vulnerable version of some publicly available software  which then allowed someone to upload a shell to the website. The owner then likely probably set the entire website to the current default page as a remedy to the problem. If the vulnerable software in question was something like an online store to sell their kitchen hardware, they could have deleted that but the shell could have given them SSH access to the entire system or worse. The alternative is the website could have been vulnerable to some other remote exploit due to outdated server software which would mean the attackers still got SSH access and owned the server.

By your logic, a bunch of Vietnamese kitchen hardware dealers (who own a physical building apparently???) are using their own website which was hacked at least once before to scam people. The business is registered in Vietnam and it's listed on their Facebook page and on the domain registration so I think it'd be a little dumb for them to use that as a platform if the culprit was they themselves.


The phishing pages aren't extremely sophisticated but by the looks of it they were probably created from scratch or using a program and the ICO page has an advanced mechanism that a.) only allows 1 registration per IP to prohibit bot spamming or the like and b.) requires passwords of 8 characters. The website also uses fairly good English and punctuation which it is evident the owner of the website or whoever is operating their social media does not have.

The person who executed the scam seems technologically savvy and is at least familiar with the English language which it doesn't appear the people at Maxpara are. All evidence points to the website being used by external people to run their scam to avoid getting caught. Someone who is smart enough to code their own phishing page that shows a relative familiarity with computer programming probably isn't using their own domain name with no whois protection to run a scam. It'd be funny if it actually was Vietnamese kitchen dealers but unfortunately if it's probably not

Quoting this post, 0nc3forg0tt3n had also pretended to be another CL user so they may be related, or they may be another person.

In any case, the email communications of the maxpara phisher did not demonstrate solid English. English is definitely a very second language for them; there is no reason for them to use broken english while trying to pretend to be me and communicate with a CL user.
I am not related but it goes to show how many people are hustling on this forum and how careful you have to be.

I didn't read the emails you uploaded, I was only going off what I knew from examining their website.


Interestingly enough, the website was compromised by SLNTAR on May 16th (or the 18th I can't recall what the mirror date was and I cba to look again) and on May 28th the domain was being used to scam Bitcointalk users. Again though, SLNTAR appears to be using automated methods so it's possible multiple people were able to gain a foothold into the website. SLNTAR doesn't appear to have a good grasp on the English language and (his instagram is in arabic).

There's publicly available information to contact the company who owns the domain to the website and assumingly the server. If you can contact them, theoretically you could get the logs and locate the person who uploaded the shell/compromised the server. The language barrier might be an issue but their cooperation is probably your best bet here

The best avenue besides that for you to take would be Blockchain analysis. It's a long shot but there's always a possibility of something coming up.

If the victims of the scam were able to provide additional information on the perpetrator/copies of emails (with metadata as to see what server the spoofed emails are coming from -- are they coming from a public service or a private server? It's a good question and if it's a private server then you have a good lead there. received that'd also be useful.

edit: also didn't read your response before posting but no problem lol it's kind of like a puzzle to be solved and puzzles are exciting

In response to Quickseller, it's possible that they just switched to the new website because the old one was defaced and they didn't know how to fix the vulnerability or whatever so they switched domains/hosts to alleviate the problem. I didn't check the registry but the odds are that they still own the domain and the server that hosts it as the IP of the website is the same as it was when it was mirrored on May 18th. I'll check later though