Another day, another email trying to convince me to withdraw some crypto which I don't own. At first I thought I would be in and out, foiling an amateur scam artist, but this quickly evolved into a deep investigation. Let's have a look at the initial email.
Something doesn't add up here. The email is trying to reset my password? Let's investigate relatyv.com. A quick look at the site reveals that it is a simple WordPress site, and we are able to reset our password for an account we never made.
Hmmmm. Wait a minute, this site doesn't have any email verification when you make an account. Aha! So the scammers are probably using a script, signing people up for an account and setting the display name to be their phishing site. OK, let's investigate this.
The scammers initially are using Blogspot as a redirector. Immediately when we visit the site we are greeted with some JavaScript to redirect our browser.
But wait on a minute. Blogspot is owned by Google, surely we can report abuse. You are correct. If we remove the script entirely then we can start to dig up more information about the scammer's Blogspot profile.
Let's look a little further into this person's profile.
Woooah! This person looks busy writing all these empty blogs! Some of these blog sites redirect to suspicious sites like "my02000isreal[dot]space" or "minbic090[dot]shop", but the majority of these blog sites redirect to the same location: get188[dot]info. A quick search of this site reveals that it probably is a redirector or filterer of some kind. Probably helps with avoiding automated scans. This notion is supported as my Burp session no longer works after I start... uh... "probing" the website.
Unsurprisingly, the ASN hosting this redirector has a bad reputation. Most recently the Internet Weather Report added it to their watch list.
Time to send an abuse complaint to publicdomainregistry.
OK so let's recap this scheme so far.
The scammers use a script to automate signing up accounts on relatyv[dot]com and then mass send password reset requests in order to send the initial emails to the victims.
The initial link leads to Blogspot, a Google-owned company. This is probably to avoid trivial link scanning, but any scanner worth its salt is going to follow the redirect.
Blogspot redirects using window.location to get188[dot]info.
get188[dot]info filters and rate limits incoming traffic. Probably an attempt at thwarting analysis.
So what does get188[dot]info actually do? It redirects to another website, but this one is the real deal. We finally land on the phishing site!
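When pulling apart a chain like this it helps to extract redirect targets from a page body offline instead of letting a browser follow them. The following is an added example, not code from the original post: it pulls JavaScript `window.location`-style redirects and `<meta http-equiv="refresh">` targets out of HTML and defangs them in the same [dot] style used above. The sample page is constructed; the domain in it is the one named in the post.

```python
import re
from html.parser import HTMLParser

# JavaScript redirect forms seen on throwaway landing pages:
# window.location = "...", window.location.href = "...",
# location.replace("..."), location.assign("...").
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*
        (?:=\s*|\.(?:replace|assign)\s*\(\s*)
        (['"])(?P<url>[^'"]+)\1""",
    re.IGNORECASE | re.VERBOSE,
)


class _MetaRefresh(HTMLParser):
    """Collect targets of <meta http-equiv="refresh" content="N;url=...">."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1).strip())


def extract_redirects(html: str) -> list:
    """Return every redirect target found in a page body: script hops first, then meta refresh."""
    found = [m.group("url") for m in _JS_REDIRECT.finditer(html)]
    parser = _MetaRefresh()
    parser.feed(html)
    return found + parser.targets


def defang(url: str) -> str:
    """Neutralise a URL for reporting (hxxp, [dot]) so it is not clickable in a write-up."""
    return url.replace("http", "hxxp").replace(".", "[dot]")


# Constructed sample modelled on the Blogspot redirector described in the post.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=https://example-backup.test/go">
<script>window.location.href = "https://get188.info/?id=123";</script>
</head><body>nothing here</body></html>"""

if __name__ == "__main__":
    for hop in extract_redirects(SAMPLE_HTML):
        print(defang(hop))
```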
Let's Investigate!
NICENIC! WE MEET AGAIN!!! Anyways, doing some research reveals that this geropoless.cc used to be a site which sold proxy services, but somewhere along the timeline of 2025 the site was converted into this phishing site. There's also another website being run on the server, which is also interesting. It would be cool to do something about the phishing site though. OK so let's do some more digging. Searching through weblinks I stumbled across this.
HUH? What's this Cryptodadsignals[dot]space, and it uses the same publicdomainregistry registrar. Coincidence? Probably not. Regardless, some simple web enumeration revealed that the scammer left his server directory exposed. Ruh Roh!
WOOOOAAAHH THE SOURCE CODE!? I'm definitely leaking this to my Github.
OK so let's dig deeper. Going to /cgi-sys/ reveals an interesting error page.
Clicking on the link leads us to a help page for iFastNet, a cloud hosting provider. Looking up the IP of the cryptodadsignals[dot]space website reveals that the site could be proxied, though.
Hmmm anything else? Well, going through the source code on the index page I found an interesting PDF detailing "Making money on Instagram" and of course it was all in Russian.
Another thing of interest was that the source code also had references to www.coinpilot.co[dot]uk.
Unfortunately the website is now defunct, but it has left some impressions on the internet. You can look up the website on the Wayback Machine, and Google's cache also has a bit of information.
OK surely we are done untangling this web of scams right?
WRONG! Cryptodadsignals[dot]space had a specific web app running which I had never seen before.
I've never seen this springsoft IT Auto Installer before. Searching for keywords related to the installer reveals more scam websites which haven't been set up yet.
WTF! That's a lot of scam sites! How can this be?
If there is one thing that we know about scammers, it's that a lot of them are not as tech savvy as you think, and that they like to use other people's work. The chances are REALLY good that this bitcoin scamming site is a piece of software that's shared around with scammers everywhere. One notion that supports this is the fact that some of these installer pages have a "NULLED by raz0r" label plastered at the bottom of the installer page. Doing a quick search you can find this raz0r fella chilling on a forum and distributing cracked WordPress resources.
So, the chances are that a lot of these sites have nothing to do with each other, and it is just a bunch of unrelated scammers doing scamming. I think that I can wrap it up here. Stay safe on the internet folks.