The irony scam - Those responsible for this - New scam method -Investigation part 2

By GranRethory | GranRethory | 28 May 2019


You can see the first part of this research at the following link

https://www.publish0x.com/granrethory/the-irony-scam-new-scam-method-english-version-xjmeew?a=JxboQ8Xegw


Hello people, I come to bring you the second part of the irony scam...

I would like to tell you that GranRethory, me, your humble servant, has achieved it once again.

It turns out that the investigation continues, and can't you guess where it leads?

Simply to put a NAME AND SURNAME to the ringleaders of this scam.

Those responsible for planning, launching and executing this scam are a group dedicated to computer security and programming.

The investigation started, first and foremost, by looking for the IP of one of the sites where the scam is hosted.

I proceeded to open a CMD terminal in Windows and pinged one of their scam sites.



Take mcxchange.co as an example.
I did it in the following way: ping mcxchange.co, which immediately returned the IP 160.153.133.158



Then, with the IP, I decided to search and see if it was linked to any other site, or if it had been reported, or things like that.
The idea itself was to start compiling information.
For that I went again to the great friend of every idiot behind a computer (like me) and made the search in the following way:

ip 160.153.133.158

This search returned some results, but I focused on one of the few that actually returned a domain different from the one I was looking for,

and I came across a domain like this: tagotrader.co.il


Looking up tagotrader.co.il at https://www.yougetsignal.com/tools/web-sites-on-web-server/
we ran into the mcxchange.co domain again.
Obviously, all these domains are on the same server (this starts to get very nice).


and evidently there THIS TRAIL is lost, but I continued with the investigation anyway.
I remembered that in the first part of this investigation (see: https://www.publish0x.com/granrethory/the-irony-scam-new-scam-method-english-version-xjmeew?a=JxboQ8Xegw),
as a final note I had added other sites that were IDENTICAL, which made me suspect that they were the same person, since I also searched for the source code
of the script used and never found it (and what I look for, I always find).

I leave a capture of the notes of the first Post:

As you will now see in the edit (I know I am very bad with graphics and this could not be called "editing"), I have highlighted the links "WITH JUICE" in red.

Coincidentally, in Google searches, those fake exchange links predate the mcxchange.co scam;
you see that they have burned those domains and well ... in short, they mostly point to a certificate with the UK extension (cmbank.uk).

But enough nonsense, I continue.

I continue with the investigation ... then looking through yougetsignal to see where the previous domains (cmbank.ltd and mvcwall.com) led me,
I realized that mvcwall.com was not really the same scammers, since it was only HTML and did not have any functionality.
Then I continue with cmbank.ltd


And there I find the juicy part ...
I find the following domains:

cmbank.co <- down
cmbank.ltd
cmbank.uk
cyberastra.com
marketcoinvault.com
mcvault.co <- index, empty


Then, seeing this, I reviewed the domains one by one, and all were exactly identical or analogous, besides being the same script.


But the only site that had nothing to do with it (or rather, it does), or at least was not identical to the others, is ... "cyberastra.com"


Then ... resorting to pure logic: many IDENTICAL scam sites and a single different site, and a "computer security" one at that,
on the same server ... isn't that too much of a "coincidence"?

Well no, my dear, this is not accidental, it is completely CAUSAL.
That's when I understood why the scam currently running on mcxchange.co was on another server, and I understood why the latest one was more exploited
than the previous ones ...

These people simply realized that silly mistake and migrated the scam server, but never remembered that they should erase the previous trace.


To continue with an explanation of part of why it succeeds, I'll make a section break and move on to another line of research ...


In principle, when I reviewed the source code of the phone websites, I realized that at the end of everything they had added links to
some bitcoin or blockchain-related forums and some supposed references to other FAKE websites to give credibility.
I realized that they were false for the following reasons:
1) all of them were using the same CMS
2) when registering to comment on the exchange, it sent a password to my email and I was logged in, but when I tried to comment, it always appeared offline ...

Below are captures of http://phone-search.pw, one of the many sites that point to mcxchange.co ...
specifically from the link http://phone-search.pw/99890/EDL70G.php


Looking a bit at the code from the console:

Then I determined the real sites and then the false ones

TRUE:
https://bitcointalk.org/index.php?topic=5146890
https://www.reddit.com/r/Bitcoin/comments/bsfffv/btc_wallet_error/

End of the list hahahaha

FALSE (mounted to give credibility to the scam and improve the position in search engines):

First group:


http://tokentops.icu/r/rv1/crypto-coin-exchange
http://coinclarity.pw/r/rv2/crypto-coin-exchange
http://cryptofrontline.pw/r/rv3/crypto-coin-exchange
http://bitrates.pw/r/rv4/crypto-coin-exchange
http://abitgreedy.xyz/r/rv5/crypto-coin-exchange
http://bitreview.icu/r/rv6/crypto-coin-exchange
http://btcbestbuy.icu/r/rv7/crypto-coin-exchange

Second group:


http://aqoxhep.xyz/bitcoin-discussions.php
http://bielbers.icu/blockonomics-plugin-error.php
http://boyking.xyz/help-with-wordpress-bugs.php
http://catskills.icu/malfunctioning-btc-tools.php
http://coopastay.icu/password-leaking-bug-blockonomics.php
http://copy-tay.xyz/wallet-error-with-wp-plugin.php
http://daxzip.icu/what-is-wallet-error-408.php
http://dollomyte.xyz/wordpress-malware-update.php
http://errap.xyz/wordpress-plugin-error.php
http://fakety.icu/wordpress-plugin-error-loconomics.php


Note that in the first group all have "/r/rv7/crypto-coin-exchange" as part of their URL,
and in the second group they all simply have the "php" extension.

I have not arranged this myself; I copied it as is, respecting the order in which they are arranged.
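As an added example (not code from this post), a small Python script that does offline what the post does by hand: it groups domains by the address they resolve to, the reverse-IP pivot used above, and flags review URLs that follow the numbered "/r/rv<N>/crypto-coin-exchange" template. The domains, addresses and URLs are constructed sample data, not values from the investigation.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data (not from the post): domain -> resolved IPv4 address.
# 192.0.2.0/24 is a documentation range, so nothing here resolves for real.
SAMPLE_RESOLUTIONS = {
    "exchange-a.example": "192.0.2.10",
    "trader-b.example": "192.0.2.10",
    "security-firm.example": "192.0.2.10",
    "unrelated-blog.example": "192.0.2.20",
    "other-shop.example": "192.0.2.20",
}

# Constructed "review" URLs imitating the numbered paths listed in the post.
SAMPLE_REVIEW_URLS = [
    "http://review-one.example/r/rv1/crypto-coin-exchange",
    "http://review-two.example/r/rv2/crypto-coin-exchange",
    "http://forum.example/t/wallet-question",
]

# One template, many hostnames: the path only varies in the rv<N> counter.
TEMPLATED_PATH = re.compile(r"^/r/rv\d+/crypto-coin-exchange$")


def cluster_by_ip(resolutions):
    """Group domains by the address they resolve to (the reverse-IP pivot)."""
    clusters = defaultdict(set)
    for domain, ip in resolutions.items():
        clusters[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in clusters.items()}


def cohosted_with(domain, resolutions):
    """Other domains sharing an address with `domain`.

    Treat the result as a lead to verify, not proof of one operator:
    ordinary shared hosting puts unrelated sites on the same address.
    """
    ip = resolutions.get(domain)
    if ip is None:
        return []
    return sorted(d for d, i in resolutions.items() if i == ip and d != domain)


def templated_review_urls(urls):
    """Return the URLs whose path matches the /r/rv<N>/crypto-coin-exchange template."""
    return [u for u in urls if TEMPLATED_PATH.match(urlparse(u).path)]
```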

 

Updated list of some of the telephone sites planted as BAIT

All show "Under Contruction" as the title at their root,
and "Under Construction This page is currently under contruction." as the content.


http://number-id.xyz/3145/UR8D3Z.php
http://phone-id-register.host/5939/TIPYZF.php
http://dial-uncover.host/44774/0MEK7R.php
http://xphone-look-up.pw/3495/5RWODF.php
http://dial-show.xyz/44229/UC0RYG.php
http://caller-look-up.pw/90372/FIE6DJ.php
http://phone-search.pw/99893/Z4YL0F.php
http://caller-book.host/23354/HX4HEE.php
http://caller-register.xyz/4473/GJNT5I.php
http://caller-idx.space/1508/WC0TV5.php
http://dial-uncover.xyz/49331/KWT6I4.php
http://call-register.host/2011/HUFF6R.php
http://dial-show.pw/44191/OCQJVA.php
http://caller-id.site/234701/56K9GY.php
http://phone-register.host/88019/4UA0CI.php


Now then, going back to the subject of knowing who is responsible ...


They are on cyberastra.com's own page, specifically at http://cyberastra.com/#team


Their names? (I do not guarantee that they are real)

Harshita Bhambhani
Lead Digital Marketer
Facebook https://www.facebook.com/bhambhani.harshita
Linkedin https://www.linkedin.com/in/harshita-bhambhani-5a024593/


Manmohan Chauhan
Cyber Security Researcher & Programmer
Facebook https://www.facebook.com/manmohan.s.chauhan.5
Linkedin https://www.linkedin.com/in/techfreakit/



Narendra Singh
Facebook https://www.facebook.com/nnnwithnnn
Linkedin https://www.linkedin.com/in/narendraa-singh/

Twitter (I'm not sure if it's him, but it seems so) https://twitter.com/ycubed

In addition, the Twitter handle is "ycubed"; in the forums it has been published as "ycubed10", and the Twitter account is also a programmer ...



Screenshot Bitcointalk




Screenshot Reddit




Capture Twitter



Comparison Twitter and WEB cyberastra.com



Additional data on the "company"

https://github.com/cyberastra/cablog

mohan.2kit@gmail.com

https://twitter.com/CyberAstra


https://www.facebook.com/cyberastra/


https://www.linkedin.com/in/cyberastra-924914171/


https://www.instagram.com/cyberastra.official/


https://www.youtube.com/channel/UCLqgDVhlCfeW8yQeFuZPUHQ

Conclusion

I take it for granted that they are really implicated in and responsible for this scam:
first, all the arrows and digital fingerprints point
towards their servers and towards them; on that server there are only fraudulent sites and their business website ...
Evidently they are the owners of that server or VPS.

On the other hand, the short conversation I had with someone from that "company" left a lot to be desired ...

I initially tried to persuade them by telling them that I wanted to reach a "silly agreement", which I did not specify; my initial idea was
to go round and round to extract information, but they read it and did not respond. Then I threatened them, and they only told me
"Do not try, this will not work with us"


They have not even bothered to deny it, and after I sent the evidence they have not paid attention either;

that tells me that I am right.

Note 1: To prevent them from deleting part of the information from the network and it being lost, I have saved their LinkedIn profiles in a zip file, in case they are removed.
You can download them from the following links:

http://s000.tinyupload.com/index.php?file_id=55903889291630694666

http://www.yourfilelink.com/get.php?fid=2025132

https://www.filehosting.org/file/details/802881/scammers.zip

 

Note 2: You, as a good human being, can help me report each of these sites so they are banned, suspended or marked as risky by Safe Browsing,
and thus prevent them from continuing to steal.

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=es-419

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en-419

https://safebrowsing.google.com/safebrowsing/report_badware/?hl=es

 

Note 3: I love to investigate, I am curious, I like to go beyond things; sometimes I poke around in sites of a strange nature, or I try to unmask scams.

If you suspect a site, do not hesitate to leave me a comment; I will gladly investigate and try to get to the truth.

Again, do not hesitate to ask me.


Regards!

 

Update, Part 3:

https://www.publish0x.com/granrethory/the-irony-scam-new-scam-method-investigation-part-3-suspended-domains-xgppqm
