You can see the first part of this research at the following link.
Hello people, I come to post the second part of the irony scam...
I would like to tell you that GranRethory, yours truly, has done it once again.
It turns out that the investigation continues, and can you guess where it leads?
Simply to put a FIRST NAME AND LAST NAME to the ringleaders of this scam.
Those responsible for designing, launching and executing this scam are a group dedicated to computer security and programming.
The investigation started, first and foremost, by looking for the IP of one of the sites where the scam is hosted.
I proceeded to open a CMD terminal in Windows and pinged one of their scam sites.
Take mcxchange.co as an example.
I did it in the following way: ping mcxchange.co, which immediately returned the IP 126.96.36.199
Then, with the IP, I decided to search and see if it was linked to any other site, whether it had been reported, and things like that.
The idea was to start gathering information.
For that I again went to the great friend of every idiot behind a computer (like me) and searched in the following way:
This search returned some results, but I focused on one of the few that actually returned a domain different from the one I was looking for,
and that is how I came across the domain tagotrader.co.il
Looking up tagotrader.co.il at https://www.yougetsignal.com/tools/web-sites-on-web-server/
we ran into the mcxchange.co domain again.
Obviously, all these domains are on the same server (this is starting to get very nice),
and evidently THIS TRAIL is lost there, but I continued with the investigation anyway.
I remembered that in the first part of this investigation (see: https://www.publish0x.com/granrethory/the-irony-scam-new-scam-method-english-version-xjmeew?a=JxboQ8Xegw),
as a final note I had added other sites that were IDENTICAL, which made me suspect that they were the same person, since I also searched for the source code
of the script used and never found it (and what I look for, I always find).
I leave a screenshot of the notes from the first post:
As you will now see in the edit (I know I am very bad with graphics and it could hardly be called "editing"), I have highlighted the "JUICY" links in red.
Coincidentally, in Google searches, those fake exchange links predate the mcxchange.co scam;
you can see that they have burned those domains and, well... in short, they mostly point to a certificate with the .uk extension (cmbank.uk).
But enough nonsense, I continue.
I continued the investigation, looking through yougetsignal to see where the previous domains led me (cmbank.ltd and mvcwall.com).
I realized that mvcwall.com was not really the same scammers, since it was only HTML and had no functionality.
Then I continued with cmbank.ltd,
and there I found the juicy part...
I find the following domains:
cmbank.co <- down
mcvault.co <- empty index
Seeing this, I reviewed the domains one by one, and all were identical or closely analogous, besides using the same script.
But the only site that had nothing to do with it (or rather, did), or at least was not identical to the others, is... "cyberastra.com"
So... resorting to pure logic: many IDENTICAL scam sites and a single different site, a "computer security" one on top of that,
on the same server... isn't that too much of a "coincidence"?
Well no, my dears, this is not accidental, it is completely CAUSAL.
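The pivot described above (domain to IP, IP to co-hosted domains, then the odd one out on a shared server) is a standard infrastructure-correlation step in scam and phishing investigations. The following script is an added example, not the author's tooling, and works offline on constructed passive-DNS style records (the `.test` domains, the reserved 203.0.113.x and 198.51.100.x addresses and the `FINGERPRINTS` map are all hypothetical sample data). It generalizes the post's manual lookups into a bounded breadth-first pivot plus a majority-fingerprint check that surfaces the one site on a cluster that does not share the common script.

```python
from collections import defaultdict, deque

# Constructed passive-DNS style records (domain, ip). Sample data, not real:
# the .test TLD and the 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation.
RECORDS = [
    ("scam-exchange-a.test", "203.0.113.10"),
    ("trader-b.test",        "203.0.113.10"),
    ("bank-c.test",          "203.0.113.10"),
    ("bank-c.test",          "203.0.113.20"),  # same domain seen on a second server: bridges two hosts
    ("vault-d.test",         "203.0.113.20"),
    ("secfirm.test",         "203.0.113.20"),
    ("static-brochure.test", "198.51.100.5"),
]

# Constructed page fingerprints (for example a hash of the served script); hypothetical values.
FINGERPRINTS = {
    "scam-exchange-a.test": "script-v1",
    "trader-b.test":        "script-v1",
    "bank-c.test":          "script-v1",
    "vault-d.test":         "script-v1",
    "secfirm.test":         "corp-site",
}


def build_index(records):
    """Return (domain -> {ips}, ip -> {domains}) so reverse-IP lookups are a dict access."""
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot(seed, records, max_hops=None):
    """Breadth-first pivot: seed domain -> its IPs -> co-hosted domains -> their IPs -> ...
    Returns {domain: hops from seed}. max_hops bounds how far shared hosting is followed,
    which matters on shared hosters where one IP can carry thousands of unrelated sites."""
    by_domain, by_ip = build_index(records)
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hops = seen[domain]
        if max_hops is not None and hops >= max_hops:
            continue
        for ip in by_domain.get(domain, ()):
            for neighbour in by_ip[ip]:
                if neighbour not in seen:
                    seen[neighbour] = hops + 1
                    queue.append(neighbour)
    return seen


def shared_hosts(domains, records):
    """Map each IP to the subset of `domains` that resolve to it (sorted for readable output)."""
    by_domain, _ = build_index(records)
    hosts = defaultdict(set)
    for domain in domains:
        for ip in by_domain.get(domain, ()):
            hosts[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in sorted(hosts.items())}


def outliers(domains, fingerprints):
    """Domains whose fingerprint differs from the cluster majority: the 'odd one out' on the server."""
    known = [d for d in domains if d in fingerprints]
    if not known:
        return []
    counts = defaultdict(int)
    for d in known:
        counts[fingerprints[d]] += 1
    majority = max(counts, key=counts.get)
    return sorted(d for d in known if fingerprints[d] != majority)


if __name__ == "__main__":
    cluster = pivot("scam-exchange-a.test", RECORDS)
    for domain, hops in sorted(cluster.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{hops} hop(s): {domain}")
    print("co-hosting:", shared_hosts(cluster, RECORDS))
    print("odd ones out:", outliers(cluster, FINGERPRINTS))
```

Two design points: the pivot is bounded by `max_hops` because on a shared host the second hop routinely pulls in unrelated tenants, so an analyst should look at the co-hosting table before trusting anything beyond one hop; and the fingerprint check only becomes evidence when the cluster is small and the shared fingerprint is specific (the same bespoke script), as in the post, not a common CMS default page.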
That's when I understood why the scam currently running on mcxchange.co was on another server, and why this latest one was exploited more heavily than the previous ones...
These people simply realized that silly mistake and migrated the scam to another server, but never remembered that they should erase the previous trail.
Before continuing with an explanation of why it was partly successful, let me make a section break and go to another line of research...
Initially, when I reviewed the source code of the phone website, I realized that at the very end they had added links to
some Bitcoin or blockchain-related forums and some supposed references, meant to lend credibility, to other FAKE websites.
I realized that they were fake for the following reasons:
1) they were all using the same CMS
2) when registering to comment on the exchange, a password was sent to my email and I was logged in, but when I tried to comment, it always appeared offline...
Below are screenshots of http://phone-search.pw, one of the many sites that point to mcxchange.co...
specifically from the link http://phone-search.pw/99890/EDL70G.php
Looking a bit at the code from the console:
Then I determined the real sites and then the fake ones.
End of the list hahahaha
FAKE (set up to give credibility to the scam and improve its ranking in search engines):
Note that the first group all have "/r/rv7/crypto-coin-exchange" as part of their URL,
and in the second group they all simply have the "php" extension.
I have not arranged this myself; I copied it as-is, respecting the order in which they appear.
Updated list of some of the phone sites planted as BAIT:
all show at their root the title "Under Contruction"
and the content "Under Construction This page is currently under contruction."
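The two tells the post uses to separate planted "reference" sites from genuine ones (many different hosts sharing one exact path such as "/r/rv7/crypto-coin-exchange", or a numeric directory plus a random-looking `.php` name, and root pages that only show an "Under Construction" placeholder) can be checked mechanically over a page's outbound links. The script below is an added example, not code from the post or from any of the sites named in it; the HTML tail, the `.test` hosts and the `ROOT_TITLES` crawl results are constructed sample data. It goes beyond the single page in the post by normalising paths into templates, so the same check works on any link farm that reuses one URL pattern across hosts.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed tail of a bait page (sample markup, not the real phone-search.pw source).
SAMPLE_HTML = """
<div id="refs">
  <a href="https://forum-one.test/r/rv7/crypto-coin-exchange">review</a>
  <a href="https://forum-two.test/r/rv7/crypto-coin-exchange">review</a>
  <a href="https://forum-three.test/r/rv7/crypto-coin-exchange">review</a>
  <a href="http://phones-a.test/99890/EDL70G.php">spec</a>
  <a href="http://phones-b.test/12345/ABC12Z.php">spec</a>
  <a href="http://phones-c.test/55512/QQ7R1T.php">spec</a>
  <a href="https://real-forum.test/">community</a>
  <a href="/about.html">about</a>
</div>
"""

# Constructed <title> of each linked host's root page (hypothetical crawl results).
ROOT_TITLES = {
    "phones-a.test": "Under Contruction",        # typo kept on purpose: the placeholder is often misspelt
    "phones-b.test": "Under Construction",
    "phones-c.test": "Under Construction",
    "forum-one.test": "Crypto Coin Exchange Reviews",
}


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags; stdlib parser, tolerant of sloppy markup."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def path_template(path):
    """Normalise a URL path: digit-only segments become <n>, upper-case alphanumeric
    names ending in .php become <id>.php, everything else is kept literally."""
    segments = []
    for seg in path.split("/"):
        if not seg:
            continue
        if seg.isdigit():
            segments.append("<n>")
        elif re.fullmatch(r"[A-Z0-9]{4,}\.php", seg):
            segments.append("<id>.php")
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def link_clusters(html, min_hosts=3):
    """Group absolute outbound links by path template and return the templates that
    are shared by at least `min_hosts` distinct hosts: one pattern, many domains."""
    hosts_by_template = defaultdict(set)
    for href in extract_links(html):
        parts = urlsplit(href)
        if not parts.netloc:
            continue  # relative link: stays on the page's own site, not a reference
        hosts_by_template[path_template(parts.path)].add(parts.netloc.lower())
    return {t: sorted(h) for t, h in hosts_by_template.items() if len(h) >= min_hosts}


def placeholder_hosts(hosts, root_titles):
    """Hosts whose root page title is an 'under construction' placeholder (misspelling tolerated)."""
    pattern = re.compile(r"under\s+cons?truction", re.IGNORECASE)
    return sorted(h for h in hosts if h in root_titles and pattern.search(root_titles[h]))


if __name__ == "__main__":
    clusters = link_clusters(SAMPLE_HTML)
    for template, hosts in clusters.items():
        print(f"{len(hosts)} hosts share {template}: {hosts}")
        print("  root is a placeholder on:", placeholder_hosts(hosts, ROOT_TITLES))
```

A single shared template is only a lead, not proof: legitimate syndication can also produce identical paths across hosts. The combination the post relies on, a shared template plus hosts whose own root page is an empty placeholder, is the stronger signal, which is why the two checks are separate functions that an analyst joins deliberately.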
Now then, going back to the subject of who is responsible...
They are on cyberastra.com's own page, specifically at http://cyberastra.com/#team
Their names? (I cannot guarantee that they are real)
Lead Digital Marketer
Twitter (I'm not sure if it's him, but it seems so) https://twitter.com/ycubed
In addition, on Twitter it is "ycubed", in the forums it has been posted as "ycubed10", and the Twitter account is also a programmer...
Comparison between Twitter and the cyberastra.com WEB
Additional data on the "company"
I take it for granted that they are really implicated and responsible for this scam;
first, because all the arrows and digital fingerprints point
towards their servers and towards them: on that server there are only fraudulent sites and their business website...
Evidently they are the owners of that server or VPS.
On the other hand, the brief conversation I had with someone from that "company" left a lot to be desired...
I initially tried to persuade them by telling them I wanted to reach a "silly agreement", without telling them which; my initial idea was
to extract information from them between one thing and another, but they read and did not respond. Then I threatened them, and they only told me
"Do not try, this will not work with us"
They have not even bothered to deny it, and after I sent the evidence they have not paid attention either,
which tells me that I am right.
Note 1: To prevent them from deleting part of the information from the network and it being lost, I have saved their LinkedIn profiles in a zip file, in case they are removed.
You can download them from the following links:
Note 2: You, as a good human being, can help me report each of these sites so they are banned, suspended or flagged by SafeSearch as risky,
and thus prevent them from continuing to steal.
Note 3: I love to investigate, I am curious, I like to go beyond things; sometimes I poke into sites of a strange nature, or I try to unmask scams.
If you are suspicious of some site, do not hesitate to leave me a comment; I will gladly investigate and try to get to the truth.
Again, do not hesitate to ask me.
Update, Part 3: