NOT YOUR AVERAGE PHISHING CAMPAIGN
TL;DR: We published a list to our Pastebin with all the phishing links we found, along with DNS and site information for each URL. There is a link at the bottom of this article.
Phishing scams: the ever-growing nuisance that has plagued the underground community of the darknet since the very beginning. Over the last year or so, the popularity of phishing has increased exponentially. It’s almost impossible to get through a day without some irritating, and usually blatantly obvious, phishing link creeping onto your screen. Darknet forum moderators are constantly scrubbing the shady link litter out of their threads. Darknet market moderators are clearing dirty phishing links out of their vendors’ feedback sections. What’s next?
Now darknet users need to take extra precautions on the clearnet as well. The websites they regularly visit to find invite links to darknet markets are the new playing field for the modern phisher. The new tactic, which has been fooling even seasoned darknet users, is phishing sites disguised as popular news and information websites. These clone sites are nearly exact copies of the websites they imitate. The only differences are the phishing links to the darknet markets and the website URL, which is one or two letters off the legit website’s URL.
Over the last couple of months, darknet forums and Reddit threads have been buzzing with darknet users who had been duped by these clever clearnet clone sites. Many did not realize they had fallen victim to the crafty new-ish phishing scheme for several days, and by then their market wallet was usually empty. (Don’t leave BTC in your market wallet!)
Due to the lack of coverage of the clearnet phishing sites, we decided to take it upon ourselves to draft a list of these poison URLs for our readers, thinking the list would be relatively short. A few misspellings of DeepDot’s site, maybe some others, and that should be it. However, we quickly realized that we were dead wrong. Over the last day we stumbled upon nearly 300 of these clearnet phishing sites, nearly all of them registered within the last 5 or 6 months. But what we found really bizarre is that it appears that only one or two scammers (or groups) are behind ALL of them.
From our research it appears that nearly all of the URLs we discovered were purchased through the registrar PDR Ltd. d/b/a PublicDomainRegistry.com. PDR Ltd charges $35 per year for each domain name registered through their company. This would mean that the person, or group, behind this new scam has invested an estimated $10,395 USD in acquiring the domain names alone, just to cast their massive phishing net. The cost of this scam is likely much higher once the server and hosting costs are added to the total investment, and that can only mean one thing: the scam works, and it’s lucrative enough for the scammers behind the operation to make that type of investment. That being said, we encourage our darknet readers to take the following precautions when visiting ANY website, especially ones related to finances and darknet markets.
DOUBLE CHECK THE WEBSITE’S URL
These websites will look identical to the sites you intend on visiting. If you are in a rush and misspell the website URL then YOU WILL end up on a phishing site. Make sure every single letter in the website domain name is typed out perfectly, especially if you have any plans of using their link list to get to a darknet market.
BOOKMARK OR SAVE LINKS YOU USE REGULARLY
The safest bet is saving a bookmark of the darknet news sites you often visit so this never becomes an issue, or keeping a list of links you frequent. This is especially true with DeepDotWeb. Given that they are a popular and trusted news source, it makes sense that the phishing net is mostly composed of misspelled variations of DDW’s domain name. It might also be a good idea to bookmark or save a link to us (darknetmarkets.net) and any darknet related Reddit groups you frequent.
STAY AWAY FROM ONION SITES THAT END IN “.TOP”
All of the phishing sites mentioned in this article have 2 noticeable differences from the legitimate website. Their domain name is a misspelled variation of the actual website you intended to visit, and all of their links to darknet markets, forums and tumblers end in .top. If you see an onion link ending in “.top” it means you are on a phishing site.
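The two tells described above (a domain one or two letters off a site you trust, and onion links ending in .top) can be checked mechanically. The following is an added example, not part of the original article: the trusted list, the lookalike spellings and the `<name>.onion.top` link shape are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: your own bookmarked domains. darknetmarkets.net is named on the
# page; deepdotweb.com is assumed to be the spelling you bookmarked.
TRUSTED = {"darknetmarkets.net", "deepdotweb.com"}
MAX_TYPO_DISTANCE = 2  # the article: clones are "one or two letters off"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # drop a character
                           cur[j - 1] + 1,              # add a character
                           prev[j - 1] + (ca != cb)))   # swap a character
        prev = cur
    return prev[-1]

def host_of(url: str) -> str:
    """Lower-cased host without port, leading 'www.' or trailing dot."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def check_site(url: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    host = host_of(url)
    if host in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if edit_distance(host, good) <= MAX_TYPO_DISTANCE:
            return "lookalike:" + good
    return "unknown"

def is_top_onion_link(url: str) -> bool:
    """True for an onion link whose host ends in .top (assumed <name>.onion.top)."""
    labels = host_of(url).split(".")
    return labels[-1] == "top" and "onion" in labels[:-1]

if __name__ == "__main__":
    # Constructed sample URLs, not taken from the published list.
    for u in ("https://www.darknetmarkets.net/links", "http://darknetmarkest.net",
              "deepdotwebb.com", "http://abcdefghijklmnop.onion.top/login"):
        print(u, "->", check_site(u), "| .top onion link:", is_top_onion_link(u))
```

A result of `unknown` only means the domain is not close to anything on your list; it says nothing about whether the site is safe.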
ONLY USE LINKS FROM SITES YOU TRUST
If you don’t have your list or bookmarks of the darknet markets you need to visit, then cautiously use a reputable source for links. That means you don’t use links posted by random strangers in forums, or jump on Google/DuckDuckGo, search “Agora Reloaded login page” and use a link from someone’s Tumbler. You can go here to our Darknet Market Link List, which always has working, verifiable links and alternative links. You can also visit DeepDotWeb or DNStats, which are both reputable sources for safe links. Just make sure to double check that URL.
Hopefully with a little common sense and caution we can make that massive phishing net nothing more than a big waste of time, money and effort at the expense of the scammers who created it. That being said, here is a list of the phishing links we scraped up that make up most, if not all, of the giant phishing net-work (see what I did there?) along with some information we harvested on each of the domains (probably nothing too useful, but it’s a start). Hopefully someone will make use of it for a good payback doxxing. And if that’s not your forte, then feel free to copy the list of domains and submit them to any of these phishing link reporting sites, black lists and abuse report pages.
PDR Ltd Abuse Report Form ( Copy and paste the entire list of phishing links directly to their domain registrar in a few clicks and you could cost a group of scamming phishers over $10,000 USD if they lose their domain names. )
Google – Safe Browsing (submission form for phishing sites)
APWG – Anti Phishing Work Group ( Phishing Site Report Page )
BrightCloud ( Malicious site reporting page )
BitDefender ( Malicious Site Reporting Page )
Symantec ( Phishing Site Submission Form )
TrendMicro ( URL Submission Page )
TrustWave ( Malicious Site Submission Form )
Yandex ( Malicious/Phishing Site Report Page )
AVG – Report Phishing Sites via email: [email protected]
ESET – Report Phishing Sites via email: [email protected]