Phishing | googleusercontent.com

[spirillen]

What are the subjects of the phishing (domains, URLs or IPs)?

• example.com
• sub.example.com
• https://example.com/page
• https://sub.example.com/page
• NSFW example.com
• 192.168.0.0/16
  00f74ba44b80f08e469019d0c9fef3f3e48564247e-apidata.googleusercontent.com|phishing
  107.64.70.34.bc.googleusercontent.com|phishing
  32.19.192.35.bc.googleusercontent.com|phishing
  109.245.225.35.bc.googleusercontent.com|phishing
  24.174.232.35.bc.googleusercontent.com|phishing
  27.251.247.35.bc.googleusercontent.com|phishing

What are the impersonated domains?

• example.org
• sub.example.org
• https://example.org/page
• https://sub.example.org/page
  Various

Where or how did you discover this phishing?

I discovered this phishing by...
I was targeted by this phishing by...

I can see in https://kb.mypdns.org/issue/MTX-40416 (mypdns/matrix#40032) that I have marked some subdomains marked for phishing, anyone who would be able to check if these are still active in phishing?

Do you have a screenshot?

Screenshot

nope

Related external source

• https://sub.example.co.uk/page

• MTX-40416 (https://kb.mypdns.org/issue/MTX-40416/googleusercontent.com)
• MTX-122569 (https://mypdns.youtrack.cloud/issue/MTX-122569/googleusercontent.com)
• googleusercontent.com mypdns/matrix#40032
• There are no known issue for googleusercontent.com in Phishing-Database
• DNS  T1998-beep/Google-DNS-Blocksliste-#1
• Asterisk for the firewall emanuele-f/PCAPdroid#480
• Blockdomain Rule Unexpected Behavior hoodedpaladin/HeartGuard#5
• Getting error on lh3.googleusercontent.com mtalcott/google-photos-deduper#75
• html testSlingr/test#79
• Upstream proxy is not solving youtube's problem msasanmh/DNSveil#220
• https://github.com/tychografie/polomaps-ios-app/issues/1
• Update: Google Play simple-icons/simple-icons#12008
• google plus ip失效 zjrman/smarthosts#748
• google plus ip失效 linwenhui/smarthosts#748
• google plus ip失效 JasonOldWoo/smarthosts#748
• 谷歌等常见境外地址屏蔽 xfdyd/-#1969
• Poll History data json check gosu-polls/poll-ui#5
• google plus ip失效 lnln1111/smarthosts#748
• google plus ip失效 abngsa/smarthosts#748
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 zjrman/smarthosts#322
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 linwenhui/smarthosts#322
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 JasonOldWoo/smarthosts#322
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 lnln1111/smarthosts#322
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 abngsa/smarthosts#322
• google plus ip失效 dubiao/smarthosts#748
• google plus ip失效 haobug/smarthosts#748
• Add Google image domain to next.config.js kleneway/quill#1
• Pics 2.0 KeepTalkingNobodyExplodes/keeptalkingnobodyexplodes#2
• google plus ip失效 zyecs/smarthosts#748
• google plus ip失效 roryyu/smarthosts#748
• google plus ip失效 yu8357305/smarthosts#748
• fyne: overview page new UI raedahgroup/godcr-old#421
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 dubiao/smarthosts#322
• 今天开始ip失效，请修改成202.183.138.151或者74.125.128.199 sqguokai/smarthosts#322

Additional Information or Context

I have also noticed that...

Response Policy Zone - RPZ

Found these RPZ records in My Privacy DNS

Domain records	Type	content
*.googleusercontent.com.strict.adult.mypdns.cloud	CNAME	.
00f74ba44b80f08e469019d0c9fef3f3e48564247e-apidata.googleusercontent.com.phishing.mypdns.cloud	CNAME	.
107.64.70.34.bc.googleusercontent.com.phishing.mypdns.cloud	CNAME	.
109.245.225.35.bc.googleusercontent.com.phishing.mypdns.cloud	CNAME	.
111.91.190.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
119.29.196.104.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
175.220.196.104.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
184.48.190.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
200.94.201.35.bc.googleusercontent.com.adware.mypdns.cloud	CNAME	.
202.90.190.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
24.174.232.35.bc.googleusercontent.com.phishing.mypdns.cloud	CNAME	.
246.39.190.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
27.251.247.35.bc.googleusercontent.com.phishing.mypdns.cloud	CNAME	.
32.19.192.35.bc.googleusercontent.com.phishing.mypdns.cloud	CNAME	.
42.219.186.35.bc.googleusercontent.com.adware.mypdns.cloud	CNAME	.
42.219.186.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
49.74.190.35.bc.googleusercontent.com.adware.mypdns.cloud	CNAME	.
49.74.190.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
64.98.201.35.bc.googleusercontent.com.adware.mypdns.cloud	CNAME	.
64.98.201.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
84.249.186.35.bc.googleusercontent.com.adware.mypdns.cloud	CNAME	.
84.249.186.35.bc.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
affiliate.googleusercontent.com.adware.mypdns.cloud	CNAME	.
affiliate.googleusercontent.com.tracking.mypdns.cloud	CNAME	.
afs.googleusercontent.com.adware.mypdns.cloud	CNAME	.
afs.googleusercontent.com.tracking.mypdns.cloud	CNAME	.

[g0d33p3rsec]

The phishing related content seems to be from 2019 and long since resolved. The tracking issues seem to be with consent of the first-party, so not so relevant here but maybe worth considering still for the matrix. Some examples of the mentioned links from 2019:
107.64.70.34.bc.googleusercontent.com
https://urlscan.io/result/9935139b-0175-4c85-bd91-dcc3415733df/
32.19.192.35.bc.googleusercontent.com
https://urlscan.io/result/49007fda-9008-488d-9737-fd9b7ab1e02a/
109.245.225.35.bc.googleusercontent.com
https://urlscan.io/result/c4070548-a6d1-42b8-bb56-d2639b842c65/

https://urlscan.io/search/#googleusercontent.com

[spirillen]

Cool, thanks for looking at them, closing as no longer relevant.

No longer adding subdomains to (.)google(.) they are blacklisted at the root. then people have to whitelist if they are masochists.