add-domain - phishing (cf) #748

Open. Wants to merge 1 commit into base: master

ninjacatcher
Contributor

Phishing Domain/URL/IP(s):


Impersonated domain

metamask
coinomi
safepal
exodus
tonkeeper
trustwallet
trezor
ledger
phantom wallet
and various other companies, it would take a long time to list them all.

Describe the issue

Most are exactly the same method of attack described in #694 and #703

Related external source


Takedown requests from APVA (soon to be available from Netcraft as well):

Screenshot

pls check incident antiphish and netcraft pages for screenshots

@ninjacatcher
Contributor Author

@spirillen or @g0d33p3rsec could you remove some duplicate domains from the https://github.com/Phishing-Database/phishing/blob/master/add-domain file? thx

@spirillen
Contributor

My little sort script should be taking care of that, once merged

@g0d33p3rsec are you taking care of @ninjacatcher's PRs?

@ninjacatcher
Contributor Author

opened 4 days ago

@spirillen
Contributor

And now it needs to be rebased. I marked this one as unread and am looking into it tomorrow. Kinda hoped Scott had picked this one up.

So if you rebase, I'll have a look at it tomorrow.
