Administrator <info@webseodesigners.com> wrote: 2025-8-23 08:05
Email subject: 2 Messages are on Hold - Staff Action Required For contact@webseodesigners.com August 2025 - 8/23/2025 10:05:21 a.m.
Reply-to: Administrator <info@webseodesigners.com>
[✔] webseodesigners.com E-Mail Support
_an automated Notification from webseodesigners.com.
_ DEAR CONTACT,
Please verify your Email contact@webseodesigners.com below is active
to confirm it is still in use by only you in the company
Verify Your Email
[https://googleads.g.doubleclick.net/pcs/click?xai=AKAOjssIdZGtK2LGw4coQMwtQcONuf8cVZUVHUrlFgT33_wiLCuxpoweUvHdBH9neY4iW-CZh2SzgITptx6j64F0B2pEU0uoeRfmKTeyn7LSG5Irubqjv6IFl9MeqTp84ZT99WRJlZDMgrwUaUI7QjgNwL22AVveJm980wuVNryiILT2WhxCPmcY8M7PVIOygAXT_382p7PUn7bIByn2OjlTfCiaqta3tAhZWCuROeXZPznm5cGhgUYspVywPb8Y8GbuT5pyEUyF89icmqe5zg&sig=Cg0ArKJSzFtr0kI2Y6Ll&adurl=https://1e3bfc3c8259f97074fdc0d7c39.cloudns.pro#contact@webseodesigners.com]
Failure to verify your email would lead to loss of important incoming
emails and outgoing messages.
Thank You for Understanding
webseodesigners.com E-Mail Security
Administrator I.T HelpDesk
_® 2025 WEBSEODESIGNERS.COM IT Help Desk Support.
All Rights Reserved 8/23/2025 10:05:21 a.m._
2 Messages are on Hold - Staff Action Required For contact@webseodesigners.com August 2025 - 8/23/2025 10:05:21 a.m.
-
- Posts: 514
- Joined: 2025-4-22 17:52
This phishing attack has at least 3 different domain registrars and platform providers involved.
Google is enabling this phishing attack by providing a redirect for the malicious webmail page that is stealing passwords:
https://googleads.g.doubleclick.net
The same website is being used in a multitude of other phishing attacks for the same purpose.
The webmail phishing page where the user is redirected is at
https://1e3bfc3c8259f97074fdc0d7c39.cloudns.pro
Stolen passwords are recorded using a PHP script at
https://profiilelogin.click/N3w1wm0/nwk2k3i.php
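For triage of links like the one in the e-mail above, the following added example (not part of the original posts) unwraps a click-tracking redirect offline and reports the host the user would actually land on, plus whether the recipient's address rides along in the URL fragment. The function names and the redirect parameter names other than `adurl` are assumptions, and the `xai`/`sig` values in the sample are placeholders.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# "adurl" is the parameter in the link quoted on this page; the other names
# are assumptions about redirectors in general, not taken from the page.
REDIRECT_PARAMS = ("adurl", "url", "u", "redirect", "target")

def unwrap_redirect(link, max_depth=5):
    """Return [link, next hop, ...] by reading redirect parameters offline."""
    chain = [link.strip("[] \t\r\n")]
    for _ in range(max_depth):
        parts = urlsplit(chain[-1])
        query = parse_qs(parts.query)
        target = next((value for name in REDIRECT_PARAMS
                       for value in query.get(name, [])
                       if urlsplit(value).scheme in ("http", "https")), None)
        if target is None:
            break
        # A browser carries the fragment across an HTTP redirect when the
        # target has none, so "#victim@domain" reaches the landing page.
        if parts.fragment and not urlsplit(target).fragment:
            target += "#" + parts.fragment
        chain.append(target)
    return chain

def analyze_link(link, recipient):
    """Summarise what a mail filter or analyst needs to know about one link."""
    chain = unwrap_redirect(link)
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    fragment = unquote(last.fragment).lower()
    return {
        "visible_host": first.hostname,
        "final_host": last.hostname,
        "hops": len(chain) - 1,
        "host_changes": first.hostname != last.hostname,
        "recipient_in_fragment": recipient.lower() in fragment,
    }

# Constructed sample: hosts and layout from the e-mail above, with the long
# xai/sig tracking values replaced by placeholders.
SAMPLE = ("https://googleads.g.doubleclick.net/pcs/click?xai=PLACEHOLDER"
          "&sig=PLACEHOLDER&adurl=https://1e3bfc3c8259f97074fdc0d7c39.cloudns.pro"
          "#contact@webseodesigners.com")

if __name__ == "__main__":
    for key, value in analyze_link(SAMPLE, "contact@webseodesigners.com").items():
        print(f"{key}: {value}")
```

A link whose visible host differs from its final host and whose fragment carries the recipient's own address is a strong signal for quarantine or analyst review.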
-
- Posts: 360
- Joined: 2017-7-5 09:58
I have reported the involved domains to registrars. Let's see what happens.
-
- Posts: 360
- Joined: 2017-7-5 09:58
Quick update:
Apparently Poople Google does not give a shit about enabling phishing attacks and providing broken systems like this one for the attackers to exploit as you can see from the reply of abusecomplaints@markmonitor.com:
PhishingBuster wrote: ↑2025-8-24 04:01
Google is enabling this phishing attack by providing a redirect for the malicious webmail page that is stealing passwords:
https://googleads.g.doubleclick.net
"Please be advised that Markmonitor is the Registrar for the domain in your email and is not the Registrant of this domain name. As a Registrar, Markmonitor registers domain names on behalf of our clients who, as the Registrants, are responsible for the content of such domains (including the domain that is the subject of your notice). Markmonitor has neither control nor responsibility over any of the content of the domain mentioned, including any personal information included in such domain. Further, Markmonitor does neither manage nor operate the servers on which such content is hosted."
abuse@cloudns.net took immediate action to thwart the attack:
PhishingBuster wrote: ↑2025-8-24 04:01
The webmail phishing page where the user is redirected is at
https://1e3bfc3c8259f97074fdc0d7c39.cloudns.pro
"The mentioned DNS zone is suspended in our system."
So far no response from the registrar abuse-contact@sav.com so it seems like they do not care either.
PhishingBuster wrote: ↑2025-8-24 04:01
Stolen passwords are recorded using a PHP script at
https://profiilelogin.click/N3w1wm0/nwk2k3i.php
This makes both Google and sav.com accomplices in that phishing attack.