Norton security pop up

https://lp4.clean-pc-now.club/?uclick=bza47vsy&uclickhash=bza47vsy-bza47v3v-tw4p-0-bz6j-hqpm-hqq5-d7d942#

redirects to this

All links on payment page lead to what appears to be the real norton.

Seems a ton of domains all run on one server that redirects to some other domains on another server that tracks the redirects. Seems they have been up for quite a long time. All of the domains are registered on NameCheap and the servers have SSH open to any IP and seem to have root login enabled.

Phishing domains (IP: 178.62.255.128):

Redirect sites are all running this software:

binom.org

Redirect to (IP: 167.71.15.125):

https://gorizzlyskrizzly.com/
https://antivirus-security-now.com/
https://clixalot.club/
https://world-daily-news.club/
https://www.customerrewards.xyz/
https://phonefrompost.xyz
