repl's Being Abused for Phishing
I received the following
repl.co link over Facebook, which leads to a phishing page that resembles Facebook.
repl.it badly needs a feature to report these!
Peeking at the code,
They've banned a bunch of IPs from that page, redirecting them to as song "Hawái" by "Maluma"...
...no idea why. They seem to belong to a bunch of US ISPs.
- The page loads a script from
- When you click "log in", it
POSTs the values of the form along with a bunch of geographical data retrieved via GeoJS, to
- They also grab an image from
whos.amung.uswhich looks like a website traffic analytics tool.
https://clubhouseguard.com/, and both of these seem to be made specifically for phishing.
https://whois.domaintools.com/jordan--001.tk and https://whois.domaintools.com/clubhouseguard.com says they're both registered via