repl's Being Abused for Phishing
RavinduL

I received the following repl.co link over Facebook, which leads to a phishing page that resembles Facebook.

https://colorfullightcyantask.dd315b4f10v.repl.co/#0.42331671848072316

IMHO, repl.it badly needs a feature to report these!

Peeking at the code,

  • They've banned a bunch of IPs from that page, redirecting them to a song "Hawái" by "Maluma"...

    ...no idea why. They seem to belong to a bunch of US ISPs.

  • The page loads a script from https://jordan--001.tk/jp/?api=1&lan=facebooknew&ht=1&counter0=jeansaldo01
  • When you click "log in", it POSTs the values of the form along with a bunch of geographical data retrieved via GeoJS, to https://jordan--001.tk/jp/save.php?api=1&lan=facebooknew&ht=1&counter0=jeansaldo01.
  • They also grab an image from https://whos.amung.us/widget/jeansaldo01. whos.amung.us looks like a website traffic analytics tool.

Report them: https://www.enom.com/help/abusepolicy.aspx and [email protected].
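
Added example, not part of the original post and not code from the page it describes: a static triage sketch in Python that flags the pattern listed above, a password form on a page that loads scripts or images from other hosts. The sample HTML, the page URL and every host name in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample shaped like the page described above: a password form,
# an off-site script and an off-site counter image. Hosts are placeholders.
PAGE_URL = "https://some-repl.example-host.test/"
SAMPLE_HTML = """
<html><head><title>Log in to Facebook</title>
<script src="https://kit-server.example/jp/?api=1"></script></head>
<body><form id="login"><input name="email"><input type="password" name="pass">
<button>Log in</button></form>
<img src="https://counter.example/widget/abc">
<script src="/static/app.js"></script></body></html>
"""

class ResourceCollector(HTMLParser):
    """Collects password fields and every URL the page loads or submits to."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.refs = []  # (tag, attribute, raw URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        for attr in ("src", "action", "href"):
            if tag in ("script", "img", "iframe", "form", "link") and a.get(attr):
                self.refs.append((tag, attr, a[attr]))

def triage(page_url, html):
    """Return findings for a credential form that pulls in off-origin resources."""
    collector = ResourceCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    external = []
    for tag, attr, raw in collector.refs:
        # Resolve relative URLs against the page before comparing hosts.
        host = urlsplit(urljoin(page_url, raw)).hostname
        if host and host != page_host:
            external.append((tag, host))
    return {
        "has_password_field": collector.password_fields > 0,
        "external_hosts": sorted(set(external)),
        "suspicious": collector.password_fields > 0
                      and any(tag == "script" for tag, _ in external),
    }

if __name__ == "__main__":
    print(triage(PAGE_URL, SAMPLE_HTML))
```

Legitimate login pages also load scripts from other hosts, so a hit is a lead for manual review, and a POST issued by script at click time only shows up in the script source or in captured traffic.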

HahaYes

Oh wow, that's bad.