Repls Being Abused for Phishing
RavinduL

I received the following repl.co link over Facebook, which leads to a phishing page that resembles Facebook.

https://colorfullightcyantask.dd315b4f10v.repl.co/#0.42331671848072316

IMHO, repl.it badly needs a feature to report these!

Peeking at the code,

  • They've banned a bunch of IPs from that page, redirecting them to a song "Hawái" by "Maluma"...

    ...no idea why. They seem to belong to a bunch of US ISPs.

  • The page loads a script from https://jordan--001.tk/jp/?api=1&lan=facebooknew&ht=1&counter0=jeansaldo01
  • When you click "log in", it POSTs the values of the form along with a bunch of geographical data retrieved via GeoJS, to https://jordan--001.tk/jp/save.php?api=1&lan=facebooknew&ht=1&counter0=jeansaldo01.
  • They also grab an image from https://whos.amung.us/widget/jeansaldo01. whos.amung.us looks like a website traffic analytics tool.

Report them: https://www.enom.com/help/abusepolicy.aspx and [email protected].

Answered by SixBeeps [earned 5 cycles]
Comments
SixBeeps

Looks like the user has a few different Repls for this: https://repl.it/@dd315b4f10v

Honestly I'd contact Repl.it directly for this rn. I've heard that a Report User functionality is in the works, so problems like these can be more easily resolved.

RavinduL

@SixBeeps nice find! Out of curiosity, how did you map the repl to the user? 😅

SixBeeps

@RavinduL The format for Repl.it sites is ReplName.Username.repl.co. In the link you gave, colorfullightcyantask is the name of the Repl, dd315b4f10v is the user.
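
For anyone triaging a similar link, the hostname-to-user mapping described in this comment and the check for off-site resources mentioned in the original post can be scripted. This is an added example, not code from the thread or from Repl.it; the function names and the sample markup with `example.test` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def repl_owner(url):
    """Return (repl_name, username) for ReplName.Username.repl.co, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Exactly four labels: anything longer (a.b.repl.co.other.tld) is not repl.co.
    if len(labels) != 4 or labels[2:] != ["repl", "co"] or not all(labels[:2]):
        return None
    return labels[0], labels[1]

def profile_url(url):
    """Profile page to cite in an abuse report, or None for non-repl.co URLs."""
    owner = repl_owner(url)
    return f"https://repl.it/@{owner[1]}" if owner else None

class _RefCollector(HTMLParser):
    # Attributes that make the browser contact another URL.
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def off_platform_hosts(page_url, html):
    """Sorted hosts referenced by the markup other than the page's own host.
    Static markup only: URLs built inside scripts are not seen."""
    own = urlsplit(page_url).hostname
    collector = _RefCollector()
    collector.feed(html)
    hosts = {urlsplit(urljoin(page_url, u)).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != own)

# Constructed sample input: the reported URL from the post plus made-up markup
# with placeholder hosts (example.test), not the real page source.
REPORTED = "https://colorfullightcyantask.dd315b4f10v.repl.co/#0.42331671848072316"
SAMPLE_HTML = """<html><head>
<script src="https://collector.example.test/jp/?api=1"></script></head>
<body><img src="https://stats.example.test/widget/abc"><img src="/logo.png">
<form action="#"><input name="email"></form></body></html>"""

if __name__ == "__main__":
    print(repl_owner(REPORTED), profile_url(REPORTED))
    print(off_platform_hosts(REPORTED, SAMPLE_HTML))
```

The off-platform hosts are the ones worth including in a report to the registrar or hosting provider alongside the Repl profile URL.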

RavinduL

@SixBeeps Thanks 😊

gibbsfreenergy

There should be a way to track down the IP Address of this user. @SixBeeps

SixBeeps

@JosephSanthosh Ehm, for what purpose?

PieroMaddaleni

@SixBeeps Generally to ban such users from accessing our platform and to see if they have any other accounts from said address. Also, I've passed this on to the rest of the team, so within an hour or two something should happen.

SixBeeps

@PieroMaddaleni Yeah, but they could very well be using a VPN, which would eliminate the entire purpose of an IP ban.

Battledash2

Cool they're banned xD

AmazingMech2418

Seems like the person is banned...

AmazingMech2418

@AmazingMech2418 Also, their only remaining repl:

iocoder

@RavinduL When I go to https://clubhouseguard.com/ now, it brings me to google.com. Is this a remake of it too, or is it the real one? 'Cause some users can find a domain that is exactly the same as another.

HahaYes

Oh wow, that's bad.

PattanAhmed

Where do you find his Repl?
I mean this guy:-
https://repl.it/@dd315b4f10v

gibbsfreenergy

That page is somehow so accurate!

Smart0ne

@FluidCycling Is this sarcasm or not?

gibbsfreenergy

How? @Smart0ne