Dissection of the scammer site (case)
btconline.io is a fraudulent site. His legend is that you enter your Bitcoin wallet address there and Bitcoins immediately start to be mined for you. Everything is very simple – you do not even need to register. There is only one problem – Bitcoins are dripping slowly for you, and the minimum sum for withdrawal is high. But, of course, there is a way out: you can buy paid packages and your Bitcoins will be mined faster – the more expensive the package, the faster Bitcoins will be mined! When it comes time to pay, you are told about the “restrictions”, they are asked to verify (send photos of your passport, bank card, etc.), or simply say - “an error has occurred, try again later”.
There is someone who does this, sends them money, spreads information for “referral deductions” (in quotes, since no one will receive anything) …
Sometimes these “projects” operate on the principle of a financial pyramid (for the former they make some kind of payments), but more often this is just a fraud.
Part 1. Analysis of the history of changing the IP addresses of the web site
This is the most elementary – many sites fails this way, they worked under their real IP, then they set up CloudFlare and consider that they were “hidden”…
Therefore, if among the previous IPs belonging to the target site there are not IP CloudFlare, then there is a high probability that this is the real address of the site. In any case, it is a new thread that can lead to a lot.
So, the History of IP addresses of the site shows this result:
securitytrails showed this result:
Everything is bad – these IPs belong only to CloudFlare.
Part 2. Checking with CloudFail
By the way, CloudFail manual is here.
The online service “Disclosure of the real IP site behind the CloudFlare network using incorrectly configured DNS and the database of old records” - but it did not find any useful information.
And now it would seem – there is no way to find out the real IP address of the site behind CloudFlare. Everything is bad.
Part 3. Modus operandi
Modus operandi is a Latin phrase, meaning “course of action”, often used in criminology under the meaning of “method of committing a crime”.
In simple terms – if we do something, then every time we do it about the same way, in our actions contain similar features.
I looked at the btconline.io fraudulent site, read the texts and realized that they were hardly written by a native speaker – most likely a machine translation. But if this is so, then he needed to write texts:
- come up with his own long texts (there are questions and answers there, and there is a lot of text on the landing page, and so on)
- translate these texts
And it takes effort.
Such fraudulent sites, in fact, very rarely bring something to their creators. However, often the first crafts especially unsuccessful – there may simply be something not work. Since almost certainly the owner of this site has more sites – and in the case of his last child, he did everything for conspiracy, but did he do everything correctly for the previous sites?..
So I just took quite large pieces of text, put them in double quotes and did a search on Google and Yandex. Fragments of the text I used:
"Our service make Bitcoin mining absolitely easy for every person! You don't need to buy expensive equipment and loose your time to configure mining servers"
"Your email address will be used to send login codes when suspicious or unusual activity is detected, to remind you of your account bitcoin address login"
- Service "Advanced Search in Google"
I was looking for sites in which there is an exact entry of these phrases, as a result I have compiled a list of the following sites:
IP history maxminer.net gave the following results:
There you can "mine" Lightcoin, Dogecoin, Ethereum – and why not? If you can mine the main Shitcoin, why not mine the minor Shitcoins?!
The maxminer.net site has an IP address 126.96.36.199, let's look at the information for it in securitytrails:
Let's look at the history of probtc.biz:
We see there, including, the IP address 188.8.131.52.
I showed a direct path to the address 184.108.40.206, in fact, it was branched out – I looked at the history of domains I know and collected IP addresses, for these IP addresses I collected new domains and again looked at the history of their IP addresses, each of these IP addresses I checked if it belongs to btconline.io. I did this using cURL with a command like this:
curl IP_TO_CHECK -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: btconline.io'
Instead of IP_TO_CHECK, I set the real IP address. If I received something interesting, I did a control check with the same IP command like this:
curl IP_TO_CHECK -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: FAKE.HOST'
That is, to compare the results obtained, the host btconline.io is replaced with FAKE.HOST (that is, any other host that was not related to this web server).
In the end, the command with 220.127.116.11:
curl 18.104.22.168 -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: btconline.io'
It gave the following result:
Pay attention to the lines:
< Location: http://www.btconline.io/ < X-Served-By: Namecheap URL Forward < <a href='http://www.btconline.io/'>Found</a>.
That is, the server responded to this host and wants to redirect us to the address http://www.btconline.io/. But there are web servers that are configured to redirect anything. Check it with another host:
curl 22.214.171.124 -v -A "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36" -H 'Host: ya.ru'
For the host ya.ru just nothing was found.
To confirm in the /etc/hosts file:
sudo gedit /etc/hosts
I add a line
Save and close the file. And now I’m trying to open btconline.io in a browser – it redirects to https://www.btconline.io/ (to subdomain www), the layout is broken, but the site opens!
That is, the creator of btconline.io did for the conspiracy "all correct":
- WHOIS - closed
- after creating the btconline.io website, it never worked on real IP – it was immediately added to CloudFlare
But it didn’t help him at all – this site revealed the entire net of domains and all the IPs currently in use or earlier, each of which is a new lead and a thread leading farther and farther away.
Part 4. Answers to questions that this site can cause
Real Time Payouts – payments in real time, someone really paid? There after all there are links to blockchain.com – these are real wallets and real payments!
Yes, the wallets are real and the payments are real, only the order is different, the fraudulent site parses the data from blockchain.com and, on the basis of them, “draws” its payments.
- there are wallets in payments that have never sent money to anyone, although it is stated in the payments that they work at a certain marketing plan – if these wallets did not make transfers, then this is impossible.
- the script has a funny bug: if you enter the address of a Bitcoin wallet, get your referral link, then follow this referral link, and then sign up with a wallet that has already been paid, everything will work out! That is, the one who seems to have already received the payment becomes your referral! Although re-register with the same wallet is impossible in principle.
Pop-up messages about purchased packages?
- Revealing the perimeter (CASE) (95%)
- How to find out all sites at an IP (66.7%)
- How to find out if a site is behind CloudFlare or not (66.7%)
- How to find out the real IP of a site in Cloudflare (66.7%)
- How to see locked HTML code, how to bypass social content lockers and other website info gathering countermeasures (66.7%)
- How to Install and run WPScan on Windows (RANDOM - 5.1%)