Posts by Qurium

The Big Bash Dubai 2022 #scamempire

1 year ago 0 0 0 0
48 reactions · 18 comments | A loyal and highly respected investor sharing her review of the platform. Join this legitimate platform today and you'll be glad you did! Group: Elon... | By Becky | Facebook

Just posted. Quantum AI investments are not a scam. Meta 💸💳 #scamempire
https://www.facebook.com/reel/654852003661912

1 year ago 0 0 0 0

Get ready for the "Big bash" #scamempire

1 year ago 0 0 1 0

Ten years ago Boaelite (now Affilomania/Trafficon) published this video. What has really changed at the #scamempire?

1 year ago 0 0 0 0

Coming soon... #scamempire

1 year ago 0 0 0 0

Landing pages used by affiliates of the #scamempire

1 year ago 0 0 0 0

Tonight watch #scamempire

1 year ago 0 0 0 0

#scamempire

1 year ago 0 0 0 0

“By turning over the material to the media, I/we hope this issue gets enough attention for authorities to take action against these criminals. This problem is not impossible to solve. We all just need to care enough to do something about it.” - Source of the leak of #scamempire

1 year ago 0 0 0 0

Scam call centers are destroying lives across the world. Now we’re putting the spotlight on them. Coming soon… #ScamEmpire

1 year ago 0 0 0 0

"When Kehr meets Vextrio" shows how dating scams and disinformation use a common infrastructure.
www.qurium.org/forensics/when-kehr-meet... (1/4) 👇

1 year ago 0 0 0 0

Yesterday, Bullet Proof Hosting provider sclad{.}us aka Morningstars (AS215939) connected to UAC-0050 (CERT-UA#8453 and CERT-UA#8494 Alerts) announced "technical works" as their main upstream dropped them.

1 year ago 0 0 0 0

One month after the release of our Doppelganger investigation and the shutdown of Aeza at Datacamp, the ASNs that made it to the finish line have migrated to @packetbouncer @aurologiccom and @RoyaleHostingBV @stanvandeklippe
Many prefixes remain behind GRE tunnels.

1 year ago 0 0 0 0

The power of CSI (194.36.177{.}229) server of 1cent{.}host runs in AS210281. Can you figure out where the GRE tunnels of this BPH terminate? @banthisguy9349

1 year ago 0 0 0 0

MTU1448 update: Doppelganger Prefix sneaking away from Aurologic upstream to AS214891. Prefix now using AS56630 Melbikomas (LT) as upstream in Germany.
route: 77.91.66.0/24
origin: AS214891
mnt-by: CENTHOST-MNT
last-modified: 2024-08-02T09:47:27Z

1 year ago 0 0 0 0

The answer is 1448. In a standard setup the maximum payload for an ICMP packet will be 1472 bytes (1500-20-8). 28 bytes for the IP (20) and ICMP (8) headers.
If you run GRE tunnels, you need to account for an extra 24 bytes of overhead for Outer IP (20) and GRE (4).
1500-20-8-20-4=1448

1 year ago 0 0 0 0
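
The MTU arithmetic in the post above, generalised into a small path-MTU classifier. This is an added example, not code from Qurium; the overhead table (IPv4 encapsulations only), the function names and the simulated probe are assumptions made for illustration.

```python
# Added example: infer a likely tunnel type from the largest ICMP echo payload
# that crosses a path unfragmented (DF bit set). The overhead table below is an
# assumption covering common IPv4 encapsulations; only the GRE row is from the post.
IP_HDR, ICMP_HDR, ETH_MTU = 20, 8, 1500

# Bytes each encapsulation adds on top of the inner IPv4 packet.
TUNNEL_OVERHEAD = {
    "none": 0,
    "PPPoE": 8,
    "IPIP (outer IP 20)": 20,
    "GRE (outer IP 20 + GRE 4)": 24,
    "GRE with key (outer IP 20 + GRE 8)": 28,
    "VXLAN (IP 20 + UDP 8 + VXLAN 8 + inner Ethernet 14)": 50,
    "WireGuard (IP 20 + UDP 8 + WG 32)": 60,
}

def max_icmp_payload(overhead, link_mtu=ETH_MTU):
    """Largest echo payload that fits once tunnel overhead is subtracted."""
    return link_mtu - overhead - IP_HDR - ICMP_HDR

def find_max_payload(probe, lo=0, hi=ETH_MTU - IP_HDR - ICMP_HDR):
    """Binary-search the largest payload for which probe(size) is True.
    probe stands in for one DF-set echo request (e.g. `ping -M do -s SIZE`)."""
    if not probe(lo):
        return None  # host does not answer at all
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def classify(payload, link_mtu=ETH_MTU):
    """Return (overhead_bytes, matching encapsulation names)."""
    overhead = link_mtu - IP_HDR - ICMP_HDR - payload
    return overhead, [n for n, o in TUNNEL_OVERHEAD.items() if o == overhead]

def simulated_path(path_mtu):
    """Constructed stand-in for a real network path with the given MTU."""
    return lambda size: size + IP_HDR + ICMP_HDR <= path_mtu

if __name__ == "__main__":
    observed = find_max_payload(simulated_path(1476))  # constructed GRE path
    print(observed, classify(observed))
```

A matching overhead is a hint rather than proof: different encapsulations or a manually lowered MTU can produce the same number, so treat the result as one signal alongside routing data.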

Yesterday, AS198981 (netshield/1centhost) continued to serve Doppelganger domains but this time with @packetbouncer (Aurologic) as upstream. This is not the kind of blocking we were expecting from you.

1 year ago 0 0 0 0

This is why we think that Lethost bullet proof hosting that runs DG is NOT just a customer of Aeza (1/x)

1 year ago 0 0 0 0

Suspended Cyberhub ASN that is part of the Doppelganger ecosystem has just been renamed to HellaAS (Hellenic Digital Services Ltd / Luxhost). Seems like "luxhost" is the new Aeza bullet proof hoster. 🤦
@Gi7w0rm @banthisguy9349 @SourcesOuvertes

1 year ago 0 0 0 0

In a new twist in the saga of Doppelganger, Aeza has decided to stop providing connectivity to two bullet proof hosters: Lethost and Sunhost. What a nice way to show the world that they handle "abuse". (1/3)

1 year ago 0 0 0 0

Since the release of our forensic investigation about Doppelganger infrastructure there have been a few interesting developments. One of them is that the F-domains @ TNSECURITY and NETSHIELD remain online thanks to one common upstream provider: Datacamp/CDN77

1 year ago 0 0 0 0

It seems that TNSECURITY/EVILEMPIRE is no longer routing traffic from Germany. Nice to have now a much clearer picture of where Lethost is coming from

1 year ago 0 0 0 0

Impressed by their setup or our report? Maybe both? @cymnu https://t.co/Ds8gNGobjK

1 year ago 0 0 0 0

Hostinger today, DNS parking the F domains of DG.
bikerspace[.]shop
btwidea[.]shop
cscerbr[.]shop
envhb[.]shop
summitslope[.]shop
vokei[.]shop

1 year ago 0 0 0 0

TNSecurity (aka Evilempire) is interesting for 4 things:
- Runs from Germany as downstream of @packetbouncer
- Runs front proxies for Doppelganger
- It is a hotspot of malware distribution
- It was a "dorector"
@Gi7w0rm @ffforward @banthisguy9349

1 year ago 0 0 0 0

Let us check a few domains of the DG campaign today that were registered with Namecheap and then moved to Hostinger DNS parking service. The service has been provided for months and the domains have been pointed to:
AS215428 Mykyta Skorobohatko RU
AS216309 Tnsecurity Ltd RU

1 year ago 0 0 0 0

Just a couple of hours ago, all these domains have been used by Doppelganger. All controlled from:
- Hostinger DNS Parking service and
- Served from "Evilempire" downstream of Aurologic in Germany.

1 year ago 0 0 0 0

Today, we make public our latest research on Doppelganger. www.qurium.org/alerts/russia/exposing-t...

1 year ago 1 1 1 0

Meet Ben Rose from Supreme Media (Amashen) that runs "regulated financial traffic". 🤣

1 year ago 0 0 0 0

Do you wonder who is promoting those scams impersonating personalities and media?
Read about how we found three affiliate networks behind those ads.
www.qurium.org/alerts/tell-of-spring-ex... 👇(1/8)

1 year ago 0 0 0 0