From Phishing Crypto Seeds to Burning Blogspot Fun
Hello all!
I know it’s been a while since my last post—life has been busy. That said, I recently observed a trend across several inboxes involving phishing links sent from compromised WordPress sites. While the phishing scheme itself wasn’t particularly notable, the use of Blogspot/Blogger stood out.
Phishing
The initial email claimed that a username had been assigned to us and that we needed to set a password in order to claim BTC.

As we can see, the lure is trying to redirect us to a Blogspot URL, www[.]segfdt[.]blogspot[.]sn. When browsing to the blog, we're greeted with a window.location JavaScript redirector:

From there we're redirected to yet another redirection handler:

On page load, the JavaScript fetches a domain from an external malicious server (sharkboss[.]top), appends a predefined URL path, and then redirects the user to the combined URL. It includes basic error handling to log failures. This approach is commonly used in phishing campaigns to evade detection, since the final destination is never present in the page source and can be swapped out server-side at any time. In our case, the site being pulled was hxxps://godprox[.]cc.

Upon visiting the site, we're presented with the phishing components intended to steal our crypto, or to get us to pay a "fee" to claim fake BTC.

Rather than boring you with more cryptocurrency-stealing content, I wanted to see if there was anything else I could find in my limited time.
Blogspot Fun
Because Blogspot is--well--a blog, it gives us a link to the posting user. In this case, we see that the blog is owned by: hxxps://www[.]blogger[.]com/profile/01526673279526651391. When navigating to the Blogger user, we can see that they have quite the list of blogs.

One can probably infer that each of these randomly generated titles is a blog designed to redirect users to additional campaigns. One would be correct in assuming this. With that said, it would be a royal pain to visit each blog one by one, which leads us to the following:
"If you have to do something more than three times, script it."
After creating our script, we were able to obtain a list of every Blog URL and where they redirect to:

Here's the full list:
hxxp://yjgrgw[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://jyggex[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://wqerde[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://dgfcfr[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://dbgnxs[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://ohujfr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://htfytc[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://mdfhrs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jjftxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://wfjxde[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://kgyjyr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://hjyred[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://nthwzy[.]blogspot[.]com/ -> hxxps://minbic090[.]shop/mm[.]html
hxxp://drgede[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://jjyjgj[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://hgrbvd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://hgytrz[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://sdgjtw[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://htbfro[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://jhgrxd[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://redrxq[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://ghegxs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://awfhtv[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://gjyrdd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://sefhjd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://hjgdez[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://segfdt[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://egstxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://nawmhx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://sfhtfx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://drhydx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://nhvfjy[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://bsdhwa[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://yukybd[.]blogspot[.]com/ -> hxxps://tiredyes96[.]fun/shop[.]html
hxxp://grtyyw[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://ftuhrx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jgfrxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jgybfb[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://afwcfe[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jytdxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://ikhtxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://nhfjye[.]blogspot[.]com/ -> hxxps://minbic090[.]shop/mm[.]html
hxxp://iyjtdr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://bnghrs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://kuhznc[.]blogspot[.]com/ -> hxxps://tiredyes96[.]fun/shop[.]html
hxxp://jhgfez[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://khfbgr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://oyutrx[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://fddbsz[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jkykgx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://fvajrd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jddbde[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://mxgnjf[.]blogspot[.]com/ -> hxxps://tiredyes96[.]fun/shop[.]html
hxxp://yruifr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jygndw[.]blogspot[.]com/ -> hxxps://minbic090[.]shop/mm[.]html
hxxp://bdnghr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://msngdr[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jydbxd[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://gseeft[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://fhtbde[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://esgnfr[.]blogspot[.]com/ -> hxxps://tiredyes96[.]fun/shop[.]html
hxxp://jygfrq[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://htyrbf[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://afhjse[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://trgrxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://bfdhrx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://wegnhs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://nsdhtw[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://wevvbg[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://ygkvng[.]blogspot[.]com/ -> hxxps://tiredyes96[.]fun/shop[.]html
hxxp://wahtbf[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://msjfrx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://fgbbse[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://nsgjft[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://efbhxd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://ngjtdp[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://jfhsgs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://jgbfes[.]blogspot[.]com/ -> hxxps://minbic090[.]shop/zoo[.]php
hxxp://aweydd[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://msujcf[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://sefsge[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://hgjrrs[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://kuhrxs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://uhures[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://ygjyde[.]blogspot[.]com/ -> hxxps://get188[.]info/xx[.]php
hxxp://jtycdf[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://efwxeh[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://uthbfs[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://fhtbfq[.]blogspot[.]com/ -> hxxps://my02000isreal[.]space/zxc[.]php
hxxp://dgryfx[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://ytybrf[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
hxxp://tfuted[.]blogspot[.]com/ -> hxxps://get188[.]info/2/rr
It wouldn't be very kind of me to talk about a script and not share it with the world. Here's the script I used to enumerate a user's blogs and extract the window.location contents to build the above list:
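The author's script itself did not survive on this page, so the following is an added example written for this post, not the author's code. It does the same two jobs offline: pull the *.blogspot.* links out of a saved Blogger profile page, then classify each blog page as a static window.location redirector (target in the page source) or a dynamic one of the fetch-then-redirect kind described earlier (target pulled from a remote server at load time), and print the mapping in the defanged hxxp / [.] style used above. The profile markup, the blog page contents and the example-c2.invalid fetch URL are all constructed for the example; real Blogger profile pages will need the link pattern adjusted.

```python
import re

# Constructed sample of a Blogger profile page listing the user's blogs.
# This is invented markup for the example, not the real Blogger profile HTML.
SAMPLE_PROFILE_HTML = """
<div class="profile-data">
  <ul>
    <li><a href="http://yjgrgw.blogspot.com/">yjgrgw</a></li>
    <li><a href="http://jyggex.blogspot.com/">jyggex</a></li>
    <li><a href="https://www.blogger.com/about">About</a></li>
  </ul>
</div>
"""

# Constructed sample blog pages: one static redirector, one dynamic one.
# The fetch target example-c2.invalid is a placeholder, not a real indicator.
SAMPLE_BLOG_PAGES = {
    "http://yjgrgw.blogspot.com/": """
<html><body><script>
window.location = "https://my02000isreal.space/zxc.php";
</script></body></html>
""",
    "http://jyggex.blogspot.com/": """
<html><body><script>
fetch("https://example-c2.invalid/domain.txt")
  .then(r => r.text())
  .then(d => { window.location.href = d + "/2/rr"; })
  .catch(e => console.error(e));
</script></body></html>
""",
}

# Links to blogspot blogs on the profile page (assumed href="..." form).
BLOG_LINK_RE = re.compile(r'href="(https?://[a-z0-9-]+\.blogspot\.[a-z.]+/?)"', re.I)
# window.location = "..."; window.location.href = "..."; .replace("..."); .assign("...")
LOCATION_RE = re.compile(
    r'window\.location(?:\.href)?\s*(?:=\s*|\.replace\(\s*|\.assign\(\s*)["\']([^"\']+)["\']',
    re.I,
)
# fetch("...") calls, used to spot the dynamic redirector pattern.
FETCH_RE = re.compile(r'\bfetch\(\s*["\']([^"\']+)["\']', re.I)


def defang(url):
    """Render a URL in the hxxp / [.] style used for IOCs in this post."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_blog_urls(profile_html):
    """Return the unique *.blogspot.* URLs linked from a profile page, in order."""
    seen = []
    for m in BLOG_LINK_RE.finditer(profile_html):
        u = m.group(1)
        if not u.endswith("/"):
            u += "/"
        if u not in seen:
            seen.append(u)
    return seen


def classify_redirect(page_html):
    """Classify a blog page: static redirect (target in source), dynamic (fetch feeds
    window.location), or none. 'targets' holds the literal URLs found."""
    targets = LOCATION_RE.findall(page_html)
    if targets:
        return {"kind": "static", "targets": targets}
    if re.search(r"window\.location", page_html) and FETCH_RE.search(page_html):
        # No literal destination; the only URL in the source is the fetch endpoint.
        return {"kind": "dynamic", "targets": FETCH_RE.findall(page_html)}
    return {"kind": "none", "targets": []}


def map_redirects(profile_html, fetch_page):
    """Map each blog URL on the profile to its redirect classification.
    fetch_page(url) -> html; here an offline lookup into SAMPLE_BLOG_PAGES."""
    results = {}
    for blog in extract_blog_urls(profile_html):
        results[blog] = classify_redirect(fetch_page(blog))
    return results


if __name__ == "__main__":
    mapping = map_redirects(SAMPLE_PROFILE_HTML, lambda u: SAMPLE_BLOG_PAGES.get(u, ""))
    for blog, info in mapping.items():
        for t in info["targets"] or ["(no redirect found)"]:
            print(f"{defang(blog)} -> {defang(t)}  [{info['kind']}]")
```

When run as-is it prints the two constructed blogs with their targets; to use it on real pages, pass a fetch_page function that returns HTML saved from an isolated analysis box, and treat any blog classified as "dynamic" as one whose final destination must be observed at runtime rather than read from the source.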
IOCs
Below is the unique list of redirectors (most of which I could no longer connect to):
hxxps://tiredyes96[.]fun/shop[.]html
hxxps://my02000isreal[.]space/zxc[.]php
hxxps://minbic090[.]shop/mm[.]html
hxxps://minbic090[.]shop/zoo[.]php
hxxps://get188[.]info/xx[.]php
hxxps://get188[.]info/2/rr
Final Redirector/Target
hxxps://godprox[.]cc
Blogger User Profile Link:
hxxps://www[.]blogger[.]com/profile/01526673279526651391
Likely compromised WP site:
hxxps://www[.]church-int[.]com