Techniques to discover themed phishing campaigns with Validin
On April 12th, 2024, the FBI published a public service announcement warning of a smishing scam regarding “debt for road toll services.” This scam, like other smishing campaigns, arrives as a text message that resembles the following:
(State Toll Service Name): We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.
Of course, the website is fake. It is designed to trick users into providing payment information and other sensitive details.
With this single domain as the starting point, let’s see what we can find with Validin.
Initial Pivots
Our initial search for DNS indicators shows that the threat actor leveraged Cloudflare for hosting. We know from Validin’s popularity hints that these are unlikely to be helpful initial pivots because of the large numbers of domain names that share this infrastructure.
Looking at the Host Responses, we see that the responses changed on April 12th, the day that the FBI released their warning:
Let’s look at the host connections that Validin extracted from host responses to see if we can find some helpful pivot points. Visiting the “Host Connections” tab and filtering with “Last Seen” not after “2024-04-13”, we see two HOST-HEADERS_FINGERPRINT values that were not returned by this domain after the 12th.
Looking at the first host header fingerprint, ede1f159858d50c46210
, we see tens of thousands of host connections. So, I narrowed it down a bit with additional result filters. I added an IPv4 Filter of 0.0.0.0
, which effectively filters out all IP addresses, and a zone filter for com
, which limits connections to the .com TLD.
We know from the original FBI notice that the threat actors used a toll-themed domain name. So, within these results, let’s search for domain names that include the string “toll:”
Applying this filter immediately leads to a set of domains that look like very promising next-order pivots:
Initial results of first pivot yields 7 new domains with 10 additional subdomains (18 total):
floridasunpass-toll[.]com
mail.floridasunpass-toll[.]com
www.floridasunpass-toll[.]com
sunpassservicestoll[.]com
www.sunpassservicestoll[.]com
www.turnpiketollservices[.]com
myturnpiketollservices[.]com
www.myturnpiketollservices[.]com
njtollservices[.]com
www.njtollservices[.]com
sunpasstollservices[.]com
www.sunpasstollservices[.]com
floridasunpasstollservices[.]com
www.floridasunpasstollservices[.]com
mysunpasstollservices[.]com
www.mysunpasstollservices[.]com
turnpikeservicestolls[.]com
www.turnpikeservicestolls[.]com
Expanding the Collection
We know from the initial DNS search that the threat actor leverages a certain degree of anonymity afforded by using Cloudflare infrastructure to avoid standing out with unique DNS responses. However, with 8 observed domain name variations, we can use Validin’s recent lookalike search to find other recently discovered domains that look like any in the initial set.
I set a generous timeout, configured the search to look back 30 days, and set an edit-distance similarity threshold of 5. This similarity threshold will find any domains within an edit distance of 5 characters from the original search term.
Searching for lookalikes to all 8 domains from the initial pivot expansion yields about two dozen net new domains, many of which have additional subdomains, and all of which were registered over the last 30 days.
Searching for lookalikes yielded the following domains that were first observed by validin within the last 30 days:
gasunpasstollservices[.]com
ncsunpasstollservices[.]com
ncsunspasstollservices[.]com
floridasunpasstoll[.]com
sunpass-services[.]com
myturnpiketollservice[.]com
paturnpiketollservices[.]com
turnpiketollservices[.]co
turnpiketollservices[.]com
turnpiketolservices[.]com
turnpiketollservice[.]com
turpiketollservices[.]com
turnpiketolservices[.]com
turnpiketollsservices[.]com
mysunpasstollservices[.]com
sunpasstollservices[.]com
sunpasstollsservices[.]com
sunpasstollservice[.]com
gasunpasstollservices[.]com
ncsunpasstollservices[.]com
sunpasstolservice[.]com
flsunpasstollservices[.]com
ncsunspasstollservices[.]com
texastollservices[.]com
sunpass-service.2347843209.workers[.]dev
sunpass-service[.]com
georgiasunpasstollservices[.]com
The registrar for the initial domain name, myturnpiketollsevices[.]com
, is Eranet International Limited. Of the 28 domain names (not including subdomains) added to our collection from the initial starting domain, half of the rest (14) were registered with the same registrar. This could be an indication that there are multiple campaigns with similar themes.
Using a few variations of lookalike search, we identified additional domains that are possibly related due to their overlap with naming conventions, registrars, and hosting patterns.
Further pivots, discovered with other lookalike variations, uncovered these additional domains:
njtollservices[.]com
tollwayservices[.]com
tollwaysservices[.]com
wwwtollwayservices[.]com
iltollwayservices[.]com
itollwayservices[.]com
illinoistollservices[.]com
iltollswayservices[.]com
itollswayservices[.]com
turnpiketollservices[.]com
paturnpiketollservices[.]com
myturnpiketollservices[.]com
turpiketollservices[.]com
turnpiketollsservices[.]com
nytollsservices[.]com
sunpasstollservices[.]com
floridasunpasstollservices[.]com
flsunpasstollservices[.]com
mysunpasstollservices[.]com
sunpasstollsservices[.]com
ctrtollservices[.]com
texastollservices[.]com
txtollservices[.]com
ncsunspasstollservices[.]com
ncsunpasstollservices[.]com
gasunpasstollservices[.]com
georgiasunpasstollservices[.]com
sun-passtolls[.]com
tolls-sunpass[.]com
sunpass-tolls[.]com
sunpass-toll[.]com
bayareafastrak-toll[.]com
bayareafastrak-tolls[.]com
tolls-407express[.]com
toll[.]a407info[.]com
www[.]toll[.]a407info[.]com
a25bridge-toll[.]com
Most of the domains in our collection have only been hosted on Cloudflare or parking IP addresses, limiting pivotability through the DNS history. However, some of these have recently resolved to IP addresses that are not on Cloudflare or parking IPs, including:
94.232.247[.]104
193.233.203[.]34
5.252.177[.]214
91.215.85[.]79
82.147.85[.]89
65.108.206[.]218
The recent history of domains pointing to those IP addresses shows very likely phishing patterns of various forms.
Common themes for the domains pointing to these IP addresses include:
- Toll payments across the US and Canada (some in French; e.g., villestationnement[.]com)
- Booking and Expedia-themed phishing domains, likely related to booking.com and expedia.com smishing campaigns
- Crypto coins and wallets
- Various support-themed domains
- Package tracking and delivery
Conclusion
Given the great variety of hosting infrastructure uncovered and the open-ended nature of lookalike domain search techniques, we almost certainly uncovered multiple campaigns that we can now track with Validin. This process enabled us to discover large numbers of domains and IPs that are very likely used for phishing in a short time.
Interested in leveraging Validin to build threat intelligence proactively? Check out our individual pricing and plans, or contact us to learn about our enterprise options.
94.232.247[.]104
5.252.177[.]214
193.233.203[.]34
65.108.206[.]218
91.215.85[.]79
82.147.85[.]89
ilibrary[.]pk
starlightserena[.]uk
eghswoodd[.]uk
gravitygrid[.]uk
atralabode[.]uk
starrynightlife[.]uk
dygitalrajdi[.]uk
moonlitmansion[.]uk
stellarvoyager[.]uk
enstojwndikr[.]uk
onfgramewgor[.]uk
twilightvortex[.]uk
solsticesanctuary[.]uk
melding989200[.]com
skttn362500[.]com
mldng094210[.]com
skat128910[.]com
persyavene620[.]com
melding63820[.]com
telekom83920[.]com
reselect-3017920[.]com
persyave340[.]com
reactivate-470[.]com
select-590[.]com
testman90[.]com
nav-melding0[.]com
navmelding0[.]com
nav-info0[.]com
verificatio-0[.]com
kredinorubetalt0[.]com
netassist101[.]com
varsling290201[.]com
melding0001201[.]com
varsling445601[.]com
melding62701[.]com
mldng732801[.]com
skttn098801[.]com
aut1d01[.]com
varsling903211[.]com
mldng982311[.]com
varsling928321[.]com
melding129921[.]com
mldng670091[.]com
mldng643091[.]com
varsle00989091[.]com
log-91[.]com
varsling20e1[.]com
infomessage1[.]com
a25-facture-enligne1[.]com
a25-compte-enligne1[.]com
a25-frais-impaye1[.]com
infoalerts1[.]com
a25-paiement-client1[.]com
amlbotv1[.]com
testi902[.]com
varsle218912[.]com
skatte4522[.]com
crypto-872942[.]com
reorganise-862[.]com
commerz7392[.]com
melding891qe92[.]com
oauthhandler2[.]com
millysms2[.]com
amlbotv2[.]com
se-melding-0303[.]com
melding21912903[.]com
melding0091023[.]com
androcall293[.]com
melding27189214[.]com
ver-2024[.]com
nex-ver2024[.]com
lt-2024[.]com
infonow2024[.]com
melding310124[.]com
transferencia-24[.]com
visita-24[.]com
mad-24[.]com
verifi-24[.]com
segwolly394[.]com
varsling50r4[.]com
select-915[.]com
ponta25[.]com
pont-25[.]com
melding651096735[.]com
payment-checkout-services665[.]com
oma-vero-fi-16[.]com
bit-formulier-467743246[.]com
select-356[.]com
reselect-6458876[.]com
select-596[.]com
be-isabel-6[.]com
etrbridge407[.]com
melding983427[.]com
select-837[.]com
telekom028267[.]com
mldng431567[.]com
restore-511087[.]com
securehost-portal08[.]com
melding83728[.]com
thisisatest29475728[.]com
commerz0921238[.]com
authdocument65348[.]com
77737368[.]com
reactivate-668[.]com
mldng877609[.]com
mldng892119[.]com
minsideno-2719[.]com
mldng982139[.]com
select-279[.]com
return-879[.]com
mldng9128189[.]com
melding1n1a[.]com
join-shiba[.]com
es-bvba[.]com
mbway-verifica[.]com
407on-ca[.]com
westunion-ca[.]com
ontariocourts-setfines-ca[.]com
cadpostes-postalsupport-ca[.]com
ontariowebcourt-ca[.]com
sunpass-florida[.]com
sunpassflorida[.]com
kela-asiantuntijatukea[.]com
turvaline-kasutaja[.]com
suomi-fi-viesteja[.]com
yhteystiietoja[.]com
potvrdit-tarabanka[.]com
nakedcena[.]com
kwetna[.]com
trafiicajoneuvoa[.]com
emta-ee-deklareerimata[.]com
nexiareariservata[.]com
kela-ajankohtaista[.]com
mobiilivahvista[.]com
emihratesndb[.]com
vub-web[.]com
barclays-online-web[.]com
eurobank-web[.]com
pkobp-web[.]com
us-courtweb[.]com
tatrabanka-sk-nb[.]com
customeronlinehub[.]com
mcafeesecurityhub[.]com
a25-quebec[.]com
toysforsaleonfc[.]com
reschedule-logistic[.]com
alerts-boc[.]com
avast-antivirusdownload[.]com
navbeskjed[.]com
districtsessionexpired[.]com
trace-missed[.]com
track-order-missed[.]com
premiumrenewed[.]com
track-order-delayed[.]com
min-sideid[.]com
pos-sid[.]com
possid[.]com
myfakt-id[.]com
op-bonus-finland[.]com
emiratedbnd[.]com
bit-vavo-nl-dashboard[.]com
sharecompareltd[.]com
be-isabel-6-eu-be[.]com
paybc-service[.]com
cr-updateservice[.]com
turnpiketollservice[.]com
myturnpiketollservice[.]com
sunpasstollservice[.]com
sunpasstolservice[.]com
sunpass-service[.]com
ledger-wallet-service[.]com
exodus-wallet-service[.]com
ledger-support-wallet-service[.]com
trust-wallet-service[.]com
tr-ezor-support-service[.]com
divert-assistance[.]com
telekom73920de[.]com
telekom-38303-de[.]com
meo-identidade[.]com
support-ledger-upgrade[.]com
ledger-wallet-upgrade[.]com
support-trust-wallet-upgrade[.]com
trust-wallet-support-upgrade[.]com
commb-de[.]com
cmmrzkundde[.]com
convene-idside[.]com
my-conveneside[.]com
minkredinorside[.]com
pos-side[.]com
combnk-de[.]com
comerz-de[.]com
ebs-removepayee[.]com
pending-package[.]com
dhl-package[.]com
boc-message[.]com
bayareafastrak-message[.]com
the-aptosbridge[.]com
nav-norge[.]com
tvl-official-ie[.]com
monotele[.]com
winb-mobile[.]com
xsemobile[.]com
bawag-mobile[.]com
tbimobile[.]com
1bank-mobile[.]com
revo-mobile[.]com
okta-tmobile[.]com
service-tmobile[.]com
storewatch-tmobile[.]com
rs-tmobile[.]com
scheple[.]com
schecksample[.]com
order-re-schedule[.]com
blackjackwin-supreme[.]com
psi-paymentanytime[.]com
alberta-fine[.]com
bc-fine[.]com
paybc-fine[.]com
cgd-caixaonline[.]com
fastrak-online[.]com
amp-portalonline[.]com
fscs-online[.]com
cgd-particularesonline[.]com
sunpass-online[.]com
be-isabel-6-eu-online[.]com
mcafeesafezone[.]com
today-pepe[.]com
lidostripe[.]com
wealthguide-compare[.]com
service-ledger-hardware[.]com
services-ledger-hardware[.]com
support-ledger-hardware[.]com
mobilbrugere[.]com
customer-secure[.]com
santanderparticulares-secure[.]com
commnetsecure[.]com
a25pont-facture[.]com
smslaayre[.]com
coin-en-2fa-base[.]com
en-c-oin-2-fa-ba-se[.]com
kycsupportcbase[.]com
www-online-coin-en-base[.]com
www-coin-en-base[.]com
873911-coinbase[.]com
29395341-coinbase[.]com
1040024-coinbase[.]com
19384448-coinbase[.]com
874529-coinbase[.]com
19483339-coinbase[.]com
2-fa-coin-base[.]com
path-coinbase[.]com
com-coin-base[.]com
req-coinbase[.]com
0x-coinbase[.]com
donotreply-chase[.]com
ivnestorsparadise[.]com
mbway-analise[.]com
norketse[.]com
gov-security-info-update[.]com
ledger-hardware-site[.]com
eeapisite[.]com
ssapisite[.]com
ledger-support-site[.]com
workinghourmonitize[.]com
metamaskinf[.]com
pops-inf[.]com
bayarea-fastraksf[.]com
onlinentf[.]com
claim-jup-ag[.]com
tbibank-bg[.]com
dsk-smartbg[.]com
dsksmartbg[.]com
majkisblogg[.]com
hali-appconfig[.]com
uin-verstrekking[.]com
snb-olbanking[.]com
sicher-banking[.]com
lowellubetaltinkassoregning[.]com
cra-accounting[.]com
bnqomgeving[.]com
tanverwaltung[.]com
cvbbkwb3ah[.]com
xxxx-flash[.]com
dsraiufm1i[.]com
nsnadi[.]com
mysvei[.]com
maksaaposti-fi[.]com
liikennesakko-fi[.]com
rikostapaus-oikeus-fi[.]com
op-bonus-fi[.]com
hr-humi[.]com
manage-gemini[.]com
onlineparcelevri[.]com
bcr-reactivati[.]com
my-portal-id-citi[.]com
xenxxkhjxi[.]com
fl-ytj[.]com
bayarea-fastrak[.]com
bayareasf-fastrak[.]com
ukamazon-track[.]com
nzpost-track[.]com
ledger-hardware-blackrock[.]com
service-ledger-blackrock[.]com
onlineverzoek[.]com
wannatestmypagequik[.]com
boc-1bank[.]com
vubbank[.]com
web-winbank[.]com
de-targobank[.]com
fscs-metrobank[.]com
pireusbank[.]com
exodus-service-link[.]com
ntflnk[.]com
vub-banka-sk[.]com
web-dsk[.]com
direct-dsk[.]com
smart-dsk[.]com
nabconnecthelpdesk[.]com
overenie-sk[.]com
vub-loginsk[.]com
buv-login-sk[.]com
depot-evriuk[.]com
reschedule-depotuk[.]com
evri-depot-uk[.]com
evri-delivery-depotuk[.]com
infractiondemontreal[.]com
lowellbetal[.]com
chave-movel-digital[.]com
liveteamdigital[.]com
mysecurity-digital[.]com
emiratednbportal[.]com
bayareafastrak-portal[.]com
a25-laval[.]com
a25pont-laval[.]com
premium-renewal[.]com
premiumrenewal[.]com
spotifypremium-renewal[.]com
ledger-blackrock-buidl[.]com
ledger-buidl[.]com
sunpass-fl[.]com
albirland-personall[.]com
kyc-upd-wall[.]com
a25bridge-toll[.]com
bayareafastrak-toll[.]com
sunpassservicestoll[.]com
sunpass-toll[.]com
floridasunpass-toll[.]com
floridasunpasstoll[.]com
scorechains-aml[.]com
bit-vavo-nl-online-nl[.]com
bu-nq-online-nl[.]com
nl-bu-nq-online-nl[.]com
regelen-bit-vavo-nl-nl[.]com
online-bit-vavo-nl[.]com
com-bit-vavo-nl[.]com
regelenbit-vavo-nl[.]com
nl-accounts-bit-vavo-nl[.]com
regelen-online-bu-nq-nl[.]com
werk-bij-bu-nq-nl[.]com
bij-werken-bun-q-nl[.]com
regelen-bu-nq-nl[.]com
werk-bij-mijn-bunq-nl[.]com
topgonsol[.]com
365-personal-irl[.]com
sensitiefmeldingsysteem[.]com
planned-maintenance-com[.]com
coin-ba-se-com[.]com
trafiicom[.]com
bit-vavo-nl-com[.]com
en-blt-vavo-com[.]com
bitupdateplatform[.]com
isabel-6-gegevensplatform[.]com
bcm-gegevens-platform[.]com
bitgegevens-platform[.]com
renewal-premium[.]com
renew-spotifypremium[.]com
odsibian[.]com
ethrecsan[.]com
app-portal-tan[.]com
login-santan[.]com
coin-2fa-base-en[.]com
www-coin-en-base-en[.]com
www-coin-base-en[.]com
delayed-kraken[.]com
delay-kraken[.]com
service-theta-token[.]com
wallet-thetatoken[.]com
support-theta-token[.]com
thehugtoken[.]com
mask-redeem-token[.]com
gothia-portalen[.]com
bit-vavo-nl-regelen[.]com
sencolismen[.]com
www-en-kraken-en[.]com
tanverfahren[.]com
infofraskatteetaten[.]com
innboksmelding-skatteetaten[.]com
logginnskatteetaten[.]com
lesinnboks-skatteetaten[.]com
vub-login[.]com
vublogin[.]com
steampoweredlogin[.]com
erstelogin[.]com
bog-login[.]com
1bank-login[.]com
tbibank-login[.]com
mai-l-co-mmufa-jp-am-bin-am-log-in[.]com
mail-co-mmufa-jp-am-bin-am-login[.]com
mail-commufa-jp-am-bin-am-login[.]com
mail-jp-am-bin-am-login[.]com
skipton-login[.]com
wvw-amplogin[.]com
anp-login[.]com
slsp-login[.]com
bov-login[.]com
sms-mougin[.]com
soluckycoin[.]com
bendigo-verification[.]com
alberta-infraction[.]com
paybc-infraction[.]com
montrealvilleinfraction[.]com
montreal-infraction[.]com
villedemontreal-infraction[.]com
bcpay-infraction[.]com
misterx-production[.]com
atomitsolution[.]com
brgovsolution[.]com
skatteinformasjon[.]com
skatteetateninformasjon[.]com
nav-informasjon[.]com
verohalinon[.]com
verohalinoon[.]com
cad-gst-return[.]com
norbrekbo[.]com
aviso-novobanco[.]com
packagescheduleinfo[.]com
kyc-update-info[.]com
waterschapinfo[.]com
gestionderiesgosinfo[.]com
nav-ubetaltinfo[.]com
cba-review-info[.]com
reauth-weiisfargo[.]com
senderkessgo[.]com
meidentifysho[.]com
raytdium-io[.]com
radyium-io[.]com
casinodem-demo[.]com
furydemo[.]com
navmeldingnorge-no[.]com
navnorge-no[.]com
navmelding-no[.]com
posteninfo-no[.]com
navinnboks-no[.]com
hallintoo[.]com
mcafee-antiviruspro[.]com
inf-popso[.]com
lowellubetaltinkasso[.]com
onlinepagamento[.]com
verohaliinto[.]com
plouo[.]com
nl-2024-bit-vavo[.]com
nl-online-bit-vavo[.]com
werk-bij-bit-vavo[.]com
nl-werk-bij-bit-vavo[.]com
online-nl-bit-vavo[.]com
nl-bijwerken-bit-vavo[.]com
nl-acc-ounts-bit-vavo[.]com
nl-ident-bit-vavo[.]com
nl-blt-vavo[.]com
nl-com-blt-vavo[.]com
acc-ounts-bltvavo[.]com
nlaccounts-blt-vavo[.]com
nl-acc-ount-b-ltvavo[.]com
postbank-sicherheitip[.]com
e8encinukp[.]com
open24-help[.]com
ptsb-open24help[.]com
identityme-onlinehelp[.]com
cooponlinehelp[.]com
cooplivehelp[.]com
co-operative-help[.]com
bayareafastrak-help[.]com
co-operative-bankhelp[.]com
lloydsbankhelp[.]com
mmskshelp[.]com
sunpass-help[.]com
recovery-help[.]com
kredinorhjelp[.]com
cgd-caixadirectaapp[.]com
oprava-vubapp[.]com
santandersecure-app[.]com
1bank-app[.]com
dkb-aktivierenapp[.]com
ens-domains-app[.]com
saberpanelotp[.]com
updateewhatsup[.]com
nl-regelen-bu-nq[.]com
nl-ident-b-unq[.]com
conta-apoiar[.]com
ayrebzignar[.]com
dhldeliveryar[.]com
view-netnumber[.]com
trace-missed-order[.]com
track-missed-order[.]com
delayed-order[.]com
produkt-verkaufer[.]com
just-testingledger[.]com
blackrock-ledger[.]com
buidl-ledger[.]com
services-ledger[.]com
blackrock-support-ledger[.]com
bit-update-formulier[.]com
gegevens-bijwerken-formulier[.]com
flashupdate-orginasier[.]com
altinn-varsler[.]com
altinnvarsler[.]com
navvarsler[.]com
cumberlandbuildingsociety-enter[.]com
24-ver[.]com
trezor-security-recover[.]com
allphaa-gr[.]com
crome-update-gr[.]com
vramcor[.]com
vramdor[.]com
vramkor[.]com
southstate-treasurynavigator[.]com
support-trez-or[.]com
wallet-support-trezor[.]com
allphaa-grr[.]com
hoppassport-tour[.]com
11ap2zzd1s[.]com
melding21n2s[.]com
reschedule-logistics[.]com
reschedulelogistics[.]com
myfakt-ids[.]com
astrosends[.]com
vodamobileservices[.]com
update-hardware-services[.]com
bayareafastrak-services[.]com
turnpiketollservices[.]com
paturnpiketollservices[.]com
myturnpiketollservices[.]com
turpiketollservices[.]com
njtollservices[.]com
ctrtollservices[.]com
texastollservices[.]com
illinoistollservices[.]com
sunpasstollservices[.]com
floridasunpasstollservices[.]com
gasunpasstollservices[.]com
georgiasunpasstollservices[.]com
ncsunpasstollservices[.]com
flsunpasstollservices[.]com
mysunpasstollservices[.]com
ncsunspasstollservices[.]com
txtollservices[.]com
turnpiketolservices[.]com
photo-tan-services[.]com
hardware-ledger-services[.]com
turnpiketollsservices[.]com
sunpasstollsservices[.]com
nytollsservices[.]com
sunpass-services[.]com
tollwaysservices[.]com
tollwayservices[.]com
itollwayservices[.]com
iltollwayservices[.]com
wwwtollwayservices[.]com
itollswayservices[.]com
iltollswayservices[.]com
vosamandes[.]com
bayareafastrak-fees[.]com
bayareafastrak-messages[.]com
ledger-service-updates[.]com
bayareafastraks[.]com
bayareafastrak-tolls[.]com
turnpikeservicestolls[.]com
sunpass-tolls[.]com
sun-passtolls[.]com
s24sms[.]com
steampoweredforums[.]com
steamreportforums[.]com
steamcommunityforums[.]com
alberta-infractions[.]com
bc-infractions[.]com
paybc-infractions[.]com
montreal-infractions[.]com
villedemontreal-infractions[.]com
sid-pos[.]com
mangreactivotps[.]com
verifieren-ups[.]com
ledger-hardware-customers[.]com
web-sunpass[.]com
service-sunpass[.]com
fl-sunpass[.]com
tolls-sunpass[.]com
ebssecureaccess[.]com
a30-express[.]com
tolls-407express[.]com
sunpass-express[.]com
alberta-traffictickets[.]com
bayareafastrak-clients[.]com
montrealpayments[.]com
alberta-accounts[.]com
bcpay-accounts[.]com
our-available-slots[.]com
new-available-slots[.]com
boc-alerts[.]com
1bank-alerts[.]com
menaceaus[.]com
ato-profileaus[.]com
poliisi-rikostapaus[.]com
link-io-exodus[.]com
investmentcomparing-us[.]com
verify-disneyplus[.]com
op-fi-bonus[.]com
avast-antivirus[.]com
service-courtus[.]com
kela-henkiloasiakkaat[.]com
barclayswebchat[.]com
tsb-live-chat[.]com
tsbbanklivechat[.]com
coopbanklivechat[.]com
barclaysbanklivechat[.]com
coop-livechat[.]com
barclaysonlinehelpchat[.]com
erstebank-at[.]com
parcel-date-select[.]com
package-missedredirect[.]com
eflow-ct[.]com
uscourt-ticket[.]com
service-ledger-wallet[.]com
service-trezor-wallet[.]com
support-trezor-wallet[.]com
services-trust-wallet[.]com
services-trustwallet[.]com
directaappnet[.]com
caixadirectaapp-net[.]com
eboo-retablir-net[.]com
dsk-debit[.]com
chromee-update-it[.]com
scrigno-it[.]com
min-convenefakt[.]com
a25-pontspayant[.]com
bayareafastrak-client[.]com
villestationnement[.]com
ontariocourts-webpayment[.]com
premium-acc-payment[.]com
a25-bridgepayment[.]com
fastrak-payment[.]com
ontario-courtspayment[.]com
ignitebio-sharepoint[.]com
americanequity-sharepoint[.]com
407ont[.]com
paybc-account[.]com
epcor-account[.]com
407etr-account[.]com
select-available-slot[.]com
next-available-slot[.]com
order-select-slot[.]com
supremewin-jackpot[.]com
caixa-directapt[.]com
cgd-apppt[.]com
mb-waypt[.]com
738495docencrypt[.]com
dsk-smart[.]com
dsksmart[.]com
ptsbsupport[.]com
o2service-support[.]com
ledger-wallet-service-support[.]com
infogooglesupport[.]com
infoapplesupport[.]com
cooponlinesupport[.]com
cooplivesupport[.]com
ledger-blackrock-support[.]com
trezor-link-support[.]com
nation-wide-digitalsupport[.]com
wallet-thetatoken-support[.]com
defender-support[.]com
upgrade-ledger-support[.]com
claim-ledger-support[.]com
wallet-ledger-support[.]com
suite-trezor-support[.]com
wallet-trezor-support[.]com
ledger-wallet-support[.]com
services-hoppassport[.]com
ontariocanadacourt[.]com
navmeldingulest[.]com
thecloaktest[.]com
cancel-request[.]com
updatevereist[.]com
firstdirectonlineassist[.]com
ontario-court-assist[.]com
generalshost[.]com
ups-infopost[.]com
custom-luxpost[.]com
service-att[.]com
instore-att[.]com
minsideskatt[.]com
elogin-att[.]com
vero-asiointipalvelut[.]com
omavero-palvelut[.]com
service-checkout[.]com
makingitorut[.]com
amphome-au[.]com
hsbc-online-au[.]com
investmentcompare-au[.]com
auspostdeliverytracking-au[.]com
myamp-loginau[.]com
myamp-au[.]com
oma-fi-kirjaudu[.]com
omavero-fi-kirjaudu[.]com
6-isabel-be-eu[.]com
6-isabel-eu[.]com
redeliverymyitechu[.]com
eboo-retablir-lu[.]com
paiiuu[.]com
nahsfijosdifubgewu[.]com
informasjon-nav[.]com
portaalbnqbv[.]com
citadelelv[.]com
spotify-premium-renew[.]com
slothana-buynow[.]com
support-coinbase-0x[.]com
ag-dex[.]com
support-payments-netflix[.]com
arialeexxx[.]com
vermanbay[.]com
pepe-today[.]com
order-delay[.]com
mygooglepay[.]com
vahvistusmobilepay[.]com
danugateaway[.]com
verifique-mbway[.]com
verificarmbway[.]com
bloquear-mbway[.]com
sendergateway[.]com
binance-cy[.]com
eurobank-cy[.]com
eurobankcy[.]com
bankofcyprus-cy[.]com
revolut-cy[.]com
fund-seedify[.]com
zillelandverify[.]com
reinstate-spotify[.]com
k5hfuljioy[.]com
my-auspost-delivery[.]com
uaedlvry[.]com
lowellpaymobility[.]com
revolut-application-security[.]com
resolve-newactivity[.]com
premium-nz[.]com
spotify-nz[.]com
turnpiketollservices[.]co
woot-9099571192[.]shop
qip-7014087516[.]shop
gulu-256414231747[.]shop
klma-2564147608[.]shop
curl-9272720418[.]shop
hb-729184729[.]shop
gosh-8876422349[.]shop
ks283954-shea[.]shop
orju540976430-kliosa[.]shop
kle5843096-dorsa[.]shop
ipu29472sjkd[.]shop
uye23445933-gud[.]shop
k23729192-orud[.]shop
23i823-osde[.]shop
jpi239293738-olhe[.]shop
jks3249087-fsdf[.]shop
sdk09379434-dfggf[.]shop
klio-235789sf[.]shop
oqi94506932-lisf[.]shop
nmo-3984520nbeg[.]shop
sdfjk93032832-ki[.]shop
ursa-07548203kli[.]shop
qpe90934028-ybni[.]shop
uli23942309-lopi[.]shop
jdo07349495-upi[.]shop
atik34907598-oyj[.]shop
kden-204829209l[.]shop
dsjf-32939042hm[.]shop
op-20257320smun[.]shop
kle3457289-jgiro[.]shop
hy0959345-ckep[.]shop
mke9043576-klop[.]shop
klig95699321-knop[.]shop
soy20837219-rop[.]shop
jhil20382813-klup[.]shop
ysek-28943502knup[.]shop
ourk2398754-der[.]shop
dswe3493945-knir[.]shop
pgorj39482304-for[.]shop
ds2093558-djor[.]shop
dvj-23489320fds[.]shop
loi5450943-ores[.]shop
mokr-983489502ks[.]shop
olr436895-ofps[.]shop
sme-5028423ilu[.]shop
htf04529383-poew[.]shop
l2039483-sdfw[.]shop
fl2390458-raisow[.]shop
smi3049657-losw[.]shop
kyo28934700-py[.]shop
terra[.]net
bitdomain[.]net
sunpass-service.2347843209.workers[.]dev