Edit 11–11–2023: Featuring Section E (Mass Hunting sellers & resellers)
Chenlun has rebranded in order to avoid foreign attention. After this post, KrebsOnSecurity published an article featuring the activity of Chenlun products in USPS phishing campaigns. Read it:
This probably brought Chenlun some real attention, so he decided to go on the run, hiding as much as possible and rebranding his services. In fact, the main reason for these hasty changes is this private blog from a Spanish blogger.
Operations have not stopped. Everything runs as before; indeed, new products have been announced for the Chenlun services.
So, I have to update.
Money can sometimes be attractive, especially if you can get it quickly and anonymously. People are seduced by money, whether it is theirs or not (in fact, it is not), and start committing crimes against other people in a rush that has no end. That’s all: money. Financially motivated groups with a common objective: steal from you, no matter how they do it.
For those who don’t know what carding means, I will try to summarize it very briefly: credit card fraud, where criminals steal credit card information for personal benefit, spending the money associated with those cards or selling the information to other criminals.
A. An Asian community around a phishing website rental service
Starting in October 2022 and using the moniker “Chenlun”, this China-based individual has built a community of hundreds of users who successfully steal credit card information from victims via fake shipping and e-commerce websites, with targets worldwide.
He advertises his product as 【沉沦】钓🐟频道, translated: “[Sinking] Phishing Channel”. Note that Chenlun is the transliteration of 沉沦, which translates as “Sinking” (tentatively).
Chenlun offers three options of sophisticated phishing website source code as a rental (prices are given in “u”, meaning USDT, the cryptocurrency most used by Asian individuals; 1 USDT is meant to equal 1 USD):
/*translated*/ Source: https://t.me/ChenlunConsultBot
- 1. Basic Credit Card Phishing (100u / month) ~ 92€/month
Website asks for “Ordinary 2D material”, including address, card number, CVV and other information.
- 2. Regular Verification Code (200u / month) ~ 184€/month
2.1. The user comes in to fill in the information, and the backend receives a reminder; be ready to bind your channel or wallet card.
2.2. The user enters the card number and other information and submits; the intercepted front end shows that it is still loading, and you get the information synchronously in the backend to top up the card or find a way to cash it out.
2.3. After topping up, click release, fill in the mobile phone number of the user from whom you need to receive the verification code, send the verification code to the user, and wait for the user to enter the verification code.
2.4. If the input is wrong, you can refuse it and obtain the verification code again, repeating the above operation.
- 3. Online banking PIN (250u / month) ~ 230€/month
You can log in to the user’s online banking to transfer money or check the balance.
According to him, the first option is the most commonly sold, and it is indeed the most common phishing website model seen in the wild. Each higher option includes the perks of the options below it; consider option 3 the full version of Chenlun’s services.
Chenlun offers a wide range of custom phishing websites impersonating companies from all over the world. Furthermore, at a price of 500u / month ~ 460€ / month, he is willing to set up a brand-new customized website in less than a week, impersonating any company on request, and then add it to his collection at the regular price once the client has ceased operations. Additional charges apply for special needs; he states: “Customization is equivalent to only receiving guaranteed money.”
The main place where clients of Chenlun’s services meet each other is Telegram, where they chat and advertise their services or needs.
t.me/sinkintopd (renamed, currently at 1960 users)
t.me/chenlunjx — phishing service advertisement channel
t.me/sinkintojl (renamed, currently at 3775 users)
t.me/chenlunjl — individual advertisement group
Sadly, this channel has been closed or made private.
t.me/chenlunvip — general chat for users
He also has a YouTube channel (https://youtube.com/@user-ty4zn3fr3s) where he uploaded tutorials on how to set up his products in a real-life campaign and on their features.
Sadly, the videos were deleted because they violated YouTube policies.
I will highlight one of these features, the “anti-red principle”:
Summarizing, Chenlun refers to the ability of his fake websites to avoid getting flagged by browsers (with a red warning screen), claiming that “the same source code is used both by Chenlun products and official websites”. He states that he can bypass those flags using websites with dynamic content capable of telling crawlers (scraping bots) apart from real human visits, thereby evading automatic reporting.
Additionally, Chenlun has been advertising his services on Chinese forums:
https://www.cvv-goods.com/author/521 ~ “League of Libertarians”
https://cosmileonly.com/author/3601
B. Xibanya, a real-life campaign targeting Spanish people
Edit: Some people have noticed Chenlun’s activities in Spain in the past. Thanks to Germán Fernández Bacian for letting me know that, for example, 0xDanielLopez was aware of this threat.
I will expose the implementation of Chenlun’s services in a campaign run by his clients. It will then be easier to understand how this community works, no matter who the target is, and the real threat it represents.
It is important to mention that Chenlun ONLY provides the front-end source as a service, although he shares tutorials and advice on how to implement his products in a real-life campaign.
He does, in fact, also run his own campaigns.
1. Smishing, a way to approach victims
Smishing is the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
In the past few days, I’ve been observing complaints on Twitter about fraudulent SMS impersonating Correos, the state-owned postal service company in my country, Spain:
Even more show up if we search deeper on Twitter. These phishing attempts are being reported to Correos, and the CorreosAtiende account is already confirming these threats.
The phishing chain starts with an initial approach to victims via SMS regarding a failed delivery of a package. A link, shortened or not, leads to a fake website impersonating the company.
Smishing is the practice recommended by Chenlun. He states, “SMS is not the easiest method to use but is highly profitable”, while traditional email phishing is something he has never used and doesn’t know how to put into practice. He also doesn’t recommend shortened links because “robot visits will also be recorded” (tracking which users open the links is a statistical method to measure how profitable a phishing campaign is).
Sometimes, to fool people into clicking the phishing link, the SMS appears to come from a “trustworthy source”, or even shows up inside an existing real conversation thread, instead of from a suspicious phone number. In that case the SMS was spoofed: the sender ID was faked to make you fall for the phishing. This is very common in traditional email phishing as well.
There are specialized services known as “SMS providers”, which supply valid, checked numbers prepared for geo-targeted campaigns. Those services are one of the main sources for Chenlun-related campaigns. I could identify one provider advertising on Chenlun’s channel, a Chinese threat actor known as “Da Long”. Numbers are censored to protect the privacy of victims.
2. Fake phishing websites, Chenlun’s speciality
After a victim clicks the phishing link, a fake website shows up on the device. In this campaign, a website impersonating Correos tells you that a package delivery is waiting for your confirmation, so you need to send some personal information and pay a tax.
None of this is real: all the information sent to the website is exfiltrated to a control panel and relayed (“proxified”) to a Telegram bot run by the Chenlun client. Check out the advertisement video for the Correos phishing page on Chenlun’s official channels:
Let’s dive deep into how data is exfiltrated.
One of the latest real examples is zl-correoss[.]top:
The configuration of these sites can be found at /ResourceConfig/urlConfig.json. It’s a path common to all Chenlun Correos websites.
From here, we can see that “serviceURL” refers to the panel server domain where exfiltrated data is collected, the Telegram bot the information is relayed through, and the chat user who receives it.
First, you are asked for personal information (name, surname, address, email and phone) at /information.html.
The information is then exfiltrated to hxxps://xibanya08.top/cvv-tb/updateCvvTbOnline via a POST request with the following body:
/*Tested with fake information under the TOR circuit*/
{"id":12203,"fastName":"test","lastName":"test","phone":"000000000","email":"test@test.com","country":"España","state":"Valencian Community","city":"test","address1":"test","address2":"","zipCode":"00000","cardNumber":"","cardName":"","cardDate":"","cvv":"","language":"","timezone":"","ua":"","ip":"185.220.101.9","queryState":0,"codeSMS":"","onlineState":1,"threadId":"","bankSchem":"","bankType":"","bankBrand":"","bankCountry":"","bankName":"","cookie":"","ebankClientNumber":"","ebankPwd":"","bankPayPIN":"","pageId":""}
Then you are asked for credit card information.
When you send this information, it is also posted to the same URL as before. But this time, the credit card is first checked at lookup[.]binlist[.]net and then all the info is relayed to the Telegram account via a bot:
/*Tested with fake information under TOR circuit*/
{"chat_id":"5126770818","text":
"--------->编号:12205<---------
======个人信息======
FirstName: test
LastName: test
电话: 000000000
邮箱: test@test.com
======地址信息======
国家: España
州: Valencian Community
n城市: test
地址1: test
地址2:
邮编: 00000
======卡号信息======
姓名: test test
卡号: ****************
日期: **/**
CVV: ***
======银行信息======
归属: visa
类型: debit
等级: Business
银行: INTER NATIONAL BANK
国家: United States of America
======指纹信息======
IP地址:185.220.103.6
语言:
en-US
时区:
tUTC
浏览器UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
获取时间: undefined
--------->编号:12205<---------"}
In this case, the user receiving the info is @pay0828 via @xxy000001_bot (bot6147609678:AAFMveUJ-Cyug3mHRFhcxE_1lmReFqDKxx8).
3. Xibanya websites, a dual-domain setup
Edit: The Chenlun panel is just a modified version of Innap, the Hotel Admin Dashboard Bootstrap template (dexignzone.com). This is a common pattern in Chinese phishing products.
Note that Xibanya is the transliteration of Spain, which clearly demonstrates that this campaign targets Spanish users.
You could see that information is stored at the “serviceURL” (xibanya08[.]top), but this is in fact only a storage domain. To access the exfiltrated data, you must log into another dashboard panel via xibanya09[.]top or xibanya11[.]top.
Authorization is done via POST to xibanya08[.]top/user/loginUser:
{"userName":"test","pwd":"test","userIP":"185.220.102.253"}
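A defender-side triage helper, added here as an example and not part of the kit or of this write-up: it summarises a captured exfiltration POST of the shape shown above with the card fields masked, and flags proxy-log lines that touch the kit paths seen so far (/ResourceConfig/urlConfig.json, /cvv-tb/updateCvvTbOnline, /user/loginUser), the lookup.binlist.net BIN check, and a browser-side relay to the Telegram Bot API. The log line format and all sample values are constructed; the relay check assumes the victim’s browser posts to api.telegram.org directly, as the captured sendMessage body suggests.

```python
import json
import re
from urllib.parse import urlparse

# Field names come from the exfiltration POST body captured above.
SENSITIVE_FIELDS = ("cardNumber", "cardName", "cardDate", "cvv", "codeSMS",
                    "ebankClientNumber", "ebankPwd", "bankPayPIN")

# Paths the write-up attributes to the kit; the regex itself is ours.
KIT_PATHS = re.compile(
    r"/(ResourceConfig/urlConfig\.json|cvv-tb/updateCvvTbOnline|user/loginUser)(?:\?|$)")
# Browser-side relay to the Telegram Bot API: keep only the numeric bot id,
# never the secret half of the token.
TG_SEND = re.compile(r"https://api\.telegram\.org/bot(\d+):[^/]+/sendMessage")
BIN_LOOKUP = "lookup.binlist.net"


def mask(value) -> str:
    """Hide short secrets (CVV, PIN, expiry) entirely and keep only the last
    four characters of longer ones, so triage output never carries a full PAN."""
    value = str(value or "")
    if len(value) < 8:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def triage_exfil_record(body: str) -> dict:
    """Summarise one captured POST to /cvv-tb/updateCvvTbOnline."""
    rec = json.loads(body)
    populated = [f for f in SENSITIVE_FIELDS if rec.get(f)]
    return {
        "victim_id": rec.get("id"),
        # The kit posts once with personal data and again once card data is entered.
        "stage": "card" if rec.get("cardNumber") else "personal",
        "source_ip": rec.get("ip", ""),
        "populated_sensitive": populated,
        "masked": {f: mask(rec[f]) for f in populated},
        "email": rec.get("email", ""),
    }


def scan_proxy_log(lines):
    """Return (client, indicator, detail) tuples for lines matching the kit.
    Line format is constructed for this example: '<client> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        host = urlparse(url).hostname or ""
        m = KIT_PATHS.search(url)
        if m:
            hits.append((client, "kit-path", f"{host}/{m.group(1)}"))
        m = TG_SEND.search(url)
        if m:
            hits.append((client, "telegram-relay", f"bot{m.group(1)}"))
        if host == BIN_LOOKUP:
            hits.append((client, "bin-lookup", host))
    return hits


# Constructed sample in the shape of the captured body; the card number is a
# well-known test number and every other value is fake.
SAMPLE_POST = json.dumps({
    "id": 12205, "fastName": "test", "lastName": "test", "phone": "000000000",
    "email": "test@test.com", "country": "España", "ip": "185.220.103.6",
    "cardNumber": "4111111111111111", "cardName": "test test",
    "cardDate": "12/29", "cvv": "123", "codeSMS": "", "ebankClientNumber": "",
    "ebankPwd": "", "bankPayPIN": "",
})

# Constructed proxy lines; the bot id and token are placeholders.
SAMPLE_LOG = """\
10.0.0.12 GET https://zl-correoss.top/ResourceConfig/urlConfig.json
10.0.0.12 POST https://xibanya08.top/cvv-tb/updateCvvTbOnline
10.0.0.12 GET https://lookup.binlist.net/411111
10.0.0.12 POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage
10.0.0.31 GET https://www.correos.es/es/es
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(triage_exfil_record(SAMPLE_POST), ensure_ascii=False, indent=2))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```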
We can take a brief look at how the panel looks without a successful authorization. The server uses some kind of “token authorization”, but the content is generated before authentication. This is, in fact, INNAP, the common dashboard for all Chenlun products. This can already be bypassed.
The dashboard offers different personalization themes, as advertised by Chenlun. He offers 5 default demo styles; the sky is the limit.
Personalization palette on xibanya09[.]top
Personalization options as advertised by Chenlun
We can extract the site configuration at /config/urlConfig.json. Note that these panels are run by the same user who runs the Correos phishing websites.
Let’s see how the dashboard panel looks and what options it has. Content on this page is generated dynamically: first, it loads all the functionality of the panel, then it checks for authentication to load the data associated with accounts on the other domain (authentication is done on serviceURL). My thinking was that if I could somehow let the panel load without connecting to serviceURL, I would be able to inspect the panel without restrictions, though no data would show up either.
This is what you receive as a new customer of Chenlun.
WE ARE IN! (or near enough)
No information was accessed during this research
Null session but logged in. I can’t create accounts.
/index.html. Demo 4 theme.
/guest-list.html ~ This is where the exfiltrated data from phishing sites shows up. This is what you get with the first option of Chenlun’s services.
Do you remember the format of the data sent to Telegram via the API bot? It looks very similar…
/*translated*/
Query all: As the name implies, all data in the database is queried, sorted by the latest acquisition date by default.
Today’s data: Only queries the data obtained today that has not yet been extracted, sorted by the latest acquisition date by default.
Old data: Only queries data that has not been extracted, excluding today’s, sorted by the latest acquisition date by default.
Extracted: Query all extracted data, sorted by the latest acquisition date by default.
/admin-list.html ~ This is where a list of all the users and all the phished victims shows up. The admin is watching all of you, workers…
I suppose a client of Chenlun can use his panel to hire third-party workers to work for him.
/behaviour.html ~ This part of the website is a curated list of every phishing site up and connected to the panel. It records every phishing site view for statistical purposes.
Do you remember the advice of Chenlun about shortened links on smishing attacks?
/app-profile.html ~ The famous synchronous panel, the second option of Chenlun’s services. Here you can see live interactions between victims and the phishing page. The Chenlun client gets a notification when a victim falls for the phishing and can then choose to do his job or delete the request.
Fish notification for phished victims. Time to fish.
All information collected from victims is shown in a fancy list following this pattern. You also get a credit card .png showing the card information, ready to be shared for criminal use.
/E-Bank.html ~ The third and last service option of Chenlun. The client gets full interaction with the victims’ bank accounts if the phishing succeeds. It also has the same perks as the previous options.
There are more options for other relevant services that Chenlun offers. They are just copies of /E-bank.html, adapted and customized to the needs of the client. These are not directly advertised by Chenlun in official channels but promoted as additional features and capabilities of his work. They would be priced at 500U / month ~ 460€ / month.
/apple.html ~ I’m assuming this gateway is used for Apple ID phishing. It also collects credentials for this Apple service. The main objective would be accessing Apple Pay, where credit card information is stored.
Options: Jump user to login credentials page, to credit card information page, to PIN verification code page | Refuse information | Redirect user to official page | Extract: Text info, Images
/ymx.html ~ Chenlun offers phishing as fake Amazon websites. On these phishing websites, you are asked for your information in order to get a refund.
Options: Jump to Log In, to Verification Log In, to information page, to Credit Card, to Credit Card Verification | Refuse information | Redirect user to official page | Extract: Text info, Images
/wp.html ~ The latest service of Chenlun is a phishing website posing as an e-commerce site, hosted on WordPress. Unleash your imagination.
Chenlun states: “目前还有很多功能未完成,后期会慢慢完善并添加更多源码” ~ At present, there are still many functions that have not been completed; they will be gradually improved and more source code added at a later stage.
4. Past Telemetry
This Correos campaign has been running for weeks; let’s summarize all the telemetry related to this campaign, in order to keep tracking it in the future.
You will note that a lot of domains used by Chenlun clients follow a pattern. Remember, Chenlun only offers his front-end infrastructure, but gives advice on how to set up a phishing page.
Here’s one piece of his advice:
PHP类型钓鱼网站搭建 | PHP phishing website construction
域名购买: | Domain purchase:
https://www.namesilo.com/
服务器购买: | Server purchase:
https://pacificrack.com/portal/aff.php?aff=3997
https://www.lightnode.com/?inviteCode=WFG67T&promoteWay=LINK
宝塔国际版CentOS安装指令 (功能少,无需注册) | Pagoda International Edition CentOS installation instructions (fewer functions, no registration required)
yum install -y wget && wget -O install.sh http://www.aapanel.com/script/install_6.0_en.sh && bash install.sh forum
宝塔国内版CentOS安装指令 (功能多,需要手机号注册) | Pagoda domestic edition CentOS installation instructions (more functions, mobile phone number registration required)
yum install -y wget && wget -O install.sh http://download.bt.cn/install/install_6.0.sh && sh install.sh ed8484bec
Xshell7下载链接: | Xshell7 download link:
https://www.xshell.com/zh/free-for-home-school/
源码出租定制频道: | Source code rental and customization channel: https://t.me/chenlunjx
咨询TG: | Consult on TG: @chenlun
At the time of writing this article:
This is still active and I expect more activity from these individuals.
C. World-Wide Targets
Edit: As of November 7th, Chenlun made his first advertisement under the new handle Sinkinto01. This is a Royal Mail phishing kit from the UK.
Please refer to the further sections to see active hunting on Chenlun’s infrastructure.
A total of 24 products have been advertised on Chenlun’s official channels. I’m not going to attach every single demo video; you can find them yourself on Chenlun’s channels, where they were public and previously shared.
Instead, I will expose more live campaigns targeting other countries, listing the available products by country and advertisement date.
CANADA:
- Canada Post (canadapost-postescanada.ca) [October 18th, 2022]
UNITED STATES:
- United States Postal Service (usps.com) [October 22nd, 2022]
- Amazon (amazon.com) [July 2nd, 2023]
FAKE DOMAINS (LIVE CAMPAIGN)
AUSTRALIA:
- Australia Post (auspost.com.au) [November 11th, 2022]
- LinkT (linkt.com.au) [December 3rd, 2022]
- Amazon Australia (amazon.com.au) [May 18th, 2023]
FAKE DOMAINS (LIVE CAMPAIGN)
JAPAN:
- Amazon Japan (amazon.co.jp) [November 13th, 2022]
SINGAPORE:
- DHL Singapore (dhl.com/sg-en) [December 8th, 2022]
- OneMotoring (onemotoring.lta.gov.sg) [December 17th, 2022]
FRANCE:
- LaPoste (laposte.fr) [February 3rd, 2023]
IRELAND:
- An Post (anpost.com) [February 10th, 2023]
SPAIN:
- Correos (correos.es) [March 3rd, 2023]
- Vodafone (vodafone.es) [July 15th, 2023]
NEW ZEALAND:
- New Zealand Transport Agency (nzta.govt.nz) [March 20th, 2023]
DENMARK:
- Postnord (postnord.com) [April 1st, 2023]
ITALY:
- Posteitaliane (poste.it) [April 8th, 2023]
NETHERLANDS:
- Post NL (postnl.post) [May 18th, 2023]
GERMANY:
- Telekom Erleben (telekom.de) [May 23rd, 2023]
UNITED ARAB EMIRATES:
- Etisalat (etisalat.ae) [June 23rd, 2023]
CHILE:
- Correos Chile (correos.cl) [July 2nd, 2023]
BRAZIL:
- Correios (correios.com.br) [July 20th, 2023]
SWITZERLAND:
- Die Post (post.ch) [August 8th, 2023]
SLOVENIA:
- Pošta Slovenije (posta.si) [August 8th, 2023]
UNITED KINGDOM:
- Royal Mail (royalmail.com) [November 7th, 2023]
SAUDI ARABIA:
- Saudi Post SPL (splonline.com.sa) [November 15th, 2023]
D. About Chenlun, the developer, & his workers
Chenlun used to develop and advertise his products on real hosts until he discovered how to set up his tests on localhost (mostly during 2022). He recorded these advertisements and shared them on his channels, with little care to hide anything that could link him to those hosts. That way, we can retrieve a bit of past telemetry from his own operations.
Chenlun himself shared credit card information on his channels, a total of 121 files, mostly from United States phishing victims. The authenticity of these files can’t be verified.
The community around Chenlun’s products seems active and growing; new users join every day and other individuals advertise their services on a daily basis.
One trend among these criminals is to show off their crime results by sharing them on public channels. Every image shared below was found on Chenlun’s channels.
Not only online, but also in real-life “success”:
Regarding information on Spanish victims:
And phished credit cards:
At the bottom, we can see criminals showing off their carding fraud. On the left, a threat actor is using a POS terminal (TPV) to charge amounts of 29.100 THB (~750€) to credit cards at some Thai company based in Bangkok, and showing off possession of a Santander Bank (Spain) card.
On the right, we can see a threat actor in possession of an Imagin Bank (Spain) card and the fraudulent charge of 200€ at a tobacco shop (Estanc Comandant Benitez, presumably at Carrer del Comandant Benítez, 28, 08028 Barcelona). I’m assuming this threat actor was already in Spain, because if we look closely, the photo seems to have been taken on a Rodalies train (the regional rail system of the Spanish autonomous community of Catalonia).
Chenlun knows perfectly well what he and his people are doing; he even joked once about a report by KFOR-TV (Oklahoma’s channel 4, kfor.com) on the spread of USPS smishing attempts against US citizens.
文案来了 ~ “Here comes the copywriting” (the translation may be misleading; I believe this refers to other individuals offering USPS phishing products that copy Chenlun’s services).
Thousands of stolen credit card records mean thousands of dollars handed to criminals, encouraging crime in an endless loop. They also share screenshots of their profits, something that could be attractive to people deciding to become criminals.
E. Mass-Hunting on the “C Circle”: Sellers & Resellers
As stated in previous sections of this blog, a phishing landing consists of two parts: the panel and the service URL (backend). As we can’t access the backend, the panel shows a default version of itself. So we can easily tell who the owner/seller of a panel is just by looking at the contact information or default profile picture shown in the HTML body.
Even when this information is changed in order to resell panels, we know every panel came from Chenlun, because every reseller I found seems to forget to delete the comments.
Thanks to FOFA, an amazing InfoSec tool, we can track down Chenlun’s products on the Internet.
Chenlun panels can be found as easily as: fid="FC2AZAzMFkyHkLAlyDR9GQ=="
Search results for fid="FC2AZAzMFkyHkLAlyDR9GQ==" — FOFA Search Engine
I will be posting recent ones (from October 1st to November 9th).
These panels were found:
Chenlun LIVE Panels: (USE HTTPS)
PANELS SERVING CHENLUN THAT HAVE CHANGED TO ANOTHER
adminnnnn.top/admin
addmuuuuu.top/admin
usps.express-lose.com/admin
Dead / Historical telemetry
You can check the full export here: https://pastebin.com/fQsh9LDm
So let’s start exposing resellers:
Introducing “GAGA” (Rattle in Chinese) @qqhbqq
Following Chenlun’s market model, Gaga also offers “his” services on Telegram channels.
各国鱼站源码租售, 全球手机数据,邮箱数据 ,教学频道:
Fish station source code rental and sale in various countries, global mobile phone data, email data, teaching channel: https://t.me/gagays
收货频道:Receiving channel: https://t.me/nimotvcvv
While the first group is where he advertises his sales, the second link is just a “freebies” section.
Gaga offers a “full set of phishing stations” and tutorials on how to run a campaign; in fact, these are Chenlun’s products. He will also share with you methods for laundering money from stolen cards via TikTok coins, Facebook, 17.live or nimo.tv, in the “most private and secure way of the carding community”.
This guy started his Telegram channel on November 22nd, 2022, sharing videos from phishing sources that I can’t identify, under the name AFE — Phishing. Some examples:
Domains related to these other panels:
usps-uskt.top | link-au-ga.top | usps-gagacs.top | uspost-dj.top
Leaked emails: 52349490@qq.com | aa52349490@163.com
But in fact he’s a long-time customer of Chenlun, with a first reference on November 19th, 2022.
As of May 27th, the first image of a panel with his own image was shared. I believe close to this date is when he copied the panel and put his information. In fact, the first telemetry of panels is from 2023–07–25
We can also track down Gaga resold products on the Internet.
Stick to fid="kb+EDBy/JnEanlZPf7HOyw==" in order to track GAGA panels
https://en.fofa.info/result?qbase64=ZmlkPSJrYitFREJ5L0puRWFubFpQZjdIT3l3PT0i
I will be posting the most recent ones (from November 1st to November 10th)
Gaga LIVE panels (USE HTTPS)
IP | DOMAIN | SERVICE URL
104.223.16.144 | qinchen.biz | api.qinchen.biz
31.222.201.135 | uspostnews.xyz | usposty.top
141.11.208.6 | admin.xxhoutai001.top | java.xxhoutai001.top
46.17.46.177 | 46.17.46.177 | fedexpayw.top
38.60.203.94 | abzcblog.top | loveabzc.top
192.3.134.133 | fyq67.top | api.fyq67.top
192.3.134.133 | usoodkwo19.com | api.fyq67.top
192.3.134.133 | usoakflol1.com | api.fyq67.top
31.222.201.115 | euspost.top | uspostblog.top
204.44.75.45 | usaofipixn.com | api.uspost-zlp.us
204.44.75.45 | usianuiapas.com | api.uspost-zlp.us
192.3.134.133 | uespoafhps.com | api.fyq67.top
155.94.184.138 | admin.correosa-cl.xyz | java.correosa-cl.xyz
188.127.235.47 | happyworksday.com | maozidaiwaiwai.com
155.94.128.28 | admin.uspost-com.top | java.uspost-com.top
47.236.115.55 | australia-post-cv.top | australia-post-au.top
204.44.75.45 | admin.uspost-zlp.us | api.uspost-zlp.us
31.222.201.135 | osspost.life | osspost.top
204.44.66.42 | adminhoutai01.top | java.adminhoutai01.top
141.11.137.179 | admin.uspost-psp.top | java.uspost-psp.top
141.11.89.137 | admin.us-pszip.com | java.us-pszip.com
155.94.184.116 | admin.uspost-app.life | java.uspost-app.life
192.161.55.30 | sgconstruction.life | java.adminhoutai01.top
8.219.4.161 | kuronekoyamato-cv.top | amazon-co-co.top
204.44.66.42 | authority-ustestshop.top | java.adminhoutai01.top
23.225.195.59 | cr3correos.xyz | crcorreo.top
107.150.5.199 | admin2022-ht.life | admin2022-ht.info
208.83.232.113 | lianjie-houtai.online | houtai-admin123123.online
107.173.250.24 | epitaphbook.net | win0214.xyz
You can check the full export here: https://pastebin.com/J7ZjCHVg
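The exports above are plain `IP | DOMAIN | SERVICE URL` lines, and the FOFA link given for Gaga’s panels is nothing more than the `fid` query base64-encoded into the `qbase64` parameter. The Python below is an added example, not the author’s tooling: it parses a handful of rows copied from the Gaga export (the uneven spacing and the duplicated row are kept on purpose so the parser has to cope with them), pivots on shared hosting IPs and shared backends, emits a domain blocklist, and rebuilds the FOFA link from the `fid` value quoted above. The sample rows are copied from this page; the function names are my own.

```python
import base64
import ipaddress
from collections import defaultdict

# Constructed sample: rows copied from the Gaga export above, including the
# uneven spacing and the duplicate australia-post row as they appear on the page.
SAMPLE_EXPORT = """\
IP DOMAIN SERVICE URL
192.3.134.133 | fyq67.top | api.fyq67.top
192.3.134.133 | usoodkwo19.com | api.fyq67.top
192.3.134.133 | usoakflol1.com | api.fyq67.top
204.44.75.45 | usaofipixn.com | api.uspost-zlp.us
204.44.75.45 | admin.uspost-zlp.us | api.uspost-zlp.us
47.236.115.55 | australia-post-cv.top| australia-post-au.top
47.236.115.55 | australia-post-cv.top| australia-post-au.top
192.161.55.30 | sgconstruction.life | java.adminhoutai01.top
204.44.66.42 | adminhoutai01.top | java.adminhoutai01.top
Cloudflare | houtainiu.top | fa005.top
"""


def parse_export(text):
    """Parse 'IP | DOMAIN | SERVICE URL' lines into (ip, domain, service) tuples.

    Header lines, blank lines and exact duplicate rows are dropped, and every field
    is stripped of the uneven whitespace seen in the raw export. A first column that
    is not an IP address (the page records 'Cloudflare' for fronted hosts) is kept as-is.
    """
    rows, seen = [], set()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not all(parts):
            continue  # header line or malformed row
        ip, domain, service = parts
        try:
            ip = str(ipaddress.ip_address(ip))  # normalise, reject garbage like '1.2.3'
        except ValueError:
            pass  # non-IP first column such as 'Cloudflare'
        row = (ip, domain.lower(), service.lower())
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def pivot(rows):
    """Group panel domains by hosting IP and by shared backend ('service URL').

    Several admin domains pointing at one backend, or several backends on one IP,
    is the link an analyst follows from a single observed panel to the rest.
    """
    by_ip, by_backend = defaultdict(set), defaultdict(set)
    for ip, domain, service in rows:
        by_ip[ip].add(domain)
        by_backend[service].add(domain)
    return dict(by_ip), dict(by_backend)


def blocklist(rows):
    """Every domain in the export, panel and backend alike, as a sorted blocklist."""
    names = set()
    for _, domain, service in rows:
        names.update({domain, service})
    return sorted(names)


def fofa_url(query):
    """Build the FOFA search link the page uses: the query goes in 'qbase64'."""
    encoded = base64.b64encode(query.encode()).decode()
    return f"https://en.fofa.info/result?qbase64={encoded}"


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    by_ip, by_backend = pivot(rows)
    for backend, domains in sorted(by_backend.items()):
        print(f"{backend}: {sorted(domains)}")
    print(len(blocklist(rows)), "domains in blocklist")
    # Rebuilds exactly the link given in the text for the GAGA fid
    print(fofa_url('fid="kb+EDBy/JnEanlZPf7HOyw=="'))
```

The backend pivot is the useful one: three unrelated-looking USPS lookalike domains on 192.3.134.133 all talk to `api.fyq67.top`, and `java.adminhoutai01.top` is shared by hosts on two different IPs, so a single confirmed panel hands you the rest of the cluster without waiting for a new export.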
Some panels had an active Telegram WebHook, so I shared this article with them:
Related to Gaga, there’s another profile seen in panels until August:
Introducing “Tanke” (Tank in Chinese) @tanke1898
各国鱼站源码租售,代搭建同步鱼塘,电商网站, 全球手机数据,邮箱数据 ,教学频道:https://t.me/tanke6899 频道不定时送新鲜鱼料,各国精准数据。价格全网最低。
Fish station source code rental and sale in various countries, synchronized fish pond construction, e-commerce website, global mobile phone data, email data, teaching channel: https://t.me/tanke6899 The channel delivers fresh fish feed from time to time, and accurate data from various countries. The price is the lowest on the Internet.
Tanke’s statement on the services he offers (translated from Chinese):
There are a lot of noobs these days
You may have some misunderstandings about Circle C, thinking that you can get high returns by investing hundreds or thousands with zero investment.
Let me explain here. I rent out the fish station here for 150u a month. In the industry, I dare not say the lowest price, but it is definitely not the most expensive.
Then, you still have to send text messages, and the price will only be more expensive than the fish station, and some are several times more expensive.
The prerequisite for these is that you have some experience in channel hunting, otherwise, even if you really catch a lot of fish, you will still lose everything. So, when playing in the c circle, don’t just think about making tens or hundreds of dollars with thousands of dollars. It’s not impossible, but it basically won’t happen to you.
More than half of the people in this circle are losing money. This is not alarmist. Our tutorials include techniques, channels, and stable ways to make money. Those who can really make money are those who are patient~
Although there’s only activity in these channels since September 16, I strongly believe Tanke is a long-time customer of Chenlun services.
Tanke LIVE panels (USE HTTPS)
IP | DOMAIN | SERVICE URL
141.11.137.180 | tanke-001.top | tanke003.top
Introducing “Chaoren” (Superman in Chinese) @chaoren350
各国鱼站源码搭建,全球数据二筛,三筛,源码分享频道:
Source code construction of fish stations in various countries, second and third screening of global data, source code sharing channel: https://t.me/btgaga
互助交流群: Mutual-help exchange group: https://t.me/nimotvcvv
This individual started his activity on September 19 and offers the same services as Chenlun.
鱼站业务:
出租台子,160u(含服务器)/一月,自己添加域名可同时使用20多套源码,无需切换
买断源码,260u/一个国家,售后半年,防红失效或无法部署随时找我更新
电商源码,260u/一个月,买断400u/售后半年,防红失效或无法部署随时找我更新 .@chaoren350
Fish station business:
Rental table, 160u (including server)/month, add domain names by yourself, and use more than 20 sets of source codes at the same time, no need to switch
Buy out the source code, 260u/one country, half-year after-sales service, if the red protection fails or cannot be deployed, please contact me for updates at any time
E-commerce source code, 260u/month, buyout 400u/half a year after sale, if the anti-red flag fails or cannot be deployed, please contact me for updates at any time. @chaoren350
Chaoren LIVE panels (USE HTTPS)
IP | DOMAIN | SERVICE URL
74.48.111.13 | vodocom.top | postnl-poit.top
Introducing “LangLang” @langlang9188
Langlang LIVE panels (USE HTTPS)
IP | DOMAIN | SERVICE URL
104.234.61.75 | admin.us-psdy.pics | java.us-psdy.pics
Introducing “hrjdjjcvv” @hrjdjjcvv
劫持us jp au uk全球 电商鱼 us
原创同步鱼站各大源码都有,定制和修改都可以硬核技术原创,防洪拉满。
通道分享现金,礼品卡
别问我干撒子的,反正凶的批爆
客服: @hrjniuge
交流群 @hrjniugecvv2
Recycle apple, amazon, steam gift card
Support English service @DajijiCvv
Hijack us jp au uk global e-commerce fish us
The original synchronized fish station has all major source codes, and can be customized and modified with hard-core technology and originality, which is full of flood prevention.
Channel Share Cash, Gift Cards
Don’t ask me what I do, anyway it’s fierce as hell
Customer Service: @hrjniuge
Communication group @hrjniugecvv2
Recycle apple, amazon, steam gift card
Support English service @DajijiCvv
hrjdjjcvv historical panels (USE HTTPS) (Until September 28th)
IP | DOMAIN | SERVICE URL
104.233.167.136 | pdder.top | ?
104.233.167.136 | conels.top | ?
Introducing “ss” UNKNOWN
LIVE Example:
156.242.11.141 | admin.uspsqweasd.com | java.uspsqweasd.com
Historical:
admin2023ht.xyz
admin2023hd.top
tp001-admin.top
admin-us001.pw
admin.cp-coin.com
adminus.xyz
usps-zippostadmin.top
admin.uspsbig.com
admin.usps17track.com
admin.uspsboom.com
2dustaizi0001.xyz
xhz-2023.top
2dustaizi0002.xyz
bigdog004.top
tp002-admin.top
admin.ususp.xyz
houtai.zapackage.top
admin.uspsssiu.top
admin.usps-17track.com
admin.usps-17track.tech
admin.uspsso.xyz
admin.usposts.life
dkadmin.top
deloitte1.deloitte.one
F. Keep a close eye
Everything written here is just an example of a real threat targeting worldwide victims. Further investigations must be done in order to successfully track the paths of these users, who are ruining the lives of fooled people.
I focused on Chenlun and his clients, but more users offer other services, similar to their products or necessary to take profit from stolen goods. This is a very big industry giving big benefits to too many people; something must be wrong.
Keep a close eye, I will try to update this with more information.
The rest is on your own. Track them down.
Best regards,
@g0njxa