CRYPTOCURRENCY INVESTMENT SCAM "TEMU WORK PLATFORM"

    Date: 10/28/2024

    Severity: Medium

    Summary

    The "TEMU Work Platform" is a cryptocurrency investment scam that has been active since July 2024. It gained significant attention with a spike in traffic starting October 15, 2024. The scam uses multiple stockpiled domains that host visually identical, mobile-friendly copies of the platform. Registration requires a referral code, but any input is accepted, including "0". All domains share the same backend service, so an account created on one site works on all the others. The campaign is tracked as phishing_temuwork_platform.

    Indicators of Compromise (IOC) List

    URL/Domain

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "pmotu-301.com" or url like "pmotu-301.com" or
    userdomainname like "bmotu-289.com" or url like "bmotu-289.com" or
    userdomainname like "cawotu-209.com" or url like "cawotu-209.com" or
    userdomainname like "cawotu-739.com" or url like "cawotu-739.com" or
    userdomainname like "mar-work254.com" or url like "mar-work254.com" or
    userdomainname like "cawotu-146.com" or url like "cawotu-146.com" or
    userdomainname like "pmotu-892.com" or url like "pmotu-892.com" or
    userdomainname like "cawotu-639.com" or url like "cawotu-639.com" or
    userdomainname like "pmotu-408.com" or url like "pmotu-408.com" or
    userdomainname like "pmotu-591.com" or url like "pmotu-591.com" or
    userdomainname like "cawotu-162.com" or url like "cawotu-162.com" or
    userdomainname like "cawotu-705.com" or url like "cawotu-705.com" or
    userdomainname like "pmotu-807.com" or url like "pmotu-807.com" or
    userdomainname like "bmotu-279.com" or url like "bmotu-279.com" or
    userdomainname like "bmotu-942.com" or url like "bmotu-942.com" or
    userdomainname like "bmotu-137.com" or url like "bmotu-137.com" or
    userdomainname like "bmotu-865.com" or url like "bmotu-865.com" or
    userdomainname like "mar-work304.com" or url like "mar-work304.com" or
    userdomainname like "bmotu-602.com" or url like "bmotu-602.com" or
    userdomainname like "bmotu-624.com" or url like "bmotu-624.com" or
    userdomainname like "bmotu-308.com" or url like "bmotu-308.com" or
    userdomainname like "pmotu-084.com" or url like "pmotu-084.com" or
    userdomainname like "pmotu-146.com" or url like "pmotu-146.com" or
    userdomainname like "cawotu-867.com" or url like "cawotu-867.com" or
    userdomainname like "cawotu-248.com" or url like "cawotu-248.com" or
    userdomainname like "cawotu-670.com" or url like "cawotu-670.com" or
    userdomainname like "bmotu-859.com" or url like "bmotu-859.com" or
    userdomainname like "pmotu-792.com" or url like "pmotu-792.com" or
    userdomainname like "bmotu-304.com" or url like "bmotu-304.com" or
    userdomainname like "cawotu-726.com" or url like "cawotu-726.com" or
    userdomainname like "pmotu-894.com" or url like "pmotu-894.com" or
    userdomainname like "pmotu-921.com" or url like "pmotu-921.com" or
    userdomainname like "bmotu-935.com" or url like "bmotu-935.com" or
    userdomainname like "pmotu-769.com" or url like "pmotu-769.com" or
    userdomainname like "pmotu-721.com" or url like "pmotu-721.com" or
    userdomainname like "bmotu-017.com" or url like "bmotu-017.com" or
    userdomainname like "cawotu-683.com" or url like "cawotu-683.com" or
    userdomainname like "bmotu-419.com" or url like "bmotu-419.com" or
    userdomainname like "bmotu-562.com" or url like "bmotu-562.com" or
    userdomainname like "bmotu-583.com" or url like "bmotu-583.com" or
    userdomainname like "bmotu-587.com" or url like "bmotu-587.com" or
    userdomainname like "bmotu-590.com" or url like "bmotu-590.com" or
    userdomainname like "bmotu-784.com" or url like "bmotu-784.com" or
    userdomainname like "bmotu-967.com" or url like "bmotu-967.com" or
    userdomainname like "cawotu-250.com" or url like "cawotu-250.com" or
    userdomainname like "cawotu-349.com" or url like "cawotu-349.com" or
    userdomainname like "cawotu-380.com" or url like "cawotu-380.com" or
    userdomainname like "cawotu-534.com" or url like "cawotu-534.com" or
    userdomainname like "cawotu-671.com" or url like "cawotu-671.com" or
    userdomainname like "cawotu-785.com" or url like "cawotu-785.com" or
    userdomainname like "cawotu-975.com" or url like "cawotu-975.com" or
    userdomainname like "mar-work829.com" or url like "mar-work829.com" or
    userdomainname like "mar-work840.com" or url like "mar-work840.com" or
    userdomainname like "pmotu-412.com" or url like "pmotu-412.com" or
    userdomainname like "pmotu-493.com" or url like "pmotu-493.com" or
    userdomainname like "pmotu-803.com" or url like "pmotu-803.com" or
    userdomainname like "dnxmq.shop" or url like "dnxmq.shop" or
    userdomainname like "ebgkm.shop" or url like "ebgkm.shop" or
    userdomainname like "kcyiw.shop" or url like "kcyiw.shop"
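    The same detection logic as an added Python example (not the advisory's own code nor a Gurucul TDIR artifact), run over constructed proxy log lines. It matches the exact IOC domains and their subdomains, and additionally flags unlisted siblings that fit the naming scheme of the listed .com domains; that generalization is an assumption of this example, not a claim of the advisory, so such hits should be reviewed rather than auto-blocked.

```python
import re
from urllib.parse import urlsplit

# Exact domains taken from the advisory's IOC list (a subset is enough to show the logic).
IOC_DOMAINS = {
    "pmotu-301.com", "bmotu-289.com", "cawotu-209.com", "mar-work254.com",
    "bmotu-590.com", "dnxmq.shop", "ebgkm.shop", "kcyiw.shop",
}

# Assumption (not stated by the advisory): the listed .com domains follow a fixed naming
# scheme, so unlisted siblings of that scheme are surfaced for review rather than blocked.
SIBLING_PATTERN = re.compile(r"^(?:(?:pmotu|bmotu|cawotu)-\d{3}|mar-work\d{3})\.com$")


def classify(host):
    """Return 'ioc' for a listed domain, 'pattern' for an unlisted sibling, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk host -> parent domains so a subdomain of an IOC (e.g. m.pmotu-301.com) still hits,
    # while the anchored checks avoid substring false positives such as notpmotu-301.com.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return "ioc"
        if SIBLING_PATTERN.match(candidate):
            return "pattern"
    return None


def scan(log_lines):
    """Scan 'timestamp user url' proxy lines; return (ts, user, host, verdict) for each hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the whole sweep
        ts, user, url = parts[:3]
        host = urlsplit(url).hostname or ""
        verdict = classify(host)
        if verdict:
            hits.append((ts, user, host, verdict))
    return hits


# Constructed sample proxy log for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2024-10-16T09:12:01Z alice https://pmotu-301.com/register?ref=0",
    "2024-10-16T09:13:44Z bob https://m.cawotu-999.com/login",
    "2024-10-16T09:15:10Z carol https://example.com/",
    "2024-10-16T09:17:02Z dave http://kcyiw.shop/",
    "garbage",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```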

    Reference: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-24-IOCs-for-crypto-investment-scam.txt


    Tags: Malware, Phishing, Exploitation, Online Fraud
