Advanced Fiat Drainer: Automated Brand Impersonation on Peer-to-Peer Marketplaces

This entry documents a live, multi-stage financial phishing and asset draining operation hosted on transient infrastructure (chilw-order.lat). The interface targets regional consumers of major Japanese classifieds and peer-to-peer marketplaces, specifically cloning the infrastructure of Jimoty (jmty.jp).

The Attack Vectors and Social Engineering Heuristics

The lure manufactures account urgency to neutralize user suspicion. The attack relies on three distinct technical phases embedded within a single dynamic web layout:

  • Manufactured Account Restriction (KYC Baiting): Victims are routed to the page under the false pretext of an urgent security lock. The interface displays an official-looking “Account Restriction Notice,” claiming that compliance with Japan’s Financial Services Agency (FSA) regulations requires immediate verification. It displays pre-completed technical stages (such as email and phone validation) to establish a false baseline of trust.
  • Balance-Targeted Extraction Mechanics: The core billing script requests not only full primary account numbers (PAN), expiration dates, and card verification values (CVV) but explicitly mandates the submission of the card’s exact current available balance in JPY. This field lets the threat actors calibrate their backend merchant API request to a single-draw transaction sized to drain the victim’s full available balance.
  • Real-Time 2FA Bypass Framework: The backend system acts as an active reverse proxy, validating input dynamically. It uses dedicated sub-interfaces to capture incoming SMS one-time passwords (3D Secure tokens) and instructs the victim to approve secondary mobile banking push notifications. Concurrently, the platform attempts to activate the device webcam under the guise of biometric verification in order to defeat modern banking anti-fraud controls.

Defensive Matrix Deployment

Because the script is localized, mail and web filters should use regex string matching for combinations of localized keywords (account restriction alerts) appearing alongside unbranded, unverified payment forms. The domain chilw-order.lat shows no footprint of indexing or corporate legitimacy and should be blocked across all routing proxies.

A phishing campaign targeting Depop sellers

This set of screenshots shows a phishing campaign targeting Depop sellers. The scam uses a fake “orders suspended” notification and a counterfeit support chat to trick victims into providing full credit/debit card details and billing information.

Threat Analysis: Depop Phishing – Fake “Orders Suspended” & Card Harvesting

How the scam works:

Fake Suspension Notice (1st screenshot)
The victim is told that orders in their account are temporarily suspended and they must “verify” their payment details to restore store operations. A “Verify” button leads to the next step.

Fake Support Chat with “Amelia” (2nd screenshot)
A fake live chat window opens with a message from “Amelia” (posing as customer support). The message claims that the victim needs to provide card details for verification, that the process is secure and only done once, and that “Amelia is a real person, not a robot.” This social engineering trick is designed to lower the victim’s guard.

Card & Billing Details Form (3rd screenshot)
The victim is taken to a page that asks for:

  • Full card number
  • Expiration date (labelled MM/JJ, the Dutch form of MM/YY)
  • CVV
  • Name on the card
  • Billing address (street, city, postal code)

The page displays logos of Visa, American Express, and Discover, and claims “All transactions comply with PCI DSS” – a fake security badge.

The goal:
The attacker collects:

  • Full credit/debit card details (number, expiry, CVV)
  • Cardholder name and billing address
  • Postal code and city

With this data, the attacker can:

  • Make fraudulent online purchases
  • Clone the card or sell the information on criminal markets
  • Use the personal details for identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like depop.securedirect.cfd – not the official Depop domain (depop.com). The .cfd TLD is unusual for a legitimate site.
  • Fake chat support that initiates contact: Real customer support does not automatically send a pre‑scripted message explaining that you need to provide card details.
  • Request for full card details (including CVV) to “verify” a suspended account: Depop never asks for your card security code to restore account access. Such verification is done through official payment methods within the app, not by entering raw card data on a third‑party page.
  • Threat of lost orders / store suspension: Creates urgency to pressure the victim.
  • PCI DSS claim and payment logos: These are copied from legitimate sites to appear trustworthy, but the page itself is a phishing site.
  • Poor grammar / language inconsistencies: The English is slightly awkward, and Dutch text appears in some screenshots (the target is likely a mix of English and Dutch speakers, or the template was copied).

What to do if you encounter this:

  • Do not click “Verify” or enter any card details.
  • Do not interact with the fake chat.
  • If you are a Depop seller, always log into your account by typing depop.com directly into your browser. Check your account status and any notifications from the official app.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Depop’s security team.

Protective measures:

  • Never click links in unsolicited messages claiming your seller account is suspended.
  • Always type the official Depop URL directly into your browser or use the official app.
  • Never trust a pop‑up chat that asks for card details – legitimate support will never request that information.
  • Enable two‑factor authentication on your Depop account and email.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (.cfd, .top, .xyz).

Tise.com fake page detected

Anatomy of a Marketplace Phishing Scam: The Scamsite Intermediary Method

This image captures a live instance of a highly convincing phishing campaign targeting users of Tise (tise.com), a popular Norwegian and Nordic second-hand marketplace. The layout mimics an official security notification, utilizing precise brand elements to manipulate the victim under a manufactured state of urgency.

The Vector of Attack

The scam typically originates directly within the official marketplace chat infrastructure or via a smishing (SMS phishing) message. A fraudulent buyer expresses interest in an item listed by the victim, claims to have made a payment, and sends a short link to “confirm the sale” or “receive the funds.”
Once clicked, the link routes the victim through a shortener or intermediate proxy to mask the toxic domain from automated defensive scanners, landing them on this deceptive interface.

The Deceptive Interface Analysis

The attackers built an accurate visual clone of the platform to exploit user familiarity and neutralize suspicion:

  • Brand Impersonation (The Identity Theft): The page perfectly replicates the official typography, logo formatting, search bar layout, and corporate color palette of Tise. It uses flawless Norwegian text to maximize credibility among local targets.
  • Artificial Urgency (The 24-Hour Lockdown): The heading reads: “Hei, din Tise-konto er midlertidig begrenset” (Hi, your Tise account is temporarily restricted). The copy states that the seller account has been locked and demands the user confirm their identity and bank details within 24 hours (“innen 24 timer”). This psychological pressure forces immediate action, hindering the victim from double-checking the technical architecture.
  • The Payment Gateway Trap: The call-to-action button “Verifiser nå” (Verify now) does not lead to an identity verification portal. It acts as a gateway to a credential and credit card harvesting script. Clicking it opens a form designed to capture complete credit card numbers, expiration dates, CVV codes, and BankID codes, allowing the perpetrators to initiate unauthorized wire transfers immediately.

Key Red Flags for Fraud Detection

  1. Unaffiliated Domain Structure: The address bar reveals the domain ordernzt.net, which has absolutely no legal or infrastructure relation to the official platform (tise.no or tise.com). Attackers buy cheap, generic domains to host transient infrastructure.
  2. Reverse Verification Logic: Legitimate marketplaces never demand a seller enter full credit card and banking details to receive funds for a sold item. Payments are handled natively through pre-linked bank accounts (IBAN/BIC) without requiring secondary authentication.
  3. Mismatched Technical Indicators: While the page title in the browser tab attempts to mimic authenticity by displaying “Tise | TISE.NO”, the actual underlying URL and the lack of official security certificates tied to the actual company prove the site is an entirely fraudulent entity.

Tech Support / Flight Booking Scam

Anatomy of a High-Tier Support & Billing Scam: The Trapped Invoice Method

This image captures a live instance of an aggressive, targeted financial fraud operation known as a “Tech Support / Flight Booking Scam.” Unlike generic mass phishing, this method relies heavily on multi-channel social engineering and highly customized billing infrastructure to bypass traditional security detection.

The Vector of Attack

The deception begins before the victim ever encounters this payment gateway. Typically, the target receives an urgent email or SMS notification masquerading as an automated receipt from a well-known enterprise—frequently an airline, travel agency, or tech corporation.
The notification states that a substantial charge (in this case, $1,278) has already been authorized on their account for an item they never purchased (“Seats”). To create a state of panic, the message explicitly avoids containing a direct refund link. Instead, it provides a toll-free customer assistance number: 1-860-616-0240 (which the perpetrators subtly embedded directly into the URL path of the website).

The Call Center Intervention

When the panicked victim dials the provided number, they do not reach an automated enterprise system. They are connected directly to a fraudulent call center operative. The operative acts as a “support agent,” verifies the fake invoice number (31654), and assures the victim that they can reverse the pending transaction.
To “process the cancellation,” the operative generates a single-use, highly customized short link via an API and sends it to the victim via SMS or chat.

The Deceptive Interface Analysis

The screenshot reveals why this specific landing page is highly effective at exploiting human psychology and bypassing baseline technical automated defenses:

  • Pre-Filled Immobilization (The JWT Exploit): Under “Transaction Details,” every field—including the victim’s full legal name, private email address, phone number, and exact target amount—is permanently hardcoded and locked. The fields are completely uneditable (editable: false inside the technical token). This creates an illusion of a secure, formal system that already “knows” who they are, reinforcing the false legitimacy of the support agent.
  • The “Process Payment” Inversion: The psychological core of the trap relies on an absolute inversion of reality. The operative tells the victim that they are entering their payment details into a “secure cancellation portal” to verify their identity and receive a reverse credit. In reality, the victim is filling out a standard merchant billing portal. Clicking the blue button executes a live charge, immediately pulling $1,278 out of the victim’s account.
  • Exploitation of Third-Party Trust: The page embeds official merchant integration styles for Google Pay and Apple Pay alongside a standard reCAPTCHA widget. The presence of these secure, recognizable global tech components lowers the victim’s critical suspicion, making them feel as though they are interacting with a heavily audited payment architecture.

Key Red Flags for Fraud Detection

  1. The Inversion of Refunds: Legitimate companies never require a customer to input a full credit card number, expiration date, and CVV code on a web form to receive an automated refund or cancellation.
  2. Raw IP and Unverified Domain Chains: The payment form relies on a completely unverified, external payment routing domain (mypayvault.com) that has no structural or legal affiliation with the company the victim initially believed they were contacting.
  3. URL Embedded Directives: Finding a phone number or consumer identifier hardcoded straight into the URL structure (/Airtickt240-860-6160) is a definitive technical marker of an automated campaign infrastructure rather than a standardized corporate billing route.

Fake Xfinity Login Pages

We have discovered a phishing campaign that uses fake Xfinity pages to steal your login credentials. Below is how the attack works, based on real screenshots.

How the Scam Works

Step 1 – The “Thanks for choosing xfinity” lure
The victim lands on a simple page with an Xfinity logo, a “Thanks for choosing xfinity” message, and a button that says “click here to continue”.

This page has no real function – its only purpose is to make you click the button and move to the fake login form.

Step 2 – The fake sign‑in page
After clicking, you are taken to a second page that mimics Xfinity’s real login screen.

It asks for:

  • Email / mobile / username
  • Password (not shown in the screenshot, but the next field is implied)

The page includes fake legal text: “By signing in, you agree to our Terms of Service and Privacy Policy.”
There is a “Let’s go” button to submit your data.

Step 3 – Credential theft
When you enter your Xfinity ID and password, the information is sent directly to the attackers. They can then:

  • Access your Xfinity account (TV, internet, billing)
  • Change your plan or order services
  • Use the same email/password combination to attack other accounts (email, banking, social media)

Red Flags You Should Notice

Real Xfinity login page | This phishing page
URL starts with https://login.xfinity.com/ or customer.xfinity.com | Suspicious, unrelated domain (often github.io, free hosting, or misspelled domains)
Shows a green lock icon and valid security certificate | No visible security indicators, or a certificate not issued to Comcast
Has “Forgot password?” or “Create an account” links | Missing standard account recovery options
Professional, consistent design | Simple, stripped‑down design – often only the logo and a form
No “click here to continue” intermediate page | Uses an unnecessary extra click to lower your guard

How to Protect Yourself

  1. Never click links in unexpected emails, SMS, or social media messages – even if they look official.
  2. Always type the address manually into your browser: xfinity.com or customer.xfinity.com.
  3. Check the URL carefully before entering any password. Look for misspellings (e.g., xfinity-login.xyz) or unusual domains.
  4. Enable two‑factor authentication (2FA) on your Xfinity account – it blocks attackers even if they have your password.
  5. If you already entered your credentials – go to the real Xfinity website immediately, change your password, and check for unauthorized changes to your account.

Share This Warning

Phishing pages like these are hosted on many different domains. If you see a page that looks like the screenshots above – do not enter any information. Instead, report it to Xfinity (Comcast) and help others by sharing this warning.

Banesco Phishing – Fake “Contigo” Login Page

This screenshot shows a phishing page impersonating Banesco, a major bank operating in Venezuela, Panama, and other Latin American countries. The page mimics the bank’s online login interface to steal customers’ usuario (username) and contraseña (password).

Threat Analysis: Banesco Phishing – Fake “Contigo” Login Page

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The link leads to this fake Banesco login page. The victim is asked to enter:

  • Usuario (username)
  • Contraseña (password)

Options like “Recordarme” (remember me) and links for forgotten credentials are included to appear legitimate. After clicking “CONTINUAR,” the credentials are captured and sent to the attacker. The victim may then be redirected to the real Banesco website to reduce suspicion.

The goal:
The attacker steals online banking credentials to:

  • Log into the victim’s Banesco account
  • View balances, transfer funds, and make unauthorized payments
  • Commit fraud or identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not the official Banesco domain (e.g., banesco.com or banesco.com.pa). Legitimate Banesco login pages are only on official bank domains.
  • Unsolicited login request: Banesco does not send links requiring customers to log in to resolve account issues. Always type the official URL directly.
  • Minimal design / missing security features: While the page uses the Banesco logo and color scheme, it lacks the full security notices, personalization, and multi‑step authentication (e.g., security image, captcha, or token requests) present on the real login page.
  • No personalization: A legitimate Banesco login may display a security image or partial account information after username entry – this page does not.

What to do if you encounter this:

  • Do not enter your username or password.
  • If you are a Banesco customer, always access online banking by typing the official URL directly (e.g., banesco.com or your country’s specific domain) or using the official mobile app.
  • If you have already entered your credentials, contact Banesco immediately to change your password and secure your account.
  • Report the phishing page to Banesco’s fraud department.

Protective measures:

  • Bookmark the official Banesco login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate domains.
  • Enable two‑factor authentication on your bank account if available.
  • Be suspicious of any unsolicited message that asks you to log in via a link.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains.

The “Carte Vitale” Renewal Scam

This phishing method targets residents of France, but similar schemes are used globally to mimic national health insurance services. Scammers use fake websites like ameli-vitale.fr to steal your sensitive data.

1. The Hook (The “Urgency” Trick)

You receive an SMS (smishing) or an email claiming that your Carte Vitale (French health insurance card) has expired or needs to be updated. The message often includes a warning: “If you do not update your card, your healthcare reimbursements will be suspended.”

2. The Trap (The Fake Website)

The link leads to a professional-looking site that perfectly mimics the official Ameli portal.

  • Official Domain: The ONLY legitimate site is ameli.fr.
  • Fake Domains: Scammers use look-alike addresses such as ameli-vitale.fr, service-vitale-info.com, or renouvellement-vitale.net.

3. The Goal (Data & Money Theft)

Once you are on the fake site, the scammers ask for:

  • Personal Information: Full name, address, and Social Security number (to use for identity theft).
  • Credit Card Details: They claim you need to pay a small “shipping fee” (usually around €0.99) for your new card.
  • The Kill: After you enter your card details, they may also try to intercept your bank’s 2FA (SMS code) to authorize much larger fraudulent transactions.

How to Protect Yourself:

  • Carte Vitale never expires: In France, the physical card does not have an expiration date. You never need to pay to “renew” it online.
  • Trust only the official app: If you have doubts, log in directly through the official Compte Ameli mobile app or type ameli.fr manually in your browser.
  • Check the URL: If the domain contains extra words, hyphens, or ends in anything other than .fr, it is a scam.
  • Government agencies won’t text for money: Official health services will never ask for your credit card details via SMS or email.

Stay safe: If you receive a text about your health card—delete it immediately.

PayPal Phishing – Fake “New Device Detected” & Credential Harvesting

The two screenshots show a two‑step PayPal phishing attack. The first page impersonates a security alert, claiming a login from an unrecognized device. The victim is pressured to click a button to “remove” that device, which leads to a fake PayPal login page where the victim’s email and password are stolen.

Threat Analysis: PayPal Phishing – Fake “New Device Detected” & Credential Harvesting

How the scam works (two steps):

Step 1 – Fake Device Detection Alert (First Screenshot)

The victim receives an unsolicited email, SMS, or web pop‑up claiming that a new device has logged into their account. The message includes a fabricated location (e.g., Madrid, Spain), browser type (Android Chrome), and a recent date. It urges the victim to click a button to “remove the device” as a security measure.

Step 2 – Fake PayPal Login Page (Second Screenshot)

Clicking the button leads to a page that mimics the official PayPal login screen. The victim is asked to enter their email address and password. Once submitted, the credentials are sent directly to the attacker.

The goal:
The attacker steals the victim’s PayPal login credentials to:

  • Access the PayPal account and view balance/transaction history
  • Transfer funds or make unauthorized purchases
  • Link the stolen credentials to other platforms where the same email/password combination is used

Red flags to watch for:

  • Suspicious URL: The login page is hosted on a domain like kontakt.nl-digitale.me, not paypal.com. The first alert shares the same suspicious domain pattern.
  • Unsolicited security alert: PayPal never sends such alerts via random links. Real security notifications appear inside your PayPal account or come from official @paypal.com email addresses, and they never ask you to click a button to “remove” a device.
  • Threat / urgency: The message creates fear that an unauthorized device has accessed your account, pressuring you to act immediately without thinking.
  • Generic design / missing account‑specific details: A real alert would include partial information about the actual device or location from your login history – this one uses generic placeholders.
  • Copyright notice inconsistency: The footer shows “Copyright © 1999-2025”, but the alert itself uses a future year (2025) when the screenshot was taken earlier – a common sign of a templated phishing page.

What to do if you encounter this:

  • Do not click the “Apparaat verwijderen” (Remove device) button.
  • Do not enter your email or password on the following page.
  • If you have already clicked and entered your credentials, change your PayPal password immediately, enable two‑factor authentication, and review recent account activity for any unauthorized transactions.
  • Always access PayPal by typing paypal.com directly into your browser.
  • Forward the suspicious email to [email protected] and then delete it.

Protective measures:

  • Never click links in unsolicited security alerts – always go directly to the official website.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your PayPal account (using an authenticator app, not SMS).
  • Check the URL carefully – legitimate PayPal domains are paypal.com and paypal.nl (for the Netherlands). Look for misspellings, extra words, or unusual top‑level domains.
  • Be suspicious of any message that claims an unknown login and asks you to click a button to “fix” it.

Fake Secure Payment (Correos)

Phishing Alert: The “Fake Secure Payment” Scam

This screenshot illustrates a sophisticated phishing attack targeting sellers on classified ad platforms (like OLX, Vinted, or Wallapop). Here is how the scam works and how to stay safe:

1. The Setup

The scammer contacts a seller pretending to be a buyer. They claim they have already paid for the item through a “secure transaction” service provided by a well-known logistics company (in this case, Correos).

2. The Trap (Visual Red Flags)

  • Deceptive URL: Look at the address bar. The official website is correos.es, but the scammer uses a fake domain: correos.compr-verif.digital. Always check the domain before clicking!
  • The “Receive Funds” Hook: The page claims your item is paid and asks you to click a button (e.g., “Aceptar pago” / “Accept payment”) to receive your money.
  • Urgency & Social Engineering: It mentions that to get the shipping label, you must first “confirm the receipt of funds” following the chat assistant’s instructions.

3. The Goal

When the victim clicks the “Accept payment” button, they are redirected to a fake payment gateway. Instead of receiving money, the victim is asked to provide their:

  • Full credit/debit card details.
  • Bank account login credentials.
  • SMS verification codes (which allows scammers to authorize fraudulent transactions).

How to Protect Yourself:

  • Never leave the platform: Real marketplaces never ask you to go to a third-party link to receive payment. All transactions should stay within the official app or website.
  • Check the link: If the URL looks long, strange, or ends in .digital, .info, or .top, it is a scam.
  • No “Payment to Receive”: You should never have to enter your card’s CVV code or an SMS password to receive money.

Stay vigilant! If a buyer sends you a screenshot or a link claiming they’ve paid through an external service—it’s a scam.

Bazaraki Phishing – Fake Account Verification Scam

This screenshot shows a phishing page impersonating Bazaraki, a major classifieds platform in Cyprus. The page uses a fake account restriction notice to pressure victims into providing personal and financial information.

Threat Analysis: Bazaraki Phishing – Fake Account Verification Scam

How it works:
The victim receives a message claiming their Bazaraki account has been restricted and requires identity verification within 24 hours. The page includes a checkbox to agree to terms and a “Verify” button. A fake live chat window appears, with a supposed support assistant explaining that the user must verify their account to receive funds or customer orders.

Clicking the “Verify” button leads to a subsequent page (not fully shown) that likely asks for:

  • Full name and contact details
  • Credit/debit card information (card number, expiry, CVV)
  • Online banking credentials
  • Personal identification documents

The goal:
The attacker aims to steal:

  • Login credentials for the victim’s Bazaraki account
  • Payment card details for fraudulent transactions
  • Personal identity information for further scams or identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not the official Bazaraki domain (bazaraki.com).
  • Threat of account restriction with a 24‑hour deadline: This is a classic fear tactic to rush victims into action without thinking.
  • Fake live chat support: The chat window is not a real help desk – it is a scripted message designed to make the page appear legitimate. A real support chat would not initiate contact with a pre‑written explanation about “the first stage of receiving funds”.
  • Request to “verify” before any details are entered: The current page only asks for a checkbox agreement, but the next page (after clicking “Verify”) will harvest sensitive data.
  • Unsolicited verification request: Bazaraki does not send links requiring users to verify their identity via external pages. All account-related actions are done within the official website after logging in normally.

What to do if you encounter this:

  • Do not click the “Verify” button or check the checkbox.
  • Do not interact with the fake chat or provide any information on subsequent pages.
  • If you are a Bazaraki user, always log in by typing bazaraki.com directly into your browser. Check your account status from the official dashboard.
  • If you have already clicked through and entered personal or card details, contact your bank immediately and change your Bazaraki password.
  • Report the phishing page to Bazaraki’s security team.

Protective measures:

  • Never click links in unsolicited messages claiming your account is restricted or needs verification.
  • Always type the official website URL directly into your browser.
  • Never trust a pop‑up support chat on a page you reached via a link – legitimate support chats appear only on official sites after you navigate there yourself.
  • Enable two‑factor authentication on your Bazaraki account and email.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains.
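As an added example, not part of any of the write-ups above, the following Python script turns the URL red flags repeated across these entries (brand names used as a subdomain or hyphenated label as in depop.securedirect.cfd and ameli-vitale.fr, the unusual .cfd/.top/.xyz/.digital/.info/.lat TLDs, a phone number embedded in the path as on mypayvault.com) and the keyword-filter suggestion from the chilw-order.lat entry into a small triage function a mail or proxy filter could run. The allowlist, the lure phrases and the sample page texts are constructed from the domains and wording quoted on this page; the registrable-domain logic is a simplification and is marked as such.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed allowlist: the official domains named in the entries above.
# A real deployment loads its own allowlist instead.
OFFICIAL_DOMAINS = {
    "jmty.jp", "depop.com", "tise.no", "tise.com", "xfinity.com",
    "banesco.com", "ameli.fr", "paypal.com", "paypal.nl", "correos.es",
    "bazaraki.com",
}
# TLDs the entries call out as unusual for a legitimate brand site.
SUSPICIOUS_TLDS = {"cfd", "top", "xyz", "digital", "info", "lat"}
# Brand tokens derived from the allowlist ("depop", "correos", ...). Short tokens
# such as "tise" can match inside ordinary words, so tune this list in practice.
BRAND_TOKENS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
# Shape of the contact number embedded in the mypayvault.com path (/Airtickt240-860-6160).
PHONE_IN_PATH = re.compile(r"\d{3}-\d{3}-\d{4}")

# Lure phrases and raw card-form markers quoted in the entries (English, Norwegian, Dutch).
LURE_RE = re.compile(
    r"account restriction|orders? (?:are )?(?:temporarily )?suspended|"
    r"midlertidig begrenset|innen 24 timer|within 24 hours|verify your (?:payment|identity)",
    re.IGNORECASE,
)
CARD_FORM_RE = re.compile(r"\bcvv\b|card number|expir(?:ation|y) date|pci dss", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Simplification: take the last two labels as the registrable domain.
    Production code should consult the Public Suffix List (e.g. tldextract),
    since hosts like banesco.com.pa have a three-label registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> list[str]:
    """Return the red flags raised by a URL; an empty list means nothing was flagged."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable host"]
    flags: list[str] = []
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return flags  # official domain: nothing to flag
    tld = reg.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"unusual TLD .{tld}")
    # Brand name used as a subdomain label, or glued to another word with a hyphen
    # (depop.securedirect.cfd, correos.compr-verif.digital, ameli-vitale.fr).
    for label in host.split("."):
        for brand in sorted(BRAND_TOKENS):
            if label == brand and reg.split(".")[0] != brand:
                flags.append(f"brand '{brand}' used as subdomain of {reg}")
            elif brand in label and label != brand:
                flags.append(f"brand '{brand}' embedded in label '{label}'")
    if PHONE_IN_PATH.search(parts.path):
        flags.append("phone number embedded in URL path")
    if not flags:
        flags.append(f"unaffiliated domain {reg}")
    return flags


def page_looks_like_card_harvester(text: str) -> bool:
    """True when a page couples an account-restriction lure with a raw card form,
    which is the combination the chilw-order.lat entry recommends filtering on."""
    return bool(LURE_RE.search(text) and CARD_FORM_RE.search(text))


# Constructed sample page texts modelled on the Depop entry and on an ordinary checkout.
SAMPLE_LURE_PAGE = (
    "Orders in your account are temporarily suspended. Verify your payment details. "
    "Card number / Expiration date (MM/JJ) / CVV. All transactions comply with PCI DSS."
)
SAMPLE_LEGIT_CHECKOUT = "Order summary. Card number, expiry date, CVV. Total: 24.99 EUR."

if __name__ == "__main__":
    for u in ("https://login.xfinity.com/", "https://depop.securedirect.cfd/verify",
              "ameli-vitale.fr", "https://mypayvault.com/Airtickt240-860-6160",
              "https://kontakt.nl-digitale.me/login"):
        print(u, "->", triage_url(u))
    print("lure page:", page_looks_like_card_harvester(SAMPLE_LURE_PAGE))
    print("checkout:", page_looks_like_card_harvester(SAMPLE_LEGIT_CHECKOUT))
```

The keyword check is deliberately a two-factor rule: a bare "verify your identity" notice or a bare card form alone does not trigger it, which keeps legitimate checkouts and account pages out of the alert stream.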