Investigating_1
===============

.. post:: Oct 08, 2025
   :tags:
   :category:


Beginning
---------

The initial contact was via text:

The URL: https[://]legalkp.com/XXX.php?p=bkXXXXX

On this page shows:

.. code:: html
          <head>
          <meta charset="UTF-8">
          <meta name="viewport" content="width=device-width, initial-scale=1.0">
          <title>Claim Your Settlement</title>
          <style>
          body {
          font-family: Arial, sans-serif;
          background-color: #f9f9f9;
          margin: 0;
          padding: 20px;
          display: flex;
          justify-content: center;
          align-items: center;
          min-height: 100vh;
          }
          .container {
          background: white;
          padding: 24px;
          width: 100%;
          max-width: 480px;
          border-radius: 16px;
          box-shadow: 0 10px 20px rgba(0, 0, 0, 0.08);
          text-align: center;
          }
          .headline {
          font-size: 1.5rem;
          font-weight: bold;
          color: #111;
          }
          .title {
          font-size: 1.8rem;
          font-weight: bold;
          margin: 12px 0;
          color: #111;
          }
          .subhead {
          font-size: 1rem;
          color: #444;
          margin-bottom: 24px;
          }
          .cta-wrapper {
          display: flex;
          justify-content: center;
          align-items: center;
          width: 100%;
          margin-bottom: 24px;
          }
          .cta-button {
          background-color: #ff4d2e;
          color: white;
          font-weight: bold;
          padding: 14px 24px;
          border: none;
          border-radius: 32px;
          font-size: 1.1rem;
          cursor: pointer;
          width: 320px;
          max-width: calc(100vw - 72px);
          box-shadow: 0 6px 12px rgba(255, 77, 46, 0.25);
          margin: 0;
          text-decoration: none;
          display: block;
          transition: all 0.3s ease;
          text-align: center;
          box-sizing: border-box;
          }
          .cta-button:hover {
          background-color: #e6432a;
          transform: translateY(-2px);
          box-shadow: 0 8px 16px rgba(255, 77, 46, 0.35);
          }
          .benefits {
          text-align: left;
          margin: 0 auto;
          max-width: 360px;
          }
          .benefit {
          margin: 10px 0;
          font-size: 1rem;
          display: flex;
          align-items: flex-start;
          }
          .benefit-icon {
          margin-right: 10px;
          font-size: 1.2rem;
          }
          .scarcity {
          color: #c00;
          font-weight: bold;
          margin-top: 24px;
          font-size: 1rem;
          }
          @media (max-width: 400px) {
          .title {
          font-size: 1.5rem;
          }
          .headline {
          font-size: 1.3rem;
          }
          .cta-button {
          font-size: 1rem;
          padding: 12px 20px;
          width: 280px;
          max-width: calc(100vw - 72px);
          }
          .benefit {
          font-size: 0.95rem;
          }
          .scarcity {
          font-size: 0.95rem;
          }
          }
          </style>
          
          </head>

If you click on this URL it will take you to another suspicious looking URL:

https[://]bailliny[.]com/wDuAqOTjETq3Eoj5Lk4ONddwWyZfmzU7MxfxNoWgYkjfaF9MPpzrQulMJptfRpoC8Y4PYYHUuesu9UJ0ae_Dag~~/jnXXXXX

.. note:: I used the tor browser behind a VPN and a browser sandbox in order to stay safe when investigating and you should too.

To see what was on this page (and to avoid any potential drive-by-dowloads) I ran this cURL command.

I also made sure to spoof my user-agent as any compotent malware developer would block a cURL user-agent.

This is the command I ran:

curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" -X GET https[://]bailliny[.]com/wDuAqOTjETq3Eoj5Lk4ONddwWyZfmzU7MxfxNoWgYkjfaF9MPpzrQulMJptfRpoC8Y4PYYHUuesu9UJ0ae_Dag~~/jnXXXXX

Now this returns basic HTML:

.. code:: html
   
   <script type="text/javascript">
   window.location.href = "https[://]ablehast[.]com/AQXBgTb_Si5QB2idspWBA9MYrDLoWW38J2Z5M1AtnS8eOA-1E7rXobU-iF37BFeo04r8Eg2sEmYohZGuHCmRrQ~~/540359/494415125/jnXXXXX"
   </script>

Now lets see where this takes us, Ill run a similar cURL command to see what gets returned.

This gives us another link:

.. code:: html

          <script type="text/javascript">
          window.location.href = "https[://]benefit.benefitreliefs[.]com/l/tpl43/1/?wid=98fed6f9-0337-44e2-985b-0e6833cd941e&br=1&s1=540850&s2=494431184&s3=540850"
          </script>

.. note:: At this point I realized something interesting. Three of the URLs (starting after the first one) had the same string at the end: jnXXXXX. (partially censored) I also noticed the initial URL had a 'p' paramater which could have also been used to track each victem individually.