Following changes beyond my control, I found myself thinking about my dependence, as a European citizen, on services and products made in the USA. This never used to bother me, but lately it has started to worry me. I therefore decided to start moving the services that are most important to my private and professional life to Europe.
It took me about a month to draw up a list of services, actions, and priorities. I started with the list of the most important services, but the more I thought about it, the longer the list grew: internet domains, email accounts, cloud storage. These were just the beginning.
I used to use GoDaddy to manage my internet domains, but I chose OVH as a European replacement and I must say that the migration was fairly painless.
The step that scared me the most was email: my main personal account was Gmail and I am gradually replacing it with my Proton account. I also decided to move my business accounts to Proton. These were previously on Office 365, which obviously offers many other services in addition to email. I didn’t use all of Office 365’s services, so I was able to cover my needs with the Proton suite without any compromises: email, calendar, drive. The migration was fairly easy. To replace Microsoft Office, I chose LibreOffice. I replaced Outlook with Proton Mail, and I must say that after some initial confusion, now, after about a month, I’m very happy with it.
Last weekend, I reinstalled Debian on almost all my computers and reset my iPhone.
You don’t realize how many services/applications you use until you start throwing stuff away and looking for replacements! I decided to start tidying up my phone, and I must say that I now have far fewer apps.
For now, I’ve decided to continue using iPhone and iCloud. Trying to change smartphones at this point could be fatal. Next year, I plan to buy a Jolla smartphone and maybe try to contribute to the project.
As for the browser, after many years, I decided to abandon Chrome and switch to Brave and DuckDuckGo instead of Google as my search engine.
As for work, many of the systems I use are local, and the rest are OVH and Hetzner machines. I have a few TB of storage on Azure with content produced by Matrix, which I’ll move in my spare time to cancel the subscription.
Clearly, this journey does not end here. To date, I have moved a lot of services to Europe and kept some in the US. For now, I wanted to be sure that no one could deactivate my email account without explanation, as happened with my Twitter account 🙂
Social networks are a great vehicle for sharing. Each user contributes by sharing their own experiences. Our smartphone has more information about us than our parents or our partner do. This allows us to create relationships and improve existing ones, enabling us to get to know others better.
One of the many drawbacks is that all the data we put on social networks is accumulated by companies that become its owners. These companies have a view of the world that is more comprehensive than anyone has ever had before. Knowing people’s tastes, orientations, thoughts, and moods allows them to be monitored, but above all, it enables them to be solicited, guided, and ultimately led.
This happens with social networks and with the lives of the people who participate in them. I won’t comment on who profits from this; there are journalists who deal with these things on a daily basis and are certainly more reliable than I am.
However, this mechanism does not work well with companies. Of course, by looking at a company’s website, we can see what it does. By looking at LinkedIn, we can understand who works there and possibly what they do and how they do it. It always remains at a high level; from the outside, we can peek in, but not much more. Typically, unless there is a leak, we know what a company wants us to know.
So how could someone from the outside really understand how a company works? How could someone understand the business processes, methodologies, and technologies used in a particular company?
The solution could be to create an assistant based on artificial intelligence!
Once this is done, it is advertised as the future, with speculation that it will allow anyone to do anything, and surely someone will find it convenient to share with a chatbot (about which they know nothing) everything they would not even confide to their mother.
Because in exchange for their secrets, the chatbot gives users something they could not otherwise have (except through hard work and perhaps even study): the feeling of being autonomous. Even in contexts unknown to the user. No need to ask, no need for professionals, no need for culture and knowledge. Artificial intelligence does everything. Just pay and share. So you pay twice. Brilliant!
You don’t know how to use Photoshop but you want an image? There’s GenAI! You don’t know how to write code but you want to make an app? Long live Vibe Coding!
In the end, it doesn’t matter that you had to share your secrets with a stranger to get a solution, because the user thinks they did it all themselves in the silence of their office. Them and their computer.
It doesn’t matter where the information ended up because they got an answer in return. They did it all themselves. A kind of masturbation, live on TV.
After weeks of eBay nagging me because I had no payment method associated with my account, I decided to do as they asked and add one. I thought a credit card would be fine, but no, they want a bank account. I started the procedure: they asked me which bank I use, a popup from my bank opened asking for my credentials, I entered them and there, rightly, the bank asked me to consent to the authorizations eBay was requesting. Here I noticed two things I don’t understand: first, the authorizations eBay asked me to grant cover not only the checking account but also a credit card. On top of that, which already seems excessive to me, the list of authorizations includes: account details, balance and list of transactions.
I could also find a justification for these requests, but what I see more readily is a desire to pry into my business.
Searching for something else, I found a notification for a piece of malware detected months ago. The thing that struck me was the name of the file: FixInternet.exe
In the following article I talk about some approaches to mitigate the damage from a criminal attack. I am not sure if what I am talking about is legal in all countries, so do your research first. Or use a VPS in Russia 😀
Telegram is one of the main tools used by criminals to receive stolen information through various types of attacks, including of course phishing sites.
Below I outline some simple actions we can take to mitigate Telegram bot-based attacks. But first let’s see how to use a token.
For this post I will use a token identified in these hours within a kit distributed on different domains:
Analyzing how the kit was deployed, we can see that the criminal registered the various domains and only after several days installed the kit, in an attempt to avoid being intercepted. Fortunately, Matrix also handles these situations 🙂
Let’s move on to the kit: as always, it’s a piece of junk written in PHP. Inside we find the Telegram bot token to which the credentials stolen from unwary users are sent.
Now let’s move on to the main topic of this article: we have a token, what do we do with it? First, let’s study. Here is the documentation on how to use bots: https://core.telegram.org/bots/api
Using VS Code and the amazing “REST Client” extension, we can query the bot and use it to mitigate the criminal action. First, using the “getMe” method, I check whether the token is active. The 200 return code and the JSON response indicate that the token is active and therefore ready to receive information from clients, including the phishing site itself.
When the unwary user enters their credentials into the phishing site, it sends the information to the Telegram bot. Two things can happen here: if there is a registered webhook, the information is sent to the resource indicated as the webhook, otherwise the information is kept in the bot’s message queue to be consumed via the “getUpdates” method.
Using the “getWebhookInfo” method we check the bot status and the possible presence of a webhook. In this case the webhook is not registered and therefore we must use the “getUpdates” method to download any messages present in the queue.
By calling the “getUpdates” method we see that there are no messages in the queue. If there were any, our call would have returned them to us by deleting them from the queue.
As mentioned, we have several ways to handle this situation. The first is to register a resource of our own as a webhook; it will then receive the stolen information, allowing us to act promptly. For example, you could implement an alert system that warns the user that their credentials have been stolen and perhaps even deactivates their account and credit cards. As an alternative to registering your own webhook, you can implement a polling mechanism that downloads the stolen information, removing it from the criminal’s reach, and use it to mitigate the threat: as mentioned above, you can block the account, warn the user, and explain to them that they need to be careful.
Another approach is token deletion. I personally don’t like this approach because it prevents us from intercepting compromised accounts and therefore deprives us of the ability to act on users.
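As an added example (not code from the post, nor part of Matrix), here is how the getMe / getWebhookInfo / getUpdates triage described above can be scripted on the defender’s side: the sample API envelopes are constructed to match the documented response shapes, and the redaction pattern is my own assumption about what the stolen-credential messages look like.

```python
"""Defender-side triage of an abused Telegram bot token (added example).
Only the public Bot API methods named in the post are used; the sample
responses below are constructed, not captured from a real bot."""
import json
import re
import urllib.parse
import urllib.request

API = "https://api.telegram.org/bot{token}/{method}"


def call_bot_api(token, method, **params):
    """Live call to the Bot API; returns the parsed JSON envelope."""
    url = API.format(token=token, method=method)
    data = urllib.parse.urlencode(params).encode() if params else None
    with urllib.request.urlopen(url, data=data, timeout=15) as resp:
        return json.load(resp)


def token_is_active(get_me):
    """getMe succeeds only for a live token: ok=true plus a bot user object."""
    return bool(get_me.get("ok")) and "id" in get_me.get("result", {})


def decide_action(webhook_info):
    """Pick the path the post describes: with a webhook set, messages are
    pushed to that URL and nothing queues; without one, poll getUpdates."""
    url = webhook_info.get("result", {}).get("url", "")
    return "webhook-set:" + url if url else "poll"


# Assumed shape of credential lines in the exfiltrated messages.
SECRET = re.compile(r"(?i)\b(pass(word)?|pwd|pin|cvv)\b\s*[:=]\s*(\S+)")


def triage_updates(updates):
    """Turn a getUpdates envelope into redacted records safe for a ticket:
    victim-identifying fields stay, credential values are masked."""
    records = []
    for upd in updates.get("result", []):
        msg = upd.get("message") or upd.get("channel_post") or {}
        text = msg.get("text", "")
        records.append({
            "update_id": upd["update_id"],
            "chat_id": msg.get("chat", {}).get("id"),
            "date": msg.get("date"),
            "text": SECRET.sub(lambda m: f"{m.group(1)}: ***", text),
            "has_secret": bool(SECRET.search(text)),
        })
    return records


def next_offset(updates):
    """Offset for the next getUpdates call; passing it confirms (and thus
    removes from the queue) every update with a smaller update_id."""
    ids = [u["update_id"] for u in updates.get("result", [])]
    return max(ids) + 1 if ids else None


# Constructed sample envelopes, shaped like the real API responses.
SAMPLE_WEBHOOK_INFO = {"ok": True, "result": {"url": "", "pending_update_count": 2}}
SAMPLE_UPDATES = {"ok": True, "result": [
    {"update_id": 9001, "message": {"message_id": 1, "date": 1745000000,
     "chat": {"id": -100123, "type": "channel"},
     "text": "NEW LOGIN\nuser: victim@example.invalid\npass: hunter2\nip: 203.0.113.7"}},
    {"update_id": 9002, "message": {"message_id": 2, "date": 1745000060,
     "chat": {"id": -100123, "type": "channel"},
     "text": "visitor from 198.51.100.9 loaded page"}},
]}

if __name__ == "__main__":
    print(decide_action(SAMPLE_WEBHOOK_INFO))
    for rec in triage_updates(SAMPLE_UPDATES):
        print(rec)
    print("next offset:", next_offset(SAMPLE_UPDATES))
```

For a live bot you would replace the sample envelopes with call_bot_api(token, "getWebhookInfo") and call_bot_api(token, "getUpdates", offset=...) in a loop.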
Today I found an email with an SVG attachment in my secondary email account. The account is on Office 365 and the email was not in spam; this is not good, especially considering how much 365 costs! Anyway, back to the email: it was clearly suspicious, also considering the attachment, an SVG file named “Your-to-do-List.svg”, supposedly sent by me to myself.
I immediately downloaded the file and opened it with Notepad++ (all this without the antivirus having anything to say about it…). Inside was a script that, through a simple algorithm, redirected to a phishing site aimed at stealing the credentials of that same Office 365 account.
The target URL is: hxxps://bzzrr[.]yiunwox[.]es/!7ijf9v9ehpNFEKt/$
When I tried to forward the message to my Gmail account, Google’s mail server correctly returned an error 🙂
As always, avoid downloading and opening attachments if you are not sure of the source.
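An added example, not from the post: a small static check that a mail gateway or an analyst could run on an SVG attachment to flag the features that let it behave as a redirect page (script elements, event-handler attributes, javascript: links, foreignObject). The sample SVGs are constructed and do not reproduce the real attachment.

```python
"""Static risk check for SVG mail attachments (added example, not the post's code).
An SVG is XML, so the active content a redirect needs is visible as elements
and attributes; the samples below are constructed."""
import xml.etree.ElementTree as ET


def _local(name):
    """Strip the XML namespace prefix, e.g. '{...svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_risk_indicators(svg_text):
    """Return human-readable findings; an empty list means nothing active."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            body = (el.text or "").strip()
            findings.append(f"<script> element ({len(body)} chars of code)")
        if tag == "foreignobject":
            findings.append("<foreignObject> (can embed arbitrary HTML)")
        for attr, val in el.attrib.items():
            a = _local(attr).lower()
            v = val.strip().lower()
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{tag}>")
            # covers both href and xlink:href after namespace stripping
            if a == "href" and v.startswith(("javascript:", "data:text/html")):
                findings.append(f"active href on <{tag}>: {v[:40]}")
    return findings


def attachment_verdict(filename, svg_text):
    """Policy decision for one attachment: block anything with active content."""
    findings = svg_risk_indicators(svg_text)
    if not filename.lower().endswith(".svg"):
        findings.append("extension does not match SVG content")
    return ("block" if findings else "allow", findings)


# Constructed samples: a redirect-style SVG and a harmless icon.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">
  <script>window.location.href = "https://phish.example.invalid/";</script>
  <a xlink:href="javascript:void(0)"><text>Your-to-do-List</text></a>
</svg>"""
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4"/></svg>')

if __name__ == "__main__":
    for name, body in (("Your-to-do-List.svg", SAMPLE_SVG), ("logo.svg", BENIGN_SVG)):
        verdict, why = attachment_verdict(name, body)
        print(name, "->", verdict, why)
```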
In the last few weeks I have noticed that attacks on Correios are constant. I have studied the matter a bit: it is the Brazilian state company that manages shipments and payments related to them.
The scam is always the same: attackers write to users saying that a shipment is blocked and that a small payment is needed to unblock it. What is interesting about this attack is that when the user enters their CPF (Cadastro de Pessoas Físicas), their personal data is displayed on the page, which certainly makes it look reliable to the user.
The domain used for the attack is cpf-pendente[.]co[.]ua and it was registered a few hours ago.
The first curious thing is that the archive is a RAR instead of a ZIP. Someone hoped to make life difficult for Matrix, but I love writing code, and this allows Matrix to open different types of archives, obviously including RAR 🙂
Aside from the type of archive, what made me curious about this kit was the functionality that extracts user data starting from the CPF. I don’t know Brazilian law, but being able to extract personal data from a simple number seems unsafe to me.
The kit uses an external service to resolve the client’s data. I assume this service is part of the attack and probably relies in turn on another service, perhaps a legitimate one or a leak from who knows where. This service is available at the domain anonimobusca[.]online, which was registered one week ago.
Domain Name: ANONIMOBUSCA.ONLINE
Registry Domain ID: D544101018-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2025-04-15T13:27:33.0Z
Creation Date: 2025-04-15T13:27:28.0Z
Registry Expiry Date: 2026-04-15T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant State/Province: Capital Region
Registrant Country: IS
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: DAPHNE.NS.CLOUDFLARE.COM
Name Server: IGNAT.NS.CLOUDFLARE.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.9854014545
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2025-04-23T07:20:24.0Z <<<
To obtain the user information, the phishing kit uses a specific resource exposed by the second domain.
Another aspect concerns how payments are collected. The kit does not in fact collect the payment data itself. The user makes the payment using systems that manage transactions. The services used to perform the transactions are paguesafe[.]com and atlaspagamentos[.]com.
Both services have been active for a short time, use cheap providers for domain management and have free certificates. In short, I would say that nothing about these services inspires trust.
Domain Name: paguesafe.com
Registry Domain ID: 2805917900_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.rrpproxy.net
Registrar URL: https://www.hostinger.com/contacts
Updated Date: 2025-01-22T02:22:32Z
Creation Date: 2023-08-14T19:17:29Z
Registrar Registration Expiration Date: 2025-08-14T19:17:29Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abusereport@key-systems.net
Registrar Abuse Contact Phone: +49.68949396850
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: On behalf of paguesafe.com OWNER
Registrant Organization: c/o whoisproxy.com
Registrant Street: 604 Cameron Street
Registrant City: Alexandria
Registrant State/Province: VA
Registrant Postal Code: 22314
Registrant Country: US
Registrant Phone: +64.48319528
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 20f3221829e93b3a03d0a4bba3bcdb0491e3ed52d42dd6bff0f8d15a0f6fc777@paguesafe.com.whoisproxy.org
Registry Admin ID: Not Available From Registry
Admin Name: On behalf of paguesafe.com ADMIN
Admin Organization: c/o whoisproxy.com
Admin Street: 604 Cameron Street
Admin City: Alexandria
Admin State/Province: VA
Admin Postal Code: 22314
Admin Country: US
Admin Phone: +64.48319528
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 20f3221829e93b3a03d0a4bba3bcdb0491e3ed52d42dd6bff0f8d15a0f6fc777@paguesafe.com.whoisproxy.org
Registry Tech ID: Not Available From Registry
Tech Name: On behalf of paguesafe.com TECH
Tech Organization: c/o whoisproxy.com
Tech Street: 604 Cameron Street
Tech City: Alexandria
Tech State/Province: VA
Tech Postal Code: 22314
Tech Country: US
Tech Phone: +64.48319528
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 20f3221829e93b3a03d0a4bba3bcdb0491e3ed52d42dd6bff0f8d15a0f6fc777@paguesafe.com.whoisproxy.org
Registry Billing ID: Not Available From Registry
Billing Name: On behalf of paguesafe.com BILLING
Billing Organization: c/o whoisproxy.com
Billing Street: 604 Cameron Street
Billing City: Alexandria
Billing State/Province: VA
Billing Postal Code: 22314
Billing Country: US
Billing Phone: +64.48319528
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: 20f3221829e93b3a03d0a4bba3bcdb0491e3ed52d42dd6bff0f8d15a0f6fc777@paguesafe.com.whoisproxy.org
Name Server: ns1.dns-parking.com
Name Server: ns2.dns-parking.com
DNSSEC: unsigned
Whoisprivacy: 1
URL of the ICANN WHOIS Data Problem Reporting System: https://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-04-23T07:20:56Z <<<
Domain Name: atlaspagamentos.com
Registry Domain ID: 2936397696_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: https://www.godaddy.com
Updated Date: 2024-11-22T15:48:06Z
Creation Date: 2024-11-22T15:48:06Z
Registrar Registration Expiration Date: 2025-11-22T15:48:06Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 100 S. Mill Ave, Suite 1600
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85281
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: https://www.godaddy.com/whois/results.aspx?domain=atlaspagamentos.com&action=contactDomainOwner
Registry Tech ID: Not Available From Registry
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 100 S. Mill Ave, Suite 1600
Tech City: Tempe
Tech State/Province: Arizona
Tech Postal Code: 85281
Tech Country: US
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: https://www.godaddy.com/whois/results.aspx?domain=atlaspagamentos.com&action=contactDomainOwner
Name Server: ARYA.NS.CLOUDFLARE.COM
Name Server: BRETT.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-04-23T07:22:01Z <<<
To this I would like to add that the two graphical interfaces are practically the same.