Another data sources

[kowith337]

This should be large company data sources that expose E-Mail address and sites, divided in each category.
https://googlegroups.com/group/itsenator/attach/e5bf4f790aa48e15/Prospect%20Audiences.xls?part=4+
from: https://groups.google.com/forum/#!forum/itsenator

[kowith337]

Note that TrueHits was already blocked because of this domain was flagged as Tracking, so I use the Google cache instead.

• http://webcache.googleusercontent.com/search?hl=en&q=cache%3Ahttp%3A%2F%2Ftruehits.net%2Fmodule%2Fstato.php%3FG_CODET%3Dp0026927%26t%3D2%26y%3D2016%26m%3D05%26Web%3Dwww.n-content.com%26cate%3D%26v%3D1%26dir%3Ddirectory%26order%3D444%26g%3D
• http://webcache.googleusercontent.com/search?q=cache:QJQpxE3vUzkJ:truehits.net/module/stato.php%3FG_CODET%3Dp0026927%26t%3D2%26y%3D2015%26m%3D12%26Web%3Dwww.n-content.com%26cate%3D%26v%3D1%26dir%3Ddirectory%26order%3D358%26g%3D+&cd=5&hl=en&ct=clnk&gl=th

[kowith337]

Need to lookup this report from Comodo

• https://www.comodo.com/ctrlquarterlyreport/Comodo-20Sept-2017-special-report-konica-copier-attack.pdf
• https://www.comodo.com/ctrlquarterlyreport/Comodo_IKARUSdilapidated_Special_Report_Part_II.pdf

[kowith337]

https://truehits.net/script/201812/rank_10.php

[kowith337]

This repo below contains some ThinkSmart domains
https://github.com/Tksm-Attaphon/dtacplay-github

[kowith337]

Incomplete lists related to Shinee (aka. AD Venture)

• https://www.google.co.th/search?num=100&no_sw_cr=1&pws=0&safe=off&hl=th&lr=lang_th&q=%22Girl+Clip%22+SMS+-site%3Afacebook.com+-site%3Apantip.com+-site%3Acommunity.*
• https://www.google.co.th/search?num=100&no_sw_cr=1&pws=0&safe=off&hl=th&lr=lang_th&q=022076805+OR+02-2076805+OR+02-207-6805+-site%3Afacebook.com+-site%3Apantip.com+-site%3Acommunity.*

[kowith337]

Conference data, I don't know...

http://mobile.shinee.com/01/rqf_v1.0/reqform/ReqForm_list.asp

Note: Username parameter are needed to view conference properly...

• http://mobile.shinee.com/01/rqf_v1.0/reqform/reqform_list.asp?usert=all&user=nadtinee
• http://mobile.shinee.com/01/rqf_v1.0/reqform/reqform_list.asp?usert=co&user=nadtinee
• http://mobile.shinee.com/01/rqf_v1.0/reqform/reqform_list.asp?usert=sp&user=nadtinee
• http://mobile.shinee.com/01/rqf_v1.0/reqform/reqform_list.asp?usert=rm&user=nithi

Edited note:
They're many types of user teams and also give different topics, only matched username and group team can browse those conversations.

[kowith337]

TrueHits Cache

http://webcache.googleusercontent.com/search?hl=en&q=cache%3Ahttps%3A%2F%2Ftruehits.net%2F2018%2Findex.php%3Fcateid%3D10

[kowith337]

ThinkSmart use ZeroPark to show ads and redirect traffics and/or web page to directly subscribe their services without any user-side confirmations!

https://www.bangkokbiznews.com/pr/detail/48072

With the picture above, expected that ThinkSmart use ZeroPark to serve ads, then redirect to the web page that hosted on CTrackz for performing quick subscribe!

[kowith337]

...

https://olimob.com/inc/ajax/offers_pubstat.php

A tool to generate full-width text to prevent URL clicking

https://lingojam.com/VaporwaveTextGenerator

[kowith337]

https://pantip.com/topic/39082267

Search with 025414xxx in this spreadsheet!

https://docs.google.com/viewer?url=http%3A%2F%2Fservices.totiti.net%2Fskl%2Fwp-content%2Fdocument%2FSME_Inactive%2FSMEs_Inactive_%25E0%25B8%25994.xlsx

[kowith337]

Update from #6 (comment)

...

http://mobile.shinee.com/01/rqf_v1.0/reqform/ReqForm_Detail.asp?user=nadtinee&usert=all&rq_id=5391&brqno=01201907220001

TMC = TeleInfo Media Co.,Ltd. (Thailand Yellow Pages)

[kowith337]

From https://pantip.com/topic/39093998

SumOne (aka. RakContent)

• https://www.google.co.th/search?num=100&no_sw_cr=1&pws=0&safe=off&hl=th&lr=lang_th&q=025592997+OR+02-5592997+OR+02-559-2997+OR+0-2559-2997+-site%3Afacebook.com+-site%3Apantip.com+-site%3Acommunity.*
• https://www.google.co.th/search?num=100&no_sw_cr=1&pws=0&safe=off&hl=th&lr=lang_th&q=025592913+OR+02-5592913+OR+02-559-2913+OR+0-2559-2913+-site%3Afacebook.com+-site%3Apantip.com+-site%3Acommunity.*

Spreadsheet Exposed, gotta find something more in there!

http://103.80.100.92/%E0%B8%82%E0%B9%89%E0%B8%AD%E0%B8%A1%E0%B8%B9%E0%B8%A5%20Business%20Guide%20All/BusinessAll.xls

[kowith337]

Relationship of company: HexCube

• 020179600
  • They use this number for automation calling to lure peoples who receive the call make subscribe their services.
  • After unintentionally subscribe their service, they will start sending SMS and show other service numbers.
  • See twitter report

---

• 026190882
  • Manager Online have a news article said about subscribing SMS news service to keep support specific political TV channel.

---

• 026199814
  • Many results also show this call center number related to GameLoft (Region)

[kowith337]

More interesting information

• https://pantip.com/topic/39095960
  • Operator holder company or name change to TrueMove-H Universal Communication
• https://www.pptvhd36.com/news/%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B9%80%E0%B8%94%E0%B9%87%E0%B8%99%E0%B8%A3%E0%B9%89%E0%B8%AD%E0%B8%99/58422
  • News archive talking about spam call and said about SIP trunk number
  • The number 02917xxxx are the part of True Universal Convergence PCL

[kowith337]

Reference to e559c2a

• aston-trafficlog_1.log
• aston-trafficlog_0.log

[kowith337]

Todo: b8a735f

• view-source:https://gamehack.bid/v2/th/game/com.supercell.clashofclans-hack?referer=my.dek-d.com
• List all subdomains of bemobtrk.com as much as possible.

[NotRealPaz]

I think *****.bemobtrk.com is just a ad-tracker according to this website bemob.com

[kowith337]

Yes, it's deserve to blocked due to it's possible to redirecting to AOC supscription page, but they may have lots of random subdomains, however.

[NotRealPaz]

Then the file it's gonna be very large due to host file doesn't support wildcards. around 60 million lines of host file.

[kowith337]

Hmm, I don't think it's site will use 11111, aaaaa till zzzzz.

If they really do, their site and/or server might be large enough like a server farm, or have lots of virtual servers/containers?

[NotRealPaz]

They just point to same server. You can try to ping them. I think they are around 2-10 servers.

[kowith337]

That might still be return to a same point by adding randomized sub hosts, since this is a hosts file, not wildcard, direct DNS name block or top-level blocking or something.

Unless it have some possible ways, e.g.

• Add bemobtrk.com to your additional hosts list in pDNSF to ensure that everything from that domain will be blocked, regardless of any other subs.
• uBO (or Nano) and uMatrix are also block subdomains of them since the main of it's domain are listed and blocked already.

However, not everyone use any good tools, and any browsers than Chrome, either.

Because Chrome itself are able to bypass blocking and use their own built-in DNS, unless you've turn off this flag!

[kowith337]

About recent commit: 5df5b18 + https://pantip.com/topic/40352230

Found from TrueID news articles that have its promo banner, all links below are converted to Outline.

• https://outline.com/GCq5ge
• https://outline.com/gPHR7G
• https://outline.com/BMGDPE

So, it's clear that Truemove create subscription services by their own!

[kowith337]

New affiliate lists to check along with OilMob

https://leads.mengine.me/live-offers/index/per-page/100/page/7/order/ID/dir/desc

Trend Micro report of malware that written with Kotlin

https://www.trendmicro.com/en_us/research/18/a/first-kotlin-developed-malicious-app-signs-users-premium-sms-services.html
In images and extracted URL are pointed to GMPMobi