Shopping trap: The online stores’ scam that hits users worldwide.

Summary

Malicious schemas linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of online stores of popular brands to target users all over the world and thereby trick victims. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, Columbia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected. Furthermore, Portuguese Internet-end users have been impacted by criminals – the principal motivation for carrying out this research.

Figure 1: Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).

As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.

The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.

Figure 2: High-level diagram of the malicious stores’ scam disseminated around the world and impacting thousands of victims.

A new campaign typically starts with the authors setting up the malicious domain at the top of Google search through digital ads (Google ads) – as shown in Figure 2 referring to the Lefties clothing store disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, social Ads were also found on Instagram and Facebook social media platforms.

The content of the malicious websites – clones of the official stores – are based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts and development commits related to the static CMS can be found on a GitHub repository from criminals (analyzed towards the end of the article). In detail, criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates would allow the reuse of code for different online stores. Then, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:

- Name (first and last)
- Complete address (street, zip-code, city, and country)
- Mobile phone
- Email
- Password
- Credit card information (number, date, and CVV); and
- Details about the order and tracking code of the package.

As usual, this Personally Identifiable Information (PII) can be utilized later by criminals to leverage other kinds of campaigns. In order to prevent this type of scenario, we provide a tool that allows you to validate if victims’ information is now in the wrong hands.

In addition, the middleware websites hosted on another domain receive the payment data during the payment process and try to complete the online transaction on several online payment systems such as Stripe. If the transaction is successfully completed, the response message from the payment system is sent to the middleware platform responsible for sending the “HTTP-response” back to the online store that is executing the payment transaction. After that, a tracking code is sent to the victims’ side in order to follow the package.

The package tracking platform is also created by criminals and it is embedded part of a legitimate platform: 17track.net. This whole process is aimed at creating a fully controlled scenario and very close to a legitimate system, but in the end, the victim will actually receive the package, not with clothes, but garbage.

Key-findings

- Criminals use Google, Facebook, and Instagram Ads to boost their scams.
- After a few days, malicious domains appear at the top of Google searches or on social media platforms.
- Victims are deceived.
- Home-made CMS is used to create all the malicious stores (with a PHP API and MySQL cluster).
- The middleware platform is responsible for establishing communication between the malicious store and the online payment platform during the payment transaction.
- The victim receives a package tracking code and is tricked into visiting a malicious website to track the order.
- The package can arrive, but no clothes inside, just garbage.

Technical details

Next, the details of this analysis are scrutinized below.

1. Bad Ads: slingshot the threat onto the top

The malicious chain starts with the acquisition of an Internet domain very similar to the legitimate one – a technique known as domain typosquatting. Although hundreds of malicious domains related to this mega campaign were collected (and also shared at the end of the article), we decided to focus this research only on the following pieces: “leftshop[.]ru” and the replica “leftionline.shop” – which intends to imitate the Lefties’ official store in Portugal. It should be noted that the modus operandi of the other campaigns are very similar, only changing the domains of the target stores and also the domain of the middleware platforms and online payment systems; randomly selected during the transaction process and target country.

As can be seen, the first domain belongs to the Russian TLD .ru, however, we have been observing an increasing use of this TLD and as well as servers geolocated in Russia to host malicious campaigns disseminated in Portugal. A trojan banker detected in the last month, the phishing campaign that targets banks in Portugal at least last 3 years, the Lampion trojan C2 server, and the Maxtrilha trojan are just some of the threats active in Portugal in 2022 and hosted on servers geolocated in Russia.

As mentioned, the success of these kinds of malicious movements relies on advertisement campaigns. Criminals are using this approach to put their scams on the top of the Google searches as observed in Figure 3 below.

Figure 3: Malicious advertising appears in the 1st place when searching by the specific clothing store in Google search engine.

As can be seen, the malicious Ad appears in the 1st position after a quick search, followed by the legitimate Ad and the official online store. This is a clear sign this modus operandi is working, and a few days later the victims will fall into the tentacles of cybercriminals.

2. Sniffing out the criminals’ steps

Taking the domain “leftshop[.]ru” as a basis for analysis, it was possible to conclude that the same server (185.150.2.52) geolocated in Turkey, Istanbul, hosted other pages operated by the same group. As mentioned in Figure 1, criminals are just using web servers geolocated in the USA, The Netherlands, and Turkey to host their malicious stores.

leftshop.ru
kiplbolsos.online
yamawomany.shop
robesoldfr.online
qituatt.com

Figure 4: Malicious web-server geolocated in Turkey and hosting more domains operated by the threat group.

By using the same approach on a large scale, we identified hundreds of domains copies or clones of legitimate online stores. These domains are used on a worldwide scale and disseminated in several countries, including Portugal, Spain, France, Italy, Chile, Columbia, Mexico among others.

Looking closely, it was possible to observe an email account associated with the domain’s SOA record RNAME. In detail, a DNS SOA record indicates who is responsible for that domain. The ‘RNAME‘ value here represents the administrator’s email address.

Figure 5: SOA RNAME email address found. No results were found.

For a promising beginning, nothing better than starting without results. However, using the same approach on other domains, an interesting email address is found. From this point, identifying hundreds of active malicious domains, the threat origin, the potential authors behind the scene as well as other IoCs was possible. As observed, Chinese references are found, namely a reference to the Hubei province in China, and the postal code associated with the Wuhan city. Take note of these indicators, as they will be an object of analysis later.

Registry Registrant ID: Not Available From Registry
Registrant Name: lumou
Registrant Organization: payyoo
Registrant Street: dsadfadfdafg 604292528
Registrant City: hubeids
Registrant State/Province: Hubei
Registrant Postal Code: 430417
Registrant Country: CN
Registrant Phone: +86.18695956630
Registrant Email: [email protected]
Registry Admin ID: Not Available From Registry
Admin Name: lumou
Admin Organization: payyoo
Admin Street: dsadfadfdafg 604292528
Admin City: hubeids
Admin State/Province: Hubei
Admin Postal Code: 430417
Admin Country: CN
Admin Phone: +86.18695956630
Admin Email: [email protected]
Registry Tech ID: Not Available From Registry
Tech Name: lumou
Tech Organization: payyoo
Tech Street: dsadfadfdafg 604292528
Tech City: hubeids
Tech State/Province: Hubei
Tech Postal Code: 430417
Tech Country: CN
Tech Phone: +86.18695956630
Tech Email: [email protected]

Figure 6: Details extracted from the RNAME record.

Depping into the last domain in Figure 6 (right side), we can see it is a web server with the CMS WordPress installed and with some suspicious pages available in the Portuguese language. By analyzing some domains of this scam, we found several servers with the same files’ structure and pages, including a simple shell also available in other analyzed domains as presented below (right side).

Figure 7: Suspicious domains and pages found in a large volume of servers.

At the first glance, a specific management page and plugin were found. Both the pages are in the Chinese language and developed by Chinese authors, but the server itself is hosted in the USA. As this software and the data extracted from the whois points out to Chinese references, we believe this could explain the origin of this campaign. Let’s confirm it later.

Figure 8: Specific management tool and plugin found in the Chinese language.

3. Home-made CMS artifacts found (Chinese xrefs again)

Taking a first look at the online store disseminated in Portugal in 2022, some pt/br words were found but with no sense. This can reveal that probably a non-Portuguese speaker translated these pages through an online translator without additional validation. “Socorro” is an attempt to translate the English word “Help” into Portuguese. The right word would be “Ajuda”.

Figure 9: Non-sense words found on the malicious template.

Digging into the source-code details, strain resources related to the “jeanniebalkwill6” user and a free and private CDN were found. This is a resource also observed on other active domains disseminated by this threat group. After a quick search, some publications and references on a GitHub page and referring the files are linked to malicious scams were found. In short, a private CDN via jsdelivr.com was created to dynamically distribute the content to the various malicious stores (CDN_URL/jeanniebalkwill6/webapp2.0).

At the time of analysis, the jsdelivr CDN security team had already blocked the malicious user: jeanniebalkwill6. More details can be seen below.

Figure 10: Malicious references to a CDN resource loaded on the malicious templates.

Digging into the details, this resource is shared on the source code of online stores since 2020. As presented below, another point of analysis was found on the jsdelivr’s GitHub repository, highlighting, thus, potentially malicious content. As observed, the used template is the same as seen in Figure 9 above; with minor changes only related to the target brand.

Figure 11: Malicious IoCs reported in August 2021 and linked to the ongoing campaign.

The home-made CMS used to support this mega campaign was found on GitHub. Two contributors can be identified: jeanniebalkwill6 and oophzh, and a lot of Chinese comments on the project commentaries. In fact, this can reveal the native language of the potential threat actors.

Figure 12: Homemade CMS found on GitHub and its developers.

Downloading and matching the local repository with the online stores, we found the files are the same. This is a clear sign this is, in fact, the homemade CMS used to carry out all the malicious operations. As observed below, the images found on the analyzed store match the local ones, including the JavaScript files among others.

Figure 13: Images available on the online stores match the files obtained from the GitHub repository.

As can be seen below, all JavaScript files and their structure were also identified on the online stores.

Figure 14: GitHub JavaScript files are the same found on the online stores.

It is also interesting to note the string files that will populate the HTML files. Part of the files with the strings in Portuguese and English are shown below. Also, the JSON file with the store available languages is presented.

Figure 15: String files and their content available on the GitHub repository.

Next, all the JavaScript responsible for orchestrating all the web page features are presented below.

Figure 16: Homemade CMS JavaScript files found on the GitHub repository.

4. The authors behind the stage

Regarding the two collaborators identified in the GitHub project, the “jeanniebalkwill6” handler is associated with the private CDN user account that dynamically distributed the files to the online stores. Taking a look at the “oophzh” user, the source code of soccer online stores and related to the “jeanniebalkwill6″ GitHub repository was observed.

Figure 17: Source-code of soccer stores is the same found on the first repository.

Once again, a thread on the jsdelivr GitHub repository is identified, announcing problems with a project created by oophzh. As can be noticed, “You are hosting fake e-shops and using jsDelivr to serve content. This is fake Pandora for example“; a clear sign this user is using the same modus operandi (see the used template below – very close to the one analyzed in this article).

Figure 18: Thread announcing the blocking of a malicious CDN user linked to the homemade CMS and fake online stores schema (doraide.]net and joyeriachile.]online).

Digging deeper, it is possible to identify some accounts associated with the handler and verify the primary yahoo email is linked to the Chinese TLD (.cn). In addition, the recovery email is also linked to a Chinese provider. As a way of corroborating the author’s origin, we can see the email accounts were leaked in different Chinese data breaches, potentially confirming the origin of this massive scam.

Figure 19: Threat actor email account and data breaches (IHaveBeenPwned).

Moreover, from the analysis of the exfiltrated details depicted towards the end of this article, it is possible to extract accounts and test orders potentially carried out by the threat author in order to test all the environment. From the data, some fields are highlighted below.

In detail, two residential IPs addresses were found and geolocated in China, Hubei. Both the orders are associated with the “Wuhan” city on the shipping address. The IP geolocation “27.16.214.34” is from “Hubei, Wuhan”; a clear sign that the IP addresses could be the real ones used by threat actors.

Figure 20: Potential details about the threat actor origin.

In order to corroborate this point of analysis, we decided to collect test accounts from several online stores. The approach is quite simple: just collecting test orders used by criminals before launching the online store in the target country. As observed below, from three different domains launched in different countries on August 2021, November 2021, and February 2022, the test emails used by threat actors are the same and the origin IP addresses are from Hubei, Wuhan.

Figure 21: Test accounts created by threat actors to test the online shopping website before starting the new campaign on the target country.

Going back in the analysis, and looking again at Figure 5 and the Whois details associated with the email “jerribbory@gmail.]com” – where we didn’t get any details before – the geolocation added by the registry admin is also the Hubei region/province.

Registry Admin ID: Not Available From Registry
Admin Name: lumou
Admin Organization: payyoo
Admin Street: dsadfadfdafg 604292528
Admin City: hubeids
Admin State/Province: Hubei
Admin Postal Code: 430417
Admin Country: CN
Admin Phone: +86.18695956630
Admin Email: [email protected]

By using the Postal Code above: 430417, it seems linked to the Wuhan city again, the place extracted from the residential IP addresses and also from the shipping addresses from the orders. In sum, this can be a strong indicator pointing out the origin of the threat actor under analysis.

5. The work-flow of the malicious stores

Returning to the online store itself, when the end-users visit the online store, they are faced with very attractive discounts – up to 79%. The shopping platform looks common store, and to acquire a new item the victim needs to create a new account, using an email and password combination.

Figure 22: Details about the online store and the authenticated portal.

Next, other details are required, namely the shipping and billing addresses in order to complete the order payment – a process very similar to legitimate stores. In addition, the victim will also find the status of their orders and the tracking code of the package on the personal area.

Figure 23: Shipping details required during the new order process.

A PHP API is used to control all the movements between the malicious environment, and to send and received data from a MySQL database cluster as well.

Figure 24: Details about the online store and its API requests.

6. The middleware system

After some steps, the payment page is exhibited. Here, the victim needs to add the payment details, namely the credit card number, date, and CVV code.

Figure 25: Landing page where the payment details are required.

From this point, the online stores communicate with an intermediary system that will handle sensitive information about the specific transaction. Figure 26 shows one of the interactions between the API and an external system geolocated in Hong Kong.

Figure 26: Transaction details sent to a specific endpoint during the payment process.

On the other hand, the middleware system is randomly and depends every time on the target store and country where the campaign is disseminated. The endpoint responsible for selecting the middleware endpoint is “api/payment“. The next images depict the described scenario.

Figure 27: API endpoint responsible for selecting the target middleware system depending on the target store and country.

We noticed that sometimes a request to the “api/tobank” endpoint occurs in different stores we analyzed. This request revealed some malicious addresses used by criminals and a webhook where a personalized callback is invoked; maybe a notification sent to the criminals’ side.

https://ssl.payment.imdpay.com/payment/api/getLuResp?tradeNo=
http://8.214.107.195/ (tomcat)
http://8.214.107.195:8099/core_trans/trans/purchaseNotify/P670002.do

Figure 28: Aditional endpoints extracted from the performed analysis.

At this point, the middleware system uses an online payment service to validate the credit card details and conclude the transaction. Some services are used, including Stripe, pay.aletapay.com, among others. In the case of Stripe (right-side below), specific resources and callbacks can be found on the page source code.

Figure 29: Target online payment system invoked by the middleware system.

6. The ‘tracking’ platform for package tracking

After a well-succeeded payment transaction, the victim receives a notification with the package tracking code. With this mechanism in place, criminals aim to make the process as legitimate as possible.

A specific and malicious platform (17orderstrack.com) was created to control all the tracking processes. This fake platform takes advantage of the 17track.net legitimate API to exhibit the tracking details as presented below.

Figure 30: Malicious tracking APP based on the 17track.net API.

As can be seen, the package is real, and tracking information is also available. The package is always sent from China, maybe from target cities selected by threat actors in advance.

In detail, the function that invokes the API of the legitimate tracking system: 17tracking.net can be observed on the page source-code.

Figure 31: Source-code responsible for invoking the legitimate tracking app – 17track.net).

By analyzing the page source code, we found an interesting URL as highlighted below (myordertrack.club). In detail, this piece is an exact replica of 17orderstrack.com used in campaigns of this line at the end of 2020.

Figure 32: Malicious page to track orders by abusing the 17track.net API (December 2020).

As explained, the package is sent by criminals to the target destination, but not clothes inside, only a lot of junk. Some images extracted from the PortaldaQueixa.com website (a Portuguese complaint portal) are presented below. The images are translated from Portuguese to English.

Figure 33: Screenshot of the Portuguese complaint portal with pieces of evidence from victims.

Another point of interest related to this scam are the complaints sent by victims to different online stores stating the packages never arrived, or when they do, they come with a different product that was not what the victims ordered.

Figure 34: Complaints sent by victims stating the packages never arrived.

6. Scam by numbers

Details were collected from the malicious stores available on the Internet between 20 and 25 March 2022. This point of analysis is crucial to learn about the number of victims caught in the scam – and a lot of stores still active worldwide (about 700 online stores).

In order to make users aware of the scam, print screens of some online stores and associated brands were collected. If you recognize one of these templates, then you may have been caught in the fraud.

[The complete list of screenshots with high-resolution can be accessed here.]

In order to understand the potential damage of a simple online store of this line, we decided to analyze the details collected from the store under analysis: leftshop.ru. This malicious store has been disseminated in Portugal.

Figure 35: Part of the collected details from the leftshop.ru online store.

From the details extracted, we can see that 5.149 orders were completed in this specific domain. However, the number of affected users present in the database is only 2.593. We believe this can be a clear sign that several users have ordered products several times due to their low prices.

The total spent only on this single scam is brutal: 113.273 euros. Grouping victims by the Portuguese cities based on the orders’ addresses, we can see the most impacted cities: Lisbon with 541 victims, followed by Porto (433) and Braga (204).

Figure 36: Numer of orders, victims, and total paid on the leftshop.ru in Portugal.

The following geomap shows the distribution by country of the affected victims and that actually concludes the payment process (label: paid victims). The details were captured from a total of 227 active stores between 20 and 25 March 2022.

Geomap of victims by country

Regarding the data presented on the geomap, the most affected countries are: Italy (IT), Chile (CL), Portugal (PT), France (FR), Colombia (CO), Mexico (MX), and Spain (ES). The next graphs depict the volume of victims by country (1st graph) and the victims who finished the payment process and received the package tracking code.

Victims by country

Victims who finished the payment process

Looking at the “Victims who finished the payment process” graph, we can see the TOP of affected countries is composed of: IT with 45% from the total of victims, CL – 31.9%, FR – 9%, and PT 6.1%.

The next graph presents a relation between the “Total victims” vs “Paid victims“: who actually finished the payment process and spent a lot of money.

TOP of the total of victims grouped by country

The victims spent a total of 1 511 674 euros on this massive scam (only on 227 stores); grouped by country below. Notice that only the “paid/verified transactions” (paid victims label above) were taken into account for the next graph.

Total money spent and grouped by country

During this campaign, criminals captured sensitive data from thousands of users, at least in the 227 stores analyzed. In addition to full names and addresses, also their phone numbers, emails, and passwords were observed.

In this sense, we decided to compile all emails and phone numbers captured by criminals through this massive scam, and create a tool that allows users to validate if the data is now in the criminals’ tentacles.

https://tools.seguranca-informatica.pt/st0r3_sc4m_l34k_ch3ck3r/index.php

In reference to this tool, emails and phone numbers are not directly stored in raw format. Instead, a SHA256 hash is calculated for each record, thus guaranteeing data confidentiality principles.

Final Thoughts

Online scams related to stores are on the rise since the end of 2020, a trend probably related to the Covid-19 pandemic situation. In this sense, analyzing whether the online stores we visit are official and reliable by doing a simple search is the key for fraud detection early.

RTP – A Prova dos Factos – Páginas clonadas (malicious schema report from RTP Portugal)

Last but not least, all the malicious indicators were submitted to 0xSI_f33d – a feed that compiles malicious campaigns and an official VirusTotal ingestor.

Thank you to all who have contributed 😉
@RazoesSergio (In)
@DenunciaBurlas

Database tables diagram (MySQL 8.0)

Indicatores of Compromise (IoC)

Addition IoCs will be added to the 0xSI_f33d next few days.

172-105-152-27.ipv4.nknlabs.io
17ordertrack.com
198.144.177.83 
8.214.107.195
abitiacquista.shop
abitibimbi.online
abitibimbo.online
abitisetit.online
abititalia.shop
acshop.online
adolot.shop
alcotitonline.shop
alcottabiti.online
alcottit.online
aleiasale.online
alineaoutlet.online
alveromaritshop.online
alveromartiborse.online
alviermartinit.online
alviermartisaldi.shop
alvieromartinishop.online
amadsoldsfr.shop
amemus.net
amemus.shop
amemusale.shop
americajeans.shop
americanin.shop
ampcarteras.online
amphoutlet.online
armadventes.shop
armandtsoldes.online
arzapato.online
asicourres.shop
auth.baithub.me
azamoda.online
azamoda.shop
baaobolsa.store
baarhmtim.online
babylisaldi.online
babynegozio.online
bambininegozio.online
bambinitkids.website
bambinitoutlet.ru
bambinoutlet.com
bameoutlet.online
bassecopripium.shop
bassetlsale.online
bassttlenzuolo.website
batait.online
batasales.online
batascarpe.online
batofertas.online
batzapatilla.online
bebestienda.online
benettonshop.online
berksaloita.online
berksalopt.ru
bershoutlet.ru
berslakoff.shop
berxikaldi.online
bimbaybolsa.shop
biomecanicshop.online
biozapatos.online
blkidsonline.shop
blubambina.online
bluekidshop.online
bluitchild.online
blukidonline.shop
blukidsaldi.online
boboutlet.shop
bocgevente.shop
bogguomo.ru
bolsogabes.online
bolsosmoda.shop
boom.shoes
boostaudio.online
borsesaldi.shop
bostbuds.com
bostines.shop
bracciaborse.shop
braccialegifts2019.it
braccialepandorait.it
brahaarco.store
brahbotas.online
brahtishop.online
bramhaco.com
brooksit.online
brookspresa.online
brumsaldi.online
brumsshop.online
brunorebajas.online
bskrvendas.website
buabmochilas.shop
bubagsale.shop
bvvabs.com
bylbagoutlet.shop
ca.etechcrafts.com
cachaoutlt.online
cachersodle.online
cafenoit.online
cafesaldi.online
calzadonina.shop
calzeonline.shop
calzeoutlet.online
calzeptonline.shop
calzesoldes.online
camavetements.shop
camomsaldi.online
cannonplumones.online
carhartt-wipit.online
carharttsaldi.co
carharttvip.online
carharttvip.shop
carterasale.online
casaideashop.online
casaquecchia.it
casasaldi.online
casasale.online
catzapatos.online
catzapatos.ru
cavalimalas.online
cavalinbolsas.online
charmcheese.com
charmit.online
charmsit.shop
charmsnfansnz.com
chiccoit.online
chsyngsale.online
cmausoldfr.online
cmpoutdoor.online
cmptrekking.online
cmsandalias.shop
cmshoes.online
cmzapatos.shop
coajanuary.shop
coccinoutlet.online
colikyoutlet.store
colkyninos.online
colokinfantil.online
colokinfantil.shop
colokychile.shop
comprarwayuu.online
cqmbag.com
crocepromotion.shop
crosiesandalias.shop
cryzapatos.online
daniellington.shop
dataoutlet.online
dczapatos.shop
deborahagnello.it
deitecl.com
digitalepd.online
dixiecappotti.shop
dmartenshop.online
dmitboots.website
dmrbottes.online
doitechile.shop
doiteoutdoor.online
doracl.co
doraeit.com
dorainz.co
dorait.co
dorait.ga
doraitr.co
doraitt.com
doraitu.co
doralit.net
doraloveit.shop
doraluk.net
doraoit.shop
doraoit.top
dorasale.co
dorauit.net
dorauit.online
dorauk.ru
dorauks.shop
doravit.co
dotaoutlet.online
doudounesale.store
drmartensstore.online
dunoutlet.online
eastvente.online
edredoesmx.online
edredoneshop.online
elisabesaldi.online
eraremise.online
esalbotas.online
esmayoral.online
estrekking.com
etechcrafts.com
feracheroupa.online
fexcalzado.shop
flexiszapato.online
flipflopsdedo.online
flipflopsvenda.online
funmoda.co
fursaldi.online
fvsbag.com
gabelcasa.online
gabsbagshop.online
gabsit.online
gabsnuevas.shop
gabssale.online
gabsshop.online
galesaldi.online
garris.shop
geoarkarredamenti.it
geostore.shop
geoxit.shop
geoxoutlet.online
geoxsapatos.ru
geoxscarpe.ru
gerstours.com
giaccasaldi.online
giacchesaldi.online
giaccheshop.online
giftsjewelrywatches.com
gioielleriadora.co
gioiellerialove.ru
gioiellialove.com
gioiellialove.shop
gioiellieterna.online
gioielliisaldit.zyrosite.com
gioielliit.online
gioiellionline.zyrosite.com
gioiellioutlet.online
gioiellisaldi.online
gioszapatos.shop
gobstore.online
goldenrun.online
gorrasoutlet.online
gorrasoutlet.shop
gorrasrebajs.online
gotazapatos.online
gottaoutlet.shop
gottcareg.online
gottines.online
gottrebajas.shop
goxsapato.shop
goxscarpa.shop
goxzapato.online
gozscarpe.shop
gssport.online
guesaldi.online
hanvciabatte.online
havaianasit.ru
havaianassale.online
hdshop.online
hgscarpeit.online
hhoutdoor.online
hhshop.online
hhyropa.online
hllehatie.online
hokoutlet.online
hokscarpe.shop
homeostcolombia.online
http://8.214.107.195:8099
http://ww1.myordertrack.club/
http://www.chanzapatos.online/
https://casaoutlets.online/
https://cdn.jsdelivr.net/gh/jeanniebalkwill6
https://kicfr.shop/
https://pay.aletapay.com/
https://quanitoni.online/
https://ssl.payment.imdpay.com
https://www.catbotiens.online/
https://www.catmienfant.online/
https://www.gerstours.com/
https://www.kiplbolsos.online/
https://www.linvosgfr.shop/
https://www.lippioutlet.online
https://www.myordertrack.club
https://www.ossiroupa.ru/
https://www.sandaliasale.online 
https://www.tommioutlt.online/
https://www.veachausure.online
hutboots.online
igeaminiere.it
igi.jszrsf.com
igiecomoda.online
igiecomoda.ru
igisneakers.online
iksvente.shop
imhomeoutlet.website
inbluit.online
infraditosale.online
innaitdit.online
intimissaldi.online
intimissioulet.online
intimissioutlet.online
intimissnisaldi.online
invernoscapre.online
ipanemaoutlet.shop
itcheap.onlinesale2020.com
iteastpaksaldi.co
itflipflops.online
itgeoxshop.online
itregaloshop.online
itsaucony.online
itsuperga.shop
ittabiti.online
ittabiti.shop
ittrekking.online
jewelrydora.co
jokchaussures.online
joyasbaja.online
joyeriavelo.online
kasannaidi.online
kasanvasaldi.online
kasenavoutlet.online
kazarsklep.online
kelprofesseur.com
kenkezaini.online
kickeshoes.online
kickeshoes.shop
kidsbotas.online
kiplgoutlt.online
koakropa.online
koalsaleco.online
leftionline.shop
leftshop.online
leftshop.ru
leonardoalimandi.it
leonisoutlet.shop
leouisales.online
levinegozio.shop
li2068-27.members.linode.com
linvosgfr.shop
lippicalzado.online
lipplzapatillas.shop
lippoutlet.shop
lippoutlet.website
liuborse.online
liujoit.com
liujoshop.top
lollatravel.com
lolleepups.com
loreleycamp.com
loveait.com
lovedorait.shop
lovefes.com
loveitd.com
loveoit.com
lovepanfro.com
lovepanite.com
lpiplsport.shop
luisabluse.online
luisapull.online
maisonoutlet.shop
maisonsmeuble.shop
maisonsoldes.online
maisonsoutlet.online
malasparfois.online
marelabiti.online
martens-portugal.com
martinfr.shop
martiniborsa.online
martinsit.shop
marypazapatos.online
maxcabiti.online
mayoralbebe.ru
mayoralit.ru
mb.amemus.net
mb.amemus.shop
mb.amemusale.shop
mb.armandtsoldes.online
mb.boom.shoes
mb.boostaudio.online
mb.bostbuds.com
mb.ca.etechcrafts.com
mb.charmcheese.com
mb.charmsfans.com
mb.charmsnfansnz.com
mb.digitalepd.online
mb.etechcrafts.com
mb.ofinyonline.shop
mb.uippioutdor.online
mb.uootootech.online
mb.vyaniteshop.online
mdotoisddfr.shop
melisassandali.shop
melissashop.online
meubleshop.online
mganoutlt.online
mizunosports.online
mobilimaison.shop
mochilrebajas.online
modanuovo.online
modasale.online
mondeonline.shop
mujersmoda.shop
mussirebajas.online
mxubag.com
myroupadormir.shop
mysneakerspt.shop
nafnarobes.online
nannashop.online
napajacketsaile.shop
naturalistashop.online
nboutlets.online
nbptzapatos.online
nbscarpeshop.online
nerogiacarpe.online
nerogiardinit.shop
nerogiardni.club
nerogiardni.online
nerogierdini.online
nerogierdini.ru
neroscarpe.online
neroscarpe.shop
neroscarpeit.online
newbalancefr.online
nloutlet.online
nouveaupulls.online
nuovascarpe.online
oefmeib.com
offertepandoragioielli.it
ofinyonline.shop
oltronline.shop
oltroulet.online
ompscarpe.online
ossiroupa.ru
outdorequipcl.online
outlet.liujoit.com
ovsshop.online
pablosoutlet.online
panamajacks.online
pandora-outlet-italian.com
pandora-store-outlet.net
pandoracharmssitoufficiale.com
pandoraciondoligifts.it
pandoracollanegifts.it
pandoracollaneprezzo.it
pandorastoreitalia.com
pandoraukscharms.com
panfits.com
panieo.com
paninz.com
panitl.com
panitw.com
panlit.com
panlits.com
panuit.com
panvits.com
panxit.com
patchaussures.online
patrizisaldi.shop
pcharmsaldi.co
pennydonna.online
peperebajas.shop
petibatianfr.shop
petitkids.shop
peutereyshop.online
piazabbigliamento.online
piquadrosite.online
pittbotines.online
poyesharghamaria.com
pranainfinito.com
primasales.online
primigiit.online
primigisaldi.online
primigisaldi.ru
primigisale.online
primigiscarpe.online
primigishop.online
primisale.store
primishop.shop
priscarpe.co
pullabiti.shop
punbag.com
pyramidenwerkstatt.com
qyducf.online
raffaninivetefisio.it
reconditearmonie.it
risantettit.shop
rmlbag.com
robesoldfr.online
romaoutlet.online
romashoes.online
ropacama.online
ropacorebaja.online
ropainfantcl.online
ropapolo.online
ropastore.online
ropastudio.shop
roupasalept.online
runchaussures.ru
runningfun.ru
runshoesnb.online
sacchetto.online
sacpakshop.online
saldinapa.online
saldipandora.com
saldithunit.online
saldithunly.shop
sale.goodthenf.shop
saleitwoutlet.online
saleitwoutlet.shop
salewitoutlet.online
salomofr.shop
salomoit.shop
salomonden.online
salomonit.shop
salomonite.online
salomoutlet.online
samitesuitcase.shop
samsonitedeals.online
sandalibambini.online
sandalivendita.online
sandalosummer.online
sauconyescarpe.online
sauconyoit.online
saucoscarpe.online
scarpaestiva.online
scarpebambini.ru
scarpedonna.online
scarpeestive.online
scarpeoutlet.store
scarpesuper.online
scuolartemusica.it
sdffrq.com
sebastianjeffs.com
sergentshop.online
sergentvendre.shop
sevenegozio.ru
shoesupega.shop
shopzaino.ru
skbbag.com
skeohersmy.online
skescarpe.shop
sktzapatos.online
slhcil.com
sonianadeau.com
speedcrossit.online
sportintimo.online
stahnke.it
stonefelpe.shop
stoneislandshop.online
stonesaldits.online
stopjeasale.online
strabiti.online
stradiiver.shop
stradionlin.shop
stradivcoutlet.online
stradivonline.shop
stradivoutlet.shop
stradivpt.online
stradivpt.shop
stradivrebajas.online
stradivroupa.online
stradivshopt.online
stradivsoldesfr.online
stradropas.online
stradsales.online
strajeans.online
strasidvus.online
studfashion.shop
studionline.shop
sun68outlet.online
supegasaldi.shop
supergait.co
superganegozio.online
superyuk.online
suscarpeit.online
szapatosk.online
tasaitalia.it
terraventure.tk
tezenesuits.online
tezenisaldi.store
tezenisoldes.shop
tezenitalia.shop
thergvfoodster.com
tiendzapatos.shop
tiffportug.online
tifonlene.online
tifosiipt.online
tifosioutlet.shop
tifoutonlin.shop
timberbottes.com
timsbootsale.com
toutiaotg.com
triumoutlet.online
tuffsalpt.online
uippioutdor.online
umbmoda.online
umbmoda.shop
umbulsas.online
uootootech.online
upimsale.online
vertbaudetshop.online
vestesoldes.website
vesticonbi.online
vestitibaby.online
vestitibebe.online
vestitibebe.shop
vestitisaldi.online
vetemenbebe.online
vetemengo.online
vetementfr.online
vetementfrs.online
vetementsbaby.shop
vetementsvente.online
vicolaoutlet.online
vicolaoutlet.shop
vicoloutlet.shop
vidorzapatos.online
vyaniteshop.online
www.acshop.online
www.adolot.shop
www.alcottabiti.online
www.alcottit.online
www.aleiasale.online
www.alineaoutlet.online
www.alveromaritshop.online
www.alveromartiborse.online
www.amadsoldsfr.shop
www.amemus.net
www.amemus.shop
www.amemusale.shop
www.americanin.shop
www.amphoutlet.online
www.armadventes.shop
www.armandtsoldes.online
www.arturonline.shop
www.arzapato.online
www.asichoes.shop
www.asicourres.shop
www.azamoda.online
www.azamoda.shop
www.baarhmtim.online
www.babylisaldi.online
www.babynegozio.online
www.bambinitkids.website
www.bambinitoutlet.ru
www.bambinoutlet.com
www.bameoutlet.online
www.bassetlsale.online
www.batascarpe.online
www.batazapatos.online
www.batofertas.online
www.batzapatilla.online
www.beberopa.online
www.bebesald.online
www.bebesaldo.shop
www.berksaloita.online
www.berksalopt.ru
www.bershoutlet.ru
www.berxikaldi.online
www.bimbaybolsa.shop
www.bingohotmall.com
www.blkidsonline.shop
www.bluekidshop.online
www.boboutlet.shop
www.bogguomo.ru
www.bolsogabes.online
www.bolsosrebajascl.online
www.boom.shoes
www.boostaudio.online
www.bossioutlet.online
www.bostbuds.com
www.bracciaborse.shop
www.brahtishop.online
www.brumsaldi.online
www.bskrvendas.website
www.buabmochilas.shop
www.bylbagoutlet.shop
www.cachersodle.online
www.cafenoit.online
www.calzeonline.shop
www.calzeoutlet.online
www.calzeptonline.shop
www.calzesaldi.online
www.calzesoldes.online
www.camavetements.shop
www.carharttvip.shop
www.casaideashop.online
www.casasale.online
www.catbotiens.online
www.catzapatos.online
www.catzapatos.ru
www.cavalimalas.online
www.charmcheese.com
www.charmsfans.com
www.charmsnfansnz.com
www.chaussuresconfort.online
www.chsyngsale.online
www.ckoutlets.shop
www.cmptrekking.online
www.cmrebajas.online
www.cmshoes.online
www.coajanuary.shop
www.coccinoutlet.online
www.cocinacolombia.moda
www.colkyninos.online
www.colkytiendas.shop
www.colokinfantil.online
www.colokinfantil.shop
www.colokychile.shop
www.comprarwayuu.online
www.cqmbag.com
www.crocepromotion.shop
www.crocezapatopt.shop
www.cryzapatos.online
www.digitalepd.online
www.dmitboots.website
www.dogsmall.shop
www.doiteoutdoor.online
www.doracl.co
www.doraeit.com
www.dorainz.co
www.doraloveit.shop
www.doraluk.net
www.dorauit.net
www.dorauit.online
www.dorauk.ru
www.dorauks.shop
www.drmartensstore.online
www.dunoutlet.online
www.eastvente.online
www.edredoesmx.online
www.edredoneshop.online
www.elisabesaldi.online
www.esalbotas.online
www.esmayoral.online
www.estrekking.com
www.etechcrafts.com
www.feracheroupa.online
www.flipflopsvenda.online
www.fvsbag.com
www.gabelcasa.online
www.gabsbagshop.online
www.gabsnuevas.shop
www.gabssale.online
www.gaceloutlet.ru
www.galesaldi.online
www.garris.shop
www.geoscarpe.store
www.geosneakers.store
www.gerstours.com
www.giaccheshop.online
www.gioszapatos.shop
www.gorrasoutlet.online
www.gorrasoutlet.shop
www.gorrasrebajs.online
www.gotazapatos.online
www.gottines.online
www.gottzapatos.shop
www.goxsneakers.online
www.goxzapato.online
www.gssport.online
www.guesaldi.online
www.guuessaldi.online
www.hanvciabatte.online
www.havaianassale.online
www.hgscarpeit.online
www.hhoutdoor.online
www.hhshop.online
www.hhyropa.online
www.hllehatie.online
www.hokoutlet.online
www.hokscarpe.shop
www.hutboots.online
www.igisneakers.online
www.iksvente.shop
www.imhomeoutlet.website
www.innaitdit.online
www.intimissioulet.online
www.intimissioutlet.online
www.itregaloshop.online
www.ittabiti.online
www.ittabiti.shop
www.jewelrydora.co
www.jewelrypro.online
www.joyasbaja.online
www.joyeriavelo.online
www.jstarsale.online
www.kasanoutlet.online
www.kazarsklep.online
www.kelprofesseur.com
www.kidsbotas.online
www.kipingbag.shop
www.koakropa.online
www.koalsaleco.online
www.lecoqoutlet.store
www.leftionline.shop
www.leonisoutlet.shop
www.levinegozio.shop
www.linvosgfr.shop
www.lippicalzado.online
www.lipplzapatillas.shop
www.lippoutlet.shop
www.lippoutlet.website
www.lollatravel.com
www.loreleycamp.com
www.lovedorait.shop
www.lovefes.com
www.lovepanfro.com
www.lovepanite.com
www.luisabluse.online
www.maisonoutlet.shop
www.maisonsmeuble.shop
www.maisonsoutlet.online
www.marelabiti.online
www.martinfr.shop
www.marypazapatos.online
www.marysandalias.store
www.mayoralbebe.ru
www.mganoutlt.online
www.mizuoutlet.online
www.mobilimaison.shop
www.modanuovo.online
www.mondeonline.shop
www.mussirebajas.online
www.mxubag.com
www.mycarbag.online
www.myroupadormir.shop
www.mysneakerspt.shop
www.nannashop.online
www.napajacketsaile.shop
www.naturalistashop.online
www.nbptzapatos.online
www.neragiardinit.shop
www.nerogiacarpe.online
www.nerogiardinit.shop
www.nerogiordni.shop
www.neroscarpe.shop
www.nloutlet.online
www.nonmechaussures.online
www.nouveaupulls.online
www.ofinyonline.shop
www.oltroulet.online
www.ossiroupa.ru
www.outdorequipcl.online
www.pablosoutlet.online
www.panamajacks.online
www.panieo.com
www.paninz.com
www.pashoes.shop
www.peperebajas.shop
www.petibatianfr.shop
www.petitkids.shop
www.poyesharghamaria.com
www.pranainfinito.com
www.primasales.online
www.primisale.store
www.primishop.shop
www.punbag.com
www.pyramidenwerkstatt.com
www.rinasoutlet.online
www.risantettit.shop
www.romashoes.online
www.ropacorebaja.online
www.ropainfantcl.online
www.ropaoutletes.store
www.ropapolo.online
www.ropastore.online
www.roupasalept.online
www.runchaussures.ru
www.runshoesnb.online
www.saldithunly.shop
www.saleitwoutlet.online
www.saleitwoutlet.shop
www.salewitaly.online
www.salewitoutlet.online
www.salomofr.shop
www.salomonden.online
www.samitesuitcase.shop
www.samsobagcl.shop
www.sandaliasale.online
www.sandaliasrm.online
www.sapatosport.shop
www.saucoscarpe.online
www.scarpesupega.shop
www.sdffrq.com
www.sebastianjeffs.com
www.sergentshop.online
www.shoesupega.shop
www.skescarpe.shop
www.sonianadeau.com
www.sonnybob.online
www.sportintimo.online
www.sportzapatos.store
www.stonesaldits.online
www.stopjeasale.online
www.strabiti.online
www.stradiiver.shop
www.stradionlin.shop
www.stradivcoutlet.online
www.stradivonline.shop
www.stradivpt.shop
www.stradivrebajas.online
www.stradivshopt.online
www.stradivsoldesfr.online
www.stradsales.online
www.strajeans.online
www.studfashion.shop
www.studionline.shop
www.sunnybob.shop
www.sunscarpe.shop
www.supegasaldi.shop
www.suscarpeit.online
www.szapatosk.online
www.tezenesuits.online
www.tezenisonline.store
www.thergvfoodster.com
www.tiffportug.online
www.tifonlene.online
www.tifosiipt.online
www.tifosioutlet.shop
www.tifoutonlin.shop
www.timberbottes.com
www.timsbootsale.com
www.todopieloutlet.online
www.triumoutlet.online
www.tuffsalpt.online
www.uippioutdor.online
www.umbmoda.online
www.umbulsas.online
www.uootootech.online
www.upimsale.online
www.uppioutdoor.shop
www.vertbaudetshop.online
www.vestesoldes.website
www.vetemenbebe.online
www.vetemengo.online
www.vetementfr.online
www.vetementfrs.online
www.vetementsbaby.shop
www.vicolaoutlet.online
www.vicoloutlet.shop
www.vidorzapatos.online
www.vyaniteshop.online
www.wamujer.store
www.xdzbag.com
www.xiaogongchan.com
www.xjjmrl.com
www.xmuichsales.online
www.yamawomany.shop
www.yeeglasses.online
www.ymamyeit.online
www.zapatillasfutbolsala.online
www.zapatillasport.online
www.zapatocro.shop
www.zapatoplues.online
www.zapatoschile.online
www.zapatosrm.online
www.zapatoutlei.shop
xdzbag.com
xiaogongchan.com
xjjmrl.com
xmuichsales.online
xplaza.it
yamastore.online
yamawomany.shop
yamcostumi.online
yilmazlarinsaatemlakistanbul.com
ymamyeit.online
ynotborse.online
yntborsetta.online
yveniese.com
zapatillasfutbolsala.online
zapatillasport.online
zapatocro.shop
zapatoplues.online
zapatoschile.online
zapatosrebajaa.shop
zapatosrm.online
zapatoutlei.shop
zeppascarpe.online
zeppascarpe.ru
skullivansisland.com/wp-payment.php
gioiellilove.shop