Summary
Malicious schemes linked to online stores are on the rise in 2022. Criminal gangs from China have been using copies of the online stores of popular brands to trick victims all over the world. The targets of this massive campaign are online stores geolocated in different countries, including Portugal, France, Spain, Italy, Chile, Mexico, and Colombia, among others. The campaign has been active since late 2020 but gained momentum in early 2022, with thousands of victims affected. Portuguese Internet end users have also been impacted, which was the principal motivation for carrying out this research.
Figure 1: Active domains behind the malicious online stores at the time of analysis (21-03-2022). The shopping platforms are available on servers geolocated in the USA, The Netherlands, and Turkey (ZoomEye).
As observed in Figure 1, 617 active shopping platforms were identified worldwide, 562 created in 2022. The servers are located in three countries: the USA, The Netherlands, and Turkey. However, other servers and online stores were also identified during the research. The complete list of IoCs with more than 1k malicious entries is provided at the end of the article.
The high-level diagram of this campaign is presented below, with a graphical representation of the different steps and actions carried out by criminals.
Figure 2: High-level diagram of the malicious stores’ scam disseminated around the world and impacting thousands of victims.
A new campaign typically starts with the authors pushing the malicious domain to the top of Google search results through digital ads (Google Ads), as shown in Figure 2 for the Lefties clothing store scam disseminated in Portugal in 2022. After some days, users are hit as the malicious URL appears at the top of searches. In specific cases, ads were also found on the Instagram and Facebook social media platforms.
The content of the malicious websites (clones of the official stores) is based on a static Content Management System (CMS) and a PHP API that communicates with a MySQL cluster in the background. Some artifacts and development commits related to the static CMS can be found in a GitHub repository belonging to the criminals (analyzed towards the end of the article). In detail, the criminals put some effort into developing a generic platform that could serve a mega operation at a large scale, where small tweaks of images and templates allow the code to be reused for different online stores. As a result, all the observed stores use the same code with different templates according to the target brand. As mentioned, the store is also equipped with an API that communicates with a MySQL database cluster where all the victims’ data is stored, including:
- Name (first and last)
- Complete address (street, zip-code, city, and country)
- Mobile phone
- Password
- Credit card information (number, date, and CVV); and
- Details about the order and tracking code of the package.
As usual, this Personally Identifiable Information (PII) can be utilized later by criminals to leverage other kinds of campaigns. In order to prevent this type of scenario, we provide a tool that allows you to validate if victims’ information is now in the wrong hands.
In addition, the middleware websites hosted on another domain receive the payment data during the payment process and try to complete the online transaction on several online payment systems such as Stripe. If the transaction is successfully completed, the response message from the payment system is sent to the middleware platform responsible for sending the “HTTP-response” back to the online store that is executing the payment transaction. After that, a tracking code is sent to the victims’ side in order to follow the package.
The package tracking platform is also created by the criminals and embeds part of a legitimate platform: 17track.net. This whole process is aimed at creating a fully controlled scenario that looks very close to a legitimate system, but in the end the victim actually receives a package containing garbage rather than clothes.
Key-findings
- Criminals use Google, Facebook, and Instagram Ads to boost their scams.
- After a few days, malicious domains appear at the top of Google searches or on social media platforms.
- Victims are deceived.
- Home-made CMS is used to create all the malicious stores (with a PHP API and MySQL cluster).
- The middleware platform is responsible for establishing communication between the malicious store and the online payment platform during the payment transaction.
- The victim receives a package tracking code and is tricked into visiting a malicious website to track the order.
- The package may arrive, but with garbage inside instead of clothes.
Technical details
The details of this analysis are presented below.
1. Bad Ads: slingshot the threat onto the top
The malicious chain starts with the acquisition of an Internet domain very similar to the legitimate one – a technique known as domain typosquatting. Although hundreds of malicious domains related to this mega campaign were collected (and also shared at the end of the article), we decided to focus this research only on the following pieces: “leftshop[.]ru” and the replica “leftionline.shop” – which intends to imitate the Lefties’ official store in Portugal. It should be noted that the modus operandi of the other campaigns is very similar; only the domains of the target stores, the domains of the middleware platforms, and the online payment systems change, and these are selected randomly during the transaction process and depend on the target country.
As can be seen, the first domain belongs to the Russian TLD .ru; we have been observing an increasing use of this TLD, as well as of servers geolocated in Russia, to host malicious campaigns disseminated in Portugal. A trojan banker detected in the last month, the phishing campaign that has targeted banks in Portugal for at least the last 3 years, the Lampion trojan C2 server, and the Maxtrilha trojan are just some of the threats active in Portugal in 2022 and hosted on servers geolocated in Russia.
As mentioned, the success of these kinds of malicious movements relies on advertisement campaigns. Criminals are using this approach to put their scams on the top of the Google searches as observed in Figure 3 below.
Figure 3: Malicious advertising appears in the 1st place when searching by the specific clothing store in Google search engine.
As can be seen, the malicious Ad appears in the 1st position after a quick search, followed by the legitimate Ad and the official online store. This is a clear sign this modus operandi is working, and a few days later the victims will fall into the tentacles of cybercriminals.
2. Sniffing out the criminals’ steps
Taking the domain “leftshop[.]ru” as a basis for analysis, it was possible to conclude that the same server (185.150.2.52) geolocated in Turkey, Istanbul, hosted other pages operated by the same group. As mentioned in Figure 1, criminals are just using web servers geolocated in the USA, The Netherlands, and Turkey to host their malicious stores.
- leftshop.ru
- kiplbolsos.online
- yamawomany.shop
- robesoldfr.online
- qituatt.com
Figure 4: Malicious web-server geolocated in Turkey and hosting more domains operated by the threat group.
By using the same approach on a large scale, we identified hundreds of domains hosting copies or clones of legitimate online stores. These domains are used on a worldwide scale and disseminated in several countries, including Portugal, Spain, France, Italy, Chile, Colombia, and Mexico, among others.
Looking closely, it was possible to observe an email account associated with the domain’s SOA record RNAME. In detail, a DNS SOA record indicates who is responsible for that domain. The ‘RNAME‘ value here represents the administrator’s email address.
Figure 5: SOA RNAME email address found. No results were found.
For a promising beginning, nothing better than starting without results. However, using the same approach on other domains, an interesting email address is found. From this point, identifying hundreds of active malicious domains, the threat origin, the potential authors behind the scene as well as other IoCs was possible. As observed, Chinese references are found, namely a reference to the Hubei province in China, and the postal code associated with the Wuhan city. Take note of these indicators, as they will be an object of analysis later.
Registry Registrant ID: Not Available From Registry
Registrant Name: lumou
Registrant Organization: payyoo
Registrant Street: dsadfadfdafg 604292528
Registrant City: hubeids
Registrant State/Province: Hubei
Registrant Postal Code: 430417
Registrant Country: CN
Registrant Phone: +86.18695956630
Registrant Email: jerribbory@gmail.com
Registry Admin ID: Not Available From Registry
Admin Name: lumou
Admin Organization: payyoo
Admin Street: dsadfadfdafg 604292528
Admin City: hubeids
Admin State/Province: Hubei
Admin Postal Code: 430417
Admin Country: CN
Admin Phone: +86.18695956630
Admin Email: jerribbory@gmail.com
Registry Tech ID: Not Available From Registry
Tech Name: lumou
Tech Organization: payyoo
Tech Street: dsadfadfdafg 604292528
Tech City: hubeids
Tech State/Province: Hubei
Tech Postal Code: 430417
Tech Country: CN
Tech Phone: +86.18695956630
Tech Email: jerribbory@gmail.com
Figure 6: Details extracted from the RNAME record.
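The SOA RNAME pivot described above can be automated as follows. This is an added example, not code from the original analysis: it decodes RNAME fields into mailbox addresses (including the escaped-dot case) and groups domains that share one. The sample records, the `.example` names and the `PROVIDER_DEFAULTS` filter are constructed assumptions.

```python
from collections import defaultdict

# Assumption: local parts that usually come from a DNS provider's default SOA
# and would otherwise cluster unrelated customers together.
PROVIDER_DEFAULTS = {"hostmaster", "dns", "dnsadmin", "root", "postmaster"}

# Constructed sample, shaped like `dig +noall +answer SOA <domain>` output.
SAMPLE_DIG_OUTPUT = """\
; constructed records, reserved .example names only
store-one.example.   3600 IN SOA ns1.dns-host.example. shop\\.admin.mail.example. 2022032101 7200 3600 1209600 3600
store-two.example.   3600 IN SOA ns1.dns-host.example. shop\\.admin.mail.example. 2022031801 7200 3600 1209600 3600
store-three.example. 3600 IN SOA ns2.dns-host.example. hostmaster.dns-host.example. 2022030501 7200 3600 1209600 3600
store-four.example.  3600 IN SOA ns2.dns-host.example. hostmaster.dns-host.example. 1 7200 3600 1209600 3600
unrelated.example.   3600 IN SOA ns.other.example. ops.other.example. 5 7200 3600 1209600 3600
"""


def rname_to_email(rname: str) -> str:
    """Decode an SOA RNAME into an e-mail address.

    RNAME stores the mailbox as a domain name: the first unescaped dot stands
    for "@", and a dot inside the local part is written as a backslash-dot.
    """
    name = rname[:-1] if rname.endswith(".") else rname
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])      # escaped character belongs to the local part
            i += 2
        elif ch == ".":
            domain = name[i + 1:]
            if not local or not domain:
                break
            return "".join(local) + "@" + domain.lower()
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"no mailbox separator in RNAME: {rname!r}")


def parse_soa_answer(line: str):
    """Return (owner_domain, admin_email) for one SOA answer line, else None."""
    fields = line.split()
    # owner ttl class type mname rname serial refresh retry expire minimum
    if len(fields) != 11 or fields[2].upper() != "IN" or fields[3].upper() != "SOA":
        return None
    try:
        return fields[0].rstrip(".").lower(), rname_to_email(fields[5])
    except ValueError:
        return None


def cluster_by_rname(lines):
    """Map each admin mailbox to the set of domains whose SOA names it."""
    clusters = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parsed = parse_soa_answer(line)
        if parsed:
            clusters[parsed[1]].add(parsed[0])
    return clusters


def pivot_candidates(clusters, min_domains=2):
    """Mailboxes shared by several domains that are not a provider default."""
    return {
        email: sorted(domains)
        for email, domains in clusters.items()
        if len(domains) >= min_domains
        and email.rsplit("@", 1)[0].lower() not in PROVIDER_DEFAULTS
    }


if __name__ == "__main__":
    for email, domains in pivot_candidates(
        cluster_by_rname(SAMPLE_DIG_OUTPUT.splitlines())
    ).items():
        print(email, "->", ", ".join(domains))
```

A provider-default mailbox such as `hostmaster@...` explains why a first lookup can return nothing useful, which is why the filter drops those clusters before pivoting.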
Digging into the last domain in Figure 6 (right side), we can see it is a web server with the WordPress CMS installed and with some suspicious pages available in the Portuguese language. By analyzing some domains of this scam, we found several servers with the same file structure and pages, including a simple shell also available in other analyzed domains as presented below (right side).
Figure 7: Suspicious domains and pages found in a large volume of servers.
At first glance, a specific management page and plugin were found. Both pages are in the Chinese language and developed by Chinese authors, but the server itself is hosted in the USA. As this software and the data extracted from the whois point to Chinese references, we believe this could explain the origin of this campaign. Let’s confirm it later.
Figure 8: Specific management tool and plugin found in the Chinese language.
3. Home-made CMS artifacts found (Chinese xrefs again)
Taking a first look at the online store disseminated in Portugal in 2022, some pt/br words that make no sense were found. This suggests that a non-Portuguese speaker probably translated these pages through an online translator without additional validation. “Socorro” is an attempt to translate the English word “Help” into Portuguese. The right word would be “Ajuda”.
Figure 9: Nonsense words found on the malicious template.
Digging into the source-code details, strange resources related to the “jeanniebalkwill6” user and a free and private CDN were found. This is a resource also observed on other active domains disseminated by this threat group. After a quick search, some publications and references on a GitHub page stating that the files are linked to malicious scams were found. In short, a private CDN via jsdelivr.com was created to dynamically distribute the content to the various malicious stores (CDN_URL/jeanniebalkwill6/webapp2.0).
At the time of analysis, the jsdelivr CDN security team had already blocked the malicious user: jeanniebalkwill6. More details can be seen below.
Figure 10: Malicious references to a CDN resource loaded on the malicious templates.
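The shared CDN resource is a useful detection pivot. The added example below (not part of the original analysis) extracts jsDelivr GitHub references from page source, flags the two accounts named in this article, and reports repositories loaded by more than one site. The sample pages, the `.example` hosts, the `@main` ref and `example-repo` are constructed placeholders.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# GitHub accounts this article ties to the campaign's CDN content.
FLAGGED_GH_USERS = {"jeanniebalkwill6", "oophzh"}

# jsDelivr serves GitHub content under /gh/<user>/<repo>[@<ref>]/<path>.
GH_URL = re.compile(
    r"(?:https?:)?//cdn\.jsdelivr\.net/gh/"
    r"(?P<user>[^/@\s\"'<>]+)"
    r"(?:/(?P<repo>[^/@\s\"'<>]+))?"
    r"(?:@(?P<ref>[^/\s\"'<>]+))?",
    re.IGNORECASE,
)

# Constructed sample pages (hosts and markup are illustrative only).
SAMPLE_PAGES = {
    "shop-a.example": '<html><head><script src="https://cdn.jsdelivr.net/gh/'
                      'jeanniebalkwill6/webapp2.0@main/js/app.js"></script></head></html>',
    "shop-b.example": '<link rel="stylesheet" href="//cdn.jsdelivr.net/gh/'
                      'jeanniebalkwill6/webapp2.0/css/site.css"/>'
                      '<script>var cdn = "https://cdn.jsdelivr.net/gh/oophzh/example-repo/";</script>',
    "blog.example": '<script src="https://cdn.jsdelivr.net/gh/jquery/jquery@3.6.0/'
                    'dist/jquery.min.js"></script>',
}


class _RefCollector(HTMLParser):
    """Collects jsDelivr /gh/ references from attribute values and inline text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []  # tuples of (where, user, repo, ref)

    def _scan(self, where, text):
        for m in GH_URL.finditer(text):
            self.refs.append((where, m["user"].lower(), m["repo"], m["ref"]))

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive entity-decoded, so encoded slashes are caught too.
        for name, value in attrs:
            if value:
                self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        # Covers URLs assembled inside inline <script> or <style> blocks.
        self._scan("inline", data)


def find_refs(html):
    """Return every jsDelivr GitHub reference found in one page."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return collector.refs


def flagged_refs(html):
    """References whose GitHub account is on the flagged list."""
    return [r for r in find_refs(html) if r[1] in FLAGGED_GH_USERS]


def sites_sharing_repo(pages, min_sites=2):
    """Map 'user/repo' to the sites loading it, keeping repos seen on several sites."""
    by_repo = defaultdict(set)
    for site, html in pages.items():
        for _where, user, repo, _ref in find_refs(html):
            by_repo[f"{user}/{repo or '*'}"].add(site)
    return {k: sorted(v) for k, v in by_repo.items() if len(v) >= min_sites}


if __name__ == "__main__":
    for site, html in SAMPLE_PAGES.items():
        for where, user, repo, ref in flagged_refs(html):
            print(f"{site}: {where} loads {user}/{repo} (ref={ref})")
    print(sites_sharing_repo(SAMPLE_PAGES))
```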
Digging into the details, this resource has been shared in the source code of online stores since 2020. As presented below, another point of analysis was found on jsdelivr’s GitHub repository, highlighting potentially malicious content. As observed, the template used is the same as seen in Figure 9 above, with minor changes only related to the target brand.
Figure 11: Malicious IoCs reported in August 2021 and linked to the ongoing campaign.
The home-made CMS used to support this mega campaign was found on GitHub. Two contributors can be identified, jeanniebalkwill6 and oophzh, along with a lot of Chinese comments in the project. In fact, this can reveal the native language of the potential threat actors.
Figure 12: Homemade CMS found on GitHub and its developers.
Downloading and matching the local repository with the online stores, we found the files are the same. This is a clear sign this is, in fact, the homemade CMS used to carry out all the malicious operations. As observed below, the images found on the analyzed store match the local ones, including the JavaScript files among others.
Figure 13: Images available on the online stores match the files obtained from the GitHub repository.
As can be seen below, all JavaScript files and their structure were also identified on the online stores.
Figure 14: GitHub JavaScript files are the same found on the online stores.
It is also interesting to note the string files that will populate the HTML files. Part of the files with the strings in Portuguese and English are shown below. Also, the JSON file with the store available languages is presented.
Figure 15: String files and their content available on the GitHub repository.
The JavaScript files responsible for orchestrating all the web page features are presented below.
Figure 16: Homemade CMS JavaScript files found on the GitHub repository.
4. The authors behind the stage
Regarding the two collaborators identified in the GitHub project, the “jeanniebalkwill6” handle is associated with the private CDN user account that dynamically distributed the files to the online stores. Taking a look at the “oophzh” user, we observed the source code of soccer online stores, related to the “jeanniebalkwill6” GitHub repository.
Figure 17: Source-code of soccer stores is the same found on the first repository.
Once again, a thread on the jsdelivr GitHub repository is identified, announcing problems with a project created by oophzh. As can be noticed, “You are hosting fake e-shops and using jsDelivr to serve content. This is fake Pandora for example“; a clear sign this user is using the same modus operandi (see the used template below – very close to the one analyzed in this article).
Figure 18: Thread announcing the blocking of a malicious CDN user linked to the homemade CMS and fake online stores scheme (doraide[.]net and joyeriachile[.]online).
Digging deeper, it is possible to identify some accounts associated with the handler and verify the primary yahoo email is linked to the Chinese TLD (.cn). In addition, the recovery email is also linked to a Chinese provider. As a way of corroborating the author’s origin, we can see the email accounts were leaked in different Chinese data breaches, potentially confirming the origin of this massive scam.
Figure 19: Threat actor email account and data breaches (Have I Been Pwned).
Moreover, from the analysis of the exfiltrated details depicted towards the end of this article, it is possible to extract accounts and test orders potentially created by the threat author in order to test the whole environment. From the data, some fields are highlighted below.
In detail, two residential IP addresses were found and geolocated in China, Hubei. Both orders are associated with the city of “Wuhan” in the shipping address. The IP address “27.16.214.34” geolocates to “Hubei, Wuhan”; a clear sign that the IP addresses could be the real ones used by the threat actors.
Figure 20: Potential details about the threat actor origin.
In order to corroborate this point of analysis, we decided to collect test accounts from several online stores. The approach is quite simple: just collecting test orders used by criminals before launching the online store in the target country. As observed below, from three different domains launched in different countries in August 2021, November 2021, and February 2022, the test emails used by threat actors are the same and the origin IP addresses are from Hubei, Wuhan.
Figure 21: Test accounts created by threat actors to test the online shopping website before starting the new campaign on the target country.
Going back in the analysis, and looking again at Figure 5 and the Whois details associated with the email “jerribbory@gmail[.]com” – where we didn’t get any details before – the geolocation added by the registry admin is also the Hubei region/province.
Registry Admin ID: Not Available From Registry
Admin Name: lumou
Admin Organization: payyoo
Admin Street: dsadfadfdafg 604292528
Admin City: hubeids
Admin State/Province: Hubei
Admin Postal Code: 430417
Admin Country: CN
Admin Phone: +86.18695956630
Admin Email: jerribbory@gmail.com
The postal code above, 430417, seems to be linked to the city of Wuhan again, the place extracted from the residential IP addresses and also from the shipping addresses of the orders. In sum, this can be a strong indicator pointing to the origin of the threat actor under analysis.
5. The work-flow of the malicious stores
Returning to the online store itself, when end users visit it, they are faced with very attractive discounts – up to 79%. The shopping platform looks like an ordinary store, and to acquire a new item the victim needs to create a new account, using an email and password combination.
Figure 22: Details about the online store and the authenticated portal.
Next, other details are required, namely the shipping and billing addresses in order to complete the order payment – a process very similar to legitimate stores. In addition, the victim will also find the status of their orders and the tracking code of the package on the personal area.
Figure 23: Shipping details required during the new order process.
A PHP API is used to control all the interactions within the malicious environment, and to send data to and receive data from a MySQL database cluster as well.
Figure 24: Details about the online store and its API requests.
6. The middleware system
After some steps, the payment page is exhibited. Here, the victim needs to add the payment details, namely the credit card number, date, and CVV code.
Figure 25: Landing page where the payment details are required.
From this point, the online stores communicate with an intermediary system that will handle sensitive information about the specific transaction. Figure 26 shows one of the interactions between the API and an external system geolocated in Hong Kong.
Figure 26: Transaction details sent to a specific endpoint during the payment process.
On the other hand, the middleware system is selected randomly and depends each time on the target store and the country where the campaign is disseminated. The endpoint responsible for selecting the middleware endpoint is “api/payment“. The next images depict the described scenario.
Figure 27: API endpoint responsible for selecting the target middleware system depending on the target store and country.
We noticed that sometimes a request to the “api/tobank” endpoint occurs in different stores we analyzed. This request revealed some malicious addresses used by criminals and a webhook where a personalized callback is invoked; maybe a notification sent to the criminals’ side.
https://ssl.payment.imdpay.com/payment/api/getLuResp?tradeNo=
http://8.214.107.195/ (tomcat)
http://8.214.107.195:8099/core_trans/trans/purchaseNotify/P670002.do
Figure 28: Additional endpoints extracted from the performed analysis.
At this point, the middleware system uses an online payment service to validate the credit card details and conclude the transaction. Some services are used, including Stripe, pay.aletapay.com, among others. In the case of Stripe (right-side below), specific resources and callbacks can be found on the page source code.
Figure 29: Target online payment system invoked by the middleware system.
7. The ‘tracking’ platform for package tracking
After a successful payment transaction, the victim receives a notification with the package tracking code. With this mechanism in place, criminals aim to make the process look as legitimate as possible.
A specific and malicious platform (17orderstrack.com) was created to control all the tracking processes. This fake platform takes advantage of the 17track.net legitimate API to exhibit the tracking details as presented below.
Figure 30: Malicious tracking APP based on the 17track.net API.
As can be seen, the package is real, and tracking information is also available. The package is always sent from China, maybe from target cities selected by threat actors in advance.
In detail, the function that invokes the API of the legitimate tracking system, 17track.net, can be observed in the page source code.
Figure 31: Source code responsible for invoking the legitimate tracking app (17track.net).
By analyzing the page source code, we found an interesting URL as highlighted below (myordertrack.club). In detail, this piece is an exact replica of 17orderstrack.com used in campaigns of this kind at the end of 2020.
Figure 32: Malicious page to track orders by abusing the 17track.net API (December 2020).
As explained, the package is sent by criminals to the target destination, but with no clothes inside, only a lot of junk. Some images extracted from the PortaldaQueixa.com website (a Portuguese complaint portal) are presented below. The images are translated from Portuguese to English.
Figure 33: Screenshot of the Portuguese complaint portal with pieces of evidence from victims.
Another point of interest related to this scam is the complaints sent by victims to different online stores stating that the packages never arrived or, when they did, came with a different product from the one the victims ordered.
Figure 34: Complaints sent by victims stating the packages never arrived.
8. Scam by numbers
Details were collected from the malicious stores available on the Internet between 20 and 25 March 2022. This point of analysis is crucial to learn about the number of victims caught in the scam, with a lot of stores still active worldwide (about 700 online stores).
In order to make users aware of the scam, screenshots of some online stores and associated brands were collected. If you recognize one of these templates, then you may have been caught in the fraud.
[The complete list of screenshots with high-resolution can be accessed here.]
In order to understand the potential damage of a single online store of this kind, we decided to analyze the details collected from the store under analysis: leftshop.ru. This malicious store has been disseminated in Portugal.
Figure 35: Part of the collected details from the leftshop.ru online store.
From the details extracted, we can see that 5.149 orders were completed in this specific domain. However, the number of affected users present in the database is only 2.593. We believe this can be a clear sign that several users have ordered products several times due to their low prices.
The total spent only on this single scam is brutal: 113.273 euros. Grouping victims by the Portuguese cities based on the orders’ addresses, we can see the most impacted cities: Lisbon with 541 victims, followed by Porto (433) and Braga (204).
Figure 36: Number of orders, victims, and total paid on the leftshop.ru in Portugal.
The following geomap shows the distribution by country of the affected victims who actually concluded the payment process (label: paid victims). The details were captured from a total of 227 active stores between 20 and 25 March 2022.
Geomap of victims by country
Regarding the data presented on the geomap, the most affected countries are: Italy (IT), Chile (CL), Portugal (PT), France (FR), Colombia (CO), Mexico (MX), and Spain (ES). The next graphs depict the volume of victims by country (1st graph) and the victims who finished the payment process and received the package tracking code.
Victims by country
Victims who finished the payment process
Looking at the “Victims who finished the payment process” graph, we can see the TOP of affected countries is composed of: IT with 45% from the total of victims, CL – 31.9%, FR – 9%, and PT – 6.1%.
The next graph presents a relation between the “Total victims” vs “Paid victims“: who actually finished the payment process and spent a lot of money.
TOP of the total of victims grouped by country
The victims spent a total of 1 511 674 euros on this massive scam (only on 227 stores); grouped by country below. Notice that only the “paid/verified transactions” (paid victims label above) were taken into account for the next graph.
Total money spent and grouped by country
During this campaign, criminals captured sensitive data from thousands of users, at least in the 227 stores analyzed. In addition to full names and addresses, phone numbers, emails, and passwords were also observed.
In this sense, we decided to compile all emails and phone numbers captured by criminals through this massive scam, and create a tool that allows users to validate if the data is now in the criminals’ tentacles.
https://tools.seguranca-informatica.pt/st0r3_sc4m_l34k_ch3ck3r/index.php
In reference to this tool, emails and phone numbers are not directly stored in raw format. Instead, a SHA256 hash is calculated for each record, thus guaranteeing data confidentiality principles.
Final Thoughts
Online scams related to stores have been on the rise since the end of 2020, a trend probably related to the Covid-19 pandemic situation. In this sense, checking whether the online stores we visit are official and reliable by doing a simple search is key to early fraud detection.
RTP – A Prova dos Factos – Páginas clonadas (malicious scheme report from RTP Portugal)
Last but not least, all the malicious indicators were submitted to 0xSI_f33d – a feed that compiles malicious campaigns and an official VirusTotal ingestor.
Thank you to all who have contributed 😉
@RazoesSergio (In)
@DenunciaBurlas
Database tables diagram (MySQL 8.0)
Indicators of Compromise (IoC)
Additional IoCs will be added to the 0xSI_f33d in the next few days.
stradropas.online stradsales.online strajeans.online strasidvus.online studfashion.shop studionline.shop sun68outlet.online supegasaldi.shop supergait.co superganegozio.online superyuk.online suscarpeit.online szapatosk.online tasaitalia.it terraventure.tk tezenesuits.online tezenisaldi.store tezenisoldes.shop tezenitalia.shop thergvfoodster.com tiendzapatos.shop tiffportug.online tifonlene.online tifosiipt.online tifosioutlet.shop tifoutonlin.shop timberbottes.com timsbootsale.com toutiaotg.com triumoutlet.online tuffsalpt.online uippioutdor.online umbmoda.online umbmoda.shop umbulsas.online uootootech.online upimsale.online vertbaudetshop.online vestesoldes.website vesticonbi.online vestitibaby.online vestitibebe.online vestitibebe.shop vestitisaldi.online vetemenbebe.online vetemengo.online vetementfr.online vetementfrs.online vetementsbaby.shop vetementsvente.online vicolaoutlet.online vicolaoutlet.shop vicoloutlet.shop vidorzapatos.online vyaniteshop.online www.acshop.online www.adolot.shop www.alcottabiti.online www.alcottit.online www.aleiasale.online www.alineaoutlet.online www.alveromaritshop.online www.alveromartiborse.online www.amadsoldsfr.shop www.amemus.net www.amemus.shop www.amemusale.shop www.americanin.shop www.amphoutlet.online www.armadventes.shop www.armandtsoldes.online www.arturonline.shop www.arzapato.online www.asichoes.shop www.asicourres.shop www.azamoda.online www.azamoda.shop www.baarhmtim.online www.babylisaldi.online www.babynegozio.online www.bambinitkids.website www.bambinitoutlet.ru www.bambinoutlet.com www.bameoutlet.online www.bassetlsale.online www.batascarpe.online www.batazapatos.online www.batofertas.online www.batzapatilla.online www.beberopa.online www.bebesald.online www.bebesaldo.shop www.berksaloita.online www.berksalopt.ru www.bershoutlet.ru www.berxikaldi.online www.bimbaybolsa.shop www.bingohotmall.com www.blkidsonline.shop www.bluekidshop.online www.boboutlet.shop www.bogguomo.ru www.bolsogabes.online 
www.bolsosrebajascl.online www.boom.shoes www.boostaudio.online www.bossioutlet.online www.bostbuds.com www.bracciaborse.shop www.brahtishop.online www.brumsaldi.online www.bskrvendas.website www.buabmochilas.shop www.bylbagoutlet.shop www.cachersodle.online www.cafenoit.online www.calzeonline.shop www.calzeoutlet.online www.calzeptonline.shop www.calzesaldi.online www.calzesoldes.online www.camavetements.shop www.carharttvip.shop www.casaideashop.online www.casasale.online www.catbotiens.online www.catzapatos.online www.catzapatos.ru www.cavalimalas.online www.charmcheese.com www.charmsfans.com www.charmsnfansnz.com www.chaussuresconfort.online www.chsyngsale.online www.ckoutlets.shop www.cmptrekking.online www.cmrebajas.online www.cmshoes.online www.coajanuary.shop www.coccinoutlet.online www.cocinacolombia.moda www.colkyninos.online www.colkytiendas.shop www.colokinfantil.online www.colokinfantil.shop www.colokychile.shop www.comprarwayuu.online www.cqmbag.com www.crocepromotion.shop www.crocezapatopt.shop www.cryzapatos.online www.digitalepd.online www.dmitboots.website www.dogsmall.shop www.doiteoutdoor.online www.doracl.co www.doraeit.com www.dorainz.co www.doraloveit.shop www.doraluk.net www.dorauit.net www.dorauit.online www.dorauk.ru www.dorauks.shop www.drmartensstore.online www.dunoutlet.online www.eastvente.online www.edredoesmx.online www.edredoneshop.online www.elisabesaldi.online www.esalbotas.online www.esmayoral.online www.estrekking.com www.etechcrafts.com www.feracheroupa.online www.flipflopsvenda.online www.fvsbag.com www.gabelcasa.online www.gabsbagshop.online www.gabsnuevas.shop www.gabssale.online www.gaceloutlet.ru www.galesaldi.online www.garris.shop www.geoscarpe.store www.geosneakers.store www.gerstours.com www.giaccheshop.online www.gioszapatos.shop www.gorrasoutlet.online www.gorrasoutlet.shop www.gorrasrebajs.online www.gotazapatos.online www.gottines.online www.gottzapatos.shop www.goxsneakers.online www.goxzapato.online 
www.gssport.online www.guesaldi.online www.guuessaldi.online www.hanvciabatte.online www.havaianassale.online www.hgscarpeit.online www.hhoutdoor.online www.hhshop.online www.hhyropa.online www.hllehatie.online www.hokoutlet.online www.hokscarpe.shop www.hutboots.online www.igisneakers.online www.iksvente.shop www.imhomeoutlet.website www.innaitdit.online www.intimissioulet.online www.intimissioutlet.online www.itregaloshop.online www.ittabiti.online www.ittabiti.shop www.jewelrydora.co www.jewelrypro.online www.joyasbaja.online www.joyeriavelo.online www.jstarsale.online www.kasanoutlet.online www.kazarsklep.online www.kelprofesseur.com www.kidsbotas.online www.kipingbag.shop www.koakropa.online www.koalsaleco.online www.lecoqoutlet.store www.leftionline.shop www.leonisoutlet.shop www.levinegozio.shop www.linvosgfr.shop www.lippicalzado.online www.lipplzapatillas.shop www.lippoutlet.shop www.lippoutlet.website www.lollatravel.com www.loreleycamp.com www.lovedorait.shop www.lovefes.com www.lovepanfro.com www.lovepanite.com www.luisabluse.online www.maisonoutlet.shop www.maisonsmeuble.shop www.maisonsoutlet.online www.marelabiti.online www.martinfr.shop www.marypazapatos.online www.marysandalias.store www.mayoralbebe.ru www.mganoutlt.online www.mizuoutlet.online www.mobilimaison.shop www.modanuovo.online www.mondeonline.shop www.mussirebajas.online www.mxubag.com www.mycarbag.online www.myroupadormir.shop www.mysneakerspt.shop www.nannashop.online www.napajacketsaile.shop www.naturalistashop.online www.nbptzapatos.online www.neragiardinit.shop www.nerogiacarpe.online www.nerogiardinit.shop www.nerogiordni.shop www.neroscarpe.shop www.nloutlet.online www.nonmechaussures.online www.nouveaupulls.online www.ofinyonline.shop www.oltroulet.online www.ossiroupa.ru www.outdorequipcl.online www.pablosoutlet.online www.panamajacks.online www.panieo.com www.paninz.com www.pashoes.shop www.peperebajas.shop www.petibatianfr.shop www.petitkids.shop www.poyesharghamaria.com 
www.pranainfinito.com www.primasales.online www.primisale.store www.primishop.shop www.punbag.com www.pyramidenwerkstatt.com www.rinasoutlet.online www.risantettit.shop www.romashoes.online www.ropacorebaja.online www.ropainfantcl.online www.ropaoutletes.store www.ropapolo.online www.ropastore.online www.roupasalept.online www.runchaussures.ru www.runshoesnb.online www.saldithunly.shop www.saleitwoutlet.online www.saleitwoutlet.shop www.salewitaly.online www.salewitoutlet.online www.salomofr.shop www.salomonden.online www.samitesuitcase.shop www.samsobagcl.shop www.sandaliasale.online www.sandaliasrm.online www.sapatosport.shop www.saucoscarpe.online www.scarpesupega.shop www.sdffrq.com www.sebastianjeffs.com www.sergentshop.online www.shoesupega.shop www.skescarpe.shop www.sonianadeau.com www.sonnybob.online www.sportintimo.online www.sportzapatos.store www.stonesaldits.online www.stopjeasale.online www.strabiti.online www.stradiiver.shop www.stradionlin.shop www.stradivcoutlet.online www.stradivonline.shop www.stradivpt.shop www.stradivrebajas.online www.stradivshopt.online www.stradivsoldesfr.online www.stradsales.online www.strajeans.online www.studfashion.shop www.studionline.shop www.sunnybob.shop www.sunscarpe.shop www.supegasaldi.shop www.suscarpeit.online www.szapatosk.online www.tezenesuits.online www.tezenisonline.store www.thergvfoodster.com www.tiffportug.online www.tifonlene.online www.tifosiipt.online www.tifosioutlet.shop www.tifoutonlin.shop www.timberbottes.com www.timsbootsale.com www.todopieloutlet.online www.triumoutlet.online www.tuffsalpt.online www.uippioutdor.online www.umbmoda.online www.umbulsas.online www.uootootech.online www.upimsale.online www.uppioutdoor.shop www.vertbaudetshop.online www.vestesoldes.website www.vetemenbebe.online www.vetemengo.online www.vetementfr.online www.vetementfrs.online www.vetementsbaby.shop www.vicolaoutlet.online www.vicoloutlet.shop www.vidorzapatos.online www.vyaniteshop.online www.wamujer.store 
www.xdzbag.com www.xiaogongchan.com www.xjjmrl.com www.xmuichsales.online www.yamawomany.shop www.yeeglasses.online www.ymamyeit.online www.zapatillasfutbolsala.online www.zapatillasport.online www.zapatocro.shop www.zapatoplues.online www.zapatoschile.online www.zapatosrm.online www.zapatoutlei.shop xdzbag.com xiaogongchan.com xjjmrl.com xmuichsales.online xplaza.it yamastore.online yamawomany.shop yamcostumi.online yilmazlarinsaatemlakistanbul.com ymamyeit.online ynotborse.online yntborsetta.online yveniese.com zapatillasfutbolsala.online zapatillasport.online zapatocro.shop zapatoplues.online zapatoschile.online zapatosrebajaa.shop zapatosrm.online zapatoutlei.shop zeppascarpe.online zeppascarpe.ru skullivansisland.com/wp-payment.php gioiellilove.shop

