[anti-abuse-wg] Huge List of Domains Cloaking to Malware (5,000+)

Hi,

There is a huge amount of some type of fraud happening with .it, .pl, .xyz
and other domains being registered (see links below).

https://docs.google.com/document/d/159Sbik8CkO9WDbLjH_tqAhr-dkpODWS1kt4UULLLfk0/edit?usp=sharing

https://docs.google.com/document/d/1z43WugqqgyVjNy6-IPgON118YaE0HxrgRMKbVwW42NM/edit?usp=sharing

These links contain a list of over 5,000 domains that are currently
spamming search engines with spun text and then cloaking users to malware
that have the search engine referrer.

Most of the .it, .pl and .xyz domains have all been registered in the last
few weeks.

They are basically registering a new domain and it is immediately being
added into this spam operation.

Most of them are being registered through OVH, but trying to contact them
about this has been useless.

All of them are being hosted through Cloudflare and I have tried multiple
times to bring this to their attention. It has been unsuccessful and it is
allowing this spam operation to hide behind the cloudflare proxy.

There are also other domains that appear to be hacked taking part in this
and I have included the hacker script that has been found on two of the
servers that have disabled php to figure out how to remove the malware.

I hope that this is the right place to post this type of information and
hope that somebody can help with the fraud domain registrations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20210111/4a00dadc/attachment.html>