Block Labor Day Free 51GB Phishing domains #10046

@jasongodev

Description

Prerequisites

  • I use the current version of the lists.
  • I have blocked the domains in my network for several days now, and the blocking has not caused any disruptions or limitations.

Which blocklist(s) do you use?

Multi ULTIMATE, Threat Intelligence Feeds

Which category do the domain(s) to be blocked belong to?

Malware/Badware/Phishing/Scam

Which domain(s) should be blocked?


Which website or app accesses the domain(s)?

Facebook
FB Messenger
Various social media

Why should these domain(s) be blocked?

Various phishing posts are being shared and circulated online, most notably on Facebook and FB Messenger, on May 1, 2026 during the Labor Day event in the Philippines. The posts and the malicious websites claim to provide free mobile data credits in exchange for the user's mobile number.

The malicious websites are designed to mimic a Philippine telecommunications company, DITO (dito.ph), complete with design elements and fake Facebook comments. They also mention the other Philippine telcos such as Globe and Smart.

In tests the websites seem not to send any information to any server at all.

It shows a fake progress bar and fake comment input field.

Interacting with the website causes many JavaScript errors.

It also uses cookies and local storage to store benign data.

The share buttons and links redirect to the fb-messenger://share/?link= protocol.

Inspecting the source code reveals various comments in Russian.

It also loads an external script single.php which contains ads redirection codes.

The ads redirection routine leads to go.php which then redirects to random ads. As of this writing it redirects to cdn.lcwss.com. Notice that it tracks the IP address of the user.

The usual subdomains used for these malicious domains are labor-day-51gb-free1 and labor-day-51gb-free8. However, any random subdomain is an alias to the same malicious content.

External References

https://urlscan.io/result/019de5e9-f17d-774c-9aac-64638f44c3a4/related/
Phishing-Database/phishing#1145

Not listed as of this reporting

Ultimate: 2026.0501.1841.53
TIF: 2026.0501.1734.00

Confirmation

  • I have verified that no existing issue explains why the domain(s) were previously unblocked or why the blocking request was declined.
  • I have verified that the domain(s) is/are not already blocked.
  • I have verified that the domain(s) is/are active and not inactive (dead).
  • I have provided sufficient details to justify the need for blocking the domain(s).
  • I did not answer truthfully to any of the above checkboxes.

Terms

  • I confirm that the request does not contain any sexually explicit material or private/sensitive information.
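
The report notes that any random subdomain aliases to the same content, so exact-hostname matching would miss most queries. The following is an added example (not part of the original report or the blocklist project's code) of label-boundary suffix matching over constructed resolver log lines; the `.example` apex domains, the log format and the function names are assumptions.

```python
# Constructed placeholder apex domains (reserved .example TLD); a real
# deployment would load the reported domains from the blocklist instead.
DENYLIST = {"promo-one.example", "promo-two.example"}

def normalize(host):
    """Lower-case a DNS name and drop its trailing root dot."""
    return host.strip().lower().rstrip(".")

def blocked_apex(host, denylist=DENYLIST):
    """Return the denylisted domain that covers host, or None.

    Candidates are built label by label, so a match can only begin at a
    label boundary ("notpromo-one.example" is not covered).
    """
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in denylist:
            return candidate
    return None

def naive_exact(host, denylist=DENYLIST):
    """Hosts-file style exact match, shown for contrast."""
    return normalize(host) in denylist

# Constructed resolver log lines: "<client> <queried name>"
SAMPLE_LOG = """\
10.0.0.12 labor-day-51gb-free1.promo-one.example
10.0.0.12 x7k2q.promo-one.example.
10.0.0.31 Labor-Day-51GB-Free8.PROMO-TWO.example
10.0.0.40 notpromo-one.example
10.0.0.40 dito.ph
"""

def scan(log_text):
    """Return (client, name, apex) for every query a denylisted domain covers."""
    hits = []
    for line in log_text.splitlines():
        client, name = line.split()
        apex = blocked_apex(name)
        if apex:
            hits.append((client, name, apex))
    return hits

if __name__ == "__main__":
    for client, name, apex in scan(SAMPLE_LOG):
        print(f"{client} queried {name} (covered by {apex})")
```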

Labels

deny: Deny domain(s)
malicious/scam/phishing: Denylist request for malicious/scam/phishing domains