Part 3: Priva60 – a haven for disinformation and phishing


After confirming that the clone of Los Danieles (losdanieles{.}net) and the suspicious company HPS (hps.com{.}co) were both hosted in Priva60 as part of the priva60.privatednsorg.com server network, we decided to take a closer look at Priva60. Our findings indicate that Priva60 is a haven for disinformation, trolling, phishing and other types of scams.


Priva60 – what are you up to?

To get an idea of what content Priva60 is serving, we searched for all websites associated with this hosting space in Server Central. To our surprise, starting from just five of the domains hosted with Priva60, we could easily cluster more than 300 domains associated with the hidden hosting in Server Central.

We analyzed the domains (1) reputacion.guru, (2) okso.co, (3) redamiga.com, (4) zerver.co, (5) zozyal.co and (6) noticiasmanizales.com. Through these domain names we could trace the activity of this disinformation network back to 2008, so we conclude that Priva60 has been used for malicious activities for no less than a decade.

# Hosting Servers
108.163.217.142
162.210.192.84
173.236.119
184.154.134.50
184.171.242.140
198.49.74.34
198.49.74.39
199.168.185.218
37.48.93.194
37.48.93.196
66.225.201
66.225.201.66
66.225.201.71
66.225.201.72
66.225.201.73
# Associated Domain names
45segundos.com
noticiasmanizales.com
redamiga.com
reputacion.guru
zerver.co
zozyal.co
# Email addresses
brandco2014@gmail.com
seothebest2015@gmail.com
# SPF
mailchannels.net

The earliest reference dates back to 2008 with nameserver pdns.redamiga{.}com.

    Domain Name: REDAMIGA.COM
    Registrar: GODADDY.COM, LLC
    Whois Server: whois.godaddy.com
    Referral URL: http://registrar.godaddy.com
    Name Server: NS1.ZERVER.CO
    Name Server: NS2.ZERVER.CO
    Status: clientDeleteProhibited
    Status: clientRenewProhibited
    Status: clientTransferProhibited
    Status: clientUpdateProhibited
    Updated Date: 10-feb-2014
    Creation Date: 09-feb-2008
    Expiration Date: 09-feb-2015

Most of the domains registered after 2014 are associated with the email addresses:

  • brandco2014{@}gmail.com
  • seothebest2015{@}gmail.com
  • whois{@}okso.co
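The clustering used above, pivoting from a handful of seed domains on shared nameservers, registrant e-mail addresses and hosting IPs until a whole network falls out, can be reproduced with a short script. The following is an added example written for this article and is not Qurium's own tooling. The first record is the REDAMIGA.COM whois output quoted above; the other records are constructed, using placeholder `.example` domain names, so that the pivot values named in the investigation (NS1.ZERVER.CO, brandco2014@gmail.com, whois@okso.co, 37.48.93.196) chain the domains together. The "Hosting IP" field is an analyst-added annotation, not a field whois returns.

```python
import re
from collections import defaultdict

# The first record is the REDAMIGA.COM whois output quoted in the article.
# The remaining records are CONSTRUCTED for this example: placeholder .example
# domains carrying pivot values named in the investigation. "Hosting IP" is an
# analyst-added field (from DNS resolution), not something whois returns.
WHOIS_RECORDS = """\
Domain Name: REDAMIGA.COM
Registrar: GODADDY.COM, LLC
Name Server: NS1.ZERVER.CO
Name Server: NS2.ZERVER.CO
Creation Date: 09-feb-2008

Domain Name: sample-one.example
Name Server: NS1.ZERVER.CO
Registrant Email: brandco2014@gmail.com

Domain Name: sample-two.example
Registrant Email: brandco2014@gmail.com
Hosting IP: 37.48.93.196

Domain Name: sample-three.example
Registrant Email: whois@okso.co
Hosting IP: 37.48.93.196

Domain Name: unrelated.example
Name Server: ns1.unrelated-dns.example
Registrant Email: owner@unrelated.example
Hosting IP: 203.0.113.10
"""

# Attributes worth pivoting on: a shared value links otherwise unrelated domains.
PIVOT_KEYS = ("Name Server", "Registrant Email", "Hosting IP")


def parse_whois(text):
    """Parse 'Key: Value' records separated by blank lines into a list of dicts.
    Keys such as 'Name Server' repeat, so every key maps to a list of values;
    values are lower-cased because DNS names and e-mail domains are case-insensitive."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = defaultdict(list)
        for line in chunk.splitlines():
            if ":" not in line:
                continue  # skip banner / comment lines
            key, value = line.split(":", 1)  # values may contain ':' (URLs)
            rec[key.strip()].append(value.strip().lower())
        if rec.get("Domain Name"):
            records.append(dict(rec))
    return records


def pivot_index(records, pivot_keys=PIVOT_KEYS):
    """Invert the records: (key, value) -> sorted domains carrying that value.
    Only values seen on two or more domains are returned; those are the links."""
    index = defaultdict(set)
    for rec in records:
        domain = rec["Domain Name"][0]
        for key in pivot_keys:
            for value in rec.get(key, []):
                index[(key, value)].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) >= 2}


def cluster_domains(records, pivot_keys=PIVOT_KEYS):
    """Union-find over the domains: two domains sharing any pivot value end up in
    the same cluster, and chains (A~B via NS, B~C via e-mail, C~D via IP) are
    followed transitively. Returns {representative_domain: sorted members}."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (key, value) -> first domain observed with that value
    for rec in records:
        domain = rec["Domain Name"][0]
        parent.setdefault(domain, domain)
        for key in pivot_keys:
            for value in rec.get(key, []):
                pivot = (key, value)
                if pivot in first_seen:
                    ra, rb = find(first_seen[pivot]), find(domain)
                    if ra != rb:
                        parent[rb] = ra
                else:
                    first_seen[pivot] = domain

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return {rep: sorted(members) for rep, members in clusters.items()}


if __name__ == "__main__":
    recs = parse_whois(WHOIS_RECORDS)
    for (key, value), domains in sorted(pivot_index(recs).items()):
        print(f"{key} = {value}: {', '.join(domains)}")
    for rep, members in cluster_domains(recs).items():
        print(f"cluster {rep}: {members}")
```

Run as-is, the script prints the shared pivot values and two clusters: the four domains chained through NS1.ZERVER.CO, brandco2014@gmail.com and 37.48.93.196, and the unrelated placeholder on its own. On real data the same loop would be fed by whois and passive-DNS lookups, and the transitive joining is exactly what lets a few seed domains grow into a 300-domain cluster.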

OKSO – a domain placeholder

The domain okso.co (OKSO Limited) and the e-mail accounts whois@okso.co and okso.david@gmail.com were used between 2014 and 2017 to register dozens of domain names. Many of them were hosted at the IP address 37.48.93{.}196.

Reviewing the company registry in the UK, we found OKSO Limited, a company registered in 2011 and dissolved in 2014. The company was registered in April 2011 in the name of British national David John Hunt for WordPress web development.

Historical data for several domains shows that new domains were still being registered in the name of OKSO Limited after the company had already been dissolved.

A decade and hundreds of domain names

For more than a decade, more than 300 domains have been registered in the name of OKSO Limited to promote politicians, artists and sports celebrities. While reviewing the domains, we also found several fake websites designed to bully and troll journalists and politicians. A common strategy seems to be to clone a media site and post articles taking the opposite view of the original news, under the identities of the original authors. A full list of the 300+ domain names, including their infrastructure signatures, is available here.

Phishing domains

The domains do not only include websites for known politicians in Colombia and sites designed to spread disinformation and defamation; we also found two domain names designed to conduct phishing campaigns:

  1. xn--twtter-4va.com{.}co
  2. helpinstagrm{.}com

The first domain renders as twítter.com{.}co, with an í (accented i) instead of a regular i. This is a Twitter phishing domain created in 2017 that was still active until mid-October 2020. The domain is still provisioned inside Priva60. According to the historical DNS records below, the phishing domain was already in use in 2017.

2017-10-20 22:52:35 -0000, 2018-02-17 19:45:45 -0000,verified.xn--twtter-4va.com.co. IN A 198.49.74.39, AS33182 HostDime.com, Inc., US, United States
2018-04-13 13:09:29 -0000, 2020-01-29 11:27:51 -0000,verified.xn--twtter-4va.com.co. IN A 173.236.119.36, AS32475 SingleHop, Inc., US, United States
2018-10-27 22:15:47 -0000, 2020-02-18 19:07:53 -0000,getverified.xn--twtter-4va.com.co. IN A 173.236.119.36, AS32475 SingleHop, Inc., US, United States
2018-10-27 22:16:00 -0000, 2019-11-08 01:40:01 -0000,www.getverified.xn--twtter-4va.com.co. IN A 173.236.119.36, AS32475 SingleHop, Inc., US, United States
2020-03-05 23:23:02 -0000, 2020-10-14 02:57:49 -0000,verified.xn--twtter-4va.com.co. IN A 66.225.201.71, AS23352 Server Central Network, US, United States
2020-04-23 12:45:23 -0000, 2020-09-28 16:04:12 -0000,www.getverified.xn--twtter-4va.com.co. IN A 66.225.201.71, AS23352 Server Central Network, US, United States
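Reading passive-DNS lines like the ones above by hand is error-prone, so here is an added example, written for this article and not the tooling used in the investigation, that parses the six lines quoted above, decodes the punycode label with Python's standard-library IDNA codec, flags the label as a Twitter look-alike, and groups the observations by hosting IP and AS so the moves from HostDime to SingleHop to Server Central stand out. The line format is inferred from the listing; the brand list and the diacritic-stripping "skeleton" heuristic are assumptions of the example, not part of the original analysis.

```python
import re
import unicodedata
from collections import defaultdict

# The six observations quoted in the article for the Twitter look-alike domain.
# The line layout (first seen, last seen, record, AS, country) is inferred from them.
PDNS_RECORDS = """\
2017-10-20 22:52:35 -0000, 2018-02-17 19:45:45 -0000,verified.xn--twtter-4va.com.co. IN A 198.49.74.39, AS33182 HostDime.com, Inc., US, United States
2018-04-13 13:09:29 -0000, 2020-01-29 11:27:51 -0000,verified.xn--twtter-4va.com.co. IN A 173.236.119.36, AS32475 SingleHop, Inc., US, United States
2018-10-27 22:15:47 -0000, 2020-02-18 19:07:53 -0000,getverified.xn--twtter-4va.com.co. IN A 173.236.119.36, AS32475 SingleHop, Inc., US, United States
2018-10-27 22:16:00 -0000, 2019-11-08 01:40:01 -0000,www.getverified.xn--twtter-4va.com.co. IN A 173.236.119.36, AS32475 SingleHop, Inc., US, United States
2020-03-05 23:23:02 -0000, 2020-10-14 02:57:49 -0000,verified.xn--twtter-4va.com.co. IN A 66.225.201.71, AS23352 Server Central Network, US, United States
2020-04-23 12:45:23 -0000, 2020-09-28 16:04:12 -0000,www.getverified.xn--twtter-4va.com.co. IN A 66.225.201.71, AS23352 Server Central Network, US, United States
"""

LINE_RE = re.compile(
    r"^(?P<first>\S+ \S+ \S+),\s*(?P<last>\S+ \S+ \S+),\s*"
    r"(?P<rrname>\S+)\s+IN\s+A\s+(?P<ip>[\d.]+),\s*"
    r"(?P<asn>AS\d+)\s+(?P<asname>.+),\s*(?P<cc>[A-Z]{2}),\s*(?P<country>.+)$"
)

# Brands whose look-alikes we want to flag (assumed list for this example).
BRANDS = ("twitter", "instagram")


def decode_idn(hostname):
    """Convert an ACE (xn--) host name to Unicode with the standard-library IDNA
    codec; ASCII-only names come back unchanged. Raises UnicodeError for labels
    that do not round-trip, which is itself worth logging."""
    return hostname.rstrip(".").encode("ascii").decode("idna")


def skeleton(label):
    """Crude confusable skeleton: NFKD-decompose, drop combining marks, lower-case,
    so 'twítter' -> 'twitter'. The full UTS #39 confusables table would also
    catch Cyrillic/Greek look-alikes; this handles the accent trick seen here."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def homograph_brand(hostname):
    """Return the brand a host name imitates, or None. A label is a look-alike when
    its skeleton equals a brand name but the label itself does not (so the real
    'twitter.com' is not flagged). Plain typosquats such as 'instagrm' need a
    separate edit-distance check and are deliberately not matched here."""
    for label in decode_idn(hostname).split("."):
        sk = skeleton(label)
        if sk in BRANDS and sk != label.lower():
            return sk
    return None


def parse_pdns(text):
    """Parse the passive-DNS lines into dicts, adding the decoded Unicode name
    and the imitated brand (if any) to each record."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed pDNS line: {line!r}")
        rec = m.groupdict()
        rec["rrname"] = rec["rrname"].rstrip(".")
        rec["unicode_name"] = decode_idn(rec["rrname"])
        rec["imitates"] = homograph_brand(rec["rrname"])
        records.append(rec)
    return records


def hosting_timeline(records):
    """Group observations by (ip, asn, as name), ordered by first-seen, so the
    moves between hosting providers (the pivot used in the article) stand out."""
    by_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["first"]):
        key = (rec["ip"], rec["asn"], rec["asname"])
        by_host[key].append((rec["first"][:10], rec["last"][:10], rec["rrname"]))
    return dict(by_host)


if __name__ == "__main__":
    recs = parse_pdns(PDNS_RECORDS)
    print("decoded:", recs[0]["unicode_name"], "imitates", recs[0]["imitates"])
    for (ip, asn, asname), obs in hosting_timeline(recs).items():
        print(f"{ip} ({asn} {asname})")
        for first, last, name in obs:
            print(f"  {first} .. {last}  {name}")
```

The same `decode_idn` call turns xn--nstagram-b2a.com.co, mentioned later in this part, into ínstagram.com.co and flags it as an Instagram look-alike, whereas helpinstagrm.com is a typosquat rather than a homograph and is not caught by the skeleton check. For monitoring, the homograph test is cheap enough to run over every new certificate-transparency or passive-DNS entry containing a brand name.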

The Robo-php script in the fake Twitter “get verified” page is designed to steal the victims' account passwords.

Image 8: Fake Twitter page designed to steal passwords

Another malicious domain hosted on the same servers is “helpinstagrm.com”.


Who is behind priva60 and the fake domains and phishing websites?


After discovering that both fake websites lanuevaprensa{.}net and losdanieles{.}net were hosted in Server Central, and that one of them was hidden at the IP address 66.225.201{.}72 behind Cloudflare, we found that the Twitter account @Dr__Fausto was amplifying the fake news and that one of the domains it promotes, hps.com{.}co, was also hosted on the same servers.

The IP addresses 66.225.201{.}71, 66.225.201{.}72 and 66.225.201{.}73 and the SSL certificate of tequieroperro{.}com helped us to link the hosting space (priva60.privatednsorg.com) to more than 300 domain names associated with political campaigns, disinformation and defamation of political candidates and journalists.

The same hosting space hosts three phishing domain names, xn--twtter-4va.com{.}co, xn--nstagram-b2a.com{.}co and helpinstagrm{.}com, used to steal Twitter and Instagram passwords.

All the evidence indicates that the fake and phishing websites are linked to someone close to “Carlos Escobar”: the domain carlosarturoescobarmarin.me is hosted at 37.48.93{.}196 together with the rest of the domains associated with zozyal.co, zerver.co and brandco2014.

More digging – more disinformation

While investigating Priva60, Qurium discovered yet another website hosted at 66.225.201{.}71 that disseminates “fake news” in Colombia. The content is amplified on Twitter and Facebook to reach a larger audience. The site, called “Letra Menuda”, claims to be a portal specialized in investigations on corruption, but is nothing more than a website disseminating “fake news” and defamation.

Image 11: LetraMenuda, disinformation site hosted with Priva60.