---
title: "Unmasking Global Phishing: Silent Push Exposes CDC Voucher Scammers"
slug: "silent-push-exposes-cdc-voucher-scammers"
updated: 2025-12-31T14:42:36Z
published: 2025-12-31T14:42:36Z
---

# Unmasking Global Phishing: Silent Push Exposes CDC Voucher Scammers

In mid-2025, Singapore's Ministry of Defence discovered a sophisticated phishing operation impersonating CDC (Community Development Council) voucher redemption portals. Spread via hijacked Telegram channels and SMS blasts, these fake sites used urgent calls to action (“Claim Your Vouchers Now”) to steal citizens’ credentials.

Using only two initial domains, Silent Push helped MINDEF expose and dismantle a **688-domain global phishing ring** spanning Singapore, the UK, Indonesia, the UAE, and beyond, all in a single afternoon.

## Goal

Start from two suspicious .app domains and systematically uncover the full attack infrastructure, including dedicated IPs, shared phishing kits, cross-country targeting, and actor attribution, using layered SPQL queries, pivoting, and fingerprinting.

## Investigation Steps

### Broad Reconnaissance in Total View

The initial IoCs were loaded with Domain Wide View enabled. This immediately revealed massive abuse of railway.app (550k+ A records) and zeabur.app (23k+ A records), both classic disposable phishing hosts.

### SPQL Pattern Matching (Web Scanner)

```plaintext
datasource = ["webscan"]
hostname ~= "^([a-z]{2,}\-){1,}[a-z]{1,}\.([a-z]{2,}\.){1,}app$"
hostname ~= ".*(sgp|redeem|voucher|cdc).*"
scan_date > "now-90d"
```

The query surfaced hundreds of dash-heavy .app subdomains with Singapore-themed keywords, which led to the dedicated phishing IP 147.93.107.167 (Hostinger).
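
The two hostname conditions of this query can also be replayed against hostnames you already hold locally, such as resolver or proxy logs. The Python below is an added example, not Silent Push code: it assumes SPQL's `~=` operator behaves like Python's `re.search`, and the function names and sample hostnames are constructed for illustration.

```python
import re

# The two hostname patterns from the SPQL query above, transcribed as-is.
# Assumption: SPQL's ~= operator behaves like Python's re.search here.
SHAPE = re.compile(r"^([a-z]{2,}\-){1,}[a-z]{1,}\.([a-z]{2,}\.){1,}app$")
KEYWORD = re.compile(r".*(sgp|redeem|voucher|cdc).*")


def normalize(hostname):
    """Lowercase and strip the trailing root dot; DNS names are case-insensitive."""
    return hostname.strip().lower().rstrip(".")


def matches_query(hostname):
    """True when a hostname satisfies both hostname conditions of the query."""
    host = normalize(hostname)
    return bool(SHAPE.search(host)) and bool(KEYWORD.search(host))


def triage(hostnames):
    """Return the sorted, de-duplicated hostnames that match both patterns."""
    return sorted({normalize(h) for h in hostnames if matches_query(h)})


# Constructed sample hostnames (not taken from the investigation data).
SAMPLE_HOSTNAMES = [
    "cdc-voucher-redeem.up.railway.app",  # dash-heavy label, keyword, .app
    "SGP-Claim.zeabur.app.",              # same shape, mixed case, root dot
    "my-blog.up.railway.app",             # right shape, no keyword
    "voucher.zeabur.app",                 # keyword, but no dash in first label
    "cdc-voucher.example.com",            # keyword and dash, wrong TLD
    "docs.railway.app",                   # ordinary platform hostname
]

if __name__ == "__main__":
    for host in triage(SAMPLE_HOSTNAMES):
        print(host)
```

Normalizing before matching matters because the pattern only accepts lowercase letters, while log sources often record hostnames in mixed case or with a trailing dot.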

### IP Pivot

Pivoting on the IP revealed two additional hotspots (93.127.172.99 and 69.62.87.208) hosting CDC, UK grants, Indonesian bansos, and UAE job scams. Final count: **688 high-confidence domains**.

### SHV + JARM + JS Fingerprinting

```plaintext
datasource = ["webscan"]
body_analysis.SHV = "3571eca0d0ba045825eb368b1d"
jarm = "2ad2ad16d2ad2ad00042d42d000000df133019600a83abfb096ff3e86cd79d"
body_analysis.js_sha256 = "var phoneinput *"
```

This fingerprint combination instantly clustered **188 domains**. A follow-up Web Resources pivot on the shared `home.css` expanded the cluster across five countries.

### WHOIS Attribution

Registrant email extracted from multiple cluster domains:

- `rindraabi22@gmail.com`

This is a strong indicator for takedown requests and future monitoring.

## Outcomes

- **688 malicious domains** identified and neutralized
- **3 dedicated IPs** flagged and blocked
- Campaign confirmed targeting **Singapore • UK • Indonesia • UAE • others**
- Actor email and full fingerprint dataset for ongoing defense

## Future Recommendations

- Block the exported domain/IP list at the ISP and firewall level
- Monitor `rindraabi22@gmail.com` in registrar abuse queues
- Run the SPQL pattern weekly for emerging government-aid phishing
- Re-run SHV/JARM fingerprints quarterly as kits evolve

*Use Case published November 2025 • Based on real MINDEF collaboration*
