CheckPhish Helps Uncover Venezuelan Government's Blatant Attempts to Hack Its Own Citizens

phishing Apr 11, 2020

Bolster has been actively monitoring reports of the Venezuelan government's apparent involvement in hacking its own citizens through phishing. Bolster's product CheckPhish.ai has been a key element in this investigation since the very beginning, when security researcher Jose-Luis Rivas broke the story in a series of tweets. Since then, the story has been picked up by several news outlets, including Espacio Público (Venezuela) and Motherboard (US), which have provided more details.

CheckPhish Traffic Spike

CheckPhish noticed a huge spike in traffic as soon as Jose-Luis Rivas shared his research on Twitter.

While CheckPhish gets visitors from over 150 countries a week, the traffic spike from Venezuela was so large that the country ranked second by number of sessions, as seen in the Google Analytics image below.

CheckPhish Traffic Spike By Country

It all started with the domain gmail[.]web[.]ve, which went live on August 16, 2018. CheckPhish detected it as a phishing site when its creators attempted to register for an SSL certificate. Below are the original screenshot and details of that scan.

Screenshot of gmail[.]web[.]ve on August 16 2018

On Feb 13 2019, Jose-Luis Rivas published tweets with links from CheckPhish showing details of past phishing domains associated with IP address 159.65.65.194.

In this report, for example, from August 16, 2018, you can see that there is even a screenshot showing that they imitate the Gmail website https://t.co/0FZHFvm8sS — Jose-Luis Rivas (@joseluisrivas) February 13, 2019

Associated with this IP address, voluntariovenezuela[.]com was the first phishing domain that security researchers uncovered during the investigation. It targeted the site voluntariosxvenezuela.com, which was set up on February 4, 2019 for international humanitarian donations to Venezuela.
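The two impersonations described above, a brand name used as a host label (gmail[.]web[.]ve) and a near-miss spelling of a real domain (voluntariovenezuela[.]com), can both be flagged with a simple hostname check over newly observed names. This is an added example, not CheckPhish's detection logic; the `PROTECTED` list, the `classify` and `scan` functions and the 15% edit-distance ratio are assumptions.

```python
# Added example: flag hostnames that imitate a protected domain.
# PROTECTED and max_ratio are assumptions chosen for illustration.
PROTECTED = {
    "gmail.com": "gmail",
    "voluntariosxvenezuela.com": "voluntariosxvenezuela",
}

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, max_ratio=0.15):
    """Return (reason, protected_domain) for a likely imitation, else None."""
    # Accept defanged input such as gmail[.]web[.]ve.
    host = hostname.lower().replace("[.]", ".").rstrip(".")
    for domain, brand in PROTECTED.items():
        if host == domain or host.endswith("." + domain):
            continue  # the real domain or one of its own subdomains
        # Short brands get a limit of 0 (exact label match only):
        # "mail" and "email" are each one edit away from "gmail".
        limit = int(len(brand) * max_ratio)
        for label in host.split("."):
            if label == brand:
                return ("brand-label", domain)
            if 0 < edit_distance(label, brand) <= limit:
                return ("near-match", domain)
    return None

def scan(hostnames):
    """Map each flagged hostname to its (reason, protected_domain) finding."""
    return {h: r for h in hostnames if (r := classify(h)) is not None}

# The first two names come from this article; the rest are constructed.
SAMPLE_FEED = [
    "gmail[.]web[.]ve",
    "voluntariovenezuela[.]com",
    "voluntariosxvenezuela.com",
    "mail.example.org",
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_FEED).items():
        print(host, finding)
```

A check like this only nominates candidates for review; a legitimate site can share a label with a brand, so findings need confirmation from page content, WHOIS or hosting data.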

Following these events, CheckPhish identified additional hosts linked to franklopezsystem@gmail.com, the contact email listed in the WHOIS records of all domains in these attacks.

Phishing domains associated with franklopezsystem@gmail.com

This research is ongoing and we'll be publishing more details on this blog post as we gather them.


CheckPhish is a free AI-powered zero-day phishing and counterfeit website detection system. If you come across a suspicious link, we advise you to scan it through checkphish.ai before accessing it.
