Scammer’s Number: +1-806-429-0271
Domains Used:
letsstartitagain-3.monster
n2medias.com
Extra Info:
Tech support popup redirects from a pornhub ad which goes to https://n2medias.com/index.php?key2=IlglFH&externalid=biStYQAAAAA9eAAASdP9O5EPN1tfaco7PXgAAD14AAAAAAAAVVNNRC1FbGxpY290dCBDaXR5AAAAAAAAAAAAAAAAAAAAAAAA&c1=0.600&c2=Pornhub&c3=1530335121&c4=1022829601&c5=zkkoswishAds132&c6=1006490441&c7=US&c8=Pornhub%20PC-%20Inplayer&aclid=biStYQAAAAA9eAAASdP9O5EPN1tfaco7PXgAAD14AAAAAAAAVVNNRC1FbGxpY290dCBDaXR5AAAAAAAAAAAAAAAAAAABAAAA and then it redirects to a popup with a url like https://letsstartitagain-3.monster/TJ/TJpool/nimdaUS-TFN1/CH/ but with the ip address and ipkey in the url so that only ip addresses that have reached the popup from the redirect can view it. The redirect redirects datacenter ips to a different website that isn’t the popup and only goes to a popup when visited from a residential ip. The popup and redirect both have their domain from namecheap but it is difficult to get namecheap to take down this popup due to the residential ip address check.
Since the scammers decided to use cloudflare, their ipkey system was broken so I was able to report to namecheap and get the popup taken down but the number may still be active.