BobRTC Direct Dial: https://bobrtc.live/phonebook/dial/18446878585
Just did a quick bait and this is what they did with me:
- scammer sent me to hxxps://www.support909.org (appears to be loading slowly right now) which automatically dloads alpmix.exe which is a remote access tool.
- once they connect they go to hxxps://www.support909.com (appears to also be loading slowly right now) and this automatically dloads teamviewer v11 which is an older version which allows then to block your keyboard/mouse input.
- they go to www.securemform.com/microsoft/refund-form/56 which is their fake refund form.
@AussieScamBuster#100279 Reported their sites to Google
http://www.support909.org
opens from an iFrame:
http://mysoft01.com/Soft/Soft1/Alpemix.exe
http://www.support909.com
opens from an iFrame:
http://mysoft01.com/Soft/Soft1/TeamViewer_Setup.exe
[quote]
Domain Name: mysoft01.com
Registry Domain ID: 2232867864_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.ascio.com
Registrar URL: http://www.ascio.com
Updated Date: 2019-01-28T01:36:22Z
Creation Date: 2018-02-27T00:00:00Z
Registrar Registration Expiration Date: 2020-02-27T00:03:57Z
Registrar: Ascio Technologies, Inc
Registrar IANA ID: 106
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +44.2070159370
Domain Status: OK https://icann.org/epp#ok
http://mysoft01.com is a fake dummy site to host the download files.
[quote]
Domain Name: SUPPORT909.COM
Registry Domain ID: 2196423037_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2018-12-04T15:45:18
Creation Date: 2017-12-06T15:57:52
Registrar Registration Expiration Date: 2019-12-06T15:57:52
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Reseller: Hover
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID:
Registrant Name: Contact Privacy Inc. Customer 0150064891
Registrant Organization: Contact Privacy Inc. Customer 0150064891
Registrant Street: 96 Mowat Ave
Registrant City: Toronto
Registrant State/Province: ON
Registrant Postal Code: M6K 3M1
Registrant Country: CA
Registrant Phone: +1.4165385457
[quote]
Domain Name: SUPPORT909.ORG
Registry Domain ID: D402200000004433814-LROR
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://www.tucows.com
Updated Date: 2018-12-04T15:45:22Z
Creation Date: 2017-12-06T15:58:04Z
Registry Expiry Date: 2019-12-06T15:58:04Z
Registrar Registration Expiration Date:
Registrar: Tucows Inc.
Registrar IANA ID: 69
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.4165350123
I have been having lots of fun with this refund number. Sometime I call and get someones full voice mail. But other times I get the fake refund department. I started to play race car sounds when my computer is on. They don’t like that. Here are some recordings:
https://phone.firertc.com/calls/5d33444e6865637edd380000/recording
https://phone.firertc.com/calls/5d33437d6865632b56080000/recording
Also noticed this IP: 203.163.246.241 as they were connecting with Alpemix.exe
Would this be the scammers IP or the Alpemix server?
203.163.244.0 - 203.163.247.255 is an IPv4 range owned by Hathway IP Over Cable Internet and located in India ip detail India (IN) , (Kolkata , West Bengal )
Hathway.net is hosted in India Most likely the scammers IP
alpemix is located in Istanbul, Turkey and the only time the app connects to the servers is to update it to latest version. IP Address: 77.92.134.180
Its a peer to peer app.
active but hard to get through
Indiates “NO LONGER IN SERVICE”
Number no longer in service.
Can we somehow mark disconnected numbers on BobRTC?
@MKHNT#100290 *)% or so of the refund scammers are in Kolkata, India. Rest in Mumbai and Noida. Almost all Kolkata refund scammers operate in 4-8 Meyerbeer group in one room. Also I noticed that different refund scammer groups are either related to each other or are close friends.
Dead