Frustrating attempt to report ScreenConnect remote servers

Just wanted to share my miserable attempt to report the remote servers they host their cracked SC versions on.

The idea was:

  • find the host of the remote server
  • report abuse (describing why it’s illegal to host this, template below)
  • cross fingers they react/shut it down (so they’d need to create new ones)

I picked four examples from “Taking out ConnectWise sites” where @SouthernCulture_x and @everra always supply new CW sites (thanks for that!), downloaded the support.client.exe and used my “CW python script” to extract the remote servers.
So far so good; after that it went downhill:

  1. dnet124.org ==> remote server: https://sup2.dmxz124.ru/
  • Whois: Initially showed Cloudflare, which was wrong; by using a URL query I found the IP and host.
  • IP / ASN / Host: 185.66.89.123 / #30860 Virtual Systems LLC.
  • Challenges: I reported to Virtual Systems LLC directly ([email protected]), but the report has to be in both Ukrainian and English and, according to their abuse handling policy, include personal information (of course that’s none of their business, so I didn’t); doubtful they even react.
  2. ighelp.top ==> remote server: https://samolatori.cyou/
  • Whois: Whois information led to Cloudflare, and it was reported through Cloudflare’s abuse process.
  • Challenges: Cloudflare might only be the proxy and MIGHT pass it on to the real host, but you never get any feedback from them (so I would basically need to check if it still works over and over again).
  3. oxbgt-4s.top ==> remote server: http://oxbgt-4s.top/
  • Whois: Hosted on IP 37.221.64.118, registered with AlexHost.
  • Challenges: AlexHost does not accept abuse reports from individuals and would consider them as spam [WHAT THE FU**]. I made up some Bulgarian phone/address, which is mandatory; doubt they even wake up.
  4. ptbhelp.top ==> remote server: https://ptbhelp.top/
  • Whois: Hosted on IP 194.59.30.146, registered with Virtuo Networks (AS399486).
  • Challenges: Virtuo Networks made it impossible to submit an abuse report: mails were rejected as spam (I would laugh if it weren’t so serious), and the online form was non-functional as well.

Had to share my frustration, and if the mods think I give too much info to the scummers here, please delete it.
cheers
dubloox3

Template for reporting to the host:

Subject: Abuse Report – Hosting of Cracked ScreenConnect for Scam Operations

Dear [HOST] Abuse Team,

I am reporting a website utilizing your hosting services that is actively distributing a cracked version of ScreenConnect (ConnectWise Control), which is being used in refund scams to defraud victims.

Remote server hosting illicit files: [REMOTE SERVER HERE]
Related phishing/scam domain: XXXX.top
IP / ASN: 12345 / AS 12345 [HOST]

Description of the Scam:
This server is part of a larger refund scam operation. Victims receive fake invoices impersonating well-known companies such as PayPal, Microsoft, and Norton and are tricked into calling a scam call center. The scammers then guide victims to download a cracked version of ScreenConnect from the remote server above, allowing persistent unauthorized access to their computers for financial fraud and identity theft.

Evidence of Cracked ScreenConnect Installation:
The following files are hosted on the remote server and are known to be components of an unauthorized and modified ScreenConnect version:

/Bin/ScreenConnect.WindowsBackstageShell.exe  
/Bin/ScreenConnect.Windows.dll  
/Bin/ScreenConnect.WindowsClient.exe  
/Bin/ScreenConnect.Client.application  
/Bin/ScreenConnect.WindowsFileManager.exe  

This manipulated software allows scammers to conceal remote access from victims, ensuring they remain unaware of the ongoing intrusion.

Request for Action:
Since [HOST] provides hosting for this domain, I kindly request that you take immediate action to:

Investigate and suspend the domain [REMOTE SERVER HERE] to prevent further distribution of the malicious software.
Terminate any associated accounts involved in this fraudulent activity.
Please confirm receipt of this report and inform me of any actions taken. If additional information is required, feel free to contact me.

Thank you for your prompt attention to this matter.

Best regards
1 Like
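As an added example that is not part of the original post: a small Python checker for re-testing a reported download server after filing abuse (the "check if it still works over and over again" chore above). It uses the file paths from the report template; the function names and the injectable `resolve`/`probe` hooks are assumptions so the logic can be exercised offline with constructed results.

```python
import socket
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# File paths the report template lists as parts of the modified client (from the post).
CLIENT_PATHS = [
    "/Bin/ScreenConnect.WindowsBackstageShell.exe",
    "/Bin/ScreenConnect.Windows.dll",
    "/Bin/ScreenConnect.WindowsClient.exe",
    "/Bin/ScreenConnect.Client.application",
    "/Bin/ScreenConnect.WindowsFileManager.exe",
]

def resolve_host(host):
    """Current A record for the host, or None once it no longer resolves."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def probe_http(url):
    """HTTP status of a HEAD request, or None if the server is unreachable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as e:
        return e.code
    except (URLError, OSError):
        return None

def check_server(base_url, previous_ip=None, resolve=resolve_host, probe=probe_http):
    """Report whether the server still serves the client files and whether it moved IP."""
    host = urlsplit(base_url).hostname
    ip = resolve(host)
    # Only probe paths while the name still resolves; a dead name counts as taken down.
    live = [p for p in CLIENT_PATHS if ip and probe(base_url.rstrip("/") + p) == 200]
    return {
        "host": host,
        "ip": ip,
        # A "takedown" that only moved the site to another IP shows up here.
        "moved": previous_ip is not None and ip is not None and ip != previous_ip,
        "live_paths": live,
        "still_up": bool(live),
    }
```

Run it again after each report with the previously recorded IP, so a site that merely moved hosts is flagged and can be reported to the new host.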

Yup, welcome to my world :stuck_out_tongue:

I’ve yet to ever have Alexhost take down one, and Cloudflare would as soon stick their head in the sand and pretend their hands are clean. When Cloudflare DOES take one down - they often just move it to another IP.

In Alexhost’s case - I believe they are fully aware of what they are doing. Cloudflare I think is just too big to give a damn, not their monkey, not their circus.

I’ve sometimes had more luck going straight to the registrar - depending on who that is.

3 Likes

Thanks a lot :nerd_face:

Now that you mention the registrar: for other sites I report (fake banks, investment crap) I usually ignore the registrar and just report to the host (as in that case, if the registrar bans, they just buy another domain and link it to the host again).

They usually don’t give a flying-eff, but IF they did react: would that maybe break the download/installation of the additional CW files?

abcd/Bin/ScreenConnect.WindowsBackstageShell.exe

if so, I could at least give it a try :thinking:

1 Like

Getting the download site gone does more damage than the frontend they send victims to.

I don’t know if it puts an end to that one, but it does slow them down for a while.

I’ve had some luck (I think) reporting ConnectWise sites as phishing sites to Microsoft and Google:

https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

They often show up as “suspicious” at least the day after or so. Which seems a bit too late, but it makes them at least spend time and $ registering a new domain.

Flooding ConnectWise sites works really well, but if they are proxied by CF it makes it impossible to flood more than 30 minutes or so with their bot blocking cookies. Sometimes they simply will ban your IP address. Having a VPN helps. Flooding isn’t a lot of traffic.

Microsoft (and Apple) (and Google) simply need to make remote access software very difficult to install. And remote access software on someone’s phone is a nightmare scenario as more and more people use devices for authentication.

1 Like

Google will mark them as unsafe.

Then the cockroaches just pass that off as a ‘security check’ and instruct the victim to click through it. Cloudflare will also sometimes put up that same warning - these need to be DOWN.

Granted, every roadblock is a good one, even going down they’ll set up another, but it slows them a bit and costs them money.

1 Like