ITInfoCube, Tech Support Scammers

Shitload of phishing sites under the domain </s>supportsphonenumber.com<e>

List of subdomains

</s><i> </i>https://norton.supportsphonenumber.com https://office.supportsphonenumber.com https://webroot.supportsphonenumber.com https://webmail.supportsphonenumber.com https://cpanel.supportsphonenumber.com https://ftp.supportsphonenumber.com<i> </i><e>

Numbers

</s><i> </i>1-844-529-1977 (US/CA) 0808 280 8037 (UK) 1-800-681-750 (AUS)<i> </i><e>

FTP server also running

</s><i> </i>C:\Users\[redacted] » ftp supportsphonenumber.com Connected to supportsphonenumber.com. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 03:29. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity. User (supportsphonenumber.com:(none)):<i> </i><e>

~~I may have also made a script to spam them with fake information~~

[[41],[3,4,41]]

crt.sh | supportsphonenumber.com

A simple search of certificates reveals a fuck-ton more subdomains

</s><i> </i>http://supportsphonenumber.com/ https://avg.supportsphonenumber.com http://www.mcafee.supportsphonenumber.com http://www.norton.supportsphonenumber.com http://www.office.supportsphonenumber.com http://www.trendmicro.supportsphonenumber.com https://webroot.supportsphonenumber.com http://avast.supportsphonenumber.com http://www.avast.supportsphonenumber.com http://www.mcafeecustomersupports.supportsphonenumber.com http://mcafeecustomersupports.supportsphonenumber.com http://www.norton-activate.supportsphonenumber.com cpanel.supportsphonenumber.com cpcalendars.supportsphonenumber.com cpcontacts.supportsphonenumber.com mail.supportsphonenumber.com http://webdisk.supportsphonenumber.com https://webmail.supportsphonenumber.com<i> </i><e>

I also found some differently domains linked to `supportsphonenumber.com`

</s><i> </i>http://norton-activate.com http://mcafeecustomersupports.com https://avg.setupactivatepro.com &lt;- Subdomain of setupactivatepro.com https://webroot.setupactivatepro.com &lt;- Subdomain of setupactivatepro.com<i> </i><e>

With some more enumeration, I formed a list of more subdomains for `setupactivatepro.com`

</s><i> </i>http://setupactivatepro.com/ https://norton.setupactivatepro.com https://trendmicro.setupactivatepro.com https://avg.setupactivatepro.com/ https://mcafee.setupactivatepro.com/ https://webroot.setupactivatepro.com/ https://cpanel.setupactivatepro.com/ https://cpcalendars.setupactivatepro.com/ https://cpcontacts.setupactivatepro.com/ http://mail.setupactivatepro.com/ https://webdisk.setupactivatepro.com/ https://webmail.setupactivatepro.com/<i> </i><e>

Most of the subdomains of `setupactivatepro.com` eventually lead to `supportsphonenumber.com` after you press something like "Start Download" or "Continue".

I did a whois query to try and get any information about the registrant of the domain

</s><i> </i>Name: Neeraj Singh Address: Plot No 768 1st Floor City: Gurgaon State / Province: Haryana Postal Code: 122016 Country: India Phone: +91.8285138670 Email: [email protected]<i> </i><e>

A little bit more enum on the email leads me to `https://website.informer.com/email/[email protected]` and it turns out the lad works at ITinfoCube, `https://www.itinfocube.com/` and `https://www.glassdoor.co.uk/Reviews/ITinfoCube-Reviews-E508601.htm?filter.iso3Language=eng` reviews **claim** that this is a fraudulent company

>

Worst company. Full on cheaters. Scam their clients and employees. They hire people but dont give salary to them for months.

`https://www.facebook.com/ITinfoCube/`

CEO of company is Amarindra Singh

Here are domains linked to the email </s>[email protected]<e>

https://www.seoheights.com/
https://www.webservicesindia.in/

Subdomains of `seoheights.com`

``` cpanel.seoheights.com webdisk.seoheights.com webmail.seoheights.com www.seoheights.com ```

Subdomains of `webservicesindia.in`

</s><i> </i>cpanel.webservicesindia.in mail.webservicesindia.in webdisk.webservicesindia.in www.webservicesindia.in<i> </i><e>

Facebook account of Amarindra Singh: `https://www.facebook.com/amarindra.singh`

Also found a few additional domains, linked to the same address in Haryana, Gurgaon, with a slightly different email address ([email protected]) –

800tollfreenumber.net -- seems like a particularly shifty site, where they host their own couple of numbers as the "official" numbers for a lot of companies. googling the number they give (e.g., for MS Windows Support) provides a few more sites that seem to be hawking the same nonsense (this particular number shows up a lot as "Avast Support".

norton-activate.com -- similar deal. appears to be a site to activate your coverage, but if you google the number they list on the site, you get a ton of additional scam sites for mcafee, norton, avast, office 365, etc. support.

ltr321.com -- looks like the site they probably send victims to when downloading all sorts of remote software. they have links to download teamviewer, splashtop, zoho, logmein, ultraviewer (for windows - gotoassist for mac) and remotepc.

>

@underlink#186854 ltr321.com

![image itoverheadpng.png](https://tlscommunity.com/assets/2021-04-09/14:37:150-itoverheadpng.png)

even more digging:

https://www.customerservice-number.net -- pretty much any "support" you could think of, they have listed on their site, with an 800 number to call.

antivirusactivations.com -- plenty of subdomains for "support" (mcafee, webmail, mail, webdisk, cpanel, norton, trendmicro, webroot, cpcontacts, and avast)

activateyourproductskey.com - also riddled with subdomains (hpdeskjet3630, hpdeskjet4650, hpofficejet4650, hpoffice, trendmicro webroot, webdisk, cpanel, avg, mcafee, microsoftoffice, norton) - same 800 number for all of these sites, and is also found on 800tollfreenumber.net and customerservice-number.net several times.

@underlink#186870 https://www.customerservice-number.net/wp-content/uploads/2018/10/sec-2.jpg ah yes, because HTML is totally a virus…

@Zachinquarantine_#186877 :joy::joy::joy: please provide “support” for “internet”

Here are a list of emails associated with Neeraj Singh


</s><i> </i>[email protected] [email protected] [email protected] [email protected] [email protected] [email protected]<i> </i><e>

Even ✨m o r e ✨ websites owned by Neeraj Singh

</s><i> </i>askanyquery.com cpanel.askanyquery.com cpcalendars.askanyquery.com cpcontacts.askanyquery.com mail.askanyquery.com webdisk.askanyquery.com webmail.askanyquery.com<i> </i><e>

</s><i> </i>emibachao.com &lt;- Looks like a loan scam of sorts cpanel.emibachao.com cpcalendars.emibachao.com cpcontacts.emibachao.com mail.emibachao.com webdisk.emibachao.com webmail.emibachao.com<i> </i><e>

</s><i> </i>http://www.antivirusactivations.com (Subdomains impersonating brands redirect avg.antivirusactivations.com to a subdomain of `supportsphonenumber.com` trendmicro.antivirusactivations.com after pressing something like "Continue", avast.antivirusactivations.com "Setup", you get the idea) mcafee.antivirusactivations.com cpanel.antivirusactivations.com cpcalendars.antivirusactivations.com cpcontacts.antivirusactivations.com mail.antivirusactivations.com webdisk.antivirusactivations.com webmail.antivirusactivations.com<i> </i><e>

People who work at ITInfoCube


</s><i> </i>Niraj Singh https://www.instagram.com/i_nirajsingh/ https://twitter.com/nirajsinghji https://www.facebook.com/neeraj.arnav<i> </i><e>

```
Amarindra Singh (So called CEO and Founder)


Redirecting...
```

</s><i> </i>Shreya Walia (Manager) https://www.facebook.com/shreya.walia.716<i> </i><e>

</s><i> </i>Anshul Tayal https://www.facebook.com/anshul.tayal.5473 Can be seen in https://www.facebook.com/photo/?fbid=10226087107623466 and comments on picture (2nd guy from the left)<i> </i><e>

</s><i> </i>Sharukh Khan (SEO specialist) https://www.facebook.com/ssrk2112<i> </i><e>

```
Vikas Aggarwal


Can be seen in Redirecting... (Bald guy 2nd to the right)

```

Update: </s>https://supportsphonenumber.com/<e> and its subdomains are down, nice.

`http://norton-activate.com` is also down.

`setupactivatepro.com` and other subdomains are still up however, they just redirect to dead websites so ¯\_(ツ)_/¯

However, http://mcafeecustomersupports.com/ is still up, not nice and the company who registered the fraudulent websites, ITInfoCube is still in business.

ITinfoCube IT Services Pvt. Ltd. appears to be a legit web development company, right?? But, when you look closer at their site, you’ll notice they created a site called 800tollfreenumber.net.

![](upload://pFn3jsF0MMpFNwI6FlKjbNZYddz.png)![](upload://pFn3jsF0MMpFNwI6FlKjbNZYddz.png)

Visiting this site brings you to a nice Malwarebytes Browser Guard warning about it being a scam:

![](upload://uFhxgrdQeBYVAXoI4tANUpA0YP9.png)![](upload://uFhxgrdQeBYVAXoI4tANUpA0YP9.png)

Looking closer at any of their listings reveals that they run the average bogus support scam

![](upload://n7eQbIPDmO41zLVPBGvJS06hzTB.jpeg)![](upload://n7eQbIPDmO41zLVPBGvJS06hzTB.jpeg)

Now, their sites and numbers:

847-306-9989

888-993-9240

https://searchkarlo.com/

https://800tollfreenumber.net

https://www.itinfocube.com/

http://customerservicenumber.ca/

![](upload://bTTOpuerbdnSs4DBuOMDg4bXSgE.png)![](upload://bTTOpuerbdnSs4DBuOMDg4bXSgE.png)

Yeah, pretty sure Gurgaon isn't in Texas.

Just a few photos of the people behind the scams:

![](upload://ro9Lg2Hmwcn34P9ZEVrXMzjEIQa.jpeg)![](https://scontent.fyto1-1.fna.fbcdn.net/v/t1.6435-0/c0.26.206.206a/p206x206/125807825_3461670740549399_5928073029384417876_n.jpg?_nc_cat=105&ccb=1-3&_nc_sid=8bfeb9&_nc_ohc=aD7Y5loPYNcAX9WfEs6&_nc_ht=scontent.fyto1-1.fna&tp=27&oh=bf6c941a26351d4952115dddcd6e588d&oe=60C0F3C8)

![](upload://2Z1Mv8vVqHP9bQ2LMy9iKTUUA9x.jpeg)![](https://scontent.fyto1-2.fna.fbcdn.net/v/t1.6435-0/c6.0.206.206a/p206x206/58380545_2137374199645733_4402929334868770816_n.jpg?_nc_cat=109&ccb=1-3&_nc_sid=8bfeb9&_nc_ohc=Pvzi90yVmLUAX9vwm_r&_nc_ht=scontent.fyto1-2.fna&tp=27&oh=f20dc6bb242d8b955d5a675c405c9efc&oe=60C1F3D2)

The two names of people working here I could find are:

Amarinder K Singh and Neeraj Singh.

This is all I have, but y'all are welcome to dig up more!

Their Facebook page with tons of photos is: https://www.facebook.com/pg/ITinfoCube/photos/

Before they delete their Facebook page, here are a few of their photos:

![](upload://bZmPHxxDuNBbAxiF3JccVl3UhGr.png)![](upload://bZmPHxxDuNBbAxiF3JccVl3UhGr.png)

![](upload://9oHsjG0ohPRQlvRH0MrINXG7JMH.png)![](upload://9oHsjG0ohPRQlvRH0MrINXG7JMH.png)

![](upload://tU8mpiDa375zUOlQoAysCVrHZ2C.png)![](upload://tU8mpiDa375zUOlQoAysCVrHZ2C.png)

![](upload://moUXwLtj9W6a4UNo6xizsLa8qqZ.png)![](upload://moUXwLtj9W6a4UNo6xizsLa8qqZ.png)

![](upload://pty0JpcUWmE9AZSDRNoKWHebUES.png)![](upload://pty0JpcUWmE9AZSDRNoKWHebUES.png)

And before they can come along, remove 800tollfreenumber’s link from their site and claim they’re not related, here’s an archived copy of their site: https://web.archive.org/web/20210511143659/https://www.itinfocube.com/, just scroll down to the bottom, and you’ll clearly see the link there.

They also own https://searchkarlo.com/, suppoat for each and everything.

Oh, look, it's owned by Amarinder: https://web.archive.org/web/20210511144556/https://www.whois.com/whois/searchkarlo.com

@Zachinquarantine_#192436

Thank you. They are long time scammers

https://www.glassdoor.com/Reviews/ITinfoCube-Reviews-E508601.htm

ex-employee says "[Fake Organisation](https://www.glassdoor.com/Reviews/Employee-Review-ITinfoCube-RVW38912806.htm)

Dec 1, 2020 - SEO Executive in Gurgaon, Haryana, Haryana"

Someone's dad victimised

…Better tell your dad to not log in on his bank’s website anymore. If the services consisted of calling him and having him install a remote desktop application so they could fix his PC there and then, definitely a scam - wipe the system and reinstall from scratch

Fake …FAKE [Malwarebytes Customer Service Number 1-888-993-9240](https://www.800tollfreenumber.net/malwarebytes-customer-service-number/)

Fake AVAST http://customerservicenumber.ca/avast-customer-service-phone-number/

@Zachinquarantine_#192441

searchkarlo is English Hindi mix Karlo means "do it"

https://bobrtc.tel/phonebook/dial/18889939240

https://www.customerservice-number.net/mozilla-firefox/

Australia 1-800-681-750

UK 0-808-280-8037

i found this on their facebook page Delhi is in a state in India not Texas