Web InfoTech, LLC/WeConnect Soft Solutions Pvt Ltd/Garage2Global Ventures Pvt Ltd

We need a real life MacGyver to go in and take out all of these call centers.

1 like

This is not a Web InfoTech number, it’s an e-Global Soft Solutions number.

1 like

So now, there is a new domain involved:

The ww0.us links redirect to a directory on activation-support-tax-download.c0.world . Today no matter what browser user agent I declare, that site redirects to a Google search page for the subdirectory term (e.g. “/uhc/”). But it looks like urlscan gets served the dummy info page, not a redirect to Google search but not a phishing payload either.

1 like

866-217-2243 is advertised again on the fake TurboTax error page today. A rare number recycling by this gang that seems to have an unlimited supply of toll-free numbers.

1 like

In addition to spamming sites.google.com, these scammers also regularly create spam repositories on GitHub, e.g. GitHub - installturbotaxwithlicense-code/installturbotaxwithlicense-code.github.io: TurboTax software is a tax preparation tool that helps you prepare your taxes online. Turbotax software keeps getting updated to attract more users and avoid any hacking or malware functions. / https://installturbotaxwithlicense-code.github.io/

2 likes

The same error page with the same toll-free number is produced on the new domain, when using a Chrome/Android browser user-agent.

1 like

It looks like the fake TurboTax site, https://myefiling.online/ , isn’t checking browser user-agent at the moment. So you can go right there, enter some bogus info and get their latest toll-free scam number.

1 like

A new payload page and phone number for this scam!

setup your activate.uhc.com (only displays the phishing content if you navigate to it through the bait website using a normie consumer browser user-agent)

855-730-0290 new toll-free number! Say hi to Sam and Zakk. Zakk’s favorite color is black, but he refused to do one thing and be in front of his computer for me.

1 like

[1866-217-2243]

1 like

Gotta send Luigi over there too

1 like

They are picking up and I told them we are sending Luigi out of the bars to convert his sentence into taking out their call center

1 like

I found another sub-directory on their new site, complete with a new toll-free number.

error page https://w.wvvw.site/sling.com/contact-service.php

855-784-2136


And here’s another subdirectory. I suspect there are dozens, if not hundreds.

Error page and toll-free number: https://w.wvvw.site/lowes.syf.com/contact-service.php

855-386-4357

The “request a call from support” thing works on both sites. But be warned, they call from spoofed numbers.


Update: found another one! Feeder page https://amazonprimevideofreetrial.github.io/ links to Amazon MyTV Guide - Activate Prime Video at www.amazon.com/mytv via the trusty old ww0.us redirector site.

Which leads to the phishing form https://w.wvvw.site/amazon.com/log-in.php

and then of course the “error” page https://w.wvvw.site/amazon.com/contact-service.php

toll free number 855-730-0932.

Reverse image search for this odd “DG” logo reveals a few other feeder pages. Some of them are inactive and link to the legitimate website, instead of a phishing/scam imitator.

https://turbotax2024.hashnode.dev/install-turbotax-with-license-code-2024
(This one reveals a new fake TurboTax redirect domain, again registered with VEBONIX/APPCRONIX: https://tx.platdir.com/ )
https://installturbotax2020.com/

New fake TurboTax number at https://ts.activatetax.pro/Installation-Error-Contact-Support.php?MjAyNS0wNS0wNCAyMDowNjo1Nw== : 855-730-0274.

That you, Mihir?

1 like

A new toll-free fake United Healthcare number today, on the same site: 855-316-5067.

New number today: 855-378-6176.

So as I have noted, most of these phishing sites follow a standard pattern – if they are accessed from a non-targeted referrer, user-agent or possibly IP address (?) they display a “dummy” page which looks like some “A.I.”-generated slop pretending to be a sort of wikipedia-ish description of the topic.

Today, on the dummy site for the fake Lowe’s credit card linked above, I noticed some URLs that looked like html-typos, seemingly accidentally left in the pile of blithering verbiage.

Some of them are to the official Lowe’s site. But others link to “feeder pages” for this group’s SEO-spamming campaigns:

These feeder sites link via a redirect through ww0.us to a new (to me) phishing domain, which I suspect has all the various subdirectories/campaigns of the other phishing domains I’ve discovered for this organization:

error page at https://pin.us2.my/lowes.syf.com/contact-service.php with the same phone number as before.

Confirmed. https://capitalonecomactivate.godaddysites.com/ links to Capital One Card Guide - Activate at capitalone.com/activate via Capital One Card Guide - Activate at capitalone.com/activate (the argument aHR0cHM6Ly9jYXBpdGFsb25lY29tYWN0aXZhdGUuZ29kYWRkeXNpdGVzLmNvbS8= is just the referring URL in base64.)

ww0.us really needs to be shut down. Update: here’s another domain that does the same redirecting trick as ww0.us: fm.ci

Seen in the wild here: https://capitalonecomactivate.github.io/

1 like
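Added example, not written by any poster in this thread: a triage helper that pulls base64 tokens out of a URL's query string and labels what they decode to. It covers both cases seen above, the referring-URL argument and the bare query string on the ts.activatetax.pro error page (which decodes to a date-time string). The redirector host `redirector.example` and the `ref` key are placeholders, since the thread does not show the full redirect URL.

```python
import base64
import binascii
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")

# URL quoted in the thread (bare base64 query string).
PAGE_URL = ("https://ts.activatetax.pro/Installation-Error-Contact-Support.php"
            "?MjAyNS0wNS0wNCAyMDowNjo1Nw==")
# Constructed: placeholder host and hypothetical "ref" key; token is from the thread.
SAMPLE_REDIRECT = ("https://redirector.example/go?ref="
                   "aHR0cHM6Ly9jYXBpdGFsb25lY29tYWN0aXZhdGUuZ29kYWRkeXNpdGVzLmNvbS8=")

def b64_text(token):
    """Return printable UTF-8 text if token is valid base64, else None."""
    if not B64_RE.match(token):
        return None
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)  # restore padding stripped by some encoders
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def classify(text):
    """Label decoded text as a referrer URL, a timestamp, or other."""
    try:
        parts = urlsplit(text)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "referrer-url"
        datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
        return "timestamp"
    except ValueError:
        return "other"

def decode_query_tokens(url):
    """Return (token, decoded, kind) for each base64 token in the query string."""
    found = []
    for part in urlsplit(url).query.split("&"):
        part = unquote(part)
        # Try the bare parameter first, then the value of a key=value pair.
        for token in (part, part.partition("=")[2]):
            text = b64_text(token)
            if text is not None:
                found.append((token, text, classify(text)))
                break
    return found
```

Run over proxy or urlscan result URLs, the `referrer-url` hits point back to feeder pages that may not have been catalogued yet.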

They’ve switched numbers again, today it’s a rare recycled toll-free number

1 like