Web InfoTech, LLC/WeConnect Soft Solutions Pvt Ltd/Garage2Global Ventures Pvt Ltd

We need a real life MacGyver to go in and take out all of these call centers.

1 Like

This is not a Web InfoTech number, it’s an e-Global Soft Solutions number.

1 Like

So now, there is a new domain involved:

The ww0.us links redirect to a directory on activation-support-tax-download.c0.world. Today, no matter what browser user agent I declare, that site redirects to a Google search page for the subdirectory term (e.g. “/uhc/”). But it looks like urlscan gets served the dummy info page, not a redirect to Google search but not a phishing payload either.

1 Like

866-217-2243 is advertised again on the fake TurboTax error page today. A rare number recycling by this gang that seems to have an unlimited supply of toll-free numbers.

1 Like

In addition to spamming sites.google.com, these scammers also regularly create spam repositories on GitHub, e.g. GitHub - installturbotaxwithlicense-code/installturbotaxwithlicense-code.github.io: TurboTax software is a tax preparation tool that helps you prepare your taxes online. Turbotax software keeps getting updated to attract more users and avoid any hacking or malware functions. / https://installturbotaxwithlicense-code.github.io/

2 Likes

The same error page with the same toll-free number is produced on the new domain,

when using a Chrome/Android browser user-agent.

1 Like

It looks like the fake TurboTax site, https://myefiling.online/ , isn’t checking browser user-agent at the moment. So you can go right there, enter some bogus info and get their latest toll-free scam number.

1 Like

A new payload page and phone number for this scam!

setup your activate.uhc.com (only displays the phishing content if you navigate to it through the bait website using a normie consumer browser user-agent)

855-730-0290 new toll-free number! Say hi to Sam and Zakk. Zakk’s favorite color is black, but he refused to do one thing and be in front of his computer for me.

1 Like

[1866-217-2243]

1 Like

Gotta send Luigi over there too

1 Like

They are picking up and I told them we are sending Luigi out of the bars to convert his sentence into taking out their call center

1 Like

I found another sub-directory on their new site, complete with a new toll-free number.

error page https://w.wvvw.site/sling.com/contact-service.php

855-784-2136


And here’s another subdirectory. I suspect there are dozens, if not hundreds.

Error page and toll-free number: https://w.wvvw.site/lowes.syf.com/contact-service.php

855-386-4357

The “request a call from support” thing works on both sites. But be warned, they call from spoofed numbers.


Update: found another one! Feeder page https://amazonprimevideofreetrial.github.io/ links to Amazon MyTV Guide - Activate Prime Video at www.amazon.com/mytv via the trusty old ww0.us redirector site.

Which leads to the phishing form https://w.wvvw.site/amazon.com/log-in.php

and then of course the “error” page https://w.wvvw.site/amazon.com/contact-service.php

toll free number 855-730-0932.

Reverse image search for this odd “DG” logo reveals a few other feeder pages. Some of them are inactive and link to the legitimate website, instead of a phishing/scam imitator.

https://turbotax2024.hashnode.dev/install-turbotax-with-license-code-2024
(This one reveals a new fake TurboTax redirect domain, again registered with VEBONIX/APPCRONIX: https://tx.platdir.com/ )
https://installturbotax2020.com/

New fake TurboTax number at https://ts.activatetax.pro/Installation-Error-Contact-Support.php?MjAyNS0wNS0wNCAyMDowNjo1Nw== : 855-730-0274.

That you, Mihir?

1 Like

A new toll-free fake United Healthcare number today, on the same site: 855-316-5067.

New number today: 855-378-6176.

So as I have noted, most of these phishing sites follow a standard pattern – if they are accessed from a non-targeted referrer, user-agent or possibly IP address (?) they display a “dummy” page which looks like some “A.I.”-generated slop pretending to be a sort of Wikipedia-ish description of the topic.

Today, on the dummy site for the fake Lowe’s credit card linked above, I noticed some URLs that looked like html-typos, seemingly accidentally left in the pile of blithering verbiage.

Some of them are to the official Lowe’s site. But others link to “feeder pages” for this group’s SEO-spamming campaigns:

These feeder sites link via a redirect through ww0.us to a new (to me) phishing domain, which I suspect has all the various subdirectories/campaigns of the other phishing domains I’ve discovered for this organization:

error page at https://pin.us2.my/lowes.syf.com/contact-service.php with the same phone number as before,

Confirmed. https://capitalonecomactivate.godaddysites.com/ links to Capital One Card Guide - Activate at capitalone.com/activate via Capital One Card Guide - Activate at capitalone.com/activate (the argument aHR0cHM6Ly9jYXBpdGFsb25lY29tYWN0aXZhdGUuZ29kYWRkeXNpdGVzLmNvbS8= is just the referring URL in base64.)

ww0.us really needs to be shut down. Update: here’s another domain that does the same redirecting trick as ww0.us: fm.ci

Seen in the wild here: https://capitalonecomactivate.github.io/

1 Like
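
A triage helper for the URL patterns reported in this thread, added here as an example and not written by any poster: it pulls the imitated brand and page role out of the path and decodes base64 query arguments such as the referrer argument quoted above. The `redirector.example` host, the `r` parameter name and all function names are assumptions.

```python
import base64
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Page roles as the thread describes them for this kit's file names.
ROLES = {"log-in.php": "phishing form", "contact-service.php": "error page"}

def decode_b64(token):
    """Return the printable text a base64 token decodes to, else None."""
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", token):
        return None
    std = token.rstrip("=").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # covers invalid base64 and non-UTF-8 bytes
        return None
    return text if text.isprintable() else None

def classify(text):
    if re.match(r"https?://", text):
        return "url"
    try:
        datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return "text"
    return "timestamp"

def triage(url):
    """Summarise a sighting: host, imitated brand, page role, decoded args."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    # A hostname-shaped first path segment names the imitated brand.
    brand = segs[0] if len(segs) > 1 and re.fullmatch(r"[\w-]+(\.[\w-]+)+", segs[0]) else None
    decoded = []
    for piece in map(unquote, filter(None, parts.query.split("&"))):
        # Try the bare query string first, then the value of key=value.
        texts = [t for t in map(decode_b64, (piece, piece.partition("=")[2])) if t]
        decoded += [(classify(t), t) for t in texts[:1]]
    role = ROLES.get(segs[-1], "unknown") if segs else "unknown"
    return {"host": parts.hostname, "brand": brand, "role": role, "decoded": decoded}

# Three URLs quoted in the thread, then a constructed redirector URL (placeholder
# host and parameter name) carrying the base64 argument quoted in the thread.
SAMPLES = [
    "https://w.wvvw.site/amazon.com/log-in.php",
    "https://pin.us2.my/lowes.syf.com/contact-service.php",
    "https://ts.activatetax.pro/Installation-Error-Contact-Support.php?MjAyNS0wNS0wNCAyMDowNjo1Nw==",
    "https://redirector.example/?r=aHR0cHM6Ly9jYXBpdGFsb25lY29tYWN0aXZhdGUuZ29kYWRkeXNpdGVzLmNvbS8=",
]
```

Run over `SAMPLES`, the bare query string on the fake TurboTax error page decodes to a timestamp, and the redirector argument decodes to the feeder page's own URL.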

They’ve switched numbers again, today it’s a rare recycled toll-free number

1 Like