Webroot Activation Scam

DemonKing · Octobre 3, 2025, 9:16

Scam Number:+1(805) 600-2139
Scammer’s Website or Email: Webroot SecureAnywhere Antivirus – Ewing Tech Inc
Additional information about this scam: Activation Scam with fake error, Clicking on activation or renewal takes you to a fake form when you fill you information you get a fake error then they call you take remote and try to charge you for fixing the issue generated by them.

SouthernCulture_x · Octobre 3, 2025, 9:52

Got a callback from, 805-702-2699 aka Eddie from Delhi.

"ip": "122.161.69.130",
    "security": {
        "vpn": false,
        "proxy": false,
        "tor": false,
        "relay": false
    },
    "location": {
        "city": "New Delhi",
        "region": "National Capital Territory of Delhi",
        "country": "India",
        "continent": "Asia",
        "region_code": "DL",
        "country_code": "IN",
        "continent_code": "AS",
        "latitude": "28.6327",
        "longitude": "77.2198",
        "time_zone": "Asia/Kolkata",
        "locale_code": "en",
        "metro_code": "",
        "is_in_european_union": false
    },
    "network": {
        "network": "122.161.0.0/16",
        "autonomous_system_number": "AS24560",
        "autonomous_system_organization": "Bharti Airtel Ltd., Telemedia Services"
    }

OfclyGoodenough · Octobre 3, 2025, 10:09

Carrier: Onvoy
Call Center Location: India
Answers as: “Suppoat”
Technician: “Sandy”
Callback Number: (805) 702-2699 (Onvoy), ‪(806) 696-7051‬ (Onvoy)
Remote Access Software: UltraViewer (ID: 117703718/SANDY, 117703125/CYRUS, 100905084/SAM-PATRICK, 116907694/WIN-U1T08L8FTU) or TeamViewer

{A4E05E61-D1C1-45C3-A144-96C98694FF21}

{2A9E28A1-B560-493F-A935-3FF62B53D18C}

{97421EE0-AA6E-412A-9E67-9CEE9293F7C8}

{CF31A77E-B933-4137-9E5B-07ECFFCA7945}

Once remotely connected to my virtual machine, “Sandy” attempted to download a fake Webroot extension and blamed it on my web browser getting infected.

“Sandy” then downloaded a .bat file designed to open the command prompt for a “Select Microsoft Scan,” and opened the System Configuration tool to falsely claim my firewall was deactivated by the “csrss.exe trojan”

{C4072EAF-0BF7-4D7C-80BF-672300E4D9D3}1150×865 65.4 KB
I was then asked to purchase an “individual validation certificate” with a Google form, then leave my virtual machine as it is and wait for a callback after “Sandy” ran the “sfc/scannow” command in the command prompt, viewed my browser history and went back to the fake Webroot activation page.
“Sandy” then attempted to log into my burner email account, but he was so stupid, he attempted to log into Microsoft Outlook instead of mail.com, had some of his co-workers remotely connect to my virtual machine and called me back to try and get me to log into my burner email.

{4B12FED3-CD1E-4AA1-A01E-C2EFBDED6026}441×438 12.4 KB
Since I refused to log into my baiter email account, “Sandy” wanted to create a new account for me before hanging up, pinging google.com, installing Adblock Plus and attempting to view my IP address with the “ipconfig” command (which I intercept by alt+f4ing it).
“Cyrus,” a co-worker who claimed to work from the billing team, said I provided the wrong card information and wanted me to correct it over the phone, but refused to “suppoat” after I told him the bank would freeze my account unless I provided the details on a “secure web form.”

DemonKing · Octobre 3, 2025, 10:38

Same thing, tried to charge me 699.99

DemonKing · Octobre 3, 2025, 11:30

I figured out these people are running ads on Google, I made a complaint to Google, but nobody seems to care about this. Is there no way to stop these people from running the ads and stopping from scamming others?

SouthernCulture_x · Octobre 4, 2025, 12:49

Another callback number for aka Jasmine. 628-268-3934, still active today.

DemonKing · Octobre 4, 2025, 1:27

I think Google is intentionally allowing them to run fake ads. Because I made a complaint and they are still running today. Did anyone find a way to stop them?

SouthernCulture_x · Octobre 4, 2025, 2:32

People are working on this atm. Hope to get it shut down today at some point.

drwat · Octobre 4, 2025, 2:38

Connaught Place, heart of New Delhi

DemonKing · Octobre 4, 2025, 4:07

same people with a different site.

DemonKing · Octobre 8, 2025, 5:08

Find two more, Is anybody doing anything about these?

DemonKing · Octobre 8, 2025, 5:08

copy of this site which i reported earlier

SouthernCulture_x · Octobre 8, 2025, 6:59

It’s very hard, they come up with slight variations as with ConnectWise sites.

The fool I had on my VM just now is from Kota India. the number I called is (855) 685-7003. It sounds like a very busy call center, we need people calling these scammers!

"ip": "103.158.140.87",
    "security": {
        "vpn": false,
        "proxy": false,
        "tor": false,
        "relay": false
    },
    "location": {
        "city": "Kota",
        "region": "Rajasthan",
        "country": "India",
        "continent": "Asia",
        "region_code": "RJ",
        "country_code": "IN",
        "continent_code": "AS",
        "latitude": "25.1843",
        "longitude": "75.8353",
        "time_zone": "Asia/Kolkata",
        "locale_code": "en",
        "metro_code": "",
        "is_in_european_union": false
    },
    "network": {
        "network": "103.158.140.0/23",
        "autonomous_system_number": "AS138277",
        "autonomous_system_organization": "Radinet Info Solutions Private Limited"
    }

DemonKing · Octobre 11, 2025, 7:55

After so many complaints to google or hosting provider nothing has been done, What a waste

ElmerFudde2020 · Mai 19, 2026, 8:48

Just got a call today from “Webroot” at the same number.

Update, another call from Jasmine at Webroot at the above number, who says that I am her customer.