Another customer, another support caller scammer.. this time:
Did the standard connect, show them the event viewer with the “scary errors”, showed them the services list with lots of stopped services “scary!” and then a netstat showing “hackers connecting to their computer”.
OneSupport.me whos informatio is hidden by GoDaddy’s privacy service but the NameServers it references, NS2.PAGENIE.COM and NS2.PAGENIE.COM, seem to relate to a domain that was once used for Image Editing outsourcing work (twinned with tech support type businesses). The domain is also protected by the same GoDaddy whois privacy service. The two domains are also hosted on the same IP.
220.127.116.11 (“162-144-126-128.unifiedlayer.com”). This is also where the two nameserver hostnames point to.
paGenie once gave their contact details as +1 800 935 0798 / 18009350798 and did not list a postal address.
Their e-mail domain, thetechhelpline.co.uk, gives away more information.
Synthesis Business Park,Action Area-II
Registrant contact details validated by registrar on 10-Dec-2014
Namesco Limited [Tag = NAMESCO]
Registered on: 26-Oct-2013
Expiry date: 26-Oct-2016
Last updated: 10-Dec-2014
Their website doesn’t mention an address but they give their contact phone number as the one they also gave to my customer over the phone and the “Connect to Technician” link takes you to the above mentioned onesupport.me domain.
thetechhelpline.co.uk website also leaks another domain – resqnow.com also registered at GoDaddy and using the paginie nameservers but without whois privacy applied:
Registrant Name: Ty Freeborn
Registrant Organization: Multimedia Enterprises
Registrant Street: 177 Broken Putter Way
Registrant City: Las Vegas
Registrant State/Province: NV
Registrant Postal Code: 89148
Registrant Country: United States
Registrant Phone: +1.7024493025
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: email@example.com
thetechhelpline.co.uk is hosted at 18.104.22.168 (no reverse dns) at HostGator. This same IP also has the following domains pointing to it.. most look very suspicious:
Lists a phone number of 1 800 878 2302 / 18008782302 and says the website is “under construction”.
askpcwizards.com – Just an under construction notice
Lists a phone number of 1 800 935 0714 / 18009350714 and no postal address. Uses LogMeIn Rescue to connect to victim computers.
myexpertfinance.com – Directory listing / No pages.
onlinepcsecure.com – Just an under construction notice
Lists a phone number of 1800 878 2302 / 18008782302, Uses LogMeIn Rescue to connect to victim computers, and a postal address…
Address : 9350 S. Cimarron Rd. #4104
City : Las Vegas
State : NV
Zip : 89178
pcgeniepro.com – Gives their phone number as 1 800 935 0798, same as the now-offline paGinie.com site used to. Doesn’t list a postal address. Does try to give you a PC cleanup program.
pcspeedy.com – Lists their phone number as 1 855 264 9273 / 18552649273 and doesn’t list a postal address. The Chat function takes you to a thetechhelpline.co.uk branded chat window.
resqnow.com – Lists their phone number as 1 844 567 7342 / 18445677342 and not postal address. See above for whois information.
supportsapiens.com – Almost a copy and paste version of the resqnow.com site, lists their phone number as 1 844 287 3437 / 18442873437, no postal address, uses a GoToAssist subscription branded as thetechhelpline.co.uk.
wizardrealty.in – An unrelated website or a “client’s” website? Real Estate company in Kolkata, India. Most of the site is holding text. Lists a phone number of +919230015140
http://www.qualitymaintenanceservices.co.uk – An unrelated website or a “client’s” website? A cleaning company in Coventry in the UK. The domain is registered under the name “Kamaljit Kaila” and points to the same HostGator account as the above domains.