–I’ve since come across these people again in August 2015!—
While investigating a “Whats App” phishing campaign going around today I came across the following site:
It lists the phone number as (0800)-051-3311 (or in other formatting 08000513311 or +448000513311) provided by Vodafone Ltd (C&W).
When called at 10pm UK time I was greeted with a handy message with the company name, and then a very helpful offshore “emergency support” call center who clarified the company name.
Which means the number being advertised in the scam advert is for…
I do not know if they are the people running the scam advert with their phone number. It is either their own scam advert or they have an affiliate scheme which encourages such fraudulent practices.
Given that the easytechy site lists a different number (0800 016 3909 – allocated to BT) I presume the fraudulent advert number is an affiliate’s number that generates them commission when someone signs up to have their computer “fixed”.
The domain, pc-errors-500.com, is hosted on 18.104.22.168 “n8250h134.sprintdatacenter.net”.
This IP also reports as host.myerror-online1a.com. The host doesn’t resolve but the domain does exist and is registered, once again, using a privacy service. The nameservers (ns1.pc-errors-500.com and ns2.pc-errors-500.com) resolve (22.214.171.124) but don’t respond to DNS requests. The pc-errors-500 domain has been registered since 11th May and the myerror domain since the end of April so this is a fairly new scam.
The 126.96.36.199 and 188.8.131.52, 184.108.40.206, 220.127.116.11 and other nearby IPs appear to be on the same physical computer.
inetnum: 18.104.22.168 – 22.214.171.124
descr: “Sprint” S.A.
The pc-errors-500 domain leaks a fake address of “email@example.com” but does allow a reverse lookup of other potentially spammy / scammy domains that the same operation is running or has run in the past:
-myerrors-notice5a.com (http://techfix-alerted.com/Alert2a-Warning-PC-Problems-UK/ has the same scam page)
-myerrors-noticehere1.com (http://myerrors-noticehere1.com/Alert2a-Warning-PC-Problems-UK/ has the same scam page)
-news-5onlineweb.com (doesn’t really fit the bill.. the domain is registered by someone in china yet points to the ns1.myerror-online1a.com nameserver)
-myerror-online10b.com (Nameservers in the 126.96.36.199 range)
The IP ranges announcing as the host.myerror-online1a.com server are:
Which used domains similar to:
The first time the phishing link is clicked it gives you a screen saying that your sign in has expired and asks you for your email password.. (stealing your credentials).
If you then re-visit the site.. the first time you get sent to a page that looks like youtube and plays a video. Any further visits give you some acacia berry spam / marketing site.
The phishing domain, scdsmail.com, is registered with a whois privacy service. The site is hosted on IP 188.8.131.52..
Net Range 184.108.40.206 – 220.127.116.11
Parent GLOBAL-FRAG-SERVERS (NET-104-148-0-0-1)
However somehow while investigating the above domain I got forwarded to the fake virus warning page.