Complaint from a customer today about a popup when they were browsing the internet.
** YOUR COMPUTER HAS BEEN BLOCKED **
Error # 268D3
Please call us immediately at: 0-808-238-7541
Do not ignore this critical alert.
If you close this page, your computer access will be disabled to prevent further damage to our network.
Your computer has alerted us that it has been infected with a virus and spyware. The following information is being stolen…
> Credit Card Details
> Email Account Login
> Photos stored on this computer
You must contact us immediately so that our engineers can walk you through the removal process over the phone Please call us within the next 5 minutes to prevent your computer from being disabled.
Toll Free: 0-808-238-7541
A user name and password are being requested by http://theokalam.com. The site says. System Alert!! Your mozilla browser has been blocked to to suspicious behaviour from your IP address. Call microsoft security at 0-808-238-7541
Victims are being asked to call “0-808-238-7541” aka. 08082387541, +448082387541 or “0808 238 7541”
The start of the encoded “script:” in the page that obscures the real URL (a new trick, see here for the first time I saw it) says “winfirewallwarning.in” but isn’t the site currently being used.
This domain is currently showing as registered to..
Registrant Name: Tarun singh shekhawat
Registrant Street: 7/140, malviya nagar
Registrant City: jaipur
Registrant State/Province: Rajasthan
Registrant Postal Code: 302021
Registrant Country: IN
Registrant Phone: +91.8239555541
Registrant Email: firstname.lastname@example.org
The IP address the website is hosted on an IP which also hosts:
– kanikajewellers.com – A site seemingly containing some phishing code.
– radialrust.com – a website and app development company in India.
– techpcsolution.com – Now we are getting somewhere.. a tech support company showing a US address on their website and a US number ((855) 765-6710) but the whois shows an Indian address.
Please read the reply from radialrust here about how they came to be involved in the hosting of the bad pages..
Additionally the same “email@example.com” email address is associated with the following expired domains:
Even further the telephone number “91.856189109” is associated with:
winfirewallwarning.in [22.214.171.124] and also related winfirewallwarning1.in:
I’ve moved information about these scammers to their own page.