The FaintedHeartnessClub Tech Support Scam

OSINT Aug 13, 2019

I was casually browsing Scammer.info the other day, and I stumbled across a post about a fake pop-up pushing the usual round of tech support scams. I did some poking around, and what I found was a vast network of popups enabling the perpetrators to scam their victims on a large scale.

In this article, we publish the phone numbers associated with the call centre running the scam. As we see new fake ads and fresh phone numbers showing up each day, we also publish the IoCs associated with this campaign.

Our goal is to help the Scambaiting and Infosec community identify any future popups and phone numbers belonging to this particular group.

Lack of Attribution

The threat actors behind this campaign are yet to be identified. Until then, we refer to this group as FaintedHeartnessClub, after one of the domain names hosting a fake pop-up.

What connects the popups is that they all claim the computer is infected with a virus and that the victim has to call Apple or Microsoft to fix the non-existent problem.

The Machinery Behind the Popups

The scammers behind the campaign have registered dozens of domain names and phone numbers to ensure their campaign is continuous even if some of them are taken down.

Most of the domain names are registered under the new gTLDs introduced a few years ago, such as .club, .space and .site.

Phone Numbers:

Domain Names:

IP addresses:

File Hashes:

Google Analytics IDs:

Background

The Federal Trade Commission (FTC) reports that people reported $55 million in losses to tech support scams in 2018. These scams usually start with a fake pop-up or an unsolicited phone call claiming that something is wrong with the victim's computer. The goal of the tech support scammers is to convince their victims to establish a remote desktop session with them. During these sessions, they diagnose non-existent computer problems, and each 'fix' costs the victim hundreds of dollars. The FTC says the group most vulnerable to tech support scams is the elderly.

To avoid tech support scams, the FTC recommends:

  • Do not click on any links or call a number that pops up on your screen warning of a computer problem.
  • Hang up on unexpected calls from anyone who claims to be tech support.
  • Never give control of your computer or share passwords with anyone who contacts you.

Pawel Kowalczyk

Scam hunter. Mapping tech support scammers with OSINT. You can be my wingman any time.