ConnectWise scam domains list

ScammerRevolts · December 14, 2022, 7:22pm

Connect Wise Control is one of the worst software that scammers use to take remote access to victim’s computers in the sense that you can only close it through task manager and it always runs on your computer’s startup, there is no way to tell that this software is running other than in task manager. I want to make a list of these domains so we can report them and make victims aware of these horrible sites using this horrible software! If you have any of these domains that look like the image below using this software please reply with them here and I will add them to the list.

The current list, updated on 5/24/23:

https://ntcare247.live/
https://help247.us/
https://ntxdr.top/
https://fcare.cc/
https://medino.life/
https://healthcenter.live/
https://supportcare.pro/
https://247secure.info/
http://support01.us
https://support01.us/
https://support247.help/
https://shelp.cc/
https://assist247.info/
http://ihelps.us
http://passist.us
http://cscare.cc/
https://login08.info/
https://24789.org/
https://phelp.pro/
https://carehelp.live/
https://9001sup.org/
https://sfhelp.online/
https://sfhelpback.xyz/
https://kwbackend.xyz/
https://phelp247.us/
https://tassist.me/
https://ysupport.us/
https://ntcare247.us/
https://asorg.info/
https://win01.top
https://akpd.live/
https://fsupport.cc
https://nsworld.live
https://nsworld.live/
https://vfssupport.live/
https://lphelp.online/
http://gosys.us/
https://carehelp.live/
https://whelp.cc
https://dponline.pro
https://matry.top
https://kwsupport.live/
https://mcare.help/
http://123secure.org/
https://vhelp.info/
https://asorg.info/
https://ghelps.us/
https://control.ctrl10.pw
https://kcare.cc
https://rmpk.info
https://9117.org
https://mkpks.info
https://rhelps.us/
http://jassist.us
https://os123.org
https://sup2.supos123.org/guest.aspx
https://os123.org/
https://rcare.cc/
https://dhelps.us/
https://qcare.cc
https://kpmk.info/
https://vfsupport.live/
https://www.pcsupporthelp.com/
https://shelp.info/
https://pcsupport.life/
https://qassist.us
https://tcare.cc
https://os911.org
https://rmus.pro
https://www.cancelorder.net/

KinCryos · December 14, 2022, 8:32pm

many ConnectWise scam domains are simply load another page in an iframe. this can be discerned by a small blank border around the page. this is often because the scam call centers are running multiple scams and are using different domains to link to the same installation.

in ntcare247.live’s case, it simply loads https://ntxdr.top/guest.aspx

I’ll try to keep on top of what ConnectWise scam domain iframes to where, since those sites are the ones that need to be flagged.

another scam domain mentioned last week is https://fcare.cc which iframes https://medino.life/guest.aspx

another iframe target is https://healthcenter.live/guest.aspx but the reported site from August that iframes that one went down

Cali4niya · December 14, 2022, 10:18pm

https://supportcare.pro/

Not sure if it downloads ConnectWise…but it’s used by a scammer.

Elias_Ross · December 14, 2022, 11:36pm

https://help247.us/ is one site I went to yesterday

ScammerRevolts · December 15, 2022, 6:48am

Just updated the list with these domains being added

Elias_Ross · December 15, 2022, 5:06pm

https://support247.help/

KinCryos · December 15, 2022, 5:19pm

support01.us and help01.us don’t iframe anything (they used to iframe win01.top), but they now impersonate Norton and distribute ScreenConnect (labelled WinDesk) using win01.top as their server

other domains I found are win01.xyz, psupport.cc, and pccarelive.org

Jhawk · December 16, 2022, 8:09pm

Here’s another SR – https://247secure.info/

ScammerRevolts · December 20, 2022, 4:45am

Ok! I have updated the list with the active domains you guys have replied with, ty!

BasecordBaiting · December 20, 2022, 5:17pm

shelp.cc - It’s another one of these links that uses the dreaded ScreenConnect.

Jhawk · December 20, 2022, 5:49pm

@ScammerRevolts Not sure if this one falls into the criteria, but some chode just had me go to this one this morning…

ihelps.us In turn it downloaded support.client.jnlp

KinCryos · December 21, 2022, 5:09pm

ihelps.us iframes https://marian.ink/guest.aspx

BasecordBaiting · December 22, 2022, 4:38pm

cscare.cc - It is another one of these links that uses ScreenConnect.

KinCryos · December 22, 2022, 7:20pm

cscare.cc iframes https://login08.info/guest.aspx

FredFlintstone · December 22, 2022, 8:33pm

passist.us is the last one that came up for me.

animeknight99 · December 23, 2022, 12:22am

It would be nice if Microsoft Windows Defender could remove this. Maybe someone else could code a script where it Automatically removes ConnectWise on Windows

ScammerRevolts · December 25, 2022, 11:16pm

Ok, I have updated the list with the new links, thank you, everyone!

Cali4niya · December 30, 2022, 7:08pm

Another one
Wllbackend.xyz

ScammerRevolts · December 31, 2022, 1:33am

Not getting any response from this domain, are you sure it is typed correctly?

Cali4niya · January 2, 2023, 5:25pm

Yes. It worked when I posted it. Whois shows its registered with Namecheap.