ConnectWise scam domains list

Connect Wise Control is one of the worst software that scammers use to take remote access to victim’s computers in the sense that you can only close it through task manager and it always runs on your computer’s startup, there is no way to tell that this software is running other than in task manager. I want to make a list of these domains so we can report them and make victims aware of these horrible sites using this horrible software! If you have any of these domains that look like the image below using this software please reply with them here and I will add them to the list.

Screenshot 2022-12-14 1112351920×1079 125 KB

The current list, updated on 2/7/23:

https://ntcare247.live/
https://help247.us/
https://ntxdr.top/
https://fcare.cc/
https://medino.life/
https://healthcenter.live/
https://supportcare.pro/
https://247secure.info/
http://support01.us
https://support01.us/
https://support247.help/
https://shelp.cc/
https://assist247.info/
http://ihelps.us
http://passist.us
http://cscare.cc/
https://login08.info/
https://24789.org/
https://phelp.pro/
https://carehelp.live/
https://9001sup.org/
https://sfhelp.online/
https://sfhelpback.xyz/
https://kwbackend.xyz/
https://phelp247.us/
https://tassist.me/
https://ysupport.us/
https://ntcare247.us/
https://asorg.info/
https://win01.top

many ConnectWise scam domains are simply load another page in an iframe. this can be discerned by a small blank border around the page. this is often because the scam call centers are running multiple scams and are using different domains to link to the same installation.

in ntcare247.live’s case, it simply loads https://ntxdr.top/guest.aspx

I’ll try to keep on top of what ConnectWise scam domain iframes to where, since those sites are the ones that need to be flagged.

another scam domain mentioned last week is https://fcare.cc which iframes https://medino.life/guest.aspx

another iframe target is https://healthcenter.live/guest.aspx but the reported site from August that iframes that one went down

https://supportcare.pro/

Not sure if it downloads ConnectWise…but it’s used by a scammer.

https://help247.us/ is one site I went to yesterday

Just updated the list with these domains being added

support01.us and help01.us don’t iframe anything (they used to iframe win01.top), but they now impersonate Norton and distribute ScreenConnect (labelled WinDesk) using win01.top as their server

other domains I found are win01.xyz, psupport.cc, and pccarelive.org

Here’s another SR – https://247secure.info/

Ok! I have updated the list with the active domains you guys have replied with, ty!

shelp.cc - It’s another one of these links that uses the dreaded ScreenConnect.

@ScammerRevolts Not sure if this one falls into the criteria, but some chode just had me go to this one this morning…

ihelps.us In turn it downloaded support.client.jnlp

ihelps.us iframes https://marian.ink/guest.aspx

cscare.cc - It is another one of these links that uses ScreenConnect.

cscare.cc iframes https://login08.info/guest.aspx

passist.us is the last one that came up for me.

It would be nice if Microsoft Windows Defender could remove this. Maybe someone else could code a script where it Automatically removes ConnectWise on Windows

Ok, I have updated the list with the new links, thank you, everyone!

Another one
Wllbackend.xyz

Not getting any response from this domain, are you sure it is typed correctly?

Yes. It worked when I posted it. Whois shows its registered with Namecheap.