ConnectWise scam domains list

one to add to the list https://cyhelp.top

2 Likes

Looks like I have been behind on these for a bit, added:


Some are down, but seeing as these domains pop up and go down all the time, I have still added them all in.

1 Like

PayPal refund rvthelp.live

2 Likes

From https://pthelp.top/ - link to
https://g3699.jadonparod.cyou:8443/guest

http://ptrcare.live/ - branded as Microsoft, seems to time out quite a lot

2 Likes

https://pghelp.top/
Fake PayPal using this site today

1 Like

Added:


3 Likes

https://nfhelp.top/ https://kwhelp.top/

2 Likes

https://zhelp.top/ https://qhelp.top/

2 Likes

https://ms.help1.top/
Fake pop-up scammers using this site today.

2 Likes

add to your list pthelp.top

1 Like

https://pcnet121.org/ links to
https://sup2.pcn121.ru:9449/Services/PageService.ashx/GetLiveData

2 Likes

https://wvhelp.org/
Fake McAfee scammers today

2 Likes

Added:


2 Likes

https://vghelp.top/ ConnectWise

As seen on Bull’s stream:

https://ppl.help1.top/

1 Like

Another from Bull’s

https://ayghelp.live/

1 Like

As seen on Funguy’s stream:

http://ufshelp.live/

1 Like

I reported https://ayghelp.live/ to Cloudflare; they use CF as a proxy to block/mitigate request flooding. CF may (or may not) take the site down, but it’s worth reporting anyway: https://abuse.cloudflare.com/phishing

If you examine the HTTP response headers you’ll see that cloudflare/cf is in the response.

nel
	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
report-to
	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GEqoqHkuMFC7ZN5PfcBON182hcOCLC0uFPf3XYzIPJAV1qx4lV9DsDHKHC54W6p88B6oVUgtSMGDDzWKxgrFFBQJNty3UVMp7tOSngU3F6%2Fwd3l1pJs%2F4wBHtCldfxc%3D"}],"group":"cf-nel","max_age":604800}
2 Likes

A lot of *.top domains for some reason:

https://bqhelp.top/
https://m.rqhelp.top
https://pjhelp.top/
https://phelp.top/

ConnectWise backend URLs:


1 Like

https://vshelp.top https://lamolatori.cyou:8443/Services/PageService.ashx/GetLiveData or https://molatoriup.cyou:8443/Services/PageService.ashx/GetLiveData

https://mlhelp.top https://molatoriline.icu:8443/Services/PageService.ashx/GetLiveData