Interesting url

Lookee what I found :slight_smile:

https://support.247techies.com/files/

also, a login page at https://support.247techies.com/login

These scammers have made their own tools, versions of teamviewer, etc., which make it easier for them, and harder for us.

Well, it doesn’t matter, since if they do do it I would pull up a fake bank, so I’ll just waste their time, or I’ll be like, “Where is it? Is this a virus? This is my work PC,” etc. So not the end of the world.

I promise you, if I knew how to take down these types of web pages so easily, I joyfully would. In the meantime I’m gonna look at it for a while, learn, plan, take recon, and try my best to end this.

24/7 techies is a real tech support company. Not a very good one but still legit. https://www.microsoft.com/en-us/solution-providers/partnerdetails/247-techies-private-limited_490f6e88-0318-47a2-96f0-608fd9aa168e/df5e7a54-5b8a-412c-b587-13ac0c7baa33
I also checked the certificate, and it is also legit.

Anybody can “Partner” with Microsoft; scammers do it all the time. These guys are scammers, and unless they do a full 3rd-party audit to verify, I will always see them as the scum that they are.

Wait, what!!! They really don’t look legit to me.

You might be able to get the login info from one of the scammer’s computers, either in their files or through a RAT (much harder). Once you’re in, it’s game over.

What I’ve discovered is that the login page is for the (legit) remote access tool that they are using (Bomgar, made by BeyondTrust, which is legit). If you want to experiment yourself, you can create a free trial, where you can log in at trial.bomgar.com/login, which is identical to the scammer’s login. So I’m assuming that when you buy the software for your company, you can make a page on your own website or something for the login portal. The remote control is done in a web browser, unless you download the client software. In the trial, the username is your email address, but I think that non-trial users get their own isolated login database, so hopefully they use easy-to-guess usernames rather than emails. I’m thinking maybe their support name is actually their username, because when you connect to the trial, it shows that [email protected] wants to connect, unless there is a way to change your display name.

Since this was a free trial for me, I was warned about connecting to an untrusted user, but the scammers aren’t using the trial, so there is no warning. Also, when the scammers do it, there is no confirmation that the user wants to use the command shell, file browser, or screen sharing, unlike when I tested.

One way to foil them would be to take ownership of cmd.exe in your system32 folder and then rename it to cmd2.exe. Then they can’t use the command shell in the remote software, which I think they do to check for virtual machines, etc.

Maybe we could report to Bomgar/BeyondTrust that scammers are using their software, and maybe they could cancel their service.