Web of Tech Support Scam Domains

This is just a quick brain dump.

TL;DR: at least 2,102 tech support scam (TSS) domains.

Initial domain I came across: hXXp://ghryuiefdao{.}tk/?number=888-348-1742&bluer=1

TSS

2018-07-18 UPDATE:
Total Server Solutions has terminated service.
New host is Virtual Machine Solutions.

;; ANSWER SECTION:
ghryuiefdao{.}tk.		56	IN	A	107.174.221.209

https://whois.ext.cftools.net/get/107.174.221.209 --> Virtual Machine Solutions (virmach{.}com)

2018-07-07 UPDATE:
Leaseweb has terminated service.
New host is Total Server Solutions

;; ANSWER SECTION:
ghryuiefdao{.}tk.		60	IN	A	107.181.160.18

https://whois.ext.cftools.net/get/107.181.160.18 --> Total Server Solutions (totalserversolutions{.}com)

OLD HOST before 2018-07-07:

;; ANSWER SECTION:
ghryuiefdao{.}tk.		36	IN	A	172.241.166.101

https://whois.ext.cftools.net/get/172.241.166.101 --> Leaseweb

https://my.farsightsecurity.com/dnsdbui/ --> pivot off 172.241.166.101

Returned 3167 RRsets

List of domains (courtesy of Farsight's DNSdb):
Suspect Domains

Downloaded the DNSdb results as a JSON file. Removed obvious subdomains such as "www" to remove most of the duplicates. --> sed -i '' '/www/d' domains.json

ccTLD/TLD breakdown:

2,075 tk
172 com
22 bid
3 review
2 win
1 webcam
1 stream

Check if all these domains also trigger the same scareware page -- specifically find and output the phone # the scareware message references.

for i in $(cat domains.json | jq -r .rrname); do echo $i; curl -s "http://$i/?number=888-348-1742&bluer=1" | grep "text_short" | awk -F ":" '{print $3}'; done > out.txt

Here's the output file: output

This check will generate 3 lines per domain in this format:

alsayerkw{.}webcam.
888-348-1742 (Toll Free)";
##blank line here##

Get the line numbers: cat out.txt | wc -l and then divide by 3. It's not perfect obviously, but 2,102.6 domains out of the original 3,167 from the DNSdb file.

Random observation: The i.php file seems to be returning the current time.

curl -s "hXXp://ghryuiefdao{.}tk/i.php"
1530680348
curl -s "hXXp://ghryuiefdao{.}tk/i.php"
1530680350
curl -s "hXXp://ghryuiefdao{.}tk/i.php"
1530680351
curl -s "hXXp://ghryuiefdao{.}tk/i.php"
1530680352
curl -s "hXXp://ghryuiefdao{.}tk/i.php"
1530680353

Off to Leaseweb to get the origin server burned down, and then to Freenom to burn down the domains.