
Technical Breakdown: The On-Forge Scam Syndicate

In April 2026, our threat research team identified a sprawling tech support scam network. What started as a single suspicious DNS resolution on a Domain Controller unraveled a masterclass in low-cost, high-velocity infrastructure abuse.

1. The “Home Row” Fingerprint

Subdomains were generated by human keyboard mashing rather than by a domain-generation algorithm. Based on character frequency analysis, we categorized three distinct operator styles:

| Operator Style | Metric | Example |
|---|---|---|
| Home Row Dominant | >65% keys: A S D F J K L | gbukukkaksdjfkasj… |
| Top Row Dominant | >40% keys: Q W E R T Y | gityuiuyt66… |
| Bottom Row Dominant | >40% keys: Z X C V B N | nbvcxcghjmmn… |

2. Infrastructure Economics

The attackers utilized Laravel Forge to manage their scam sites. For just $12/month, they secured:

  • Trusted HTTPS certificates via Cloudflare.
  • Instant subdomain availability with zero reputation checks.
  • Automated Git deployments to push templates to 96+ sites in seconds.

3. The Browser Lock “Trap Matrix”

“The victim is locked in a fullscreen fake Microsoft alert with alarms blaring, no keyboard shortcuts working, and a hidden mouse cursor.”

The scam pages leverage multiple evasion parameters (ph0ne=, Anph=, bcda=) and browser-level APIs to prevent the victim from closing the tab, inducing panic through adult-content backgrounds and audio loops.

4. The RMM Hand-off

Crucially, the scam pages contain zero malware. The compromise occurs during a phone call or Tawk.to chat session, where the operator tricks the victim into installing remote access tools like ScreenConnect.

5. Key Findings & IOCs

Domains: *.on-forge.com (Randomized strings)
Default Phone: 0800-088-4932
Parameters: ?ph0ne=, ?Anph=, ?bcda=, ?Kuph=
Infrastructure: Laravel Forge, Cloudflare CDN, Tawk.to

Conclusion

The strongest defense is behavioral. Monitor for internal servers resolving random hosting subdomains followed by the deployment of RMM tools from unauthorized relays. The tech is legitimate; the intent is fraud.
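As an added example (not part of the original write-up), the keyboard-row classification from section 1 applied to *.on-forge.com lookups pulled out of constructed DNS log lines, in the spirit of the behavioral monitoring recommended above. The key groups and thresholds are exactly those in the table; the log line format, the sample hostnames and the evaluation order (home row checked first) are assumptions.

```python
from collections import Counter

# Key groups and thresholds exactly as given in the "Home Row Fingerprint" table.
ROWS = {"home-row": (set("asdfjkl"), 0.65),
        "top-row": (set("qwerty"), 0.40),
        "bottom-row": (set("zxcvbn"), 0.40)}
SCAM_APEX = "on-forge.com"  # hosting apex named in the IOC list

def row_fractions(label):
    # Share of the label's letters (digits ignored) that fall in each key group.
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return {name: 0.0 for name in ROWS}
    counts = Counter(letters)
    return {name: sum(counts[c] for c in keys) / len(letters)
            for name, (keys, _) in ROWS.items()}

def operator_style(label):
    # First group whose threshold is exceeded wins; home row first is an assumption.
    fractions = row_fractions(label)
    for name, (_, threshold) in ROWS.items():
        if fractions[name] > threshold:
            return name
    return "unclassified"

def flag_resolutions(log_lines):
    # Assumed line format: '<timestamp> <client> <qname>'; keeps only *.on-forge.com.
    suffix, hits = "." + SCAM_APEX, []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        hits.append({"ts": parts[0], "client": parts[1], "qname": qname,
                     "style": operator_style(qname[:-len(suffix)])})
    return hits

# Constructed sample lines, not real telemetry; the last one is a benign control.
SAMPLE_LOG = [
    "2026-04-12T09:14:03Z DC01 asdfjkalskdjfhsj.on-forge.com",
    "2026-04-12T09:14:05Z DC01 qwertyqwyteruio.on-forge.com",
    "2026-04-12T09:16:40Z WS17 zxcvbnmzxcvnbm.on-forge.com",
    "2026-04-12T09:17:02Z WS17 intranet.example.com",
]

if __name__ == "__main__":
    for hit in flag_resolutions(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} [{hit['style']}]")
```

A lookup of the scam apex from a server that should never browse the web is the signal; the style label only helps cluster hits by operator afterwards.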

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
