Software-piracy902-info.bid

The Software-piracy902-info[.]bid domain is blacklisted by most AV engines and Web filtering services because it is used to deliver misleading information to users and lead them to call a toll-free phone line such as 877-224-2895. The phone line on the Software-piracy902-info[.]bid messages have been added to the Microsoft’s technical support blacklist since November 2017. The Software-piracy902-info[.]bid domain is registered to the 104.27.136.144 IP address, and it is used to promote bogus technical support services. The Software-piracy902-info[.]bid phishing messages can be found on query-issued333-info[.]bid and digital-disk945-info[.]win, which correspond to the 104.27.129.94 and the 104.27.174.145 IP addresses. The following portals are blocked by Web browser vendors and AV engines:

h[tt]p://query-issued333-info[.]bid/actv-call-now-1-877-224-2895/
h[tt]p://software-piracy902-info[.]bid/AT-1-877-224-2895/
h[tt]ps://digital-disk945-info[.]win/AD-Tollfree-1-877-224-2895/

The Software-piracy902-info[.]bid notifications may list various phone lines among which are 202-956-4003, 877-224-2895 and 202-866-7291. These phone numbers are not managed by legitimate Microsoft Corp. employees despite what you might be suggested. Portals like query-issued333-info[.]bid, software-piracy902-info[.]bid, and digital-disk945-info[.]win are tailored to look like the Google Safebrowsing alerts, which are meant to protect users. Unfortunately, con artists are using modified screenshots of the Google Safebrowsing alerts, pop-up windows, and dialog boxes to offer the following notifications:

• Example 1:
  ‘https://software-piracy902-info.bid is requesting your username and password. The site says:
  Protected Page: Enter your Network username and password wrong
  password closed internet connection and ban your ISP
  call on @ 1-877-224-2895 (Toll Free)’
• Example 2:
  ‘***Do not ignore this alert***
  Please call us immediately at 1-877-224-2895 (Toll-free)
  If you close this page, your PC access will be disabled to prevent further damage to our network.
  Your PC has alerted us that it has been infected with a virus and spyware.
  The following information is being stolen…
  Facebook Login
  Credit Card Detail
  Microsoft Account Login
  Photos stored on this PC.
  You must contact us immediately so that our engineers can walk you through
  the removal process over the phone.
  Please call Microsoft within the next 5 minutes to prevent your PC from being disabled.’

It is recommended to report phishing pages and questionable content that you might find on the Internet. The information displayed on the pop-ups and dialog boxes associated with query-issued333-info[.]bid, software-piracy902-info[.]bid and digital-disk945-info[.]win should not be trusted. Use the Task Manager to force your Internet client to close it if you are unable to switch tabs, pen bookmarks and close the fake security warnings. Cybersecurity products might block connections to the 104.27.129.94, the 104.27.136.144 and the 104.27.174.145 IP addresses, as well as show the following detection names on your screen:

• JS:Trojan.Cryxos.1121 (B)
• Js.Troj.Cryxos!c
• Suspicious_GEN.F47V1110
• TrojWare.JS.FakeAlert.HG
• Trojan.FakeAlert!8.56B
• Win32/Trojan.0d9
• malware (ai score=83)