- The Initial Finding: A Suspicious DNS Resolution
- What is 'on-forge.com?'
- Keyboard Mashing
- Pulling the Thread with Malicious Subdomains
- Inside the Scam Page with the Trap Mechanisms
- Endpoint Angle
- Vishing Phone Numbers
- The Bridge Between Web and RMM
- Why Laravel Forge? The $12/Month Scam Platform
- The 522 Graveyard
- Sequential Numbering
- Key Findings
- IOCs
- Conclusion
Dissecting a Tech Support Scam Spanning Hundreds of Domains, Built on Laravel Forge, RMM, and More
Our threat research team tracks dozens of active campaigns every week. We monitor phishing trends, credential harvesting operations, and abuse infrastructure patterns across hundreds of managed environments. Much of what we find follows familiar playbooks; some of it is plainly malicious. But every once in a while, a single data point opens a thread that unravels something much bigger. This is one of those threads.
During a routine telemetry sweep across our managed fleet, one query caught our attention. A Windows domain controller at a customer site had resolved the domain name hxxp://ikdnknskfjnsnflsjnfljsdlsjd-uynmyovf.on-forge[.]com: a 36-character random subdomain, resolved by a domain controller.
What followed was a deep dive into a sprawling tech support scam operation that ran dozens of phishing domains, rotated vishing phone numbers, employed five URL evasion variants, and had a confirmed ScreenConnect compromise on a production domain controller. All of it is hosted on Laravel Forge for $12/month.
This is the full technical breakdown. All IOCs, domains, phone numbers, and attack infrastructure are published as found. Customer identifiers and device names have been anonymized.
The Initial Finding: A Suspicious DNS Resolution
We run continuous threat hunts across our SentinelOne Deep Visibility telemetry. One of our standing queries monitors endpoints that resolve subdomains on hosting platforms commonly abused for phishing. The query that triggered this investigation:
| Field | Value |
|---|---|
| Timestamp | 2026-04-XXXXXX |
| Agent | [REDACTED] (Windows Domain Controller) |
| Organization | [REDACTED] (Customer XXX) |
| DNS Request | ikdnknskfjnsnflsjnfljsdlsjd-uynmyovf.on-forge.com |
| Resolved IPs | 104.18.11.251, 104.18.10.251 (Cloudflare) |
A domain controller resolving a random subdomain on a hosting platform. That alone warranted a deeper look. We had seen on-forge.com appear in other campaigns we track, but never from a DC.
What is ‘on-forge.com’?
Our first assumption was C2. The subdomain pattern, 36 random characters, looked like DNS tunneling or C2 beaconing. But on-forge.com is in fact a legitimate service domain owned by Laravel Forge, a popular PHP server management platform.
Every site created on Forge gets a free <name>.on-forge.com subdomain with automatic HTTPS via Cloudflare. The documentation confirms:
“Forge provides every site with a free on-forge.com domain. These vanity domains are automatically available as soon as a site is created and receive free HTTPS encryption.”
So the domain is legitimate infrastructure. But the subdomain, ikdnknskfjnsnflsjnfljsdlsjd-uynmyovf, is not a typical developer staging site. We had already been tracking abuse of Forge subdomains in our campaign database. Time to correlate.
Keyboard Mashing
We pulled every on-forge.com subdomain we could find across our threat feeds and CTI platforms, collected 45 unique malicious subdomains from different campaigns, and ran character frequency analysis across all 845 alphabetic characters:

79.5% of all characters are home row keys (expected random: 38%). The top 5 characters, D(122), J(110), K(106), A(79), F(72), are all home row keys. This is not a random string generator. This is a human resting their hands in a home position and smashing keys.
We have seen this pattern in other campaigns we track. Keyboard mashing is a reliable operator fingerprint. In this case, we classified three mashing styles, possibly indicating multiple operators or multiple keyboard sessions:
| Style | Prevalence | Example |
|---|---|---|
| Home Row Dominant (>65% home) | ~80% | gbukukkaksdjfkasj32axxxxxx |
| Top Row Dominant (>40% top) | ~10% | gityuiuyt66xxxxxxx |
| Bottom Row Dominant (>40% bottom) | ~5% | nbvcxcghjmmnxxxxxxx |
The forensic profile: a single right-handed QWERTY keyboard operator, deploying sites at high velocity without caring about URL aesthetics. This matches operator behavior we have observed in several other tech support scam campaigns across our tracking portfolio.
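The row-dominance test above, as an added example that is not code from the original post: it scores each label by the share of letters on each QWERTY row, applies the table's thresholds, and pools letters across many labels the way the 845-character frequency count was done. The labels used in the test are the ones quoted on this page.

```python
# Added example, not from the original post: reproduce the home-row test by
# scoring which QWERTY key row dominates a subdomain label, using the table's
# thresholds (>65% home, >40% top, >40% bottom).
from collections import Counter

HOME_ROW = set("asdfghjkl")
TOP_ROW = set("qwertyuiop")
BOTTOM_ROW = set("zxcvbnm")

def row_profile(label: str) -> dict:
    """Share of alphabetic characters on each QWERTY row, ignoring digits and hyphens."""
    letters = [c for c in label.lower() if c.isalpha()]
    counts = Counter(letters)
    total = len(letters) or 1

    def share(row):
        return sum(counts[c] for c in row) / total

    return {"home": share(HOME_ROW), "top": share(TOP_ROW),
            "bottom": share(BOTTOM_ROW), "letters": len(letters)}

def classify_mash(label: str) -> str:
    """Map a label to one of the three mashing styles from the table, or to no bias."""
    p = row_profile(label)
    if p["home"] > 0.65:
        return "home-row dominant"
    if p["top"] > 0.40:
        return "top-row dominant"
    if p["bottom"] > 0.40:
        return "bottom-row dominant"
    return "no row bias"

def aggregate(labels) -> dict:
    """Pool letters across many labels: overall home-row share and the five most common letters."""
    counts = Counter()
    for label in labels:
        counts.update(c for c in label.lower() if c.isalpha())
    total = sum(counts.values()) or 1
    home_share = sum(counts[c] for c in HOME_ROW) / total
    return {"total": total, "home_share": home_share, "top5": counts.most_common(5)}
```

Run `aggregate()` over a feed of harvested labels and compare `home_share` against the ~38% expected from uniformly random letters; the gap is the operator fingerprint.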
Pulling the Thread with Malicious Subdomains
We correlated our findings with our internal threat intelligence, open-source feeds, and historical campaign data. The picture expanded dramatically.
What Our Research Revealed
By sweeping DNS records, scanning live pages, and cross-referencing historical phishing data in our tracking databases, we identified unique malicious on-forge.com subdomains across a 30-day campaign window. At least 15 pages were titled “Microsoft Security”, all serving identical scam content from the same template.
The real discovery was the five distinct URL pattern variants, each using a different parameter name for the phone number to evade detection:
| Variant | Phone Param | Path | Evasion Technique |
|---|---|---|---|
| A | ph0ne= | /index.html | Leet zero in “ph0ne” |
| B | Anph= | /w2i4n234rjnkeferf/index.html | Obfuscated “phone” |
| C | bcda= | /whelpxxx/index.html | Alphabetic substitution |
| D | Kuph= | /win01help01/index.html | Another obfuscation |
| E | Anph= | /Wi0nHelpSh0errc0de030/index.html | Leet encoded path |

Each variant uses a different URL structure to defeat pattern matching blocklists. If you block ph0ne=, the attacker switches to Anph=. Block that, they rotate to bcda=. Five variants means five detection rules needed. This level of evasion rotation is something we have been seeing more frequently across the campaigns we track in 2026.
Inside the Scam Page with the Trap Mechanisms
We captured a few live pages, such as hxxp://gbukukkaksdjfkasj32amsfn004.on-forge[.]com, downloading all 15 files (1.1 MB total) before the site could be taken down. Our research team analyzed every file, every line of code, and every resource request. Here is what we found inside.

The Bait: Explicit Content
The page loads bg.png (530 KB), a screenshot of an adult website thumbnail grid. This is the first thing the victim sees. The purpose is pure social engineering: the victim is meant to believe their computer has been infected with malware that is displaying pornography.
The Trap: Fake Microsoft Alert
Overlaid on the explicit content is a fake “Do you want to close this site?” dialog. Both the No and Yes buttons trigger the real trap:

Plus six more traps in the CSS and HTML:
| # | Trap | Effect |
|---|---|---|
| 1 | Fullscreen hijack | Browser goes fullscreen, no URL bar, no tabs, no close button |
| 2 | Keyboard Lock API | Escape key captured, cannot exit fullscreen |
| 3 | Key prevention | ALL keyboard shortcuts blocked (Ctrl+W, Alt+F4, etc.) |
| 4 | Dual audio loop | beep1.mp3 alarm + alert-en.wav voice loop simultaneously |
| 5 | Hidden cursor | cursor: none !important, mouse pointer invisible |
| 6 | beforeunload | Browser “Leave page?” confirmation if navigation attempted |
| 7 | Pulsing animation | Blue warning box scales 110% every 4 seconds, demands attention |
| 8 | Explicit background | Pornographic content creates shame and panic |
| 9 | Tawk.to live chat | Real time scammer communication channel |
Nine traps fire simultaneously. The victim is locked in a fullscreen fake Microsoft Security alert with alarms blaring, no keyboard shortcuts working, no visible mouse cursor, and a phone number displayed in three locations. Across all the campaigns we track, this is one of the most aggressive browser-lock implementations we have documented.
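A static triage pass over a captured page, as an added example that is not code from the original post: it greps the page source for the trap markers listed in the table, plus the TreeWalker phone injection and Tawk.to embed described further down. The sample HTML is constructed to carry those markers and the Tawk property ID in it is a placeholder.

```python
# Added example, not from the original post: static triage of a captured scam page.
# It flags the browser-lock traps from the table above and the TreeWalker phone
# injection and Tawk.to embed described later; the sample HTML is constructed.
import re

# Indicator name -> regex. These are substring patterns, not a JS parse, so treat
# hits as triage signals and confirm by reading the file.
TRAP_INDICATORS = [
    ("fullscreen hijack", r"requestFullscreen\s*\("),
    ("keyboard lock api", r"navigator\.keyboard\.lock\s*\("),
    ("key prevention", r"keydown[\s\S]{0,200}?preventDefault\s*\("),
    ("audio loop", r"<audio\b[^>]*\bloop\b"),
    ("hidden cursor", r"cursor\s*:\s*none\s*!important"),
    ("beforeunload", r"\bbeforeunload\b"),
    ("tawk.to chat", r"embed\.tawk\.to/"),
    ("treewalker phone injection", r"createTreeWalker\s*\([\s\S]{0,400}?0800-088-4932"),
]

def triage_page(html: str) -> dict:
    """Return {indicator: hit_count} for every indicator present in the page source."""
    hits = {}
    for name, pattern in TRAP_INDICATORS:
        count = len(re.findall(pattern, html, flags=re.IGNORECASE))
        if count:
            hits[name] = count
    return hits

def is_browser_locker(hits: dict, threshold: int = 4) -> bool:
    """Four or more co-occurring traps is a strong browser-locker signal."""
    return len(hits) >= threshold

# Constructed fragments mirroring the markers found in the captured page.
SAMPLE_HTML = """<style>body { cursor: none !important; }</style>
<audio src="beep1.mp3" loop autoplay></audio>
<audio src="alert-en.wav" loop autoplay></audio>
<script>
document.addEventListener('keydown', function (e) { e.preventDefault(); });
window.addEventListener('beforeunload', function (e) { e.returnValue = ''; });
/* dialog buttons */ document.documentElement.requestFullscreen();
navigator.keyboard.lock(['Escape']);
var walker = document.createTreeWalker(document.body, NodeFilter.SHOW_TEXT);
var injected = new URLSearchParams(location.search).get('ph0ne');
/* ... replaces '0800-088-4932' in each text node with the injected value ... */
</script>
<script src="https://embed.tawk.to/PLACEHOLDER_PROPERTY_ID/default"></script>"""
```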
Endpoint Angle


The Phone: Dynamic Injection
The phone number is never hardcoded in the deployed template. Instead, index.html contains a TreeWalker function that scans every text node in the DOM and replaces a default number (0800-088-4932) with whatever value is in the ph0ne URL parameter:

One template with unlimited phone numbers. Each phishing email gets a unique URL with a different number and a unique tracking ID. This is operationally elegant: the attacker deploys the template once and generates unlimited campaign URLs without touching the server.
Vishing Phone Numbers
This operation rotates 23 unique vishing numbers across UK freephone (0808/0800) and US toll free (833/844/855/866/877/888) prefixes. The numbers are never hardcoded in the scam page. Instead, they are injected dynamically via URL parameters (ph0ne=, Anph=, bcda=, Kuph=), allowing a single deployed template to serve unlimited numbers.
The largest cluster, 833-926-XXXX (7 numbers), was purchased as a block from one VoIP provider and serves as the primary US call center line. UK numbers use the 0808 prefix, which is free to call from all mobiles and landlines, removing the financial barrier for victims. The attacker also deploys a (0101) obfuscation format that regroups US numbers with an international prefix to defeat phone regex detection. Two geographic numbers (917 NYC, 574 Indiana) break the toll-free pattern, suggesting VoIP assigned local presence targeting. The total phone infrastructure cost is approximately $23 to $115 per month.

The Bridge Between Web and RMM
Here is the critical finding that our research team wants to highlight: the scam page contains zero references to ScreenConnect. No download links, no .exe or .msi URLs, and no hidden iframes. We verified this across all captured files, all HTTP requests observed during page load, and the full DOM capture.
The ScreenConnect installation happens entirely during the phone call. Two delivery methods:
Method A, Verbal: The scam operator dictates a URL: “Go to screenconnect.com and enter code XXXXXX.”
Method B, Tawk.to Chat: The scam page embeds a live chat widget (Tawk.to property 69cd421fb8aa781c3b30ed16). The operator sends the ScreenConnect installer link through the chat. This is why the chat widget is embedded in a page that has no legitimate support function.
By keeping the page free of RMM references, the scam evades automated scanners that look for remote access tool delivery. URL scanners see a phishing page with audio tricks, not a malware dropper. The actual compromise happens on a separate channel.
This is where the investigation shifted from campaign tracking to active incident response. A few days after the managed customer domain controller resolved the scam domain, we ran a targeted hunt on that specific endpoint:

Why Laravel Forge? The $12/Month Scam Platform
Laravel Forge is a legitimate server management tool. But its feature set is almost purpose-built for this attack model:
| Forge Feature | Scam Benefit |
|---|---|
| Custom subdomains | Type any name, keyboard mash accepted, no validation |
| Instant availability | Site live in 30 seconds, zero DNS setup |
| Free HTTPS | Google Trust Services cert via Cloudflare, padlock icon for free |
| Cloudflare CDN | Real IP hidden behind trusted CDN infrastructure |
| Unlimited sites | All plans ($12/month Hobby) allow unlimited sites |
| Git deployment | Same scam template deployed to 96+ subdomains with one git push |
| REST API | Script mass site creation programmatically |
| Easy teardown | Delete flagged site, create replacement in 60 seconds |
The attacker cost: $12/month, plus a disposable email and a prepaid card. For that, they get unlimited scam pages with trusted HTTPS, global CDN, and 60-second rotation capability. We are seeing similar patterns of platform abuse across Vercel, Netlify, and Cloudflare Pages in other campaigns we track.
The 522 Graveyard
We found 27+ subdomains returning an HTTP 522 (Connection Timeout) response. These are “DNS ghosts”. Cloudflare wildcard DNS (*.on-forge.com) continues resolving all subdomains even after the Forge site is deleted. The TLS handshake completes, but the origin is gone.

These ghosts are forensic evidence of previous campaign waves. Each 522 subdomain was once a live scam page. Our team uses these ghosts to reconstruct campaign timelines.
Sequential Numbering
The attacker appends numeric suffixes for campaign tracking:
| Base (mashed) | Variants Seen | Implication |
|---|---|---|
| kasdjfkasjd8uawkjnmzmnvmdsfhj27jajak | 03, 52 | ~49 variants between, most undiscovered |
| asdlifjdsakdsljdafskj32773akjkjfdkjfdjk | 006, 007 | Consecutive deployments |
| gbukukkaksdjfkasj32amsfn | 004 | At least 3 prior variants existed |
The gap between jajak03 and jajak52 suggests at least 49 deployments from that single base string that we have not found. This kind of volume tracking helps us estimate the true scale of campaigns that are only partially visible through any single data source.
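The suffix bookkeeping above, as an added example that is not code from the original post: it splits each label into its mashed base and trailing counter, groups by base, and reports the suffix span, the implied earlier deployments, and whether the seen counters are consecutive. The label list is built from the table above plus the unsuffixed DC hit.

```python
# Added example, not from the original post: split mashed on-forge.com labels into
# a base string and numeric suffix, then use the suffix range seen per base to
# estimate how many deployments from that base have not been recovered.
import re
from collections import defaultdict

# Base must end in a letter; the suffix is the trailing 2 or 3 digit counter.
SUFFIX_RE = re.compile(r"^(?P<base>.*?[a-z])(?P<suffix>\d{2,3})$")

# Labels from the Sequential Numbering table above, plus the unsuffixed DC hit.
CAMPAIGN_LABELS = [
    "kasdjfkasjd8uawkjnmzmnvmdsfhj27jajak03",
    "kasdjfkasjd8uawkjnmzmnvmdsfhj27jajak52",
    "asdlifjdsakdsljdafskj32773akjkjfdkjfdjk006",
    "asdlifjdsakdsljdafskj32773akjkjfdkjfdjk007",
    "gbukukkaksdjfkasj32amsfn004",
    "ikdnknskfjnsnflsjnfljsdlsjd-uynmyovf",
]

def split_label(label: str):
    """Return (base, suffix as int, suffix width) or None when there is no counter."""
    m = SUFFIX_RE.match(label.lower())
    if not m:
        return None
    return m.group("base"), int(m.group("suffix")), len(m.group("suffix"))

def deployment_gaps(labels):
    """Per base: suffixes seen, the span between lowest and highest, and whether
    the seen suffixes form a consecutive run. Assumes counters start at 01."""
    seen = defaultdict(set)
    for label in labels:
        parts = split_label(label)
        if parts:
            seen[parts[0]].add(parts[1])
    report = {}
    for base, nums in seen.items():
        ordered = sorted(nums)
        lo, hi = ordered[0], ordered[-1]
        report[base] = {
            "seen": ordered,
            "suffix_gap": hi - lo,            # 03 and 52 -> 49, as in the table
            "prior_deployments": lo - 1,      # 004 -> at least 3 earlier variants
            "consecutive": len(ordered) > 1 and all(
                b - a == 1 for a, b in zip(ordered, ordered[1:])),
        }
    return report
```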
Key Findings
- 833-926-XXXX is the core call center block. 7 numbers from one VoIP account, highest campaign frequency. This single block is the backbone of the US operation.
- Phone numbers map to URL variants. ph0ne= carries UK+US (oldest variant, both markets). bcda= is US only. Anph= uses (0101) obfuscation exclusively. This indicates a single developer progressively building evasion layers, not multiple independent operators.
- The (0101) obfuscation is sophisticated. It regroups 1-833-926-2512 as (0101)-83392-62512, merging the area code and exchange into a single block with an international prefix. Standard phone regex cannot match this format. It only appears with the Anph= variant, confirming coordinated design.
- Two non-toll-free numbers (917 NYC, 574 Indiana) are outliers. Geographic numbers in a toll-free scam suggest VoIP number pool exhaustion or intentional local targeting.
- The hardcoded 0800-088-4932 is the highest value IOC. It is baked into the HTML template as the default, meaning it works even without the URL parameter. This is the attacker’s persistent “home number.”
- Total phone cost: ~$23 to $115/month. Combined with $12/month for Forge, the entire operation runs under $130/month while potentially generating thousands of dollars per victim through wire transfers and gift card payments.
IOCs
- Domain: on-forge.com and its random sub-domains.
- Phone: Toll-free and Freephone numbers.
- URL Convention: https?://[a-z0-9\-]{5,60}\.on-forge\.com/.+\?(ph0ne|Anph|bcda|Kuph)=
Full IOC list: IOC Package: OnForge – Tech Support Scam Campaign
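The URL convention above, put to work as an added example that is not code from the original post: it matches candidate URLs against the IOC regex, names the parameter variant from the evasion table (Anph is shared by B and E, so the path decides), and normalises the phone value, including the (0101) regrouping described in Key Findings. The test URLs are constructed from labels and numbers quoted on this page.

```python
# Added example, not from the original post: match URLs against the IOC URL
# convention above, name the parameter variant from the evasion table, and
# normalise the phone value, including the (0101) regrouping from Key Findings.
import re
from urllib.parse import parse_qs, urlsplit

# The page's own IOC regex, with capture groups for the subdomain label and parameter.
IOC_URL_RE = re.compile(
    r"^https?://([a-z0-9\-]{5,60})\.on-forge\.com/.+\?(ph0ne|Anph|bcda|Kuph)=")

# (variant, parameter, path prefix or None) from the variant table.
VARIANTS = [("A", "ph0ne", None), ("B", "Anph", "/w2i4n"), ("C", "bcda", None),
            ("D", "Kuph", None), ("E", "Anph", "/Wi0n")]

def identify_variant(param: str, path: str) -> str:
    for name, p, prefix in VARIANTS:
        if p == param and (prefix is None or path.startswith(prefix)):
            return name
    return "unknown"

def normalise_phone(raw: str) -> str:
    """Canonical digit string: NANP numbers become 1NXXNXXXXXX, UK numbers stay as dialled."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0101"):
        digits = digits[4:]    # (0101)-83392-62512 -> 8339262512; the prefix is not part of the number
    if len(digits) == 10:
        digits = "1" + digits  # bare NANP number, add the country code
    return digits

def match_scam_url(url: str):
    """None if the URL does not fit the IOC pattern, else the extracted fields."""
    m = IOC_URL_RE.match(url)
    if not m:
        return None
    label, param = m.group(1), m.group(2)
    parts = urlsplit(url)
    raw = parse_qs(parts.query).get(param, [""])[0]
    phone = normalise_phone(raw)
    return {"subdomain": label, "param": param,
            "variant": identify_variant(param, parts.path),
            "phone_raw": raw, "phone": phone,
            # 833-926-XXXX is the core US call-center block from Key Findings
            "core_block": phone.startswith("1833926")}
```

Feeding proxy or DNS-correlated URL logs through `match_scam_url` gives one detection that survives the parameter rotation, and `core_block` ties a hit back to the call-center block regardless of how the number was formatted.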
Conclusion
Our threat research team tracks dozens of campaigns at any given time. Most follow predictable patterns. This one stood out because it connected three things we were tracking separately: Laravel Forge infrastructure abuse, tech support scam pages with evolving URL evasion, and ScreenConnect deployment from nonstandard relays. The DNS hit from a managed customer domain controller was the thread that tied them together.
The campaign exploits a chain of legitimate services: Laravel Forge for hosting, Cloudflare for CDN and TLS, Tawk[.]to for live chat, and ScreenConnect for remote access. Each is used within its terms of service, but chained together for fraud.
The attacker’s operational cost is minimal: $12/month buys unlimited scam pages with trusted HTTPS and a global CDN. The victim cost is everything: banking credentials, identity, and, in the case we investigated, potentially an entire Active Directory domain.
The strongest defense against this attack chain is not to block individual domains, because the attacker generates new ones every 60 seconds. It is detecting the behavioral pattern: an endpoint resolving a random subdomain on a hosting platform, followed by the installation of an RMM tool from a nonstandard relay. That is the signal in the noise. That is what our team hunts for every day.