Posted: March 20, 2016 by

Scammers devise a new ploy to trick users into thinking their own ISP is warning them about malware.

Update: 04/08/16

This campaign is still very active with a few more ISPs added to the list, as well as a new warning message:

If left unresolved, you may be subject to PERMANENT ACCOUNT SUSPENSION as well as possible fines for network damage.

Fraudulent domains hosted on: 190.97.163.85


Tech support scammers are investing a lot of effort to attract new victims each day, and despite many takedowns, this remains a highly profitable industry.

We uncovered a new tech support scam campaign pushed via malvertising which cleverly detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate-looking page that urges you to call for immediate assistance.

The scam is quite sophisticated, with professional-looking phishing pages and even custom audio messages for each ISP:

Our system scans have detected malicious spyware on your computer. Your personal photos, credit card information and passwords may be at risk. Contact our certified technicians for immediate assistance

The ISPs targeted in this campaign were mainly American and Canadian:

We called the number and were handled by a tech support company out of India that goes by the name of Credence Incorporation and operates a website at: support-samurai.com.

As always, the technician that took remote control of our machine found many “infected files”, using outrageous (for anyone tech savvy) tricks:



Many people won’t know the difference, but the above command is by no means a way to scan a system for malware. Sadly, this sales pitch will still prove effective, and those crooks will be able to extort several hundred dollars for non-existent computer problems.

At the time of writing this blog, we noticed that all the fraudulent websites had been shut down. They had been registered under a false identity with the following registrant details:

Registrant Name: Elizabeth Gonzalez
Registrant Organization: Sky-IP
Registrant Street: Addison House Plaza, street 57
Registrant City: Panama

As tech support scams are getting more and more clever, people need to raise their guard. We are seeing attacks that go to great lengths to target victims using information collected from the browser (ISP, city, time zone, etc.), which is used to make the scams look more genuine.
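As an added illustration (not code from the original post), the following Python snippet shows how a defender could flag DNS queries that follow this campaign's two ISP-impersonation naming templates (brand-support / brand-techsupport and tech-support-brand under .com) or that resolve to the hosting IP named in the update. The log format, client addresses and the new-brand-support.com hostname are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ISP brands impersonated in the campaign described in this post.
ISP_BRANDS = (
    "att", "bellaliant", "bellcanada", "bt", "charter", "cogeco", "cox",
    "eastlink", "ee", "optimum", "plusnet", "rogers", "rogerscable", "shaw",
    "sky", "talktalk", "telus", "timewarner", "verizon", "virginmedia", "xfinity",
)
# Hosting IP given in the post's 04/08/16 update.
KNOWN_BAD_IP = "190.97.163.85"

# Naming templates seen in the campaign: "<brand>-support.com",
# "<brand>-techsupport.com" and "tech-support-<brand>.com".
BRAND_ALT = "|".join(ISP_BRANDS)
LOOKALIKE_RE = re.compile(
    rf"^(?:(?:{BRAND_ALT})-(?:tech)?support|tech-support-(?:{BRAND_ALT}))\.com$"
)

# Constructed DNS log format: "<timestamp> <client> query <qname> A -> <answer>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) A(?: -> (?P<ip>\S+))?$"
)

@dataclass
class Hit:
    client: str
    qname: str
    reason: str

def classify(qname: str, answer_ip: Optional[str]) -> Optional[str]:
    """Return why a query looks like this campaign, or None if it does not."""
    name = qname.lower().rstrip(".")
    if LOOKALIKE_RE.match(name):
        return "isp-impersonation hostname pattern"
    if answer_ip == KNOWN_BAD_IP:
        return f"resolves to known campaign host {KNOWN_BAD_IP}"
    return None

def scan_log(lines) -> List[Hit]:
    """Scan DNS log lines and return the queries that match either indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and (reason := classify(m["qname"], m["ip"])):
            hits.append(Hit(m["client"], m["qname"], reason))
    return hits
```

A legitimate ISP hostname such as rogers.com is not flagged, while a hostname outside the known list still trips the IP check when it resolves to the campaign's hosting address.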

For additional information on tech support scams, please visit our resource page.

IOCs:

Malvertising:

www.terraclicks.com/watch?key={redacted}

www.adnetworkperformance.com/a/display.php?r={redacted}

cliktrackr.com/321358bte3?zone=1008480&lang=EN&{redacted}

track.trackerpros.com/7a96d6b1-963f-4fb6-9077-5c0693e30554?zone=1008480&lang=EN&{redacted}

Fake webpages involved:


New campaign (03/24):