Fake Tech Support websites

Do you catch "Fake Tech Support" websites as malware, PUPs or "BADware"? I know this description is very vague.
On my reading computer, in the kitchen, I use Norton and it actually catches the signature of these "Fake Tech Support" and blocks them.

On this computer (my workhorse in the dungeon) I use Emsisoft and remember one such attempt where I killed Firefox from the task manager. I seem to remember that clicking the X at the top right did not work. I searched my history and found the incident, which occurred March 6, 2018.

It happened today with my "Norton" laptop, so I immediately checked it out using PhantomJS. It did a screen capture and got the HTML code. It is the same image I remember from my "EMSI" computer: a big ominous red screen made to look like it came from Windows.com.

I'm not sure what to supply you for testing. What else would you need?

I took apart the URLs below:

Here is the Norton warning: This URL now does not produce the same output using Phantomjs as it did above.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacker URL
2018-03-18 12:12:06,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack: Fake Tech Support Website 164,No Action Required,No Action Required,https: // ar2multimedia. com/iops/?c5aae9281817410ftfn1d5aae928181776=(888) 558-3089
Network traffic was detected that matches the signature of a known attack.  The attack was resulted from C:\Program Files (x86)\Mozilla Firefox\firefox.exe.

Previous to this blocked attack I see in my history: https: // getmediajobs. org/?pageid=15aae8fbc74559

On this PC from my history of March 6, 2018 I see: https: // avalon-webdesign. com/dsp/?gidvdata=15a9eed1b61543
which then went to: https: // 254ads. com/iops/?c5a9eed9b711720ftfn1d5a9eed9b711a8=(866)%20203-9964

I know it always comes from reading Yahoo News and on March 6, 2018 I was reading: https: // ca.style.yahoo. com/video/lucy-hale-shares-her-firsts-170000090.html


OK, I just read that it was not only a Yahoo problem. Google was hit last Thursday the 16th by the same type of attack.

search ZDNET for: Yet again, Google tricked into serving scam Amazon ads

Same difference for us Emsisoft users.

Edited by bobbonomo: more info


We do block tech support scams; however, we do not use heuristic detection to do this as some other products do. The reason for this difference is that doing so would require us to actively filter/check all your browser activity. Not only is this a breach of your online privacy, it also brings security risks with it, which is why we opted not to do this.

While I completely understand how annoying/scary such fake tech support scams can be, they are harmless to your computer; the worst that can happen is that you have to close the browser via the task manager (you can also do it via Emsisoft's Protection/Behavior Blocker tab).

I will check the data you provided and will add any undetected tech support scams to our database.


2 weeks later...

Since then I have not seen this on the computer which has Emsisoft on it.

But on my "reading" PC with Norton it has, and they did not catch it, so I put entries in my hosts file to disable the domain name which is the cause.

...and for me this usually happens when I read news from the Yahoo portal and now I have disabled js on that portal. Too bad for their ads. They need to get their spit together.

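A defensive companion to the Norton IPS log quoted earlier in the thread and the hosts-file workaround mentioned above, added here as an example and not code from any poster or from Emsisoft or Norton: it parses the IPS CSV export (the column names are the ones in the quoted log), undoes the spacing used to defang the URLs, pulls out the scam domain and the "call us" number carried in the query string, and emits hosts-file lines that sinkhole each domain. The sample CSV is constructed from the URLs quoted in this thread plus one invented, unrelated alert to show the filtering.

```python
"""Turn a Norton IPS alert CSV export into hosts-file block entries."""
import csv
import io
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the header and alert line quoted in the thread, plus one
# row built from the stfebwehgbewhew.info URL posted later and one unrelated
# alert (name invented) to show that only fake-tech-support rows are kept.
SAMPLE_CSV = """\
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacker URL
2018-03-18 12:12:06,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack: Fake Tech Support Website 164,No Action Required,No Action Required,https: // ar2multimedia. com/iops/?c5aae9281817410ftfn1d5aae928181776=(888) 558-3089
2018-05-04 09:00:00,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack: Fake Tech Support Website 164,No Action Required,No Action Required,https: // stfebwehgbewhew.info  /90t/?c5aeb99095434e0ftfn1d5aeb99095438a=(866)%20465-8113
2018-05-04 09:05:00,Low,Some other event.,Blocked,No Action Required,Constructed Unrelated Alert,No Action Required,No Action Required,https://example.invalid/x
"""

# US-style number as it appears in the scam page's query string.
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s-]*\d{3}-\d{4}")

def refang(url):
    """Undo the 'https: // host. com /path' spacing forum posts use to defang URLs."""
    return re.sub(r"\s*(://|[./])\s*", r"\1", url)

def parse_alerts(csv_text):
    """Return (alert name, attacker host, phone number or None) for each
    fake-tech-support alert in a Norton IPS CSV export."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "Fake Tech Support" not in row["IPS Alert Name"]:
            continue
        parts = urlsplit(refang(row["Attacker URL"]))
        phone = None
        # The "call us" number is the value of the single query parameter.
        for _, value in parse_qsl(parts.query):
            match = PHONE_RE.search(value)
            if match:
                phone = match.group(0)
        alerts.append((row["IPS Alert Name"], parts.hostname, phone))
    return alerts

def hosts_entries(csv_text):
    """Sorted, de-duplicated hosts-file lines that sinkhole each scam host."""
    hosts = {host for _, host, _ in parse_alerts(csv_text) if host}
    return [f"0.0.0.0 {host}" for host in sorted(hosts)]

if __name__ == "__main__":
    print("\n".join(hosts_entries(SAMPLE_CSV)))
```

Note that this only blocks the landing domain; the thread shows each incident arriving through a chain of ad and redirect hosts, so the hosts file needs to be refreshed from new alerts rather than treated as a one-off fix.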

3 weeks later...

The Norton one. The fingerprint must have been different.

Emsisoft did miss a coin miner, but I reported it in my coin miner thread; it was caught by Norton, so I went to my other computer with Emsi to test, just to see. I always have a CPU meter on, so I would notice a spike from a new coin miner.

Neither of these are dangerous so I don't worry much.


2 weeks later...


Here is a fake tech support which comes through: a red screen and audio (both Emsi and Norton).

https: // stfebwehgbewhew.info  /90t/?c5aeb99095434e0ftfn1d5aeb99095438a=(866)%20465-8113

It started as https: // stfebwehgbewhew.info /90t/?a=10012592&campid=46

from an ad from: adjustable .global. ssl. fastly. net

I have the screenshots and all.
