bobbonomo Posted March 18, 2018 (edited)

Do you catch "Fake Tech Support" websites as malware, PUPs or "badware"? I know this description is very vague. On my reading computer, in the kitchen, I use Norton and it actually catches the signature of these "Fake Tech Support" sites and blocks them. On this computer (my workhorse in the dungeon) I use Emsisoft and remember one such attempt where I killed Firefox from the Task Manager. I seem to remember clicking the X at the top right did not work. I searched my history and found the incident, which occurred March 6, 2018.

It happened today with my "Norton" laptop, so I immediately checked it out using PhantomJS. It did a screen capture and got the HTML code. It is the same image I remember from my "Emsi" computer: a big ominous red screen made to look like it came from Windows.com.

I am not sure what to supply you for testing. What else would you need? I took apart the URLs below.

Here is the Norton warning:
This URL now does not produce the same output using PhantomJS as it did above.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacker URL
2018-03-18 12:12:06,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack: Fake Tech Support Website 164,No Action Required,No Action Required,https: // ar2multimedia. com/iops/?c5aae9281817410ftfn1d5aae928181776=(888) 558-3089
Network traffic was detected that matches the signature of a known attack. The attack was resulted from C:\Program Files (x86)\Mozilla Firefox\firefox.exe.

Previous to this blocked attack I see in my history: https: // getmediajobs. org/?pageid=15aae8fbc74559

On this PC, from my history of March 6, 2018, I see: https: // avalon-webdesign. com/dsp/?gidvdata=15a9eed1b61543 which then went to: https: // 254ads. com/iops/?c5a9eed9b711720ftfn1d5a9eed9b711a8=(866)%20203-9964

I know it always comes from reading Yahoo News, and on March 6, 2018 I was reading: https: // ca.style.yahoo. com/video/lucy-hale-shares-her-firsts-170000090.html

OK, I just read it was not only a Yahoo problem. Google was hit last Thursday the 16th by the same type of attack; search ZDNet for: "Yet again, Google tricked into serving scam Amazon ads". Same difference for us Emsisoft users.

Edited March 18, 2018 by bobbonomo: more info
Elise Posted March 19, 2018

Hello, we do block tech support scams; however, we do not use heuristic detection to do this as some other products do. The reason for this difference is that doing so would require us to actively filter/check all your browser activity. Not only is this a breach of your online privacy, it also brings security risks with it, which is why we opted not to do this. While I completely understand how annoying/scary such fake tech support scams can be, they are harmless to your computer; the worst that can happen is that you have to close the browser via the Task Manager (you can also do it via Emsisoft's Protection/Behavior Blocker tab). I will check the data you provided and will add any undetected tech support scams to our database.
bobbonomo Posted March 19, 2018 (Author)

I am fairly sure those links I supplied have been taken down. I suspect they were compromised websites which have been "fixed".
Elise Posted March 19, 2018

Yes, you are right. I checked them all, but (fortunately) none of the content reported did work (although I could see it had been there before).
bobbonomo Posted March 29, 2018 (Author)

Since then I have not seen this on the computer which has Emsisoft on it. But on my "reading" PC with Norton it has happened, and they did not catch it, so I put entries in my hosts file to disable the domain name which is the cause.

...and for me this usually happens when I read news from the Yahoo portal, and now I have disabled JS on that portal. Too bad for their ads. They need to get their spit together.
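The two defensive artefacts in this thread, the Norton Intrusion Prevention CSV export from the first post and the hand-written hosts-file entries described in the post above, can be joined up. The script below is an added example, not code from either poster or from Emsisoft or Norton: it parses the CSV layout shown in the first post, keeps only rows whose IPS Alert Name is a "Fake Tech Support Website" signature, and emits `0.0.0.0` hosts-file lines for the attacker domains that the file does not already map. The first data row is the one from the first post with its defanging spaces removed so that it parses; the other rows, the sample hosts-file content, the `scam-landing.example` / `203.0.113.7` values and the `# norton-ips-export` marker are constructed for the example.

```python
"""Turn Norton Intrusion Prevention CSV rows into hosts-file block entries.

Added example for the forum thread (not the poster's or any vendor's code).
Only the CSV header and first data row come from the thread; everything
else below is constructed.
"""
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Header plus the row from the first post (defanging spaces removed), then
# two constructed rows: a different alert type, and an IP-literal attacker
# URL that a hosts file cannot block.
SAMPLE_EXPORT = (
    "Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,"
    "Default Action,Action Taken,Attacker URL\n"
    "2018-03-18 12:12:06,High,An intrusion attempt was blocked.,Blocked,"
    "No Action Required,Web Attack: Fake Tech Support Website 164,"
    "No Action Required,No Action Required,"
    "https://ar2multimedia.com/iops/?c5aae9281817410ftfn1d5aae928181776=(888) 558-3089\n"
    "2018-03-18 12:20:00,Medium,An intrusion attempt was blocked.,Blocked,"
    "No Action Required,Web Attack: Malicious Redirect (constructed),"
    "No Action Required,No Action Required,"
    "http://scam-landing.example/?x=1\n"
    "2018-03-18 12:25:00,High,An intrusion attempt was blocked.,Blocked,"
    "No Action Required,Web Attack: Fake Tech Support Website 164,"
    "No Action Required,No Action Required,"
    "https://203.0.113.7/iops/?x=1\n"
)

# Constructed stand-in for the current contents of the hosts file.
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 already-blocked.example # manual\n"

FAKE_SUPPORT_PREFIX = "Web Attack: Fake Tech Support Website"
MARKER = "# norton-ips-export"  # constructed tag so the lines can be found again


def attacker_hosts(csv_text, alert_prefix=FAKE_SUPPORT_PREFIX):
    """Sorted hostnames from rows whose IPS Alert Name starts with alert_prefix.

    Bare IP literals are skipped: a hosts file overrides name resolution only,
    so it cannot block a connection made directly to an address.
    """
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get("IPS Alert Name", "").startswith(alert_prefix):
            continue
        host = urlsplit(row.get("Attacker URL", "").strip()).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            continue  # IP literal, not blockable via hosts
        except ValueError:
            pass
        found.add(host.lower())
    return sorted(found)


def existing_hosts(hosts_text):
    """Names a hosts file already maps (comments and blank lines ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # address followed by one or more names
            names.update(n.lower() for n in fields[1:])
    return names


def hosts_file_lines(csv_text, hosts_text, marker=MARKER):
    """New 0.0.0.0 lines to append, skipping names the file already maps."""
    present = existing_hosts(hosts_text)
    return [f"0.0.0.0 {h} {marker}"
            for h in attacker_hosts(csv_text) if h not in present]


if __name__ == "__main__":
    for line in hosts_file_lines(SAMPLE_EXPORT, SAMPLE_HOSTS):
        print(line)
```

Run with a real export in place of `SAMPLE_EXPORT` and the current hosts file in place of `SAMPLE_HOSTS`; the output is what to append to `C:\Windows\System32\drivers\etc\hosts` (an editor running as Administrator is needed). Two caveats that follow from the thread itself: a hosts entry matches the exact name only, so the redirect chains and fresh domains the later posts describe are not covered until they show up in a new export, and a row carrying an IP-literal URL produces nothing, because that is outside what a hosts file can do.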
McFarlandIT Posted April 18, 2018

Well... it IS Norton.
bobbonomo Posted April 18, 2018 (Author)

Just an update. Since then it has missed a coin miner and a fake site.
JeremyNicoll Posted April 19, 2018

> Just an update. Since then it has missed a coin miner and a fake site.

What is "it"? The computer with Emsisoft, or the one with Norton?
bobbonomo Posted April 19, 2018 (Author)

The Norton one. The fingerprint must have been different. The Emsisoft one did miss a coin miner, but I reported it in my coin miner thread, and it was caught by Norton, so I went to my other computer with Emsi to test just to see. I always have a CPU meter on, so I would notice a spike for a new coin miner. Neither of these are dangerous, so I don't worry much.
bobbonomo Posted May 3, 2018 (Author)

FYI, here is a fake tech support site which comes through (a red screen and audio) on both Emsi and Norton:
https: // stfebwehgbewhew.info /90t/?c5aeb99095434e0ftfn1d5aeb99095438a=(866)%20465-8113

It started as https: // stfebwehgbewhew.info /90t/?a=10012592&campid=46 from an ad from: adjustable .global. ssl. fastly. net

I have the screenshots and all.
Elise Posted May 4, 2018

Thank you, I'll check it and detection will be added if necessary.
bobbonomo Posted May 5, 2018 (Author)

Seems to not respond any more. The registrar says so, and so do my tests.
Elise Posted May 7, 2018

Yes, when I checked it, it was taken down already (at least it's good that the hoster acted so quickly :)).
bobbonomo Posted May 7, 2018 (Author)

I'm not so convinced. The name is still registered with Namecheap and probably still operates (ping = OVH Poland) using different URL parameters. I never contacted the hoster OVH. There will be others.