bobbonomo

Fake Tech Support websites


Do you catch "Fake Tech Support" websites as malware, PUPs or "BADware"? I know this description is very vague.
On my reading computer, in the kitchen, I use Norton and it actually catches the signature of these "Fake Tech Support" and blocks them.

On this computer (my workhorse in the dungeon) I use Emsisoft and remember one such attempt where I killed Firefox from the Task Manager. I seem to remember clicking the X at the top right did not work. I searched my history and found the incident, which occurred March 6, 2018.

It happened today with my "Norton" laptop, so I immediately checked it out using PhantomJS. It did a screen capture and got the HTML code. It is the same image I remember from my "EMSI" computer: a big ominous red screen made to look like it came from Windows.com.

I am not sure what to supply you for testing. What else would you need?

I took apart the URLs below:

Here is the Norton warning. This URL now does not produce the same output using PhantomJS as it did above.

Category: Intrusion Prevention
Date & Time: 2018-03-18 12:12:06
Risk: High
Activity: An intrusion attempt was blocked.
Status: Blocked
Recommended Action: No Action Required
IPS Alert Name: Web Attack: Fake Tech Support Website 164
Default Action: No Action Required
Action Taken: No Action Required
Attacker URL: https: // ar2multimedia. com/iops/?c5aae9281817410ftfn1d5aae928181776=(888) 558-3089
Network traffic was detected that matches the signature of a known attack. The attack resulted from C:\Program Files (x86)\Mozilla Firefox\firefox.exe.

Previous to this blocked attack I see in my history: https: // getmediajobs. org/?pageid=15aae8fbc74559

On this PC from my history of March 6, 2018 I see: https: // avalon-webdesign. com/dsp/?gidvdata=15a9eed1b61543
which then went to: https: // 254ads. com/iops/?c5a9eed9b711720ftfn1d5a9eed9b711a8=(866)%20203-9964

I know it always comes from reading Yahoo News and on March 6, 2018 I was reading: https: // ca.style.yahoo. com/video/lucy-hale-shares-her-firsts-170000090.html


OK, I just read that it was not only a Yahoo problem. Google was hit last Thursday the 16th by the same type of attack.

search ZDNET for: Yet again, Google tricked into serving scam Amazon ads

Same difference for us Emsisoft users.

Edited by bobbonomo
more info


Hello,

We do block tech support scams; however, we do not use heuristic detection to do this as some other products do. The reason for this difference is that doing so would require us to actively filter/check all your browser activity. Not only is this a breach of your online privacy, it also brings security risks with it, which is why we opted not to do this.

While I completely understand how annoying/scary such fake tech support scams can be, they are harmless to your computer; the worst that can happen is that you have to close the browser via the Task Manager (you can also do it via Emsisoft's Protection/Behavior Blocker tab).

I will check the data you provided and will add any undetected tech support scams to our database.


I am fairly sure those links I supplied have been taken down. I suspect they were compromised websites which have been "fixed".


Yes, you are right. I checked them all, but (fortunately) none of the reported content worked (although I could see it had been there before).


Since then I have not seen this on the computer which has Emsisoft on it.

But on my "reading" PC with Norton it has, and they did not catch it, so I put entries in my hosts file to disable the domain name which is the cause.

...and for me this usually happens when I read news from the Yahoo portal, and now I have disabled JS on that portal. Too bad for their ads. They need to get their spit together.

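The first post takes the reported URLs apart by hand, and the post above blocks the offending domain names in the hosts file. The script below is an added example (not code from the thread, the poster, or Emsisoft) that does both over the URLs quoted in this thread: it splits each URL into host, path and query parameters, treats a phone number in a query value as the marker of a scam landing page (the redirector hops only carry tracking ids), groups landing pages by phone number, and emits `0.0.0.0` hosts-file lines for every host in the chains. The sample URLs are the ones posted above with the de-fanging spaces removed; the function names, the phone-number regex and the `yahoo.com` allow-list are my assumptions for this example, not anything the poster described.

```python
"""Dissect the tech-support-scam URLs reported in this thread and turn the
hosts into hosts-file blocks. Added example, not code from the thread."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: the URLs quoted in this thread, with the
# de-fanging spaces the poster inserted removed so they parse.
SAMPLE_URLS = [
    "https://ar2multimedia.com/iops/?c5aae9281817410ftfn1d5aae928181776=(888) 558-3089",
    "https://getmediajobs.org/?pageid=15aae8fbc74559",
    "https://avalon-webdesign.com/dsp/?gidvdata=15a9eed1b61543",
    "https://254ads.com/iops/?c5a9eed9b711720ftfn1d5a9eed9b711a8=(866)%20203-9964",
    "https://stfebwehgbewhew.info/90t/?c5aeb99095434e0ftfn1d5aeb99095438a=(866)%20465-8113",
    "https://stfebwehgbewhew.info/90t/?a=10012592&campid=46",
    "https://ca.style.yahoo.com/video/lucy-hale-shares-her-firsts-170000090.html",
]

# The "call this number" phone number as it appears once the query value is
# percent-decoded, e.g. "(888) 558-3089". Assumed format for this example.
PHONE_RE = re.compile(r"\(?\b(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})\b")


def dissect(url):
    """Split one URL into host, path, query parameters and, if present,
    the phone number carried in a query value."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # also %-decodes
    phone = None
    for _key, value in params:
        match = PHONE_RE.search(value)
        if match:
            phone = "({}) {}-{}".format(*match.groups())
            break
    return {"host": parts.hostname, "path": parts.path,
            "params": params, "phone": phone}


def is_scam_landing(info):
    """A phone number in the query string is the tell: the landing page's
    only job is to get the visitor to dial it. The hops that fed it
    (getmediajobs.org, avalon-webdesign.com above) carry only tracking ids."""
    return info["phone"] is not None


def campaigns(urls):
    """Group landing pages by phone number. The thread sees three different
    landing hosts, but the number has to stay reachable for the scam to pay,
    so it is the more durable indicator to hunt for when domains rotate."""
    by_phone = {}
    for url in urls:
        info = dissect(url)
        if is_scam_landing(info):
            by_phone.setdefault(info["phone"], []).append(info["host"])
    return by_phone


def hosts_entries(urls, allow=("yahoo.com",)):
    """0.0.0.0 lines for every host in the reported chains, redirectors
    included, except the publisher you still want to read. The allow-list
    default is an assumption for this example, not the poster's setup."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        if any(host == a or host.endswith("." + a) for a in allow):
            continue
        if host not in hosts:
            hosts.append(host)
    return ["0.0.0.0 {}".format(h) for h in hosts]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        info = dissect(url)
        tag = "LANDING" if is_scam_landing(info) else "hop    "
        print(tag, info["host"], info["path"], info["phone"] or "")
    print(campaigns(SAMPLE_URLS))
    print("\n".join(hosts_entries(SAMPLE_URLS)))
```

Run it as a script to see the per-URL triage and the hosts-file lines. Blocking the redirector hosts as well as the landing page is deliberate: the landing domains in this thread changed between incidents, while the ad-chain hop that delivered them is the part a hosts file can catch before the next one appears.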

> Just an update. Since then it has missed a coin miner and a fake site.

What is "it"?   The computer with Emsisoft, or the one with Norton?


The Norton one. The fingerprint must have been different.

The Emsisoft one did miss a coin miner, but I reported it in my coin miner thread, and it was caught by Norton, so I went to my other computer with Emsi to test, just to see. I always have a CPU meter on, so I would notice a spike for a new coin miner.

Neither of these is dangerous, so I don't worry much.


FYI

Here is a fake tech support which comes through: a red screen and audio (both Emsisoft and Norton).

https: // stfebwehgbewhew.info  /90t/?c5aeb99095434e0ftfn1d5aeb99095438a=(866)%20465-8113

It started as https: // stfebwehgbewhew.info /90t/?a=10012592&campid=46

from an ad from: adjustable .global. ssl. fastly. net.

I have the screenshots and all.


Thank you, I'll check it and detection will be added if necessary.


Yes, when I checked it, it was taken down already (at least it's good that the hoster acted so quickly :)).


I'm not so convinced. The name is still registered with Namecheap and probably still operates (ping = OVH Poland) using different URL parameters. I never contacted the hoster, OVH.

There will be others.


I recommend you don't visit https://howtoremove.guide; that is a malware website and makes fraudulent results and information...

I recommend trying https://www.bleepingcomputer.com and www.emsisoft.com. Have a nice day :D

Edited by GT500
Made it so that "howtoremove.guide" was not a clickable link.
