2016-08-23 - FAKE TECH SUPPORT POPUP

ASSOCIATED FILES:

  • 2016-08-23-fake-tech-support-popup-traffic.pcap   (379,740 bytes)
  • help-msg.mp3   (164,790 bytes)

NOTES:

 


Shown above:  Flowchart for this traffic.

TRAFFIC

Shown above:  Injected script from the pseudoDarkleech campaign in the same page from the compromised site.

 


Shown above:  Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

IMAGES


Shown above:  Windows desktop that ran across this fake tech support popup.

How can you quickly deobfuscate the injected script that led to the gate?  Put the script in a separate HTML file (with the proper headers and footers), then change "eval" to "alert" as shown in the images below.


Shown above:  Put the script in a separate web page, then change the second "eval" to "alert".

Shown above:  Checking the page in a test environment shows the deobfuscated script.

 

FINAL NOTES

Once again, here is a ZIP archive of the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
