2017-06-09 - EITEST CAMPAIGN STILL PUSHING TECH SUPPORT SCAMS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-09-EITest-tech-support-scam-traffic.pcap.zip 216.5 kB (216,481 bytes)
- 2017-06-09-EITest-tech-support-scam-traffic.pcap (278,231 bytes)
- 2017-06-09-EITest-tech-support-scam-files.zip 117.3 kB (116,251 bytes)
- 2017-06-09-fake-tech-support-site-US-audio.mp3 (196,608 bytes)
- 2017-06-09-fake-tech-support-site.txt (11,240 bytes)
NOTES:
- So this is still a thing...
- Sometime in the latter part of April 2017, the EITest campaign began pushing tech support scams.
- I previously also found Rig EK from the EITest campaign, but now I'm only seeing injected script for these tech support scams.
Shown above: Current situation with the EITest campaign.
TRAFFIC
Shown above: Injected script in a page from the compromised website. The highlighted URL leads to a tech support scam page.
Shown above: Traffic filtered in Wireshark.
Shown above: Screenshot of the tech support scam page.
Shown above: Screenshot of the tech support scam page with the notification pop-up.
ASSOCIATED DOMAINS AND URLS:
- www.activaclinics[.]com - Site that's been compromised by criminals behind the EITest campaign
- 91.195.102[.]3 port 80 - gio.connecthome[.]top - GET /?bdsti=news
- 91.195.102[.]3 port 80 - help.reportgeek[.]gdn - GET /en/?id=MDgwMCAwODYtOTgyNw [redirects to the same URL using HTTPS]
- 91.195.102[.]3 port 443 - help.reportgeek[.]gdn - GET /en/?id=MDgwMCAwODYtOTgyNw [HTTPS]
TECH SUPPORT SCAM PHONE NUMBER:
- 0800 086-9827
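The redirect chain and indicators listed above can be checked mechanically. The Python below is an added example, not part of the original post: it scans a few constructed proxy-log lines (hypothetical format: client IP, destination IP, method, URL) for the hosts named on this page and decodes the base64 `id` parameter of the reportgeek URL, which is the scam phone number listed above. The log format, the client IP and the destination IP for the compromised site are assumptions.

```python
import base64
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts from this page (defanging brackets removed so they match real log data),
# labelled with their role in the EITest tech support scam chain.
STAGES = {
    "www.activaclinics.com": "compromised site (injected script)",
    "gio.connecthome.top": "redirector",
    "help.reportgeek.gdn": "tech support scam landing page",
}
SCAM_IP = "91.195.102.3"  # server behind both scam hostnames on this page

# Constructed sample log; client IP and the 203.0.113.10 / 198.51.100.7 addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 GET http://www.activaclinics.com/
10.0.0.5 91.195.102.3 GET http://gio.connecthome.top/?bdsti=news
10.0.0.5 91.195.102.3 GET http://help.reportgeek.gdn/en/?id=MDgwMCAwODYtOTgyNw
10.0.0.5 91.195.102.3 GET https://help.reportgeek.gdn/en/?id=MDgwMCAwODYtOTgyNw
10.0.0.5 198.51.100.7 GET https://example.org/index.html
"""


def decode_id(value: str) -> Optional[str]:
    """Decode the base64 'id' query value; the URL drops '=' padding, so restore it first."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one hit per request that touches a host or IP from this page's indicator list."""
    hits = []
    for line in text.splitlines():
        client, dst_ip, _method, url = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host not in STAGES and dst_ip != SCAM_IP:
            continue
        hit = {"client": client, "host": host, "scheme": parts.scheme,
               "path": parts.path, "stage": STAGES.get(host, "unknown host on scam IP")}
        params = parse_qs(parts.query)
        if "id" in params:
            # On the reportgeek URL this is the phone number shown to the victim.
            hit["phone"] = decode_id(params["id"][0])
        hits.append(hit)
    return hits
```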