2017-06-09 - EITEST CAMPAIGN STILL PUSHING TECH SUPPORT SCAMS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-09-EITest-tech-support-scam-traffic.pcap.zip   216.5 kB (216,481 bytes)

• 2017-06-09-EITest-tech-support-scam-traffic.pcap   (278,231 bytes)

• 2017-06-09-EITest-tech-support-scam-files.zip   117.3 kB (116,251 bytes)

• 2017-06-09-fake-tech-support-site-US-audio.mp3   (196,608 bytes)
• 2017-06-09-fake-tech-support-site.txt   (11,240 bytes)

 

NOTES:

• So this is still a thing...
• Sometime in the later part of April 2017, the EITest campaign began pushing tech support scams.
• I previously also found Rig EK from the EITest campaign, but now I'm only seeing injected script for these tech support scams.

Shown above:  Current situation with the EITest campaign.

 

TRAFFIC

Shown above:  Injected script in a page from the compromised website  The highlighted URL leads to a tech support scam page.

 

Shown above:  Traffic filtered in Wireshark.

 

Shown above:  Screenshot of the tech support scam page.

 

Shown above:  Screenshot of the tech support scam page with the notification pop-up.

 

ASSOCIATED DOMIAINS AND URLS:

• www.activaclinics[.]com   -   Site that's been compromised by criminals behind the EITest campaign
• 91.195.102[.]3 port 80 - gio.connecthome[.]top - GET /?bdsti=news
• 91.195.102[.]3 port 80 - help.reportgeek[.]gdn - GET /en/?id=MDgwMCAwODYtOTgyNw     [redirects the same URL using HTTPS]
• 91.195.102[.]3 port 443 - help.reportgeek[.]gdn - GET /en/?id=MDgwMCAwODYtOTgyNw     [HTTPS]

TECH SUPPORT SCAM PHONE NUMBER:

• 0800 086-9827

 

Click here to return to the main page.