2017-07-06 - EITEST CAMPAIGN PUSHES TECH SUPPORT SCAM

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-07-06-EITest-tech-support-scam-traffic.pcap.zip   306 kB (306,135 bytes)

• 2017-07-06-EITest-tech-support-scam-traffic.pcap   (348,274 bytes)

• ZIP archive of the artifacts:  2017-07-06-EITest-tech-support-scam-artifacts.zip   117 kB (194,671 bytes)

• 2017-07-06-page-from-skylogistics.com-with-injected-EITest-script.txt   (13,510 bytes)
• 2017-07-06-tech-support-scam-audio-from-instavape7.top.mp3   (262,144 bytes)
• 2017-07-06-tech-support-scam-page-from-instavape7.top.txt   (5,322 bytes)

 

NOTES:

• Since late April 2017, the EITest campaign switched to pushing tech support scams.
• The EITest campaign has continued pushing tech support scams/fake anti-virus pages since the last time I reported it on 2017-06-09.
• The EITest campaign stopped pushing Rig EK earlier this year as documented in my June 2017 Palo Alto Networks blog post titled: Decline in Rig Exploit Kit

Shown above:  Current situation with the EITest campaign.

 

TRAFFIC

Shown above:  Injected script in a page from the compromised website  The highlighted URL leads to a tech support scam page.

 

Shown above:  Traffic filtered in Wireshark.

 

Shown above:  Screenshot of the tech support scam page.

 

Shown above:  Screenshot of the tech support scam page with the notification pop-up.

 

Shown above:  There's a different telephone number when checking from a UK location.

 

ASSOCIATED DOMAINS AND URLS:

• www.skylogistics.com   -   Site compromised by criminals behind the EITest campaign
• 162.244.35.33 port 80 - additionarl.racing - GET /newantikas/?nbVykj   -   [redirect/gate]
• 104.27.145.239 port 80 - instavape7.top - GET /?number=1-888-778-1543   -   [fake anti-virus page when viewed from the US]
• 104.27.145.239 port 80 - instavape7.top - GET /?number=44-808-168-4952   -   [fake anti-virus page when viewed from the UK]

TECH SUPPORT SCAM PHONE NUMBERS:

• 1-888-778-1543 (US)
• 44-808-168-4952 (UK)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-07-06-EITest-tech-support-scam-traffic.pcap.zip   306 kB (306,135 bytes)
• ZIP archive of the artifacts:  2017-07-06-EITest-tech-support-scam-artifacts.zip   117 kB (194,671 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.