2017-07-14 - ANOTHER TECH SUPPORT SCAM POPUP MESSAGE
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-07-14-tech-support-scam-traffic.pcap.zip 618 kB (617,604 bytes)
- 2017-07-14-tech-support-scam-traffic.pcap (728,331 bytes)
- Zip archive of the artifacts: 2017-07-14-tech-support-scam-artifacts.zip 199 kB (199,478 bytes)
- 2017-07-14-audio-message-from-df-th-37.s3.amazonaws.com.mp3 (143,728 bytes)
- 2017-07-14-fake-microsoft-site-from-df-th-37.s3.amazonaws.com-index.txt (127,069 bytes)
- 2017-07-14-jquery.js-from-134.249.116.78.txt (2,698 bytes)
IMAGES
Shown above: Popup seen after trying to view the compromised website.
Shown above: Web page behind the popup.
TRAFFIC
Shown above: Traffic from this activity, filtered in Wireshark.
Shown above: HTTPS urls from the Internet Explorer cache.
ASSOCIATED DOMAINS AND URLS:
- 206.188.192.247 port 80 - www.rvdecor.com - GET /pages/ [legitimate site that kicks off this chain of events]
- 134.249.116.78 port 80 - 134.249.116.78 - GET /jquery.js
- 69.42.65.45 port 80 - www.cpm10.com - GET /watch?key=fe0a93971e993f059d7a78bf2fa5117a
- 69.42.65.45 port 80 - www.cpm10.com - GET /watch?shu=[long string of characters]
- 188.226.156.79 port 80 - ynqicmcf.top - GET /ts-red/?br=ie&lang=engauth&n=1-888-223-8246
- 52.216.81.72 port 443 - df-th-37.s3.amazonaws.com - GET /ts-ie-engauth/index.htm?n=1-888-223-8246&red=y [HTTPS]
- 188.226.156.79 port 443 - errorx00xe0xx-support.com - HTTPS/SSL/TLS traffic
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-07-14-tech-support-scam-traffic.pcap.zip 618 kB (617,604 bytes)
- Zip archive of the artifacts: 2017-07-14-tech-support-scam-artifacts.zip 199 kB (199,478 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.