2019-01-09 - FAKE AV PAGE/TECH SUPPORT SCAM POPUP
ASSOCIATED FILES:
- 2019-01-09-fake-AV-tech-support-scam-popup.pcap.zip 413 kB (413,145 bytes)
- 2019-01-09-fake-AV-page-HTML-and-audio.zip 310 kB (310,013 bytes)
Shown above: Flow chart for today's traffic.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains, URLs, and partial URLs:
- hxxp://134.249.116[.]78/jquery.js
- sd5doozry8[.]com
- site.topwebsite4[.]xyz
- hxxp://68.183.175[.]204/?browser=IE_11.0&
- hxxp://68.183.175[.]204/pc-error-0xxxfrxx88/
TRAFFIC
Shown above: Traffic filtered in Wireshark.
TRAFFIC RELATED TO THE FAKE AV/TECH SUPPORT SCAM POPUP:
- 134.249.116[.]78 port 80 - 134.249.116[.]78 - GET /jquery.js
- 198.134.112[.]243 port 443 (HTTPS) - sd5doozry8[.]com - GET /ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d
- 174.137.155[.]139 port 80 - clk.verblife-3[.]co - GET /click?i=jwu9aD62G*M_0
- 104.27.184[.]14 port 443 - site.topwebsite4[.]xyz - GET /?browser=[long string of information]
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /?browser=[long string of information]
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/bg-1.jpg
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/bg-3.jpg
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/defender.png
- port 443 - code.jquery[.]com - non-malicious traffic caused by fake AV page
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/sound/err.mp3
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/bg-2.jpg
- 68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/security.php
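As an added example (not part of the original post), the script below refangs the block-list entries from the WEB TRAFFIC BLOCK LIST section and checks lines written in the traffic list's own format against them: bare domains match the host or any subdomain, URL and partial-URL entries match as prefixes. BLOCK_LIST and the TRAFFIC sample are copied from this post; the parsing and matching logic is assumed, not the author's.

```python
import re

# Block list exactly as the post gives it (defanged with hxxp and [.]).
BLOCK_LIST = [
    "hxxp://134.249.116[.]78/jquery.js",
    "sd5doozry8[.]com",
    "site.topwebsite4[.]xyz",
    "hxxp://68.183.175[.]204/?browser=IE_11.0&",
    "hxxp://68.183.175[.]204/pc-error-0xxxfrxx88/",
]

# Sample lines copied from the post's traffic list: "<ip> port <n> - <host> - GET <path>".
TRAFFIC = [
    "134.249.116[.]78 port 80 - 134.249.116[.]78 - GET /jquery.js",
    "198.134.112[.]243 port 443 (HTTPS) - sd5doozry8[.]com - GET /ykwnsxwz29?key=9a98439e5dcdf4fd2a011f7cbc76b00d",
    "174.137.155[.]139 port 80 - clk.verblife-3[.]co - GET /click?i=jwu9aD62G*M_0",
    "68.183.175[.]204 port 80 - 68.183.175[.]204 - GET /pc-error-0xxxfrxx88/img/defender.png",
    "port 443 - code.jquery[.]com - non-malicious traffic caused by fake AV page",
]

LINE_RE = re.compile(r"^(?:(?P<ip>\S+) )?port (?P<port>\d+)(?: \(HTTPS\))? - "
                     r"(?P<host>\S+) - (?:GET (?P<path>\S+)|.*)$")

def refang(s):
    """Turn the post's defanged notation back into a real domain/URL."""
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")

def parse_line(line):
    """Parse one traffic-list line into host, port and (if a GET path is present) a full URL."""
    m = LINE_RE.match(refang(line))
    if not m:
        return None
    port = int(m.group("port"))
    path = m.group("path")  # None for descriptive lines without a GET
    url = f"{'https' if port == 443 else 'http'}://{m.group('host')}{path}" if path else None
    return {"host": m.group("host"), "port": port, "url": url}

def compile_rules(entries):
    """Bare domains become host rules; anything with a scheme becomes a URL-prefix rule."""
    return [("url_prefix" if "://" in e else "domain", refang(e)) for e in entries]

def matches(rec, rules):
    hits = []
    for kind, value in rules:
        if kind == "domain" and (rec["host"] == value or rec["host"].endswith("." + value)):
            hits.append(value)
        elif kind == "url_prefix" and rec["url"] and rec["url"].startswith(value):
            hits.append(value)
    return hits

def check_traffic(lines, entries=BLOCK_LIST):
    """Return (url-or-host, [matching block-list entries]) for each parseable line."""
    rules = compile_rules(entries)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            out.append((rec["url"] or rec["host"], matches(rec, rules)))
    return out
```

Running check_traffic(TRAFFIC) shows that the clk.verblife-3[.]co redirect and the legitimate code.jquery[.]com request match nothing, while the jquery.js, sd5doozry8[.]com and /pc-error-0xxxfrxx88/ requests each hit one entry.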
OTHER INFO
MALWARE FROM AN INFECTED WINDOWS HOST:
- Fake tech support phone number (United States): 1-888-727-1224
IMAGES
Shown above: Fake AV/tech support scam page without the popup windows.
Shown above: Fake AV/tech support scam page with the popup windows.
FINAL NOTES
Once again, here are the associated files:
- 2019-01-09-fake-AV-tech-support-scam-popup.pcap.zip 413 kB (413,145 bytes)
- 2019-01-09-fake-AV-page-HTML-and-audio.zip 310 kB (310,013 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.