Fake virus alert leads to Tech Support scam from compromised site

Thanks to EKTracker for sharing information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-30-Tech-Support-Scam-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:

  • castorriverfarm.ca – COMPROMISED SITE
  • 162.244.35.33 – thinkaboutnow.bid – GET /index/?MCPKV8 – REDIRECT TO TECH SCAM
  • 162.244.35.36 – techsupp6301012345678.tk – GET /?number=888-819-0368 – TECH SUPPORT SCAM PAGE
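The chain listed above (compromised site, redirector, scam landing page) can be reconstructed from the HTTP requests in a capture by walking Referer headers backwards from any request that carries a phone number in its query string. The script below is an added example and is not part of the original post; the request records are constructed to mirror the listed GETs, and it assumes the requests were plain HTTP and that each hop set a Referer.

```python
"""Reconstruct the redirect chain behind a tech support scam landing page.

Added example: the records below are constructed from the GET lines listed
on this page and assume http:// URLs with Referer headers on each hop.
They are not the actual packets from the pcap.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests in capture order: (host, request_uri, referer)
SAMPLE_REQUESTS = [
    ("castorriverfarm.ca", "/", ""),
    ("castorriverfarm.ca", "/wp-content/themes/main.css", "http://castorriverfarm.ca/"),
    ("thinkaboutnow.bid", "/index/?MCPKV8", "http://castorriverfarm.ca/"),
    ("techsupp6301012345678.tk", "/?number=888-819-0368",
     "http://thinkaboutnow.bid/index/?MCPKV8"),
    ("techsupp6301012345678.tk", "/alert.mp3",
     "http://techsupp6301012345678.tk/?number=888-819-0368"),
]

# North American phone number as seen in the scam URL (NNN-NNN-NNNN)
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")


def is_scam_landing(host, uri):
    """Heuristic for the landing page: a phone number passed in a 'number=' query parameter."""
    query = parse_qs(urlsplit(uri).query)
    return any(PHONE_RE.match(value) for value in query.get("number", []))


def find_scam_chains(requests):
    """Return one host chain per scam landing request, ordered from first hop to landing page."""
    # Map each requested URL to the Referer it was fetched with (first occurrence wins)
    referer_of = {}
    for host, uri, referer in requests:
        referer_of.setdefault(f"http://{host}{uri}", referer)

    chains = []
    for host, uri, referer in requests:
        if not is_scam_landing(host, uri):
            continue
        chain, current, seen = [host], referer, set()
        # Follow Referer links backwards until the chain starts or loops
        while current and current not in seen:
            seen.add(current)
            chain.append(urlsplit(current).hostname)
            current = referer_of.get(current, "")
        chains.append(list(reversed(chain)))
    return chains
```

On the sample records this yields the three-hop chain castorriverfarm.ca, thinkaboutnow.bid, techsupp6301012345678.tk, and ignores the follow-up fetch of the audio file because it carries no phone number.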
IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with a fake virus alert and tech support scam
Shown above: Injected script found on the compromised site, leading to a redirect to the tech support scam page
Shown above: Fake virus alert along with fake suggested tech support options