Fake virus alert leads to Tech Support scam from compromised site
Thanks to EKTracker for sharing information on compromised site.
I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.
PCAP file of the infection traffic:
ASSOCIATED DOMAINS AND IP ADDRESSES:
- castorriverfarm.ca – COMPROMISED SITE
- 220.127.116.11 – thinkaboutnow.bid – GET /index/?MCPKV8 – REDIRECT TO TECH SCAM
- 18.104.22.168 – techsupp6301012345678.tk – GET /?number=888-819-0368 – TECH SUPPORT SCAM PAGE
IMAGES AND DETAILS OF INFECTION CHAIN: