Fake virus alert leads to Tech Support scam from compromised sites

I have added two zipped pcap files for your analysis, one per infection chain. The password for each zip is "infected" (all lowercase).

PCAP files of the infection traffic:
2017-11-04-Tech-Support-Scam1-pcap.zip
2017-11-04-Tech-Support-Scam2-pcap.zip

 

ASSOCIATED DOMAINS AND IP ADDRESSES (FIRST CHAIN):

  • www.bgglobal.com – COMPROMISED SITE
  • 185.159.82.2 – go.dancewithme.biz GET /red.php?somet=dsfsdg4g2353 – REDIRECT
  • 162.244.35.33 – onsupport3031112.tk GET /index/?1641501770611 – REDIRECT
  • 162.244.35.36 – bestsupport603111234.tk GET /?number=888-797-9358 – TECH SUPPORT SCAM PAGE

ASSOCIATED DOMAINS AND IP ADDRESSES (SECOND CHAIN):

  • 24punjabnews.com – COMPROMISED SITE
  • 5.149.253.19 – search.trafficexchanger.biz GET /re.php?re=543673 – REDIRECT
  • 162.244.35.33 – onsupport30311123.tk GET /index/?1641501770611 – REDIRECT
  • 162.244.35.36 – bestsupport6031112345.tk GET /?number=888-797-9358 – TECH SUPPORT SCAM PAGE
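Both chains have the same shape: compromised site, a redirector, a second redirector on a .tk host, and a .tk landing page that takes the phone number to display as a query parameter. To triage this from a proxy log or an HTTP export of a pcap, here is an added example (my code, not part of the original post) that follows Referer headers from the compromised site to the landing page and pulls the phone number out of the landing URL. The request records are constructed from the first chain's GETs listed above; the Referer values, the compromised site's IP address and the unrelated example.com request are assumptions for illustration, not taken from the pcaps.

```python
"""Reconstruct a tech-support-scam redirect chain from HTTP request records.

Added example; not code from the original post. Each record is
(dst_ip, host, path, referer). Hosts and paths come from the first chain
listed in the post; Referer values and the compromised site's IP are
assumed, not read from the pcap.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: one record per GET in the first chain, plus one
# unrelated request that must not end up in the chain.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "www.bgglobal.com", "/", None),  # IP assumed (compromised site)
    ("185.159.82.2", "go.dancewithme.biz", "/red.php?somet=dsfsdg4g2353",
     "http://www.bgglobal.com/"),
    ("162.244.35.33", "onsupport3031112.tk", "/index/?1641501770611",
     "http://go.dancewithme.biz/red.php?somet=dsfsdg4g2353"),
    ("162.244.35.36", "bestsupport603111234.tk", "/?number=888-797-9358",
     "http://onsupport3031112.tk/index/?1641501770611"),
    ("93.184.216.34", "example.com", "/favicon.ico", "http://example.com/"),  # unrelated
]


def full_url(host, path):
    """Rebuild the plain-HTTP URL for a request record."""
    return "http://" + host + path


def build_chain(requests, start_host):
    """Follow Referer headers from start_host to the end of the redirect chain.

    Returns the ordered list of URLs visited. Walking stops when no request
    names the current URL as its Referer; a seen-set guards against loops.
    """
    by_referer = {}
    for _ip, host, path, referer in requests:
        if referer:
            by_referer.setdefault(referer, []).append(full_url(host, path))

    start = next((full_url(h, p) for _ip, h, p, _r in requests if h == start_host), None)
    if start is None:
        return []

    chain, seen = [start], {start}
    while True:
        candidates = [u for u in by_referer.get(chain[-1], []) if u not in seen]
        if not candidates:
            return chain
        chain.append(candidates[0])
        seen.add(candidates[0])


def scam_phone_number(url):
    """Return the value of the 'number' query parameter, or None if absent."""
    query = parse_qs(urlsplit(url).query)
    return query.get("number", [None])[0]


def flag_scam_landing(requests):
    """Flag URLs matching the landing-page pattern in this post:
    a .tk host with 'support' in its name that receives a number= parameter."""
    hits = []
    for _ip, host, path, _ref in requests:
        url = full_url(host, path)
        if host.endswith(".tk") and "support" in host and scam_phone_number(url):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for hop, url in enumerate(build_chain(SAMPLE_REQUESTS, "www.bgglobal.com")):
        print(f"hop {hop}: {url}")
    for url in flag_scam_landing(SAMPLE_REQUESTS):
        print("scam landing page:", url, "phone:", scam_phone_number(url))
```

The Referer walk is what ties the .tk landing page back to the compromised site; the phone number in the query string is the indicator most worth blocking on, since the .tk hostnames rotate between chains while 888-797-9358 stays the same.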

 

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with Fake virus alert and tech support scam from compromised site www.bgglobal.com

 

Shown above: Network traffic associated with Fake virus alert and tech support scam from compromised site 24punjabnews.com

 

Shown above: Inject script found on index page of compromised site www.bgglobal.com

 

Shown above: Redirect to fake virus alert and tech support scam page

 

Shown above: Redirect to fake virus alert and tech support scam page

 

Shown above: Fake virus alert and tech support page associated with compromised site www.bgglobal.com – Call Microsoft Technical Department: 888-797-9358 (Tool Free)

 

Shown above: Fake virus alert and tech support page associated with compromised site 24punjabnews.com – Call Microsoft Technical Department: 888-797-9358 (Tool Free)