Fake virus alert leads to Tech Support scam from compromised site

I have added a zipped pcap file for your analysis. The password for the zip archive is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-11-07-Tech-Support-Scam-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • stuffmotion.com – COMPROMISED SITE
  • 5.149.253.19 – search.trafficexchanger.biz – GET /re.php?re=543673 – REDIRECT
  • 162.244.35.33 – 5upp0rt30711123.tk – GET /index/?1641501770611 – REDIRECT
  • 162.244.35.36 – h3lpsupp60711123456789.tk – GET /?number=888-797-9358 – TECH SUPPORT SCAM PAGE
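Added example, not code from the original post: a small Python triage script that reads a few constructed Zeek-style HTTP log rows modelled on the chain above, tags each request against the post's indicators (the three hosts, the three IPs, the compromised origin), flags a phone number in a query string, applies a leetspeak "support"/"help" hostname heuristic (my assumption, not something the post states), and walks Referer headers backwards from the scam landing page to reconstruct the full redirect path. The IP for stuffmotion.com (192.0.2.10) and the unrelated example.com row are placeholders.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: hosts and IPs of the redirect chain and the origin.
KNOWN_BAD_HOSTS = {
    "search.trafficexchanger.biz": "REDIRECT",
    "5upp0rt30711123.tk": "REDIRECT",
    "h3lpsupp60711123456789.tk": "TECH SUPPORT SCAM PAGE",
}
KNOWN_BAD_IPS = {"5.149.253.19", "162.244.35.33", "162.244.35.36"}
COMPROMISED_SITES = {"stuffmotion.com"}

PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
LEET = str.maketrans("013457", "oleast")  # digit-for-letter substitutions (heuristic)
FIELDS = ("ts", "src", "dst", "host", "uri", "referrer")

# Constructed sample, tab-separated like a trimmed Zeek http.log. The stuffmotion.com
# address (192.0.2.10) and the example.com row are placeholders; the middle three rows
# mirror the hosts, IPs and URIs listed in the post.
SAMPLE_HTTP_LOG = """\
1510046400.100\t10.0.0.5\t192.0.2.10\tstuffmotion.com\t/\t-
1510046401.250\t10.0.0.5\t5.149.253.19\tsearch.trafficexchanger.biz\t/re.php?re=543673\thttp://stuffmotion.com/
1510046402.400\t10.0.0.5\t162.244.35.33\t5upp0rt30711123.tk\t/index/?1641501770611\thttp://search.trafficexchanger.biz/re.php?re=543673
1510046403.600\t10.0.0.5\t162.244.35.36\th3lpsupp60711123456789.tk\t/?number=888-797-9358\thttp://5upp0rt30711123.tk/index/?1641501770611
1510046450.000\t10.0.0.7\t192.0.2.20\texample.com\t/index.html\t-
"""


def parse_http_log(text):
    """Parse tab-separated rows into dicts; malformed rows are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def looks_like_support_lookalike(host):
    """Heuristic (assumed here): leetspeak 'support' or 'help' in the first label."""
    label = host.split(".")[0].lower().translate(LEET)
    return any(word in label for word in ("support", "help"))


def phone_in_uri(uri):
    m = PHONE_RE.search(uri)
    return m.group(0) if m else None


def classify(rec):
    """Return the detection tags that fire for one request."""
    tags = []
    if rec["host"] in COMPROMISED_SITES:
        tags.append("compromised-site")
    if rec["dst"] in KNOWN_BAD_IPS:
        tags.append("known-ip")
    role = KNOWN_BAD_HOSTS.get(rec["host"])
    if role:
        tags.append("known-host:" + role)
    phone = phone_in_uri(rec["uri"])
    if phone:
        tags.append("phone-in-uri:" + phone)
    if looks_like_support_lookalike(rec["host"]):
        tags.append("lookalike-support-host")
    return tags


def is_scam_landing(rec):
    return KNOWN_BAD_HOSTS.get(rec["host"]) == "TECH SUPPORT SCAM PAGE" or (
        phone_in_uri(rec["uri"]) is not None and looks_like_support_lookalike(rec["host"]))


def referrer_host(referrer):
    return urlsplit(referrer).netloc.lower() if referrer and referrer != "-" else None


def find_redirect_chains(records):
    """Walk Referer headers backwards from each scam landing page to its origin."""
    chains = []
    for rec in records:
        if not is_scam_landing(rec):
            continue
        hosts, cur, seen = [rec["host"]], rec, {rec["host"]}
        while True:
            ref = referrer_host(cur["referrer"])
            if not ref or ref in seen:
                break
            hosts.append(ref)
            seen.add(ref)
            prev = next((p for p in records if p["src"] == cur["src"]
                         and p["host"] == ref and p["ts"] <= cur["ts"]), None)
            if prev is None:
                break  # referrer named, but that request is not in the capture
            cur = prev
        hosts.reverse()
        chains.append({"src": rec["src"], "chain": hosts,
                       "origin_compromised": hosts[0] in COMPROMISED_SITES})
    return chains


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    for r in recs:
        print(r["host"], r["uri"], classify(r))
    for c in find_redirect_chains(recs):
        print(" -> ".join(c["chain"]), "(origin is a compromised site)" if c["origin_compromised"] else "")
```

Run against a real capture, you would export Zeek's http.log (or tshark's `http.host`, `http.request.uri` and `http.referer` fields) into the same six columns. The referrer walk is what turns four isolated alerts into one story: it shows that the victim arrived at the phone-number page from a legitimate-looking site, which is the detail that matters when deciding whether to block the origin or notify its owner.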


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with Fake virus alert and tech support scam from compromised site stuffmotion.com


Shown above: Fake virus alert and tech support page associated with compromised site stuffmotion.com – Call Microsoft Technical Department: 888-797-9358 (Tool Free)