Fake virus alert leads to Tech Support scam from compromised site
I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).
PCAP file of the infection traffic:
2017-11-07-Tech-Support-Scam-pcap.zip
ASSOCIATED DOMAINS AND IP ADDRESSES:
- stuffmotion.com – COMPROMISED SITE
- 5.149.253.19 – search.trafficexchanger.biz – GET /re.php?re=543673 – REDIRECT
- 162.244.35.33 – 5upp0rt30711123.tk – GET /index/?1641501770611 – REDIRECT
- 162.244.35.36 – h3lpsupp60711123456789.tk – GET /?number=888-797-9358 – TECH SUPPORT SCAM PAGE
IMAGES AND DETAILS OF INFECTION CHAIN:
Shown above: Network traffic associated with Fake virus alert and tech support scam from compromised site stuffmotion.com
Shown above: Fake virus alert and tech support page associated with compromised site stuffmotion.com – Call Microsoft Technical Department: 888-797-9358 (Tool Free)
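The chain above (compromised site, traffic-exchanger redirect, throwaway .tk redirect, scam page carrying a phone number in the query string) is the kind of pattern a defender can reconstruct and flag from proxy or HTTP logs. The following is an added example, not part of the original post or the pcap: it takes constructed request records built from the hosts and URIs listed above, follows Referer headers to order the chain, and applies a few heuristics suggested by this traffic (leetspeak-obfuscated support/help keywords, the .tk TLD, a phone number in a query parameter). The Referer values and the IP for stuffmotion.com are assumptions for illustration; the post does not reproduce HTTP headers or give that IP.

```python
"""Reconstruct a redirect chain and flag tech-support-scam indicators from HTTP requests.

Added example (not from the original post). Request records are constructed from the
hosts/URIs in the post; Referer values and the stuffmotion.com IP are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed records: (dst IP, Host header, request URI, Referer header).
# 203.0.113.10 is a TEST-NET placeholder; the post gives no IP for the compromised site.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "stuffmotion.com", "/", ""),
    ("5.149.253.19", "search.trafficexchanger.biz", "/re.php?re=543673",
     "http://stuffmotion.com/"),
    ("162.244.35.33", "5upp0rt30711123.tk", "/index/?1641501770611",
     "http://search.trafficexchanger.biz/re.php?re=543673"),
    ("162.244.35.36", "h3lpsupp60711123456789.tk", "/?number=888-797-9358",
     "http://5upp0rt30711123.tk/index/?1641501770611"),
]

# Heuristic leetspeak normalisation: digits commonly substituted for letters.
LEET = str.maketrans("0134578", "oleastb")
SCAM_WORDS = ("support", "help", "alert", "virus", "microsoft")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")


def host_indicators(host):
    """Return indicator labels for a hostname (keywords, leet-obfuscated keywords, .tk TLD)."""
    hits = []
    label = host.lower()
    normalised = label.translate(LEET)
    for word in SCAM_WORDS:
        if word in label:
            hits.append(f"keyword:{word}")
        elif word in normalised:          # only visible once digits are mapped back to letters
            hits.append(f"leet-keyword:{word}")
    if label.endswith(".tk"):
        hits.append("free-tld:.tk")
    return hits


def uri_indicators(uri):
    """Return indicator labels for a request URI (phone number carried in a query parameter)."""
    hits = []
    for values in parse_qs(urlsplit(uri).query).values():
        for value in values:
            match = PHONE_RE.search(value)
            if match:
                hits.append(f"phone-in-query:{match.group()}")
    return hits


def build_chain(requests):
    """Order hosts by following Referer headers, starting at the request with no in-set referer."""
    hosts = [r[1] for r in requests]
    parent = {r[1]: urlsplit(r[3]).hostname for r in requests}
    child = {p: h for h, p in parent.items() if p}
    starts = [h for h in hosts if parent[h] not in parent]
    current = starts[0] if starts else hosts[0]
    chain, seen = [], set()
    while current and current not in seen:   # guard against referer loops
        seen.add(current)
        chain.append(current)
        current = child.get(current)
    return chain


def analyze(requests):
    """Return the ordered redirect chain and every host that triggered at least one indicator."""
    flagged = {}
    for ip, host, uri, _ in requests:
        hits = host_indicators(host) + uri_indicators(uri)
        if hits:
            flagged[host] = {"ip": ip, "indicators": hits}
    return {"chain": build_chain(requests), "flagged": flagged}


if __name__ == "__main__":
    result = analyze(SAMPLE_REQUESTS)
    print(" -> ".join(result["chain"]))
    for host, info in result["flagged"].items():
        print(f"{host} ({info['ip']}): {', '.join(info['indicators'])}")
```

The compromised site and the traffic exchanger produce no indicators on their own; it is the two .tk hosts that light up, and the phone number in the final query string gives a pivot that can be searched across other logs.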