Fake virus alert leads to Tech Support scam from compromised site

Nov 07, 2017 by Analysis in Tech Support Scam

I have added a zipped pcap file for your analysis. The password for the zipped pcap is infected all lowercase.

PCAP file of the infection traffic:
2017-11-07-Tech-Support-Scam-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES:

stuffmotion.com – COMPROMISED SITE
5.149.253.19 – search.trafficexchanger.biz – GET /re.php?re=543673 – REDIRECT
162.244.35.33 – 5upp0rt30711123.tk – GET /index/?1641501770611 – REDIRECT
162.244.35.36 – h3lpsupp60711123456789.tk – GET /?number=888-797-9358 – TECH SUPPORT SCAM PAGE

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with Fake virus alert and tech support scam from compromised site stuffmotion.com

Shown above: Fake virus alert and tech support page associated with compromised site stuffmotion.com – Call Microsoft Technical Department: 888-797-9358 (Tool Free)

Tagged with: Fake Virus Alert, Indicator's of Compromise, Malware analysis, Malware Research, Microsoft Tech Support Scam, New York