EiTest Campaign Fake Virus Alert Tech Support Scam

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2018-01-26-EiTest-Fake-AV-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • call24wireless.com – COMPROMISED SITE
  • 204.155.28.5 – tfnfornow.bid GET /index/?MCPKV8 – REDIRECT TO FAKE AV PAGE
  • 185.159.83.48 – ispeak-a-little-english.tk GET /?number=888-791-9614 – FAKE AV PAGE
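As an added triage example (not part of the original post and not derived from the pcap itself), the script below shows one way to run the indicators listed above over exported HTTP request records and confirm the redirect chain hop by hop via the Referer header, while also pulling out the callback phone number the fake AV page advertises in its query string. The record layout, the function names, and the sample requests are this example's own assumptions; the sample rows are constructed to mirror the chain above, and the non-indicator IP addresses in them are documentation-range placeholders.

```python
"""
Triage helper for HTTP requests from a fake-AV / tech-support-scam pcap.

Indicators come from the associated domains and IPs listed above. The
request records below are CONSTRUCTED to mirror that chain; they are not
extracted from the pcap. Record layout and function names are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Indicators from the page, keyed by hostname or destination IP, mapped to
# the stage of the infection chain they represent.
STAGES = {
    "call24wireless.com": "COMPROMISED SITE",
    "tfnfornow.bid": "REDIRECT TO FAKE AV PAGE",
    "204.155.28.5": "REDIRECT TO FAKE AV PAGE",
    "ispeak-a-little-english.tk": "FAKE AV PAGE",
    "185.159.83.48": "FAKE AV PAGE",
}

# Constructed records in the shape a Zeek http.log or tshark export would
# give: (dst_ip, host, uri, referer). 192.0.2.10 and 198.51.100.7 are
# placeholder addresses (the compromised site's real IP is not on the page).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "call24wireless.com", "/", "-"),
    ("204.155.28.5", "tfnfornow.bid", "/index/?MCPKV8",
     "http://call24wireless.com/"),
    ("185.159.83.48", "ispeak-a-little-english.tk", "/?number=888-791-9614",
     "http://tfnfornow.bid/index/?MCPKV8"),
    ("198.51.100.7", "www.example.org", "/", "-"),  # benign noise
]


def classify(dst_ip, host):
    """Return the chain stage for a request, matching on host first, then IP."""
    return STAGES.get(host) or STAGES.get(dst_ip)


def triage(requests):
    """Flag every request that touches a listed indicator and record whether
    its Referer points back at the previous flagged hop, i.e. whether the
    redirect chain is intact in the capture."""
    findings = []
    prev_host = None
    for dst_ip, host, uri, referer in requests:
        stage = classify(dst_ip, host)
        if stage is None:
            continue
        referer_host = urlsplit(referer).hostname or ""
        chained = prev_host is not None and referer_host == prev_host
        findings.append({
            "host": host,
            "dst_ip": dst_ip,
            "uri": uri,
            "stage": stage,
            "chained_from_previous_hop": chained,
        })
        prev_host = host
    return findings


def scam_phone_numbers(requests):
    """Extract the 'number' query parameter from FAKE AV PAGE requests; the
    callback number is a useful indicator to block and to pivot on."""
    numbers = set()
    for dst_ip, host, uri, _referer in requests:
        if classify(dst_ip, host) != "FAKE AV PAGE":
            continue
        query = parse_qs(urlsplit(uri).query)
        numbers.update(query.get("number", []))
    return sorted(numbers)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
    print("callback numbers:", scam_phone_numbers(SAMPLE_REQUESTS))
```

Matching on both hostname and destination IP matters here because the redirector and landing page are reached by name while firewall or NetFlow data often carries only the IP; the Referer check separates a genuine redirect chain from an unrelated visit to one of the listed hosts.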


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the EiTest campaign and the fake virus alert tech support scam


Shown above: Redirect and pop-up associated with the EiTest campaign and the fake virus alert tech support scam