According to Microsoft, tech support scams (TSS) are a growing problem, with 2 out of 3 consumers reporting that they’ve encountered them in recent years. As somebody who often captures malvertising chains, I can tell you that I too have seen a big uptick in redirects leading to tech support scam pages. Often these pages use subdomains or domains that attempt to look like legitimate Microsoft domains. For example, microsoftsupport.com-prtscrhelp18[.]us:
However, I’ve also been seeing a lot of numeric domains being used by these tech support scammers recently.
One example of this was finding numerous domains resolving to 5.9.86.131 (Network 5.9.0.0/16 – ASN 24940) being used to redirect users to tech support scam pages. Some of these domains include:
- ItalyGirls.mobi (Created on 11/24/2016)
- BinaryOptionsMastery.trade (Created on 06/20/2017)
- BinaryOptionsMastery.club (Created on 06/20/2017)
- PornKtUbe.top (Created on 06/20/2017)
All these domains were redirecting users to numeric tech support scam domains. For instance, here is a list of numeric tech support scam domains associated with redirects from PornKtUbe.top:
Numeric Domain | First Seen | Last Seen |
--- | --- | --- |
9567884489324564306.review | 7/8/2017 | 7/8/2017 |
404135656449876534.review | 7/8/2017 | 7/8/2017 |
465493778756689587756.win | 7/7/2017 | 7/7/2017 |
143692967985443721655874549.win | 7/7/2017 | 7/7/2017 |
956845943864845564431.bid | 7/7/2017 | 7/7/2017 |
78695470544525116165.review | 7/6/2017 | 7/6/2017 |
12456687546436615765.bid | 7/5/2017 | 7/5/2017 |
7655641355646139835.bid | 7/5/2017 | 7/5/2017 |
36569568438953111.bid | 7/5/2017 | 7/5/2017 |
1353784657483637846.bid | 7/3/2017 | 7/3/2017 |
88473284726188475864.bid | 7/3/2017 | 7/3/2017 |
4783927684238562829.review | 7/2/2017 | 7/2/2017 |
6327846573842957839275.win | 7/2/2017 | 7/2/2017 |
74632876563895786754.bid | 6/30/2017 | 6/30/2017 |
4556407486950.review | 6/29/2017 | 6/29/2017 |
455436551439.bid | 6/28/2017 | 6/28/2017 |
354236455893654.bid | 6/28/2017 | 6/28/2017 |
01786988943984.review | 6/28/2017 | 6/28/2017 |
536258694354546323.site | 6/27/2017 | 6/27/2017 |
44389536466341.site | 6/27/2017 | 6/27/2017 |
332948932566575651.site | 6/27/2017 | 6/27/2017 |
05615465645446.review | 6/26/2017 | 6/26/2017 |
46543466890678594.win | 6/26/2017 | 6/26/2017 |
45846475896455664.win | 6/26/2017 | 6/26/2017 |
045156413215571436.win | 6/26/2017 | 6/26/2017 |
02329873649247462.win | 6/25/2017 | 6/25/2017 |
96758608440451657.win | 6/25/2017 | 6/25/2017 |
16550785949065.win | 6/24/2017 | 6/24/2017 |
998755640344345.win | 6/24/2017 | 6/24/2017 |
746895417605565.win | 6/24/2017 | 6/24/2017 |
743564543645645764.win | 6/23/2017 | 6/23/2017 |
These numeric tech support scam domains use various TLDs including .win, .site, .bid, .review, .xyz, and .pro. You can see similar numeric tech support scam domains associated with redirects from ItalyGirls.mobi, BinaryOptionsMastery.trade and BinaryOptionsMastery.club.
Most hosts reach these tech support scam domains through ordinary HTTP redirection, such as a “302 Found” response. Furthermore, while researching this campaign I noticed that the HTTP cookie in the TCP stream contained the string “yatutzebil”:
Additional research shows that security researcher @cleverexploit has been tracking a malicious redirection campaign called “Yatut” since 11/16/2016. The campaign name appears to refer to the cookie name “yatutzebil”.
Another interesting note about this campaign is that hosts are being redirected to PornKtUbe.top (and other domains resolving to 5.9.86.131) from hundreds of other domains.
Below is a list of domains that redirected users to PornKtUbe.top (includes first time and last time it happened):
Domain | First Seen | Last Seen |
--- | --- | --- |
thaonguyenso.com | 6/23/2017 | 7/9/2017 |
marcomendez.es | 7/8/2017 | 7/9/2017 |
bookpart.ru | 7/4/2017 | 7/8/2017 |
minecraftdedicatedservers.com | 7/8/2017 | 7/8/2017 |
hammerandtongues.com | 7/7/2017 | 7/7/2017 |
venturethought.com | 7/5/2017 | 7/7/2017 |
w163club.ru | 6/24/2017 | 7/7/2017 |
educacionaunclick.com | 7/7/2017 | 7/7/2017 |
hammerandtongues.com | 7/7/2017 | 7/7/2017 |
qconnect.com.br | 6/26/2017 | 7/6/2017 |
dnzpetshop.com | 6/29/2017 | 7/5/2017 |
euhut.com | 7/5/2017 | 7/5/2017 |
perf1climited.com | 7/4/2017 | 7/4/2017 |
ledchannel.com.br | 6/25/2017 | 7/4/2017 |
growthhackergurus.com | 6/25/2017 | 7/3/2017 |
shoow.es | 6/24/2017 | 7/3/2017 |
stdntshack.com | 7/3/2017 | 7/3/2017 |
aevum.it | 6/25/2017 | 7/3/2017 |
glamourlux.nl | 7/2/2017 | 7/2/2017 |
plotat.com | 6/25/2017 | 7/2/2017 |
promotesmallbusinesses.com | 7/1/2017 | 7/1/2017 |
tool-expert.pl | 6/24/2017 | 7/1/2017 |
samarpanft.org | 7/1/2017 | 7/1/2017 |
gogogossip.com | 6/28/2017 | 7/1/2017 |
oakharbor-residences.com | 6/27/2017 | 7/1/2017 |
hartzonwheels.com | 6/28/2017 | 6/30/2017 |
ticketsbarcelona.pro | 6/30/2017 | 6/30/2017 |
about520.cn | 6/30/2017 | 6/30/2017 |
sonomainhomeaides.com | 6/30/2017 | 6/30/2017 |
s-kub.ru | 6/29/2017 | 6/29/2017 |
pricepiklin.ru | 6/29/2017 | 6/29/2017 |
praskoviamoskva.ru | 6/29/2017 | 6/29/2017 |
careerspoint.in | 6/29/2017 | 6/29/2017 |
bwarddesigns.com | 6/28/2017 | 6/28/2017 |
imarika.org | 6/28/2017 | 6/28/2017 |
marketdesignpro.com | 6/28/2017 | 6/28/2017 |
errata.pl | 6/24/2017 | 6/28/2017 |
paindontlast.com | 6/26/2017 | 6/27/2017 |
ladyksolutions.com | 6/27/2017 | 6/27/2017 |
minassyifa.com.my | 6/27/2017 | 6/27/2017 |
goforitsolutions.com | 6/27/2017 | 6/27/2017 |
beatsounds.com.au | 6/27/2017 | 6/27/2017 |
afase.com | 6/27/2017 | 6/27/2017 |
panelradyator.com.tr | 6/27/2017 | 6/27/2017 |
frisonesvillamichelle.com | 6/27/2017 | 6/27/2017 |
ploch.net.pl | 6/27/2017 | 6/27/2017 |
gobik.pl | 6/27/2017 | 6/27/2017 |
alemos.ru | 6/27/2017 | 6/27/2017 |
spiritcentral.tv | 6/27/2017 | 6/27/2017 |
dentalglasgow.com | 6/27/2017 | 6/27/2017 |
dexler.kr | 6/27/2017 | 6/27/2017 |
realitsolutionsgh.com | 6/27/2017 | 6/27/2017 |
sulemansanid.club | 6/27/2017 | 6/27/2017 |
rodbizconsulting.com | 6/27/2017 | 6/27/2017 |
alojinhadaviradaverde.com.br | 6/27/2017 | 6/27/2017 |
jiffyrando.com | 6/27/2017 | 6/27/2017 |
mjs-wordpress.web.malta.magnetomedia.net | 6/27/2017 | 6/27/2017 |
buckprofits.com | 6/27/2017 | 6/27/2017 |
powerfitgames.com | 6/27/2017 | 6/27/2017 |
bnsyemen.com | 6/27/2017 | 6/27/2017 |
alignmyspinedfw.com | 6/27/2017 | 6/27/2017 |
ashwaracing.com | 6/27/2017 | 6/27/2017 |
nanihau.com | 6/27/2017 | 6/27/2017 |
powerfitgames.com | 6/27/2017 | 6/27/2017 |
hydraulic-technology.ru | 6/26/2017 | 6/27/2017 |
henriksenbil.se | 6/23/2017 | 6/27/2017 |
henriksenbil.se | 6/23/2017 | 6/27/2017 |
energyshares.co | 6/26/2017 | 6/26/2017 |
nvcja.calhans.com | 6/24/2017 | 6/26/2017 |
athle-caluire.net | 6/26/2017 | 6/26/2017 |
turbofreebie.de | 6/26/2017 | 6/26/2017 |
adatecnologia.com.br | 6/26/2017 | 6/26/2017 |
unitedeximindia.com | 6/26/2017 | 6/26/2017 |
dolcevitahotel.dn.ua | 6/26/2017 | 6/26/2017 |
ulkucuisciler.org | 6/26/2017 | 6/26/2017 |
banadironline.com | 6/26/2017 | 6/26/2017 |
plumberinsacramento.org | 6/23/2017 | 6/25/2017 |
kmzen.com | 6/25/2017 | 6/25/2017 |
leadfunnelspro.com | 6/24/2017 | 6/25/2017 |
advance-ps.co.uk | 6/25/2017 | 6/25/2017 |
face-reading.net | 6/25/2017 | 6/25/2017 |
selenpansiyon.com | 6/25/2017 | 6/25/2017 |
sabseatle.com | 6/24/2017 | 6/24/2017 |
greatinvestmentinistanbul.com | 6/24/2017 | 6/24/2017 |
clinicaitca.esferaglobal.com.br | 6/24/2017 | 6/24/2017 |
plumberinauburn.com | 6/24/2017 | 6/24/2017 |
powerseptic.com | 6/24/2017 | 6/24/2017 |
clinicaitca.com.br | 6/24/2017 | 6/24/2017 |
ikmeleuz.ru | 6/24/2017 | 6/24/2017 |
udofit.ru | 6/24/2017 | 6/24/2017 |
thehorsingtonpost.org | 6/24/2017 | 6/24/2017 |
caticlan.com.au | 6/24/2017 | 6/24/2017 |
kiwi.kiev.ua | 6/24/2017 | 6/24/2017 |
seucurso.com.br | 6/23/2017 | 6/23/2017 |
glasslockvn.com | 6/23/2017 | 6/23/2017 |
flyforenergy.com | 6/23/2017 | 6/23/2017 |
bodrumminagift.com | 6/23/2017 | 6/23/2017 |
leadfunnelspro.com | 6/23/2017 | 6/23/2017 |
refinedartshow.com | 6/23/2017 | 6/23/2017 |
Taking the first domain in the list above, thaonguyenso.com, the server returns a “302 Found” pointing to PornKtUbe.top. PornKtUbe.top then redirects the host to a numeric tech support scam domain:
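The following script is an added example, not code from the original post: it ties together the observations above (the all-digit domains under .win, .site, .bid, .review, .xyz and .pro, the “yatutzebil” cookie, and the 302 hop from thaonguyenso.com through PornKtUbe.top) as a defender would see them in proxy logs. It parses a few constructed log lines, stitches consecutive 302 hops per client into a redirect chain, and flags chains that land on a numeric-label domain under one of the observed TLDs or that carry the Yatut cookie name. The log format, client IPs and the cookie value are assumptions; the hostnames are taken from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# TLDs the post observed on numeric tech support scam domains
NUMERIC_TSS_TLDS = {"win", "site", "bid", "review", "xyz", "pro"}
# Cookie name seen in the Yatut redirection traffic
YATUT_COOKIE = "yatutzebil"

# A single all-digit label directly under a TLD, e.g. 743564543645645764.win
NUMERIC_LABEL_RE = re.compile(r"^\d+\.([a-z]+)$")

# Constructed proxy log lines (assumed format):
#   <timestamp> <client> <method> <host> <path> <status> location=<url|-> cookie=<cookie|->
# Hosts come from the post; the client IPs and cookie value are made up.
LOG = """\
2017-07-09T10:00:01Z 10.0.0.5 GET thaonguyenso.com / 302 location=http://pornktube.top/ cookie=-
2017-07-09T10:00:02Z 10.0.0.5 GET pornktube.top / 302 location=http://743564543645645764.win/ cookie=yatutzebil=1
2017-07-09T10:00:03Z 10.0.0.5 GET 743564543645645764.win / 200 location=- cookie=yatutzebil=1
2017-07-09T10:00:04Z 10.0.0.7 GET example.com / 200 location=- cookie=-
2017-07-09T10:00:05Z 10.0.0.7 GET example.com /login 302 location=https://example.com/home cookie=session=abc
"""


def is_numeric_tss_domain(host):
    """True when host is a bare all-digit label under one of the observed TLDs."""
    m = NUMERIC_LABEL_RE.match(host.lower().strip("."))
    return bool(m) and m.group(1) in NUMERIC_TSS_TLDS


def parse_log(text):
    """Turn the constructed log lines into dicts; '-' means the field was absent."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _path, status, *kvs = line.split()
        extra = dict(kv.split("=", 1) for kv in kvs)
        records.append({
            "ts": ts,
            "client": client,
            "host": host.lower(),
            "status": int(status),
            "location": None if extra.get("location", "-") == "-" else extra["location"],
            "cookie": None if extra.get("cookie", "-") == "-" else extra["cookie"],
        })
    return records


def build_redirect_chains(records):
    """Per client, follow each 3xx Location header to the next request for that host."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)

    chains = []
    for client, recs in by_client.items():
        i = 0
        while i < len(recs):
            r = recs[i]
            if not (300 <= r["status"] < 400 and r["location"]):
                i += 1
                continue
            hops = [r["host"]]
            expected = urlparse(r["location"]).hostname
            j = i + 1
            # Extend the chain while the next request is for the host we were sent to
            while j < len(recs) and recs[j]["host"] == expected:
                hops.append(recs[j]["host"])
                nxt = recs[j]
                j += 1
                if 300 <= nxt["status"] < 400 and nxt["location"]:
                    expected = urlparse(nxt["location"]).hostname
                else:
                    break  # a non-redirect response ends the chain
            cookies = [x["cookie"] for x in recs[i:j] if x["cookie"]]
            chains.append({"client": client, "hops": hops, "cookies": cookies})
            i = j
    return chains


def flag_chain(chain):
    """Return the reasons a reconstructed chain looks like this campaign (empty if none)."""
    reasons = []
    last = chain["hops"][-1]
    if is_numeric_tss_domain(last):
        reasons.append("lands on numeric-label domain under observed TLD: " + last)
    if any(YATUT_COOKIE in c for c in chain["cookies"]):
        reasons.append("Yatut cookie name present: " + YATUT_COOKIE)
    return reasons


def analyze(text):
    """Parse, chain and flag; returns (hops, reasons) per chain in client order."""
    return [(c["hops"], flag_chain(c)) for c in build_redirect_chains(parse_log(text))]


if __name__ == "__main__":
    for hops, reasons in analyze(LOG):
        print(" -> ".join(hops), "|", "; ".join(reasons) or "no findings")
```

The hostname check on its own is only a shape heuristic, which is why the script scores at the chain level: a 302 from an unrelated site into an all-digit domain, with the campaign’s cookie name along the way, is what distinguishes this traffic from ordinary redirects like the example.com login hop, which the script leaves unflagged.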
Below are some examples of the numeric tech support scam pages resulting from this campaign:
There is some additional evidence that this “Yatut” campaign could have been involved in redirecting users to exploit kits. For instance, preliminary research into Yatut domains like getanygirls.info and 1200perday.com shows hosts were redirected from these domains to subdomains used by exploit kits.
Below is a list of subdomains that hosts were directed to from getanygirls.info:
Subdomain | First Seen | Last Seen |
--- | --- | --- |
br7qm.f34dob.top | 10/25/2016 | 10/25/2016 |
pln7y.tzyju5w.top | 10/25/2016 | 10/25/2016 |
jk101.oc81ioxvb.top | 10/25/2016 | 10/25/2016 |
gzi692.pq0hft0.top | 10/25/2016 | 10/25/2016 |
a9osc.dtud65z.top | 10/25/2016 | 10/25/2016 |
opjyj.sptu7a2e.top | 10/24/2016 | 10/25/2016 |
purame.lxlld.com | 10/25/2016 | 10/25/2016 |
blanda.lwllg.com | 10/24/2016 | 10/24/2016 |
pop.ltllk.com | 10/24/2016 | 10/24/2016 |
wmi39.krqgww.top | 10/24/2016 | 10/24/2016 |
xttkeb.ux6im01.top | 10/24/2016 | 10/24/2016 |
cpgk.m60wr8ls.top | 10/24/2016 | 10/24/2016 |
wocz0.d7kkrgq.top | 10/21/2016 | 10/21/2016 |
orwr5.vxk0gw2.top | 10/21/2016 | 10/21/2016 |
g2p3pii.lahimh.top | 10/21/2016 | 10/21/2016 |
rnenl.sqqxqbl.top | 10/21/2016 | 10/21/2016 |
cvxifni.qhnsav.top | 10/21/2016 | 10/21/2016 |
tnbpad.szp15w.top | 10/20/2016 | 10/20/2016 |
dvge.agk04.top | 10/20/2016 | 10/20/2016 |
l9q4n7.xvr3z8.top | 10/20/2016 | 10/20/2016 |
upc4t7z.sw5e8jo.top | 10/20/2016 | 10/20/2016 |
xs41rv.ptn3r.top | 10/20/2016 | 10/20/2016 |
s5kl59.ptn3r.top | 10/20/2016 | 10/20/2016 |
ybuso.z3zu8y.top | 10/20/2016 | 10/20/2016 |
emugh.z3zu8y.top | 10/20/2016 | 10/20/2016 |
add.diamonvest.com | 10/20/2016 | 10/20/2016 |
mh1w94.loagn0d.top | 10/20/2016 | 10/20/2016 |
x7kwd7.space | 8/30/2016 | 8/30/2016 |
rt.203kcontractorskentucky.com | 8/28/2016 | 8/28/2016 |
ki.203kcontractorskansas.com | 8/28/2016 | 8/28/2016 |
fd.203kcontractorsiowa.com | 8/28/2016 | 8/28/2016 |
df.203kcontractorsindiana.com | 8/28/2016 | 8/28/2016 |
df.203kcontractorinabox.net | 8/26/2016 | 8/26/2016 |
xz.thepowerofwhenbook.com | 8/24/2016 | 8/24/2016 |
ds.thepowerofwhen.org | 8/23/2016 | 8/23/2016 |
new.theinsomniablog.com | 8/23/2016 | 8/23/2016 |
i45h5.kinfacitontjo.top | 8/17/2016 | 8/17/2016 |
rew.yousuck.biz | 8/17/2016 | 8/17/2016 |
trend.whatsabusinessworth.com | 8/17/2016 | 8/17/2016 |
you.tedwhair.com | 8/16/2016 | 8/17/2016 |
rent.pre-hireassessments.com | 8/16/2016 | 8/16/2016 |
eqw.instapros.com | 8/16/2016 | 8/16/2016 |
tre.inparq.com | 8/16/2016 | 8/16/2016 |
ytr.houstonbusinessplanning.com | 8/15/2016 | 8/15/2016 |
tree.dardanus.info | 8/10/2016 | 8/10/2016 |
poi.gettheir.com | 8/9/2016 | 8/9/2016 |
pcibcg.ca1srg80.top | 7/20/2016 | 7/20/2016 |
d6o37.dlpj33o.top | 5/23/2016 | 5/23/2016 |
uc7.ecmi9pbpv.top | 5/20/2016 | 5/20/2016 |
t4jppv.jaupowliqw.top | 5/19/2016 | 5/19/2016 |
Below is a list of subdomains that hosts were directed to from 1200perday.com:
Subdomain | First Seen | Last Seen |
--- | --- | --- |
fd.thesleepdoctor.org | 8/24/2016 | 8/24/2016 |
xz.thepowerofwhenbook.com | 8/24/2016 | 8/24/2016 |
my.thefunctionalsleepdoctor.com | 8/23/2016 | 8/23/2016 |
Checking the IP resolution history for these subdomains and then looking up those IPs on VirusTotal will show you their malicious history.
Examples include IPs 109.234.38.67, 109.234.38.34, and 185.141.25.234.
Looking at the “Latest detected URLs” on these VirusTotal reports reveals what appear to be URLs associated with the RIG exploit kit. It appears that this campaign has shifted its focus from infection vectors using exploit kits to social engineering schemes using tech support scam pages.
Thankfully these tech support scam pages aren’t going to deliver any malware to your system. Users can safely ignore their bullshit warnings and close the page. If you can’t close the page via traditional methods then you can start Windows Task Manager, click on the Applications tab, and then end any running task related to your web browser.
FTC page on Tech Support Scams:
https://www.consumer.ftc.gov/articles/0346-tech-support-scams
Microsoft – The Fight Against Tech Support Scams:
https://blogs.microsoft.com/on-the-issues/2017/05/18/fight-tech-support-scams/
Microsoft – Report a Tech Support Scam:
https://www.microsoft.com/en-us/reportascam/?locale=en-US
Until next time!
Hey, just saying, maybe “ajax.googleapis.com” shouldn’t be among all those .top domains.
Correct. An oversight. Thanks.