Tech Support Scams Using Numeric Domains

malwarebreakdown on July 10, 2017

According to Microsoft, tech support scams (TSS) are a growing problem with 2 out of 3 consumers reporting that they’ve encountered them in recent years. As somebody who often captures malvertising chains I can tell you that I too have seen a big uptick in redirects leading to tech support scam pages. A lot of the times these pages are using subdomains or domains that attempt to look like legitimate Microsoft domains. For example, microsoftsupport.com-prtscrhelp18[.]us:

TSS 3

However, I’ve also been seeing a lot of numeric domains being used by these tech support scammers recently.

One example of this was finding numerous domains resolving to 5.9.86.131 (Network 5.9.0.0/16 – ASN 24940) being used to redirect users to tech support scam pages. Some of these domains include:

  • ItalyGirls.mobi (Created on 11/24/2016)
  • BinaryOptionsMastery.trade (Created on 06/20/2017)
  • BinaryOptionsMastery.club (Created on 06/20/2017)
  • PornKtUbe.top (Created on 06/20/2017)

All these domains were redirecting users to numeric tech support scam domains. For instance, here is a list of numeric tech support scam domains associated with redirects from PornKtUbe.top:

Numeric Domain First Seen Last Seen
9567884489324564306.review 7/8/2017 7/8/2017
404135656449876534.review 7/8/2017 7/8/2017
465493778756689587756.win 7/7/2017 7/7/2017
143692967985443721655874549.win 7/7/2017 7/7/2017
956845943864845564431.bid 7/7/2017 7/7/2017
78695470544525116165.review 7/6/2017 7/6/2017
12456687546436615765.bid 7/5/2017 7/5/2017
7655641355646139835.bid 7/5/2017 7/5/2017
36569568438953111.bid 7/5/2017 7/5/2017
1353784657483637846.bid 7/3/2017 7/3/2017
88473284726188475864.bid 7/3/2017 7/3/2017
4783927684238562829.review 7/2/2017 7/2/2017
6327846573842957839275.win 7/2/2017 7/2/2017
74632876563895786754.bid 6/30/2017 6/30/2017
4556407486950.review 6/29/2017 6/29/2017
455436551439.bid 6/28/2017 6/28/2017
354236455893654.bid 6/28/2017 6/28/2017
01786988943984.review 6/28/2017 6/28/2017
536258694354546323.site 6/27/2017 6/27/2017
44389536466341.site 6/27/2017 6/27/2017
332948932566575651.site 6/27/2017 6/27/2017
05615465645446.review 6/26/2017 6/26/2017
46543466890678594.win 6/26/2017 6/26/2017
45846475896455664.win 6/26/2017 6/26/2017
045156413215571436.win 6/26/2017 6/26/2017
02329873649247462.win 6/25/2017 6/25/2017
96758608440451657.win 6/25/2017 6/25/2017
16550785949065.win 6/24/2017 6/24/2017
998755640344345.win 6/24/2017 6/24/2017
746895417605565.win 6/24/2017 6/24/2017
743564543645645764.win 6/23/2017 6/23/2017

These numeric tech support scam domains use various TLDs including .win, .site, .bid, .review, .xyz, and .pro. You can see similar numeric tech support scam domains associated with redirects from ItalyGirls.mobi, BinaryOptionsMastery.trade and BinaryOptionsMastery.club.

Most hosts are going to be redirected to these tech support domains from typical redirection methods like “302 Found”, etc. Furthermore, while doing my research into this campaign I noticed that the HTTP cookie in the TCP stream contained the string “yatutzebil”:

302 Found

Example from pornktube.top

302 Found 2

Example from italygirls.mobi

Additional research shows that security researcher @cleverexploit has been tracking a malicious redirection campaign called “Yatut” since 11/16/2016. This campaign name appears to be in reference to the cookie name “yatutzebil”. 

Another interesting note about this campaign is that hosts are being redirected to PornKtUbe.top (and other domains resolving to 5.9.86.131) from hundreds of other domains.

Below is a list of domains that redirected users to PornKtUbe.top (includes first time and last time it happened):

Domain First Seen Last Seen
thaonguyenso.com 6/23/2017 7/9/2017
marcomendez.es 7/8/2017 7/9/2017
bookpart.ru 7/4/2017 7/8/2017
minecraftdedicatedservers.com 7/8/2017 7/8/2017
hammerandtongues.com 7/7/2017 7/7/2017
venturethought.com 7/5/2017 7/7/2017
w163club.ru 6/24/2017 7/7/2017
educacionaunclick.com 7/7/2017 7/7/2017
hammerandtongues.com 7/7/2017 7/7/2017
qconnect.com.br 6/26/2017 7/6/2017
dnzpetshop.com 6/29/2017 7/5/2017
euhut.com 7/5/2017 7/5/2017
perf1climited.com 7/4/2017 7/4/2017
ledchannel.com.br 6/25/2017 7/4/2017
growthhackergurus.com 6/25/2017 7/3/2017
shoow.es 6/24/2017 7/3/2017
stdntshack.com 7/3/2017 7/3/2017
aevum.it 6/25/2017 7/3/2017
glamourlux.nl 7/2/2017 7/2/2017
plotat.com 6/25/2017 7/2/2017
promotesmallbusinesses.com 7/1/2017 7/1/2017
tool-expert.pl 6/24/2017 7/1/2017
samarpanft.org 7/1/2017 7/1/2017
gogogossip.com 6/28/2017 7/1/2017
oakharbor-residences.com 6/27/2017 7/1/2017
hartzonwheels.com 6/28/2017 6/30/2017
ticketsbarcelona.pro 6/30/2017 6/30/2017
about520.cn 6/30/2017 6/30/2017
sonomainhomeaides.com 6/30/2017 6/30/2017
s-kub.ru 6/29/2017 6/29/2017
pricepiklin.ru 6/29/2017 6/29/2017
praskoviamoskva.ru 6/29/2017 6/29/2017
careerspoint.in 6/29/2017 6/29/2017
bwarddesigns.com 6/28/2017 6/28/2017
imarika.org 6/28/2017 6/28/2017
marketdesignpro.com 6/28/2017 6/28/2017
errata.pl 6/24/2017 6/28/2017
paindontlast.com 6/26/2017 6/27/2017
ladyksolutions.com 6/27/2017 6/27/2017
minassyifa.com.my 6/27/2017 6/27/2017
goforitsolutions.com 6/27/2017 6/27/2017
beatsounds.com.au 6/27/2017 6/27/2017
afase.com 6/27/2017 6/27/2017
panelradyator.com.tr 6/27/2017 6/27/2017
frisonesvillamichelle.com 6/27/2017 6/27/2017
ploch.net.pl 6/27/2017 6/27/2017
gobik.pl 6/27/2017 6/27/2017
alemos.ru 6/27/2017 6/27/2017
spiritcentral.tv 6/27/2017 6/27/2017
dentalglasgow.com 6/27/2017 6/27/2017
dexler.kr 6/27/2017 6/27/2017
realitsolutionsgh.com 6/27/2017 6/27/2017
sulemansanid.club 6/27/2017 6/27/2017
rodbizconsulting.com 6/27/2017 6/27/2017
alojinhadaviradaverde.com.br 6/27/2017 6/27/2017
jiffyrando.com 6/27/2017 6/27/2017
mjs-wordpress.web.malta.magnetomedia.net 6/27/2017 6/27/2017
buckprofits.com 6/27/2017 6/27/2017
powerfitgames.com 6/27/2017 6/27/2017
bnsyemen.com 6/27/2017 6/27/2017
alignmyspinedfw.com 6/27/2017 6/27/2017
ashwaracing.com 6/27/2017 6/27/2017
nanihau.com 6/27/2017 6/27/2017
powerfitgames.com 6/27/2017 6/27/2017
hydraulic-technology.ru 6/26/2017 6/27/2017
henriksenbil.se 6/23/2017 6/27/2017
henriksenbil.se 6/23/2017 6/27/2017
energyshares.co 6/26/2017 6/26/2017
nvcja.calhans.com 6/24/2017 6/26/2017
athle-caluire.net 6/26/2017 6/26/2017
turbofreebie.de 6/26/2017 6/26/2017
adatecnologia.com.br 6/26/2017 6/26/2017
unitedeximindia.com 6/26/2017 6/26/2017
dolcevitahotel.dn.ua 6/26/2017 6/26/2017
ulkucuisciler.org 6/26/2017 6/26/2017
banadironline.com 6/26/2017 6/26/2017
plumberinsacramento.org 6/23/2017 6/25/2017
kmzen.com 6/25/2017 6/25/2017
leadfunnelspro.com 6/24/2017 6/25/2017
advance-ps.co.uk 6/25/2017 6/25/2017
face-reading.net 6/25/2017 6/25/2017
selenpansiyon.com 6/25/2017 6/25/2017
sabseatle.com 6/24/2017 6/24/2017
greatinvestmentinistanbul.com 6/24/2017 6/24/2017
clinicaitca.esferaglobal.com.br 6/24/2017 6/24/2017
plumberinauburn.com 6/24/2017 6/24/2017
powerseptic.com 6/24/2017 6/24/2017
clinicaitca.com.br 6/24/2017 6/24/2017
ikmeleuz.ru 6/24/2017 6/24/2017
udofit.ru 6/24/2017 6/24/2017
thehorsingtonpost.org 6/24/2017 6/24/2017
caticlan.com.au 6/24/2017 6/24/2017
kiwi.kiev.ua 6/24/2017 6/24/2017
seucurso.com.br 6/23/2017 6/23/2017
glasslockvn.com 6/23/2017 6/23/2017
flyforenergy.com 6/23/2017 6/23/2017
bodrumminagift.com 6/23/2017 6/23/2017
leadfunnelspro.com 6/23/2017 6/23/2017
refinedartshow.com 6/23/2017 6/23/2017

Taking the first domain in the list above, thaonguyenso.com, shows the server returning a “302 Found” pointing to PornKtUbe.top.  PornKtUbe.top then redirects the host to a numeric tech support scam domain:

302 Found 3

Below are some examples of the numeric tech support scam pages resulting from this campaign:

TSS from pornktube dot top

Redirected to this TSS page from pornktube.top

TSS italygirls dot mobi

Redirected to this TSS page from italygirls.mobi

There is some additional evidence that this “Yatut” campaign could have been involved in redirecting users to exploit kits. For instance, preliminary research into Yatut domains like getanygirls.info and 1200perday.com show’s hosts were redirected to from these domains to subdomains used by exploit kits.

Below is a list of subdomains that hosts were directed to from getanygirls.info:

Subdomain First Seen Last Seen
br7qm.f34dob.top 10/25/2016 10/25/2016
pln7y.tzyju5w.top 10/25/2016 10/25/2016
jk101.oc81ioxvb.top 10/25/2016 10/25/2016
gzi692.pq0hft0.top 10/25/2016 10/25/2016
a9osc.dtud65z.top 10/25/2016 10/25/2016
opjyj.sptu7a2e.top 10/24/2016 10/25/2016
purame.lxlld.com 10/25/2016 10/25/2016
blanda.lwllg.com 10/24/2016 10/24/2016
pop.ltllk.com 10/24/2016 10/24/2016
wmi39.krqgww.top 10/24/2016 10/24/2016
xttkeb.ux6im01.top 10/24/2016 10/24/2016
cpgk.m60wr8ls.top 10/24/2016 10/24/2016
wocz0.d7kkrgq.top 10/21/2016 10/21/2016
orwr5.vxk0gw2.top 10/21/2016 10/21/2016
g2p3pii.lahimh.top 10/21/2016 10/21/2016
rnenl.sqqxqbl.top 10/21/2016 10/21/2016
cvxifni.qhnsav.top 10/21/2016 10/21/2016
tnbpad.szp15w.top 10/20/2016 10/20/2016
dvge.agk04.top 10/20/2016 10/20/2016
l9q4n7.xvr3z8.top 10/20/2016 10/20/2016
upc4t7z.sw5e8jo.top 10/20/2016 10/20/2016
xs41rv.ptn3r.top 10/20/2016 10/20/2016
s5kl59.ptn3r.top 10/20/2016 10/20/2016
ybuso.z3zu8y.top 10/20/2016 10/20/2016
emugh.z3zu8y.top 10/20/2016 10/20/2016
add.diamonvest.com 10/20/2016 10/20/2016
mh1w94.loagn0d.top 10/20/2016 10/20/2016
x7kwd7.space 8/30/2016 8/30/2016
rt.203kcontractorskentucky.com 8/28/2016 8/28/2016
ki.203kcontractorskansas.com 8/28/2016 8/28/2016
fd.203kcontractorsiowa.com 8/28/2016 8/28/2016
df.203kcontractorsindiana.com 8/28/2016 8/28/2016
df.203kcontractorinabox.net 8/26/2016 8/26/2016
xz.thepowerofwhenbook.com 8/24/2016 8/24/2016
ds.thepowerofwhen.org 8/23/2016 8/23/2016
new.theinsomniablog.com 8/23/2016 8/23/2016
i45h5.kinfacitontjo.top 8/17/2016 8/17/2016
rew.yousuck.biz 8/17/2016 8/17/2016
trend.whatsabusinessworth.com 8/17/2016 8/17/2016
you.tedwhair.com 8/16/2016 8/17/2016
rent.pre-hireassessments.com 8/16/2016 8/16/2016
eqw.instapros.com 8/16/2016 8/16/2016
tre.inparq.com 8/16/2016 8/16/2016
ytr.houstonbusinessplanning.com 8/15/2016 8/15/2016
tree.dardanus.info 8/10/2016 8/10/2016
poi.gettheir.com 8/9/2016 8/9/2016
pcibcg.ca1srg80.top 7/20/2016 7/20/2016
d6o37.dlpj33o.top 5/23/2016 5/23/2016
uc7.ecmi9pbpv.top 5/20/2016 5/20/2016
t4jppv.jaupowliqw.top 5/19/2016 5/19/2016

Below is a list of subdomains that hosts were directed to from 1200perday.com:

Subdomain First Seen Last Seen
fd.thesleepdoctor.org 8/24/2016 8/24/2016
xz.thepowerofwhenbook.com 8/24/2016 8/24/2016
my.thefunctionalsleepdoctor.com 8/23/2016 8/23/2016

Checking the IP resolution history for these subdomains and then looking up their IP history on VirusTotal will show you their malicious history.

Examples include IPs 109.234.38.67109.234.38.34, and 185.141.25.234.

VirusTotal shows malicious history (URLs) associated with IP address
VirusTotal shows malicious history (URLs) associated with IP address

Looking at the “Latest detected URLs” on these VirusTotal reports reveals what appear to be URLs associated with RIG exploit kit. It would seem like this campaign has shifted its focus from infection vectors using exploits kits to social engineering schemes using tech support scam pages.

Thankfully these tech support scam pages aren’t going to deliver any malware to your system. Users can safely ignore their bullshit warnings and close the page. If you can’t close the page via traditional methods then you can start Windows Task Manager, click on the Applications tab, and then end any running task related to your web browser.

FTC page on Tech Support Scams:
https://www.consumer.ftc.gov/articles/0346-tech-support-scams

Microsoft – The Fight Against Tech Support Scams:
https://blogs.microsoft.com/on-the-issues/2017/05/18/fight-tech-support-scams/

Microsoft – Report a Tech Support Scam:
https://www.microsoft.com/en-us/reportascam/?locale=en-US

Until next time!

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

  1. Tohar July 13, 2017 at 11:53 AM

    Hey, just saying, maybe “ajax.googleapis.com” shouldn’t be among all those .top domains.

    Like

    Reply

    1. malwarebreakdown July 14, 2017 at 12:49 AM

      Correct. An oversight. Thanks.

      Like

      Reply

Leave a Comment

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: