Trending
ee-track">
Link copied!

Massive Tech Support Scam Exposed

Cyble Research and Intelligence exposes a massive scam that uses fake defender alert to trick victims into making payments.

October 11, 2022 · 4 min read
<strong>Massive Tech Support Scam Exposed</strong>

Fake Windows Defender Alerts weaponized to target users

 

A tech support scam is an extensive fraud where the scammer offers a support service for any legitimate entity and lures the victim into contacting the scammer via a fake support helpline number. After contacting the helpline, the scammer gains access to the victim’s machine and can perform activities such as fraudulent transactions, stealing sensitive data, etc.

Recently, Cyble Research & Intelligence Labs (CRIL) identified a new ongoing tech support scam where the Threat Actor has developed various phishing websites that pretend to be Microsoft support sites that show a fake Windows defender alert.

We have observed over 50 phishing sites related to this scam since September 2022, and the related IP 68.178.145[.]199 is located in India. In the past, a study related to the scam found that 85% of IPs involved in tech support scams were located in India.

We believe the user may have received this phishing URL via email or SMS, similar to other tech support scams. When users visit this phishing site hxxp://7878winsupportonline[.]xyz, it opens various popups warning them that their computer has been locked and alerts users by playing an audio “important security message” until the user closes the fake website.

After opening the phishing site, it displays the “Quick Scan” pop-up and a fake scan stating that it has detected threats on the victim’s machine, as shown in the image below

Quick scan, Fake, popup

The phishing site also shows the fake Threat Scan result with the detection name, type of malware, object type, and location. The TA shows these fake results to victims to make them believe their machine has been compromised by multiple threats.

Phishing, Threat Scan

Further, the phishing site displays a pop-up window that states that the victim’s computer has been blocked due to illegal activity. Additionally, the site notifies victims that their computers have been infected with the Trojan spyware and sensitive data such as email credentials, banking passwords, Facebook login, pictures & documents have been compromised.

Figure 3 – Displaying fake alert window 1
Figure 3 – Displaying fake alert window

 

To unlock the device and prevent identity theft, the phishing site advise the user to call a support technician and shows a “Windows Defender Security Center” pop-up that contains a support contact number, as shown below.

Phishing, Support

Phishing, Support
Figure 4 – Phishing site displaying the support contact number

Additionally, CRIL observed the tech support scam targeting iPhone devices as well. The phishing site hxxp://0044winsupportonline[.]xyz pretends to be an official Apple support website and shows the message that the device has been locked due to illegal activity. To unlock the device, the victim needs to contact the customer support number mentioned on the phishing site.

Apple Support, Phishing

After contacting the scammers, they gain access to the victim’s system using any third-party remote desktop application. They can then perform several activities, including performing fraudulent transactions and installing other malware such as RATs, stealers, or other unwanted programs that can steal sensitive data from the victim’s machine.

 Conclusion

 

Scammers are constantly developing new strategies and different campaigns to target potential victims. Our research indicates that scammers involved in tech support scams leverage the legitimacy of reputable firms such as Microsoft to lure their victims into calling what they believe is a customer support helpline. The scammers can then further steal sensitive data from the victim’s machine.

Typically, Windows Defender will only alert users via the installed Windows Defender application and not via a web browser.

Cyble Research & Intelligence Labs constantly monitors active phishing campaigns and keeps our readers updated with our latest findings about phishing and other types of data-stealing attacks.

Our Recommendations

 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

Indicators Of Compromise (IOCs)

 

IndicatorsIndicator TypeDescription
hxxp://0088winsupportonline[.]xyz/URLPhishing site
hxxp://0077winsupportonline[.]xyz/URLPhishing site
hxxp://0066winsupportonline[.]xyz/URLPhishing site
hxxp://0022winsupportonline[.]xyz/URLPhishing site
hxxps://4545winsupportonlinehelp[.]xyz/URLPhishing site
hxxp://0044winsupportonline[.]xyz/URLPhishing site
hxxp://7878winsupportonline[.]xyz/URLPhishing site
hxxp://8080winsupportonlinee[.]xyz/URLPhishing site
hxxp://7373winsupportonline[.]xyz/URLPhishing site
hxxp://3333winsupoortonlineget3333[.]xyzURLPhishing site
hxxp://7272winsupportonline[.]xyz/URLPhishing site
hxxps://7676winsupportonline[.]xyz/URLPhishing site
hxxp://7070winsupportonline[.]xyz/URLPhishing site
hxxp://7676winsupportonline[.]xyz/URLPhishing site
hxxps://7474winsupportonline[.]xyz/URLPhishing site
hxxps://6161winsupportonline[.]xyz/URLPhishing site
hxxp://6363winsupportonline[.]xyz/URLPhishing site
hxxp://6161winsupportonline[.]xyz/URLPhishing site
hxxp://7575winsupportonline[.]xyzURLPhishing site
hxxp://7474winsupportonline[.]xyzURLPhishing site
hxxps://5959winsupportonline[.]xyz/URLPhishing site
hxxp://6464winsupportonline[.]xyzURLPhishing site
hxxp://5555winsuppottonline[.]xyz/URLPhishing site
hxxp://5656winsuppottonline[.]xyz/URLPhishing site
hxxp://3434winsupoortonlineget3434[.]xyzURLPhishing site
hxxp://6262winsupportonline[.]xyz/URLPhishing site
hxxp://5151winsupportonlineget[.]xyz/URLPhishing site
hxxp://5353winsupportonlineget[.]xyz/URLPhishing site
hxxp://5858winsupportonline[.]xyz/URLPhishing site
hxxp://5050winsupportoninehelp[.]xyz/URLPhishing site
hxxp://5454winsuppottonline[.]xyz/URLPhishing site
hxxp://4949winsupportoninehelp[.]xyz/URLPhishing site
hxxp://5252winsupportonlineget[.]xyz/URLPhishing site
hxxp://4848winsupportonlineherk[.]xyzURLPhishing site
hxxp://4444winsupportonlinehelp[.]xyzURLPhishing site
hxxp://4646winsupportonlinehelp[.]xyz/URLPhishing site
hxxp://4747winsupportonlineherk[.]xyzURLPhishing site
hxxp://4242iossupportonlineios4242[.]xyzURLPhishing site
hxxp://4343iossupportonlineios4343[.]xyzURLPhishing site
hxxp://4040iossupportonlineios4040[.]xyz/URLPhishing site
hxxps://3030winsupportonline3030[.]xyz/URLPhishing site
hxxp://2929ioshelponlineios2929[.]xyz/URLPhishing site
hxxp://3232winsupportolnlineghets3232[.]xyzURLPhishing site
hxxp://3131winsupportolnlineghets3131[.]xyzURLPhishing site
hxxp://2727iossupportonlingegetios2727[.]xyzURLPhishing site
hxxp://2424ioshelponlinehekowios2424[.]xyzURLPhishing site
hxxp://9winsuuportoiblineghswin9[.]xyzURLPhishing site
hxxp://10winsuuportoiblineghswin10[.]xyzURLPhishing site
hxxp://9winsuuportoiblineghswin9[.]xyz/URLPhishing site
hxxp://8winsupportinonwgrtw8[.]xyz/URLPhishing site
hxxp://2ioshelotheisbsheibsios2[.]xyzURLPhishing site
hxxp://3iosheloproducttuoebsusios3[.]xyz/URLPhishing site
68.178.145[.]199URLIP address

 

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams