{"id":11372,"date":"2018-02-05T11:10:03","date_gmt":"2018-02-05T19:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/05\/news-5143\/"},"modified":"2018-02-05T11:10:03","modified_gmt":"2018-02-05T19:10:03","slug":"news-5143","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/02\/05\/news-5143\/","title":{"rendered":"Boomerang spam bombs Malwarebytes forum\u2014not a smart move"},"content":{"rendered":"<p><strong>Credit to Author: William Tsing| Date: Mon, 05 Feb 2018 17:57:42 +0000<\/strong><\/p>\n<p>Tech support scammers are generally not the best and brightest. As such, they will occasionally post ads for their fake companies in the comment sections here or on the Malwarebytes forums. Last week, however, scammers struggled with configuring their spambots, resulting in spam bombs on the forum lasting roughly 72 hours, with a slow taper down for two more days.<\/p>\n<p>Over six days, 246 spam accounts associated with this activity were banned. We wondered what threat actor group would exercise such phenomenally poor judgment, so we drilled down a bit into who these people are.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-21315\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spamflooder-600x96.png\" alt=\"\" width=\"600\" height=\"96\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spamflooder-600x96.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spamflooder-300x48.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spamflooder.png 1263w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>As it turns out, the majority of the spam was posted for a threat actor we were already familiar with: Boomerang Tech Solutions. Boomerang scams using an AV theme, so they need to use the Malwarebytes brand to appear properly comprehensive to victims. 
They will also look to legitimate AV customers for scam targeting. Over the past year, Boomerang has:<\/p>\n<ul>\n<li>Posted ads to our forums<\/li>\n<li>Posted ads to blog comment sections<\/li>\n<li>Maintained Twitter accounts to direct traffic to their domains<\/li>\n<li>Monitored the Facebook pages of various AV companies to find customers requesting tech support. They then targeted those customers with linked phone numbers, claiming to be the company in question.<\/li>\n<li>Made outbound calls to victims as Malwarebytes, then subsequently deleted MBAM from victim systems<\/li>\n<\/ul>\n<p>As you can imagine, this behavior has not endeared them to US-based merchant processors, leaving them with pay by check as the primary payment option. (More on why alternative payment options tend to be bad <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/03\/tech-support-scammers-and-their-banking-woes\/\" target=\"_blank\" rel=\"noopener\">here.<\/a>)<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-21317 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spam3-600x521.png\" alt=\"\" width=\"600\" height=\"521\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spam3-600x521.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spam3-300x261.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/01\/spam3.png 1600w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/h2>\n<h3>Indicators<\/h3>\n<p>Our counterfraud team has observed the following Indicators of Compromise (IOCs) related to Boomerang activity:<\/p>\n<table style=\"height: 453px;\" width=\"542\">\n<tbody>\n<tr>\n<td width=\"234\"><strong>Website<\/strong><\/td>\n<td width=\"234\"><strong>Twitter handle<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"234\">Antivirus-support-number[.]com<\/td>\n<td width=\"234\">@Malwrebytes<\/td>\n<\/tr>\n<tr>\n<td 
width=\"234\">Boomerangtechnologies[.]info<\/td>\n<td width=\"234\">@malwarebytes4<\/td>\n<\/tr>\n<tr>\n<td width=\"234\">www.antivirustechnicalhelp[.]com<\/td>\n<td width=\"234\">@malwarebytes_<\/td>\n<\/tr>\n<tr>\n<td width=\"234\">www.wisdomsquad[.]com<\/td>\n<td width=\"234\">@malwarebytetech<\/td>\n<\/tr>\n<tr>\n<td width=\"234\">www.seccurityexperts[.]com<\/td>\n<td width=\"234\">@quickencontact2<\/td>\n<\/tr>\n<tr>\n<td width=\"234\">liveantivirushelp[.]com<\/td>\n<td width=\"234\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"234\">antivirusconsulting[.]com<\/td>\n<td width=\"234\">n\/a<\/td>\n<\/tr>\n<tr>\n<td width=\"234\">www.bluenetworksecurity[.]com<\/td>\n<td width=\"234\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>How Boomerang rips us off<\/h3>\n<p>When Boomerang first came on our radar about a year ago, we called them up to see precisely how victims are being targeted. As you can see in the video of our call below, there\u2019s nothing at all original here. Boomerang tells us that we are bedeviled by \u201cillegal connections\u201d sending our data overseas. The only slightly unusual parts are the relatively high quality of their website (most of these guys struggle with HTML), and the phone rep who told us that Malwarebytes does not protect from \u201cviruses coming from the Internet.\u201d Check out the video to see the standard Boomerang pitch.<\/p>\n<p><iframe  src='https:\/\/www.youtube.com\/embed\/q4-hCY1kFVw?version=3&#038;rel=1&#038;fs=1&#038;autohide=2&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<h3>How to stay safe<\/h3>\n<p>First and foremost, be a little extra suspicious of any company that is resistant to accepting payment with a credit card. If they can&#8217;t process credit payments easily, there&#8217;s probably a good (bad) reason why. 
If you&#8217;ve had a run-in with these or any other tech support scammer (on our site, forum, or anywhere else), you can find information on what to do next <a href=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>Have you been contacted by someone claiming to be us or our representative? See how to evaluate those claims <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/04\/do-i-have-malwarebytes-or-a-tech-support-scam\/\" target=\"_blank\" rel=\"noopener\">here<\/a>. Lastly, if you&#8217;ve dealt with anyone from Boomerang yourself, post to the comments below to let others know your experience. Stay suspicious and stay safe.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/02\/boomerang-spam-bombs-malwarebytes-forum-not-smart-move\/\">Boomerang spam bombs Malwarebytes forum\u2014not a smart move<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/02\/boomerang-spam-bombs-malwarebytes-forum-not-smart-move\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: William Tsing| Date: Mon, 05 Feb 2018 17:57:42 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/02\/boomerang-spam-bombs-malwarebytes-forum-not-smart-move\/' title='Boomerang spam bombs Malwarebytes forum\u2014not a smart move'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2015\/04\/photodune-4786860-technical-support-close-up-screen-display-s.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Boomerang Tech solutions had trouble configuring 
their spambots, thus dropping a few spam bombs on Malwarebytes forums. Watch us catch them red-handed in a scammer call.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/social-engineering-cybercrime\/\" rel=\"category tag\">Social engineering<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/boomerang\/\" rel=\"tag\">Boomerang<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/forums\/\" rel=\"tag\">forums<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mbam\/\" rel=\"tag\">MBAM<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/spam\/\" rel=\"tag\">spam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tss\/\" rel=\"tag\">TSS<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/02\/boomerang-spam-bombs-malwarebytes-forum-not-smart-move\/' title='Boomerang spam bombs Malwarebytes forum\u2014not a smart move'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/02\/boomerang-spam-bombs-malwarebytes-forum-not-smart-move\/\">Boomerang spam bombs Malwarebytes forum\u2014not a smart move<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[17409,4503,17410,16150,10510,10518,10545],"class_list":["post-11372","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-boomerang","tag-cybercrime","tag-forums","tag-mbam","tag-social-engineering","tag-spam","tag-tss"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11372"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11372\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}