{"id":12298,"date":"2018-05-15T11:10:04","date_gmt":"2018-05-15T19:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/15\/news-6067\/"},"modified":"2018-05-15T11:10:04","modified_gmt":"2018-05-15T19:10:04","slug":"news-6067","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/05\/15\/news-6067\/","title":{"rendered":"Tech support scam uses fake Shoppers Stop site to lure thousands"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 08 May 2018 13:25:00 +0000<\/strong><\/p>\n

These days, there are a lot of browser locker campaigns fueled by malvertising or redirection from hacked sites. But the Shoppers Stop tech scam campaign is actually a bit of both, using compromised sites injected with advertising code that redirects users to other threats,\u00a0including tech support scams, via malvertising.<\/p>\n

We believe those ad injections came from pirated CMS themes. Normally, these are WordPress themes that people typically have to pay to download. Instead, they are offered for free, with a bonus bundle of malicious code.<\/p>\n

One aspect we noticed as part of the redirection mechanism was an online shopping portal registered to domains with suspicious TLDs such as\u00a0.trade<\/em>, .accountant<\/em>, .ml<\/em>\u00a0that quickly rotate to make blacklisting approaches futile. However, using that same artifact, we were able to flag other browser locker incidents for this particular campaign.<\/p>\n

The browlock<\/h3>\n

The browser locker used in this campaign is a spin-off of the Google Chrome Safebrowing warning. The scammers have added scare tactics to it (e.g.\u00a0Hard Drive Safety Delete Starting in: 5:00 minutes<\/em>), as well as authentication pop-ups that prevent the user from closing the browser tab or window.<\/p>\n

\"\"<\/a><\/p>\n

In this template, the crooks have not bothered with changing the IP address (supposedly of their victim), which still belongs to the original creator of that page, located somewhere in India. The toll-free number, dynamically populated both on the page and the URL, is what the scammers hope potential victims will dial.<\/p>\n

Traffic<\/h3>\n

As mentioned earlier, the number one vector of traffic to these browser locker pages is advertising\u2014more precisely, malvertising. Perpetrators can spend a small budget and attract a fair amount of visits through one of many ad networks. More and more, we are seeing ad platforms ensure that visitors are legitimate and not bots or others using anonymous proxies.<\/p>\n

In some cases, this ‘lead funneling’ is doubled by the use of a traffic distribution system (TDS). Here’s an example we captured via the well-documented BlackTDS<\/a>, redirecting users to ad networks and eventually to the browlock.<\/p>\n

\"\"<\/a><\/p>\n

BlackTDS has been the source of many browser lockers that have been caught by other researchers as well. For example, on March 29,\u00a0Vitali Kremez reported<\/a> an infection chain to a browlock started via\u00a0smarttraffics[.]ml<\/em>.<\/p>\n

Another instance of the same threat was found as part of an ongoing campaign of compromised websites injected with ad network code. There have been reports from site owners since late last year, but the trend has increased recently.<\/p>\n

Denis Sinegubko<\/a> from Sucuri<\/a> noted<\/a> that an ad script with the same ID was injected into over 2,000 websites and drew the conclusion that this was not a case of webmasters using ads for monetization, but rather unwanted ad injections into their CMS. Using the\u00a0Source Code Search Engine PublicWWW<\/a>, we found thousands of websites with the same ad codes:<\/p>\n

\"\"<\/a><\/p>\n

For several weeks now, we have reproduced numerous infection chains to exploit kits, browlocks, and other scams via those injected ads.<\/p>\n

\/\/go.oclaserver[.]com\/apu.php?zoneid=removed  \/\/go.mobtrks[.]com\/notice.php?p=removed&interstitial=1  \/\/go.mobisla[.]com\/notice.php?p=removed&interactive=1&pushup=1  \/\/defpush[.]com\/ntfc.php?p=removed<\/pre>\n
The server side PHP code (WP-VCD malware<\/a>) used to load those ads can be seen below. Thanks to our friends at Sucuri for sharing it.<\/p>\n
\"\"<\/a><\/p>\n
Sucuri’s SiteCheck<\/a> detects these server-side injections as rogueads.unwanted_ads<\/a>. The leading cause for these injections are Nulled themes, pirated copies of paid-for CMS themes. The free lunch often comes with backdoors, lack of future updates, and of course violating licensing and copyright laws.<\/p>\n
\"\"<\/a><\/p>\n
In the following traffic capture (thanks Baber Pervez<\/a>), we notice the ad injection leading to a malicious redirection chain via the following sequence:<\/p>\n