{"id":15628,"date":"2019-06-25T20:48:01","date_gmt":"2019-06-26T04:48:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/06\/25\/news-9377\/"},"modified":"2019-06-25T20:48:01","modified_gmt":"2019-06-26T04:48:01","slug":"news-9377","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/06\/25\/news-9377\/","title":{"rendered":"Recipe for success: tech support scammers zero in via paid search"},"content":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Tue, 25 Jun 2019 15:00:00 +0000<\/strong><\/p>\n<p>Tech support scammers are known for engaging in a game of whack-a-mole with defenders. Case in point, last month there were reports that crooks had <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-tech-support-scams-invade-azure-cloud-services\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">invaded Microsoft Azure Cloud Services<\/a> to host fake warning pages, also known as browser lockers. In this blog, we take a look at one of the top campaigns that is responsible for driving traffic to those Azure-hosted scareware pages.<\/p>\n<p>We discovered that the scammers have been buying ads displayed on major Internet portals to target an older demographic. Indeed, they were using paid search results to drive traffic towards decoy blogs that would redirect victims to a browlock page.<\/p>\n<p>This scheme has actually been going on for months and has intensified recently, all the while keeping the same modus operandi. 
Although not overly sophisticated, the threat actors behind it have been able to abuse major ad platforms and hosting providers for several months.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_.png\" data-rel=\"lightbox-0\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39155\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/diagram_-3\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_.png\" data-orig-size=\"594,599\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"diagram_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_-297x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_.png\" alt=\"\" class=\"wp-image-39155\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_.png 594w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_-150x150.png 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/diagram_-297x300.png 297w\" sizes=\"(max-width: 594px) 100vw, 594px\" \/><\/a><\/figure>\n<\/div>\n<h3>Leveraging paid search results<\/h3>\n<p>Tech support scams are typically distributed via malvertising campaigns. 
Cheap adult traffic is usually first on the list for many groups of scammers. Not only is it cost effective, but it also plays into the psychology of users believing they got infected after visiting a dodgy website.<\/p>\n<p>Other times, we see scammers actively targeting brands by trying to impersonate them. The idea is to reel in victims looking for support with a particular product or service. However, in this particular campaign, the crooks are targeting folks looking up food recipes.<\/p>\n<p>There are two types of results from a search engine results page (SERP):<\/p>\n<ul>\n<li>Organic search results that match the user\u2019s search query based on relevance. The top listed sites are usually those that have the best Search Engine Optimization (SEO).<\/li>\n<li>Paid search results, which are basically ads relevant to the user&#8217;s query. They require a certain budget where not all keywords are equal in cost.<\/li>\n<\/ul>\n<p>Because paid search results are typically displayed at the top (often blending in with organic search results), they tend to generate more clicks.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch.png\" data-rel=\"lightbox-1\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39156\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/paidsearch\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch.png\" data-orig-size=\"1130,866\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"paidsearch\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch-300x230.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch-600x460.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch.png\" alt=\"\" class=\"wp-image-39156\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch.png 1130w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch-300x230.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/paidsearch-600x460.png 600w\" sizes=\"(max-width: 1130px) 100vw, 1130px\" \/><\/a><\/figure>\n<\/div>\n<p>We searched for various recipes on several different web portals (CenturyLink, Att.net, Yahoo! 
search and xfinity) and were able to easily find the ads bought by the scammers.<\/p>\n<p>We do not have exact metrics on how many people clicked on those ads but we can infer that this campaign drew a significant amount of traffic based on two indicators: the first being our own telemetry and the second from a URL shortener used by one of the websites:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_.png\" data-rel=\"lightbox-2\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39249\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/bitly_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_.png\" data-orig-size=\"743,608\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"bitly_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_-300x245.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_-600x491.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_.png\" alt=\"\" class=\"wp-image-39249\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_.png 743w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_-300x245.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/bitly_-600x491.png 600w\" sizes=\"(max-width: 
743px) 100vw, 743px\" \/><\/a><\/figure>\n<\/div>\n<p>While those ads look typical and actually match our keyword search quite well, they actually redirect to websites created with malicious intent.<\/p>\n<h3>Decoy websites<\/h3>\n<p>To support their scheme, the scammers have created a number of food-related blogs. The content appears to be genuine, and there are even some comments on many of the articles.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs.png\" data-rel=\"lightbox-3\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39205\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/blogs\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs.png\" data-orig-size=\"1007,795\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"blogs\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs-300x237.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs-600x474.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs-600x474.png\" alt=\"\" class=\"wp-image-39205\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs-600x474.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs-300x237.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/blogs.png 1007w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><\/figure>\n<\/div>\n<p>However, upon closer inspection, we can see that those sites have basically taken content from various web developer sites offering paid or free HTML templates. &#8220;&lt;!-- Mirrored from&#8230;&#8221; is an artifact left by the <a rel=\"noreferrer noopener\" aria-label=\"HTTrack (opens in a new tab)\" href=\"https:\/\/www.httrack.com\/\" target=\"_blank\">HTTrack<\/a> website copier tool. Incidentally, this kind of mirroring is something we often witness when it comes to browser locker pages that have been copied from other sites.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror.png\" data-rel=\"lightbox-4\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39187\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/mirror\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror.png\" data-orig-size=\"599,768\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"mirror\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror-234x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror-468x600.png\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror.png\" alt=\"\" class=\"wp-image-39187\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror.png 599w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror-234x300.png 234w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/mirror-468x600.png 468w\" sizes=\"(max-width: 599px) 100vw, 599px\" \/><\/a><\/figure>\n<\/div>\n<p>During our testing, visiting those sites directly did not create any malicious redirection, and they seemed to be absolutely benign. With only circumstantial evidence and without the so-called smoking gun, a case could not be made just yet.<\/p>\n<h3>Full infection chain<\/h3>\n<p>After some trial and error that included swapping various User-Agent strings and avoiding using commercial VPNs, we eventually were able to replay a full infection chain, from the original advert to the browser locker page.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic.png\" data-rel=\"lightbox-5\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39157\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/traffic-25\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic.png\" data-orig-size=\"996,869\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"traffic\" data-image-description=\"\" 
data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic-300x262.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic-600x523.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic.png\" alt=\"\" class=\"wp-image-39157\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic.png 996w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic-300x262.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/traffic-600x523.png 600w\" sizes=\"(max-width: 996px) 100vw, 996px\" \/><\/a><\/figure>\n<\/div>\n<p>The blog&#8217;s URL is actually called three consecutive times, and the last one performs a POST request with the eventual conditional redirect to the browlock. In the screenshot below, you can see the difference between proper cloaking (no malicious behavior) and the redirect to a browlock page:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking.png\" data-rel=\"lightbox-6\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39207\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/cloaking\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking.png\" data-orig-size=\"562,139\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"cloaking\" 
data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking-300x74.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking.png\" alt=\"\" class=\"wp-image-39207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking.png 562w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/cloaking-300x74.png 300w\" sizes=\"(max-width: 562px) 100vw, 562px\" \/><\/a><\/figure>\n<\/div>\n<h3>Browlock page<\/h3>\n<p>The fake warning page is fairly standard. It checks for the type of browser and operating system in order to display the appropriate template to Windows and Mac OS victims.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page.png\" data-rel=\"lightbox-7\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39209\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/browlock_page\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page.png\" data-orig-size=\"1224,745\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"browlock_page\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page-300x183.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page-600x365.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page.png\" alt=\"\" class=\"wp-image-39209\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page.png 1224w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page-300x183.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/browlock_page-600x365.png 600w\" sizes=\"(max-width: 1224px) 100vw, 1224px\" \/><\/a><\/figure>\n<p>The scammers often register entire ranges of hostnames on Azure by iterating through numbers attached to random strings. While many of those pages are taken down quickly, new ones are constantly popping back up in order to keep the campaign running. Here are some URI patterns we observed:<\/p>\n<p><em>10-server[.]azurewebsites[.]net\/call-now1\/<br \/>2securityxew-561error[.]azurewebsites[.]net\/Call-Now1\/<br \/>10serverloadingfailed-hgdfc777error[.]azurewebsites[.]net\/chx\/<br \/>11iohhwefuown[.]azurewebsites[.]net\/Call-Support1\/<br \/>11serversecurityjunkfile-65error[.]azurewebsites[.]net\/Call-Mac-Support\/<br \/>2serverdatacrash-de-12error[.]azurewebsites[.]net\/macx\/<br \/>2systemservertemporaryblockghjj-510error[.]azurewebsites[.]net\/mac-support\/<\/em><\/p>\n<p>We believe the crooks may also be rotating the decoy site that performs the redirect in addition to the existing user filtering in order to evade detection from security scanners.<\/p>\n<h3>Finding the perpetrators<\/h3>\n<p>We do not condone interacting with scammers directly, but part of this investigation was about finding who was behind this campaign in order to take action and spare more victims.<\/p>\n<p>To continue on with deception, the rogue technicians lied to us about the state of our computer and made up imaginary threats. 
The goal was to sell expensive support packages that actually add little value.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall.png\" data-rel=\"lightbox-8\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39251\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/firewall\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall.png\" data-orig-size=\"1268,684\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"firewall\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall-300x162.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall-600x324.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall.png\" alt=\"\" class=\"wp-image-39251\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall.png 1268w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall-300x162.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/firewall-600x324.png 600w\" sizes=\"(max-width: 1268px) 100vw, 1268px\" \/><\/a><\/figure>\n<\/div>\n<p>The company selling those services is A2Z Cleaner Pro (AKA Coretel Communications) and was previously identified by one victim in August 2018 in a <a 
href=\"https:\/\/www.consumer.ftc.gov\/blog\/2017\/05\/avoid-tech-trap\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">blog comment<\/a> on the FTC&#8217;s website.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay.png\" data-rel=\"lightbox-9\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39257\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/pay-5\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay.png\" data-orig-size=\"1264,671\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"pay\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay-300x159.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay-600x319.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay.png\" alt=\"\" class=\"wp-image-39257\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay.png 1264w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay-300x159.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/pay-600x319.png 600w\" sizes=\"(max-width: 1264px) 100vw, 1264px\" \/><\/a><\/figure>\n<\/div>\n<p>Their webste is hosted at 198.57.219.8, where we found two other interesting artifacts. 
The first one is a company named CoreTel that is also used by the scammers as a kind of business entity. It appears to be a rip off from another domain that pre-existed by several years and also hosted on the same IP adddress:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel.png\" data-rel=\"lightbox-10\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39256\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/coretel\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel.png\" data-orig-size=\"898,641\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"coretel\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel-300x214.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel-600x428.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel.png\" alt=\"\" class=\"wp-image-39256\" width=\"528\" height=\"377\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel.png 898w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel-300x214.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/coretel-600x428.png 600w\" sizes=\"auto, (max-width: 528px) 100vw, 528px\" \/><\/a><\/figure>\n<\/div>\n<p>And 
then, there are two new recipe sites that were both registered in June and, as with previous ones, they also use content copied from other places: <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes.png\" data-rel=\"lightbox-11\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39254\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/junerecipes\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes.png\" data-orig-size=\"957,775\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"junerecipes\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes-300x243.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes-600x486.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes.png\" alt=\"\" class=\"wp-image-39254\" width=\"530\" height=\"428\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes.png 957w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes-300x243.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/junerecipes-600x486.png 600w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/a><\/figure>\n<\/div>\n<h3>Mitigation and take 
down<\/h3>\n<p>Malwarebytes&#8217; browser extension was already blocking the various browlock pages heuristically.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_.png\" data-rel=\"lightbox-12\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"39211\" data-permalink=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/attachment\/block_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_.png\" data-orig-size=\"670,678\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"block_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_-296x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_-593x600.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_.png\" alt=\"\" class=\"wp-image-39211\" width=\"440\" height=\"444\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_.png 670w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_-150x150.png 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_-296x300.png 296w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/block_-593x600.png 593w\" sizes=\"auto, (max-width: 440px) 100vw, 440px\" \/><\/a><\/figure>\n<\/div>\n<p>We immediately reported the 
fraudulent ads to Google and Microsoft (Bing), as well as the decoy blogs to GoDaddy. The majority of their domains have been taken down already and their ad campaigns banned.<\/p>\n<p>This tech support scam campaign cleverly targeted an older segment of the population by using paid search results for food recipes via online portals used by many Internet Service Providers.<\/p>\n<p>There is no doubt scammers will continue to abuse ad platforms and hosting providers to carry out their business. However, industry cooperation for takedowns can set them back and save thousands of victims from being defrauded.<\/p>\n<h3>Indicators of compromise<\/h3>\n<p>a2zpcprotection[.]com<br \/>a2zcleanerpro[.]com<\/p>\n<p><strong>Regex to match browlock URIs on Azure<\/strong><\/p>\n<p><em>^http(s|):\/\/(?!www)^.{2}[a-z]{2,7}\/([cC]all-([nN]ow|Support)1|chx|macx|(Call-)?[mM]ac-[sS]upport)<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/\">Recipe for success: tech support scammers zero in via paid search<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Tue, 25 Jun 2019 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/' title='Recipe for success: tech support scammers zero in via paid search'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/06\/shutterstock_1115785301.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We take a deep dive into the recently reported Azure-hosted tech support scam pages, identifying this as one of the most successful scam campaigns in use today.<\/p>\n<p>Categories: 
<\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/tech-support-scams\/\" rel=\"category tag\">Tech support scams<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/browlocks\/\" rel=\"tag\">browlocks<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/browser-locker\/\" rel=\"tag\">browser locker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/browser-lockers\/\" rel=\"tag\">browser lockers<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scammers\/\" rel=\"tag\">scammers<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scams\/\" rel=\"tag\">scams<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support-scam\/\" rel=\"tag\">tech support scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support-scammers\/\" rel=\"tag\">tech support scammers<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/tech-support-scams\/\" rel=\"tag\">tech support scams<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/' title='Recipe for success: tech support scammers zero in via paid search'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/tech-support-scams\/2019\/06\/recipe-for-success-tech-support-scammers-zero-in-via-paid-search\/\">Recipe for success: tech support scammers zero in via paid search<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[19502,17025,19503,10531,10512,10574,10544,11981,10577],"class_list":["post-15628","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-browlocks","tag-browser-locker","tag-browser-lockers","tag-malvertising","tag-scammers","tag-scams","tag-tech-support-scam","tag-tech-support-scammers","tag-tech-support-scams"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15628"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15628\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}