Summary
Attackers who were previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future. From February 1 to March 16, Netskope Threat Labs has seen a 10x increase in traffic to tech support scam pages delivered by StackPath CDN. Their end goal remains the same: to convince victims that their computer is infected with malware and have them call the “support” hotline.
The scammers appear to be shifting their focus from abusing a single cloud service to instead simultaneously abusing multiple services. While traffic to the scam pages on StackPath is on the rise, traffic to the same scam pages hosted on DigitalOcean continues, having decreased only slightly since our previous blog post on this topic. At the same time, the scam pages have also surfaced on Azure Web Apps and Amazon CloudFront. The scammers have been reaching victims mainly in North America, Asia, and Southern Europe.
Netskope Threat Labs continues to report domains hosting the scam to DigitalOcean and has now started reporting domains hosting the scam to StackPath too. We expect that the scammers will likely continue to pivot among cloud services to try to evade detection and takedowns. We will continue monitoring the scam and provide relevant updates.
Recommendations
The scams and phishing pages described in this post are easily recognizable by the URL, as the attacker has made little effort to disguise it. Users can easily avoid becoming victims of the types of attacks described in this post by simply checking the URL and making sure it is the legitimate website. Users should always access important pages, like their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or any other links, as the results could be manipulated by SEO techniques or malicious ads. We strongly recommend immediately closing web pages that say your computer is infected and never calling the number on the screen.
Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams. Other recommendations include:
- Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
- Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.
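One way to apply a URL-filtering list built from this post's indicators, as an added example that is not Netskope's code: it refangs the "[.]"-style hostnames used in the IOCs section, matches proxy log lines on the exact parsed hostname, and separately flags other hosts under the same shared CDN zone for review rather than blocking the whole zone, which would break legitimate customers of that CDN. The indicator hostnames and log lines below are constructed placeholders, not values from the post.

```python
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed indicators in the defanged "[.]" form used in this post's IOC
# section. These hostnames are placeholders, not indicators from the post.
SAMPLE_IOCS = [
    "a0a0a0a0[.]stackpathcdn[.]com",
    "B0B0B0B0[.]stackpathcdn[.]com.",   # mixed case and trailing dot, as some feeds export
]

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = [
    "2023-03-01T10:00:01Z 10.0.0.5 GET https://a0a0a0a0.stackpathcdn.com/index.html 200",
    "2023-03-01T10:00:02Z 10.0.0.6 GET https://c0c0c0c0.stackpathcdn.com/app.js 200",
    "2023-03-01T10:00:03Z 10.0.0.7 GET HTTPS://B0B0B0B0.STACKPATHCDN.COM:443/ 200",
    "2023-03-01T10:00:04Z 10.0.0.8 GET https://www.example.com/a0a0a0a0.stackpathcdn.com 200",
]


def refang(ioc: str) -> str:
    """Turn a defanged hostname back into a matchable one: '[.]' -> '.',
    lowercase, surrounding whitespace and any trailing dot removed."""
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")


def host_of(url: str) -> Optional[str]:
    """Exact hostname of a URL, lowercased and without the port. Matching on the
    parsed host rather than a substring of the URL avoids false hits on paths or
    query strings that merely mention an indicator."""
    return urlsplit(url).hostname


def scan(lines: Iterable[str], iocs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (hits, review). hits: hosts that exactly match a known indicator and
    can be blocked. review: other hosts under the same abused CDN zone, surfaced
    for analyst review because the zone is shared with legitimate sites."""
    known = {refang(i) for i in iocs}
    zones = {h.split(".", 1)[1] for h in known if "." in h}
    hits: List[str] = []
    review: List[str] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # not a well-formed log line; skip rather than guess
        host = host_of(fields[3])
        if host is None:
            continue
        if host in known:
            hits.append(host)
        elif host.split(".", 1)[-1] in zones:
            review.append(host)
    return hits, review
```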
Protection
Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads.
- Netskope Threat Protection
  - Document-HTML.Trojan.TechScam
  - Document-HTML.Trojan.Cryxos
  - Trojan.GenericKD.65753936
- Netskope Advanced Threat Protection provides proactive coverage against this threat.
  - Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
  - Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox
IOCs
Below are the IOCs related to the web pages analyzed in this blog post.