Tech support scammers are a distinct breed of online criminal, and traditionally they have never been as sophisticated as malware authors. For the most part, they really didn't need to be, since even a hastily assembled scary webpage with some audio playing in the background would suffice to con victims.
While this dirty business was poorly organized in the beginning, in recent years things have started to shape up and a strong affiliate model has blossomed via malvertising. Thousands of websites with fake warnings rely on scare tactics to drive leads (victims) into shady tech support call centres, where their money is extorted.
One of the most effective and elusive affiliates to date has been wreaking havoc on Amazon Web Services (AWS) for several months, using a fake Google Safe Browsing warning template and hosting it on Amazon Elastic Compute Cloud (EC2).
The cloud infrastructure was perfect for a game of whack-a-mole, where thousands of domains and subdomains on rapidly changing IP addresses leave security researchers frustrated as they file countless abuse reports.
This crook was clearly having fun picking various domain names fitting his mood, as well as indulging in various condescending messages on the scam pages.
Most of these pages were pushed via malvertising and this activity peaked during the fall.
This actor was using a large number of subdomains for each malicious domain, a technique commonly observed in drive-by download attacks and exploit kits:
The origins

The Safe Browsing scam may have begun around May 2015 with fix-my-system.com (a domain registered on 2015-05-15), as shown below in a screenshot from May 20 (courtesy of the Wayback Machine).
If you compare the X (close) logo used on the AWS-hosted pages with the one on fix-my-system.com, you notice they are the same file. Extracting the JPEG's metadata shows that the image was created on May 14, just one day before fix-my-system.com was registered.
There were probably other similar scam pages floating around during May. The same Google Analytics ID (UA-61342480-1) that the scammer used to track stats during the AWS campaign was first used on browsererror.co (registered on May 13), as documented in this Chromium thread.
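Both signals described above, the heavy subdomain fan-out per domain and the reuse of one Google Analytics tracking ID across pages, can be hunted for in proxy logs and fetched page bodies. The following is an added example written for this post, not code from the original article or from Malwarebytes; it assumes constructed log lines and HTML, and a naive two-label registrable-domain rule in place of the Public Suffix List.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp, client IP, URL); not taken from the article.
SAMPLE_LOG = """\
2015-10-02T10:11:03Z 10.0.0.5 http://a1b2.alert-system-error.example/index.html
2015-10-02T10:11:09Z 10.0.0.7 http://c3d4.alert-system-error.example/index.html
2015-10-02T10:12:44Z 10.0.0.5 http://e5f6.alert-system-error.example/index.html
2015-10-02T10:13:01Z 10.0.0.9 http://www.legit-news.example/story/42
2015-10-02T10:13:20Z 10.0.0.9 http://cdn.legit-news.example/app.js
"""

def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: single-label TLDs only;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def subdomain_fanout(log_text):
    """Map each registrable domain to the set of distinct hostnames seen under it."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the sweep
        host = urlparse(parts[2]).hostname
        if host:
            fanout[registrable_domain(host)].add(host)
    return fanout

def flag_high_fanout(log_text, threshold=3):
    """Domains with at least `threshold` distinct hostnames: the churn pattern worth a closer look."""
    return sorted(d for d, hosts in subdomain_fanout(log_text).items() if len(hosts) >= threshold)

# Google Analytics "UA-<account>-<property>" tracking IDs embedded in page HTML.
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")

def extract_ga_ids(html):
    """Distinct GA tracking IDs in a page body, in order of first appearance."""
    return list(dict.fromkeys(GA_ID_RE.findall(html)))

def pivot_by_ga_id(pages):
    """Group page URLs by GA ID so pages sharing one tracker can be tied to one campaign."""
    groups = defaultdict(list)
    for url, html in pages.items():
        for ga_id in extract_ga_ids(html):
            groups[ga_id].append(url)
    return dict(groups)
```

The fan-out threshold is a starting point for triage, not a verdict; legitimate CDNs and SaaS platforms also spread across many hostnames, so review flagged domains alongside registration age and page content.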
From Amazon to Rackspace

Strangely, we stopped seeing this particular campaign around late November / early December, at least via the traditional delivery mechanisms.
At the same time, we started noticing scam pages with an eerily familiar look, except they were not hosted on AWS. These ones have been taking root on another big cloud provider, Rackspace, via the Akamai Content Delivery Network (CDN):
Here are some of the URLs/patterns:
The image of the X at the top of the page is exactly the same as well (including its metadata):
This seems to be the case on Rackspace as well:
It's possible this is a different actor simply copying previous work (tech support scammers are notorious for stealing from each other, often using the popular website copier program HTTrack).
Regardless, this means that the fight against tech support scammers continues on a different battlefield. We have already reported this particular campaign to Rackspace for takedown and will keep tracking it to see where it goes next.
Malwarebytes Anti-Malware Premium users are protected against many of these fraudulent pages thanks to our malicious website blocking technology. The best defence against tech support scams remains awareness and common sense.
For more general information on this topic, please visit our Tech Support Scams resource page.