Technical Support Scams

    Date: 11/28/2024

    Severity: High

    Summary

    This is an ongoing campaign, with tech support scams observed across multiple CDN services over the past year. Daily hits from these scams have risen significantly, from an average of 30 in August 2024 to 300 by November 2024. These scam sites are short-lived, as hosting providers often remove them quickly once detected. They are distributed through various methods, including ads and traffic distribution systems (TDS). Recently, most of these sites have featured Japanese text and phone numbers starting with (0101).

    Indicators of Compromise (IOC) List

    Domains\URLs:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs 1:

    userdomainname like "https://ayufgfyt23.z9.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or url like "https://ayufgfyt23.z9.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or userdomainname like "https://lbidl1-secondary.z8.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or url like "https://lbidl1-secondary.z8.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or userdomainname like "https://mmnnjiuoo.z5.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85532-40973" or url like "https://mmnnjiuoo.z5.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85532-40973" or userdomainname like "vanrss03p01.club" or url like "vanrss03p01.club" or userdomainname like "https://soso21-secondary.z33.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or url like "https://soso21-secondary.z33.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or userdomainname like "hitrss03p01.club" or url like "hitrss03p01.club" or userdomainname like "oilrss03p01.club" or url like "oilrss03p01.club" or userdomainname like "https://sooii15-secondary.z23.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or url like "https://sooii15-secondary.z23.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-85549-14992" or userdomainname like "https://sooii17-secondary.z33.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or url like "https://sooii17-secondary.z33.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or userdomainname like "https://soso37.z28.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88861-59081" or url like "https://soso37.z28.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88861-59081" or userdomainname like "https://dadsda-secondary.z5.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88880-44640" or url like "https://dadsda-secondary.z5.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88880-44640" or userdomainname like "https://qqpplv2-secondary.z14.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or url like "https://qqpplv2-secondary.z14.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or userdomainname like "flurss03p01.club" or url like "flurss03p01.club" or userdomainname like "https://qqerrt6.z24.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or url like "https://qqerrt6.z24.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568"

    Domains\URLs 2:

    userdomainname like "https://hjkxsxsxdcdyyjska65zs.z13.web.core.windows.net/?bcda=1-888-331-7870" or url like "https://hjkxsxsxdcdyyjska65zs.z13.web.core.windows.net/?bcda=1-888-331-7870" or userdomainname like "https://qqpplv2.z14.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88861-59081" or url like "https://qqpplv2.z14.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88861-59081" or userdomainname like "https://qqpplv3.z20.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or url like "https://qqpplv3.z20.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568" or userdomainname like "egerss03p01.club" or url like "egerss03p01.club" or userdomainname like "adfpoint.com" or url like "adfpoint.com" or userdomainname like "t83v0zs.kib7z.com" or url like "t83v0zs.kib7z.com" or userdomainname like "us.bluetides.xyz" or url like "us.bluetides.xyz" or userdomainname like "us.toromclk.com" or url like "us.toromclk.com" or userdomainname like "xml.exdirectopl.com" or url like "xml.exdirectopl.com" or userdomainname like "xml.staradsmedia.com" or url like "xml.staradsmedia.com" or userdomainname like "xml.userwave.com" or url like "xml.userwave.com" or userdomainname like "xml.webmedxml.com" or url like "xml.webmedxml.com" or userdomainname like "xml.rtxplatform.com" or url like "xml.rtxplatform.com" or userdomainname like "https://xml.staradsmedia.com/search?format=json&feed=670947&auth=OmVngd&" or url like "https://xml.staradsmedia.com/search?format=json&feed=670947&auth=OmVngd&" or userdomainname like "https://sidyg8-secondary.z7.web.core.windows.net/merrx01usahtml/?bcda=1-844-645-4749&" or url like "https://sidyg8-secondary.z7.web.core.windows.net/merrx01usahtml/?bcda=1-844-645-4749&"
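    An added example, not part of this advisory or of the Gurucul queries above: because these sites are short-lived and hostnames rotate, a list of exact URLs goes stale quickly, so this Python scores proxy-log URLs on the structural traits the listed indicators share (Azure static-site hosts, the werrx01USAHTML/merrx01usahtml path, the bcda phone-number parameter, and the *rss03p01.club domains). The regexes, the log line format and the hostname zzqw11 are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Structural traits shared by the advisory's indicators (assumption: the campaign
# keeps reusing them while rotating hostnames, which an exact-URL list misses).
AZURE_STATIC_HOST = re.compile(r"^[a-z0-9-]+\.z\d+\.web\.core\.windows\.net$")
SCAM_PATH = re.compile(r"/[a-z]errx01usahtml/", re.I)      # werrx01USAHTML, merrx01usahtml
TDS_DOMAIN = re.compile(r"^[a-z]+rss03p01\.club$")          # egerss03p01.club, flurss03p01.club, ...
SCAM_PHONE = re.compile(r"^(?:\(0101\)-\d{5}-\d{5}|1-8\d{2}-\d{3}-\d{4})$")

def classify_url(url):
    """Return the campaign traits seen in one URL; an empty list means nothing matched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if TDS_DOMAIN.match(host):
        reasons.append("tds-domain")
    if AZURE_STATIC_HOST.match(host):
        if SCAM_PATH.search(parts.path):
            reasons.append("scam-path")
        # parse_qs ignores the empty field left by a trailing "&" (as in one listed URL)
        for value in parse_qs(parts.query).get("bcda", []):
            if SCAM_PHONE.match(value):
                reasons.append("scam-phone")
    return reasons

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>". URLs 1 and 4
# are from the advisory, URL 2 is a hypothetical unlisted variant, 3 and 5 are benign.
SAMPLE_LOG = """\
2024-11-27T10:15:02Z 10.0.0.12 GET https://qqerrt6.z24.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-84421-04568 200
2024-11-27T10:16:40Z 10.0.0.12 GET https://zzqw11.z17.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-81234-56789 200
2024-11-27T10:17:05Z 10.0.0.33 GET https://docs-example.z6.web.core.windows.net/index.html 200
2024-11-27T10:18:11Z 10.0.0.12 GET http://flurss03p01.club/ 302
2024-11-27T10:19:27Z 10.0.0.45 GET https://www.example.com/search?q=support 200
"""
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_log(text):
    """Return (client, url, reasons) for every well-formed line showing a campaign trait."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        client, url = m.group(2), m.group(4)
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits
```

    Calling scan_log(SAMPLE_LOG) flags the two Azure-hosted scam pages (including the unlisted variant) and the TDS domain, and leaves the two benign requests alone.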

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-26-IOCs-for-tech-support-scams.txt


    Tags

    MalwareJapan
