Tech support scams and ransomware usually don’t go together, but there’s a first time for everything.
Symantec researchers have spotted a generic tech support scam hitting mostly US, UK and Canadian PC users, showing them pop-up windows warning of infection, and leading them to a web page showing instructions on how to fix the problem.
Potential victims are instructed to call a toll-free number for help, but what they don’t know is that it’s manned by scammers.
Another thing they will probably not notice is that the scam’s web page includes an iframe that will silently redirect them to a server hosting the Nuclear exploit kit.
If they have the added misfortune of using outdated software that’s vulnerable to one of the exploits served by the exploit kit, they will be saddled either with the Cryptowall ransomware or an information-stealing Trojan.
“We’ve seen tech support scammers dabble with basic ransomware techniques in the past, so it would not be a major jump for them to use more advanced ransomware. However, while the theory of tech support scammers and exploit kit attackers joining forces is plausible, there could be a more banal explanation for this situation,” researcher Deepak Singh noted.
It is possible that the group using the Nuclear exploit kit has simply compromised a web server hosting the tech support scam page, and has injected it with redirecting frames, without being aware of the nature of the page.
“If this proves to be an effective combination, we are likely to see more of this in the future,” Singh concluded.
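For site owners who want to check their own pages for the kind of injected redirecting frame described above, here is an added example (not from Symantec or the original article) that flags off-site iframes that are also hidden from view. The report does not say how the frame was concealed, so the hiding heuristics, the `audit_page` helper and all hostnames in the sample are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-style tricks that keep a frame out of view (heuristic list, an assumption).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)

class FrameAuditor(HTMLParser):
    """Collects frames that load from another host AND are hidden from the user."""
    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.trusted = {urlparse(page_url).hostname, *allowed_hosts}
        self.findings = []  # (line number, resolved src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolves relative and //host forms
        host = urlparse(src).hostname
        hidden = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            hidden.append("zero or 1px dimensions")
        if HIDING_STYLE.search(a.get("style", "")):
            hidden.append("hidden by inline style")
        # A visible third-party embed or a hidden same-site frame alone is not reported.
        if host and host not in self.trusted and hidden:
            self.findings.append((self.getpos()[0], src, hidden))

def audit_page(html, page_url, allowed_hosts=()):
    auditor = FrameAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; every hostname is a placeholder.
SAMPLE_PAGE = """<html><body>
<h1>Support instructions</h1>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="/banner.html" width="0" height="0"></iframe>
<iframe src="http://landing.example.net/gate" style="position:absolute; left:-9999px; width:1px; height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, why in audit_page(SAMPLE_PAGE, "http://support-page.example/fix.html"):
        print(f"line {line}: {src} ({', '.join(why)})")
```

This only inspects static markup; frames written into the page by script at load time need a rendered-DOM check instead.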