Comcast users hit with malvertising, malware and tech support scam all in one go

Another tech support scam / ransomware campaign combo has been launched at users, but this time the order of delivery is reversed.

The intended victims are the customers of Comcast, the largest home ISP in the United States. They are targeted via a malicious advert that has been showing on Comcast’s Xfinity search page.

“The advert for a review site called SatTvPro.com via Google AdWords appeared on some of Xfinity’s search results page. When people clicked on the ad, it launched the review site (running an outdated version of the Joomla CMS) but also silently loaded a series of redirects leading to the Nuclear exploit kit.

If the exploit kit managed to take advantage of a flaw in a software present on the victims’ computer, it would drop malware on it (Malwarebytes researchers think it more than likely that the malware is a ransomware variant).

But that was not enough for the crooks: they then redirected the users to a phishing website designed to look like the Xfinity portal, and it would display a warning that the “Comcast’s security plugin” detected that they might have been saddled with malware (click on the screenshot to enlarge it):

Comcast's security plugin

As it happens, this one time the warning is right, but it brings no relief to users. Those who call the offered toll free number will get in direct contact with the scammers, which will then try to make the user pay for help to get the computer clean again.

“Based on the evidence we collected, the tech support scam page was definitely tailored for Comcast users, and not simply the pop up alert but also the full screen iframe loading the Xfinity portal,” the researchers pointed out.

“The crooks who designed the phishing/scam page most likely exercised some control over the SatTvPro site since it was vulnerable and got hacked; but they also by chose to include web trackers directly calling back to it. Whether those same criminal actors also bought the ad via Google AdWords by impersonating the review site is not clear, but one thing is for sure: they definitely benefitted from it.”

Since the SatTvPro site was running on Joomla, it’s quite likely that it was compromised via the recently discovered and patched RCE zero-day flaw.

The site is now flagged as malicious by Google, but this will surely not be the last time that users will be hit with the malvertising > exploit kit > phishing-like page > tech support scam attack chain.