This Microsoft Tech Support Scam aims to make users believe their computer has crashed and needs a repair, offering a fake local Microsoft technical support phone number. When users call, they are received by a fake Microsoft agent who tells them that in order to repair their computer they must install remote access software (usually TeamViewer). Once the operator connects, it installs a fake AV and offers several subscription plans for it, telling the users that they have to pay for the service AND a subscription plan for the fake AV.
We’ve been investigating how this particular scam works under the hood, and it seems to use Ad networks to reach a host that acts as a gateway, which simply redirects users to several Amazon S3 buckets that host the scam. This is how it looks:
Illustration 1 - Microsoft Tech Support Scam
We were able to reproduce the scam just by visiting online streaming websites. When we tried to watch any movie, a chain of redirects starting at a “grey” Ad network was triggered before the stream.
An Ad Network provides services like a CDN, but for Ads. It provides storage for the Ads its customers want to publish, so the customers don’t have to worry about hosting the Ads themselves. The Ads also reach more people, because they will be displayed on every site that uses the Ad network as a funding source. Depending on the subscription fee or the money spent on campaigns, the display rate of the Ads will be higher. There are many cases in which Ad networks are used to redirect users to scams like this one, to phishing sites, or even to distribute malware.
So here we are trying to watch a “PowerPuff Girls” episode; we click on “View now” and we see a first request to a codeonclick.com Ad proxy, which redirects us to the Ad it has to show before starting the stream:
Illustration 2 - First request to the Ad Network
Past this point, we see a redirect chain between several Ad networks that ends with a request to hxxp://cfjlr.com/?pid=NzdkzNVYKag. This is also a gateway, but it is used to trigger the last redirection to the Amazon S3 bucket containing the scam:
Illustration 3 - Last request to the scam gateway
The domain resolves to an Amazon IP. The pid parameter can also be omitted, because you get redirected even if you don’t use it at all. This is a key piece of the scam: regardless of the number of redirects and Ad proxies, this is the only host that finally redirects the users to the scam. In the next screenshot we show another request to cfjlr.com which redirects us to a different Amazon S3 bucket (error-711127-46 instead of
Illustration 4 - Redirect to another S3 bucket
The parameters used in the final request are the following:
n: corresponds to the phone number the user has to call in order to receive “help”.
e: error code shown in the scam.
c: Google Analytics campaign ID as we can see in the code:
Illustration 5 - getURLParameter(‘c’) + ‘S3’ used as Google Analytics campaign
lang: we think it’s used to set the scam language, but changing it does nothing.
clid: unknown, skippable
vol: unknown, skippable
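To show how the redirect chain and the parameters documented above can be used on the defensive side, here is a small triage script. It is an added example, not code from the original post or from the scam's own pages: it walks a captured list of request/redirect pairs, picks out the landing page hosted on an Amazon S3 bucket whose query string carries the documented parameters (n, e, c, lang, clid, vol), and reports the gateway host that sent the user there. The sample chain, phone number, error code and campaign id are constructed placeholders; the two S3 hostname formats the script recognizes are an assumption about how such landing pages are addressed, since the post does not show the full landing URL.

```python
"""Triage a captured redirect chain for the tech-support-scam pattern:
a gateway redirect (cfjlr.com style) followed by a landing page on an
Amazon S3 bucket whose query string carries the scam parameters.

All sample data below is constructed for illustration. The S3 hostname
formats are an assumption (virtual-hosted and path-style addressing).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters documented on the final scam request.
SCAM_PARAMS = {"n", "e", "c", "lang", "clid", "vol"}
# The strongest indicators: the phone number to call (n) and the fake
# error code shown on the page (e).
KEY_PARAMS = {"n", "e"}

# Assumption: landing pages are addressed either as
# "<bucket>.s3[.region].amazonaws.com" or "s3[.region].amazonaws.com/<bucket>/".
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)


def s3_bucket(url):
    """Return the S3 bucket name if the URL points at S3, otherwise None."""
    parts = urlsplit(url)
    m = S3_HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    if m.group("bucket"):
        return m.group("bucket")
    # Path-style addressing: the first path segment is the bucket.
    segs = [s for s in parts.path.split("/") if s]
    return segs[0] if segs else None


def scam_indicators(url):
    """Parse the query string and report which documented scam
    parameters are present, plus the phone number and error code."""
    qs = parse_qs(urlsplit(url).query)
    present = SCAM_PARAMS & set(qs)
    bucket = s3_bucket(url)
    return {
        "bucket": bucket,
        "params": sorted(present),
        "phone": qs.get("n", [None])[0],
        "error_code": qs.get("e", [None])[0],
        # Landing page = hosted on S3 and carrying both key parameters.
        "is_scam_landing": bucket is not None and KEY_PARAMS <= present,
    }


def triage_chain(chain):
    """Walk (request_url, redirect_location) pairs in order and return the
    gateway host(s) that redirected to a scam landing page, plus the
    indicators extracted from the last such landing page."""
    gateways = []
    landing = None
    for req, loc in chain:
        if loc is None:  # final response, no Location header
            continue
        info = scam_indicators(loc)
        if info["is_scam_landing"]:
            gateways.append(urlsplit(req).hostname)
            landing = info
    return {"gateways": gateways, "landing": landing}


# Constructed sample chain modelled on the post's description. The phone
# number, error code and campaign id are placeholders, not real values.
SAMPLE_CHAIN = [
    ("http://codeonclick.com/ad?x=1", "http://ad-network-a.example/click"),
    ("http://ad-network-a.example/click", "http://cfjlr.com/?pid=NzdkzNVYKag"),
    (
        "http://cfjlr.com/?pid=NzdkzNVYKag",
        "http://error-711127-46.s3.amazonaws.com/index.html"
        "?n=1-800-000-0000&e=ERROR_PLACEHOLDER&c=CAMPAIGN_PLACEHOLDER"
        "&lang=en&clid=0&vol=1",
    ),
    ("http://error-711127-46.s3.amazonaws.com/index.html?n=1-800-000-0000", None),
]

if __name__ == "__main__":
    result = triage_chain(SAMPLE_CHAIN)
    print("gateway host(s):", result["gateways"])
    print("landing page indicators:", result["landing"])
```

Fed a proxy log or browser HAR converted to request/redirect pairs, the script surfaces the gateway host as a blocking candidate and the phone number and bucket name as indicators, which is more useful for detection than the ever-changing Ad network hops in front of it.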
We’ve also seen that they use geolocation services in order to identify the user’s origin and change the scam language accordingly. They even left their API key for one of those services in plain text:
Illustration 6 - API Key used on geolocation services