Rewterz Threat Alert – Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

Severity

Medium

Analysis Summary

A new technical support scam (TSS) campaign surfaced using iframe in combination with basic pop-up authentication to freeze a user’s browser. This new technique also serves as a tool for evading detection for the threat actors. Just like other TSS campaigns disguising themselves as legitimate or well-known brand’s service providers, this campaign in particular uses Microsoft to lure victims and to establish a fake legitimacy. Following is a preview of the pop-up authentication on a spoofed Microsoft webpage.

Indicators of Compromise

URLs

• hxxp[:]//140[.]82[.]36[.]155/assests/eng_edge_new[.]html
• hxxp[:]//140[.]82[.]38[.]211/assests/eng_edge_new[.]html
• hxxp[:]//140[.]82[.]42[.]6/assests/eng_edge_new[.]html
• hxxp[:]//140[.]82[.]46[.]46/assests/eng_edge_new[.]html
• hxxp[:]//140[.]82[.]9[.]45/assests/eng_edge_new[.]html
• hxxp[:]//149[.]28[.]36[.]182/assests/eng_edge_new[.]html
• hxxp[:]//149[.]28[.]45[.]200/assests/eng_edge_new[.]html
• hxxp[:]//149[.]28[.]56[.]4/assests/eng_edge_new[.]html
• hxxp[:]//18[.]206[.]159[.]176/assests/eng_edge_new[.]html
• hxxp[:]//199[.]247[.]3[.]159/assests/eng_edge_new[.]html
• hxxp[:]//207[.]246[.]127[.]175/assests/eng_edge_new[.]html
• hxxp[:]//216[.]155[.]135[.]180/assests/eng_edge_new[.]html
• hxxp[:]//45[.]32[.]156[.]135/assests/eng_edge_new[.]html
• hxxp[:]//45[.]32[.]205[.]54/assests/eng_edge_new[.]html
• hxxp[:]//45[.]76[.]166[.]173/assests/eng_edge_new[.]html
• hxxp[:]//45[.]76[.]166[.]231/assests/eng_edge_new[.]html
• hxxp[:]//45[.]76[.]2[.]215/assests/eng_edge_new[.]html
• hxxp[:]//45[.]76[.]4[.]128/assests/eng_edge_new[.]html
• hxxp[:]//45[.]76[.]6[.]92/assests/eng_edge_new[.]html
• hxxp[:]//45[.]77[.]109[.]221/assests/eng_edge_new[.]html
• hxxp[:]//45[.]77[.]149[.]225/assests/eng_edge_new[.]html
• hxxp[:]//45[.]77[.]154[.]214/assests/eng_edge_new[.]html
• hxxp[:]//45[.]77[.]218[.]239/assests/eng_edge_new[.]html
• hxxp[:]//45[.]77[.]64[.]207/assests/eng_edge_new[.]html
• hxxp[:]//45[.]77[.]67[.]129/assests/eng_edge_new[.]html
• hxxp[:]//80[.]240[.]16[.]81/assests/eng_edge_new[.]html
• hxxp[:]//80[.]240[.]19[.]216/assests/eng_edge_new[.]html
• hxxp[:]//95[.]179[.]167[.]173/assests/eng_edge_new[.]html
• hxxp[:]//95[.]179[.]168[.]138/assests/eng_edge_new[.]html

Remediation

• Block the threat indicators at their respective controls.
• Do not respond to pop-ups that raise panic and alarm. Instead, contact a legitimate source to confirm the security status of your computer.
• Always check for errors or spelling mistakes in the URLs to ensure its legitimacy.