Researchers at Malwarebytes spotted a unique malvertising attack targeting Comcast customers that also included an exploit kit (EK), a phishing-like page and a tech support scam.
The malicious ad was displayed on Comcast's Xfinity search page via Google AdWords and was disguised as an ad that compared DirecTV to Comcast, according to a Dec. 14 blog post.
Upon clicking the link, people were redirected to a site called SatTvPro.com that silently infected them with a Nuclear EK. For some victims, an additional phishing site designed to mimic the Xfinity portal would pop up and display a “critical warning” informing the user that their device had been infected and instructing them to call a toll free number for phony "tech assistance."
Researchers didn't collect the malware payload from the attack but noted in the post that vulnerable machines were most likely infected with Cryptowall ransomware or another variant. They also noted that the tech support scam page was hosted on a completely separate domain from the SatTVPro site but added that both sites contained interesting artifacts linking the two together.
“Web beacons, in the form of 1×1 pixel images typically used for tracking the number of visits to a site, were directly loading from SatTvPro.com, therefore establishing a relationship between the initial advert, the review site and the scam page,” researchers wrote.
Google and Comcast were notified about the attack and SatTvPro has been flagged by Google's Safebrowsing, the blog post said.