Threat Management, Incident Response, Network Security, TDR

Researchers discover customized support scams that detect IPs

Researchers have discovered tech support scams in which attackers send customized malvertising email messages that appear to as if they were sent from the targets' internet service providers. The campaigns identify potential victim's IP address and then create realistic landing pages that imitate a webpage on the site of the targets' internet service provider.

A Malwarebytes Labs blog post discovered webpages that impersonate popular North American service providers, including Verizon, AT&T, Cox Communications, Comcast Xfinity, Shaw Communications, Eastlink, and others. All of the pages directed victims to call the same phone number. “The calls were handled by a tech support company out of India that goes by the name of Credence Incorporation,” wrote Malwarebytes Senior Security Researcher Jérôme Segura.

All of the phishing pages displayed an identical toll-free number. When called the phone number listed on the Malwarebytes post, the call was answered by a call center representative who said she was employed by “Virus Eraser,” a company that she claimed “provided independent tech support for Microsoft.” When asked whether “Virus Eraser” was related to “Credence Incorporation,” the representative offered to transfer the call to a supervisor, then dropped the call.

A reverse lookup query on found that the toll-free number was an unlisted private number.

The tech support malvertising campaign follows similar attempts by ransomware attackers that contained customizable functionality including ransom email messages that appeared in the language of the victim (or in some cases, did not load the ransomware), based on the attackers' detection of the victim's location.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.