Tech support scams prey on users genuine fears that their computer could be compromised.
Tech support scams prey on users genuine fears that their computer could be compromised.

Tech support scammers have found a new online base of operations to push their particular breed of malware.

Jerome Segura, senior security researcher at Malwarebytes blogged that an on-going tech support scam is now using Rackspace's managed cloud network and the Akamai Content Delivery network to spread pop-- up ads that pose as warnings that a site is infected and to click on the ad for help. Originally Malwarebytes became aware of this scam in May 2015 when it used the Amazon Web Services cloud in conjunction with the Google Safe Browsing Template.

Segura noted that the Amazon/Rackspace support scam is particularly nasty and tough for security staffers to recognize because it is more advanced than what is normally seen in the wild.

“Some differences include caution to use anonymizer services, disabling Google indexing, and HTML code obfuscation of the scam page. In addition, the crooks managing these campaigns rely on those cloud services to frequently rotate IP addresses and point them to countless different domains and sub-domains,” Segura told SCMagazine.com in an email Wednesday.

Not only are security pros given fits by this scam, but the general public is also more susceptible because they run directly in the browser and prey on people's well-founded computer security fears by displaying fake warnings.

“What makes it even more effective is the fact that the scam page triggers a continuous series of pop up alerts preventing the user from closing the page. Out of desperation, users may end up calling the toll free number to get the situation resolved,” Segura said.

The next step has the victim being told by someone posing as a tech support person from a major company that for a fee they will fix the problem. Microsoft estimates that about 3.3 million people will fall victim to scammers in 2015 and pay out more than $1.5 billion to the perpetrators.

Segura said Malwarebytes has reported the campaign to Rackspace for takedown and will continue tracking it to see where it goes next.