How Victims Are Redirected to IT Support Scareware Sites

Published: 2015-03-20
Last Updated: 2015-03-20 21:36:56 UTC
by Lenny Zeltser (Version: 1)
2 comment(s)

In the classic version of tech support scams, the fake technician initiated an unsolicited phone call to the victim. Now that awareness of this scheme has increased, scammers have shifted tactics. Their latest approaches involve convincing the potential victim to be the one who calls the impostor. I've seen this accomplished in two ways:

  • Scammers use bots to respond to Twitter users who mention PC problems or malware. The bots search for the appropriate keywords and reply with messages that include the phone number of a "tech support" firm. I described this approach when exploring how scammers prescreen potential victims.
  • Scammers set up scareware websites designed to fool people into thinking their PC is infected, compelling visitors to call the fake tech support organization. Johannes Ullrich described a typo squatting variation of this technique in an earlier diary. Let's take a look at a domain redirection variation of this scam below.

In the following example, the victim visited a link that was once associated with a legitimate website: The owner of the domain appears to have allowed its registration to expire in early 2014. At that point, the domain was transferred to Name Management Group, according to DomainTools Whois records. The record was assigned DNS servers under the domains,, and eventually

Name Management Group seems to own over 13,000 domains (according to DomainTools Whois records), including numerous domains that DomainTools classifies as malicious, such as,,,,,,,,,,, etc. (Don't visit these domains.)

Landing on the Fake Malware Warning Site

Visiting the once-legitimate URL a few days ago landed the victim on a scareware page designed to persuade the person to contact "Microsoft Certified Live Technicians" at the specified toll-free phone number. The site used the same social engineering techniques as rogue antivirus tools: fake virus warnings designed to scare people into submission.

The site in our example also played an audio message, exclaiming:

"This is a Windows system warning! This is a Windows system warning! If you are hearing this warning message, the security of your Windows system has been compromised. Your Windows computer and data might be at risk because of adwares, spywares and malicious pop-ups! Your bank details, credit card information, email accounts, Facebook account, private photos and other sensitive files may be compromised. Please call the number mentioned now to resolve this issue."

To see and hear what the victim experienced, play the video clip below or watch it on YouTube.

Here are the redirection steps that brought the victim to the scareware site mentioned above:

http :// ->
https :// ->
http ://

You can see the source code of the final page on Pastebin, if you're interested. According to the code, it was mirrored from using the free, non-malicious tool HTTrack Website Copier on 08 Jan 2015. (More on this interesting tidbit in my diary Who Develops Code for IT Support Scareware Websites?)

If you visited the top page of the website (don't go there), you would see a friendly, professional-looking page gently inviting the visitor to "Call Now for Instant Support" by dialing 844-878-2550. Please don't call that number; however, if you'd like to read a detailed account of what people experience when they do call, see my article Conversation With a Tech Support Scammer.

The benign appearance of this page stands in stark contrast to the warning-filled scareware trap shown above, which victims of the redirection encountered.

Other Redirection Possibilities

The website hosting at the time of this writing redirects visitors to various places, perhaps randomly, perhaps based on the person’s geography or browser details. I encountered two other redirection flows that led to scareware websites set up for IT support scams.

One redirection flow employed, as in the example above, but took the victim to (don't go there):

http :// -> ->
http ://

The resulting site is a bit more sophisticated than the one in the previous example, because it uses JavaScript to customize the web page to include the victim's ISP, browser name, IP address and Windows version. For instance:


You can see the source code of that page on Pastebin. Here's the screenshot of what the victim saw; in this example, the website didn't receive the victim's IP and other details and therefore didn't display this info:
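Several traits recur across these pages: the fake Windows warning text, a toll-free number to call, an auto-playing audio message, JavaScript that personalises the page with the visitor's ISP, IP address and browser, and the comment HTTrack leaves behind when a page has been mirrored from another site. The Python below is an added example for this diary, not code from the diary itself or from the scammers' pages; it scores a saved HTML file for those traits so an analyst can triage a redirect's landing page without rendering it. The two HTML documents, the .invalid hostnames, the 555-prefixed phone number and the one-point-per-trait scoring are all constructed assumptions, not a tested classifier.

```python
"""Static triage of a suspected IT-support scareware page (added example, not from the diary).

Flags the traits discussed above: fake Windows warning text, a toll-free call-now
number, an auto-playing audio scare, JavaScript personalisation of the victim's
details, and the comment HTTrack leaves when the page was mirrored from another
site. Sample documents, .invalid hostnames and the 555 number are constructed.
"""
import re

# North American toll-free prefixes, with or without a leading 1 and common separators
TOLL_FREE = re.compile(r"\b1?[-. ]?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")
SCARE_PHRASES = (
    "windows system warning",
    "security of your windows system has been compromised",
    "your computer is infected",
    "microsoft certified",
    "live technicians",
    "call the number",
)
AUDIO = re.compile(r"<audio\b|\.(?:mp3|wav|ogg)\b", re.I)
# Browser-side personalisation: navigator properties or ISP / IP-address placeholders
PERSONALISATION = re.compile(r"navigator\.(?:userAgent|appName|platform)|\b(?:isp|ip[_ -]?address)\b", re.I)
# HTTrack writes: <!-- Mirrored from <host/path> by HTTrack Website Copier/3.x [...], <date> -->
HTTRACK = re.compile(r"Mirrored from\s+(\S+)\s+by HTTrack Website Copier[^,]*,\s*([^>]*?)\s*-->", re.I)


def triage_page(html):
    """Return a dict with the individual findings, a score and a verdict."""
    text = re.sub(r"<[^>]+>", " ", html).lower()  # crude tag stripping for phrase matching
    findings = {}
    phrases = [p for p in SCARE_PHRASES if p in text]
    if phrases:
        findings["scare_phrases"] = phrases
    numbers = sorted(set(TOLL_FREE.findall(html)))
    if numbers:
        findings["toll_free_numbers"] = numbers
    if AUDIO.search(html):
        findings["audio"] = True
    if PERSONALISATION.search(html):
        findings["personalisation"] = True
    mirror = HTTRACK.search(html)
    if mirror:
        findings["httrack_mirror"] = {"source": mirror.group(1), "date": mirror.group(2)}
    score = len(findings)  # assumption: one point per trait; three or more is a strong signal
    verdict = "scareware-likely" if score >= 3 else "inconclusive"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample resembling the pages described in the diary (not a real capture).
SAMPLE_SCAREWARE = """<!DOCTYPE html>
<!-- Mirrored from support-template.invalid/ by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 08 Jan 2015 10:00:00 GMT -->
<html><head><title>Warning</title>
<script>document.getElementById('browser').textContent = navigator.appName;</script>
</head><body>
<h1>This is a Windows system warning!</h1>
<p>Call our Microsoft Certified Live Technicians now: 1-844-555-0123</p>
<embed src='warning.mp3' autostart='true' hidden='true'>
<p>ISP: <span id='isp'></span> IP address: <span id='ip'></span> Browser: <span id='browser'></span></p>
</body></html>"""

# Constructed benign contact page for comparison.
SAMPLE_BENIGN = """<html><head><title>Contact</title></head>
<body><p>Support hours 9-5. Our office line is 555-0100.</p></body></html>"""


if __name__ == "__main__":
    for label, doc in (("scareware", SAMPLE_SCAREWARE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_page(doc))
```

The HTTrack comment is worth extracting on its own: it names the site the template was copied from and the date of the copy, which is how the mirroring date in the previous example was established, and it gives a pivot to other pages built from the same kit.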

Sometimes the victim was redirected using a longer trail to a different IT support scareware site (don't go there):

http :// ->
http :// ->
http :// ->
http :// ->
http :// ->
http :// ->
http :// ->
http ://

The redirection chain and the source code (available on Pastebin) of the resulting site, as well as its look and feel, were different from the examples above:

The design of this page closely matches the site Johannes Ullrich described in the typo squatting variation of this scenario on December 15. The latest page employed the sound file gp-msg.mp3 to scare visitors. VirusTotal has a record of this file, which was first uploaded to VirusTotal on December 11, 2014.
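Capturing chains like the three-hop one earlier in this diary and the eight-hop one just above requires a client that refuses to follow redirects on its own, so that every intermediate redirector is recorded rather than only the landing page. The Python below is an added example written for this diary's subject; it is not the diary's own code nor any tool used by the scammers. The hostnames ending in .invalid, the response table and the stand-in fetch function are constructed so the tracer runs offline. It handles Location redirects (including relative ones), meta-refresh redirects served with a 200, redirector loops, and a hop limit.

```python
"""Hop-by-hop HTTP redirect tracer (added example, not from the diary).

Each hop is fetched once with automatic redirects disabled, so the analyst
records every intermediate redirector instead of only the final landing page.
Hostnames below use the reserved .invalid TLD and are constructed stand-ins.
"""
import re
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# <meta http-equiv="refresh" content="0; url=..."> in either attribute order
META_REFRESH_TAG = re.compile(r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.I)
REFRESH_URL = re.compile(r"content\s*=\s*[\"']?\s*\d+\s*;\s*url\s*=\s*[\"']?([^\"'>\s]+)", re.I)


def meta_refresh_target(body):
    """Return the URL from a meta-refresh tag, or None if the page has none."""
    for tag in META_REFRESH_TAG.finditer(body):
        match = REFRESH_URL.search(tag.group(0))
        if match:
            return match.group(1)
    return None


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow redirects one hop at a time.

    fetch(url) must return (status, headers, body) for ONE request made without
    automatic redirect handling. Returns (hops, stop_reason); each hop records
    the URL, the status it returned and how the tracer reached it.
    """
    hops, seen, url, via = [], set(), start_url, "start"
    for _ in range(max_hops):
        if url in seen:  # redirector loops do occur in ad-tracking chains
            return hops, "loop:" + url
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append({"url": url, "status": status, "via": via})
        lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        if status in REDIRECT_STATUSES and lower.get("location"):
            url, via = urljoin(url, lower["location"]), "location"  # resolves relative Location
        elif status == 200 and meta_refresh_target(body):
            url, via = urljoin(url, meta_refresh_target(body)), "meta-refresh"
        else:
            return hops, "landed"
    return hops, "max-hops"


# Constructed offline stand-in for the network: URL -> (status, headers, body).
SAMPLE_RESPONSES = {
    "http://expired-site.invalid/page.html": (302, {"Location": "https://redirector-a.invalid/go?ref=1"}, ""),
    "https://redirector-a.invalid/go?ref=1": (302, {"location": "/step2"}, ""),
    "https://redirector-a.invalid/step2": (200, {"Content-Type": "text/html"},
        "<html><head><meta http-equiv='refresh' content=\"0; URL=http://scareware.invalid/alert.html\"></head></html>"),
    "http://scareware.invalid/alert.html": (200, {"Content-Type": "text/html"},
        "<html><body><h1>Windows system warning!</h1></body></html>"),
    "http://looper.invalid/a": (302, {"Location": "/b"}, ""),
    "http://looper.invalid/b": (302, {"Location": "/a"}, ""),
}


def offline_fetch(url):
    """Stand-in for a single real request (e.g. requests.get(url, allow_redirects=False))."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


def chain_urls(start_url, fetch=offline_fetch):
    """Convenience wrapper returning just the ordered list of URLs visited."""
    hops, _ = trace_redirects(start_url, fetch)
    return [hop["url"] for hop in hops]


if __name__ == "__main__":
    hops, reason = trace_redirects("http://expired-site.invalid/page.html", offline_fetch)
    for hop in hops:
        print(f"{hop['status']}  {hop['url']}  (via {hop['via']})")
    print("stopped:", reason)
```

To run it against a live chain from an isolated lab, replace offline_fetch with a function that performs one request with redirects disabled (for example requests.get(url, allow_redirects=False, timeout=10), returning r.status_code, r.headers and r.text) and repeat the trace with different User-Agent values and source networks, since the redirector above appears to vary its destination by browser or geography. JavaScript-driven redirects are not followed by this tracer; those need a browser or an instrumented interpreter.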

Who is Redirecting, Why and How?

We seem to be dealing with two different redirection engines and companies: and after the initial redirect.

The domain was registered by Team Internet AG, which is associated with over 44,000 domains, including several that DomainTools classifies as malicious:,,, etc. The domain is registered to MYADWISE LTD, which is associated with about 50 domains.

The companies behind these servers, as well as the firm presently controlling are probably receiving referral fees for their roles in the redirection scheme.

There's much to explore regarding the domain names, systems and companies involved in the schemes outlined above. If you have additional information about these entities, or would like to contribute towards this analysis, please leave a comment. If you decide to explore any of these systems, do so from an isolated laboratory environment.

Also, if you encounter a tech support scam, please register it with our database of such incidents.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.



I've taken to blocking any domains that are "web ads / analytics" related whenever I run across them in a spyware/adware/malware investigation. And this post is a good example why. I *know* I've seen that domain before while digging in the DNS query logs for a system that we caught downloading some piece of crapware. Whenever we see an alert about an infected system, I go sift through the DNS query logs for the last second or two leading up to the download event. I often find queries for domains/hostnames that have no redeeming value as near as I can tell, and so I often decide to block them.

I know, some will say "How dare you" and "web ads fund content" etc. Well, tough. I've caught more than one banner-ad service serving up malicious flash/java/javascript before or redirecting to an exploit kit landing page. And I've gotten to where I don't care if it was an accident or not or if the original banner ad they agreed to serve was benign or not. If I catch 'em sending my users to hostile content or even related to (or monetising) sites hosting hostile content, I'll drop 'em in my DNS filters and be done with them.

It's caused no complaints so far and seems to help at least a little...
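The DNS-log pivot the comment above describes, as an added example (my own code, not the commenter's): given an alert's client IP and time, list what that host resolved in the preceding seconds, drop the organisation's own zones, and emit RPZ (response policy zone) records that make the resolver answer NXDOMAIN for the remaining names and their subdomains. The log excerpt, its space-separated one-query-per-line format, the allowlist and every hostname are constructed for this example; a real deployment would parse the resolver's native log format and have an analyst review the candidate list before loading it.

```python
"""DNS-log pivot around a download alert (added example, not the commenter's code).

Assumed, constructed log format (one query per line):
    <ISO-8601 UTC timestamp> <client IP> <query name> <query type>
"""
from datetime import datetime, timedelta, timezone

# Constructed log excerpt: 10.0.0.5 resolves a run of ad/redirector names in
# the second before the download; 10.0.0.9 is an unrelated host.
SAMPLE_DNS_LOG = """\
2015-03-20T14:02:09.410Z 10.0.0.5 intranet.corp.invalid A
2015-03-20T14:02:10.120Z 10.0.0.5 news-site.invalid A
2015-03-20T14:02:10.380Z 10.0.0.5 ads-rotator.invalid A
2015-03-20T14:02:10.640Z 10.0.0.5 click-tracker.invalid A
2015-03-20T14:02:10.910Z 10.0.0.5 cdn-drop.invalid A
2015-03-20T14:02:11.050Z 10.0.0.9 unrelated-host.invalid A
2015-03-20T14:02:12.300Z 10.0.0.5 later-site.invalid A
"""

# Constructed allowlist: zones the organisation owns and must never block.
ALLOWLIST = {"corp.invalid"}


def parse_time(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def queries_before(log_text, client_ip, alert_stamp, window_seconds=2.0):
    """Names the client resolved in the window ending at the alert, in query order, deduplicated."""
    alert_time = parse_time(alert_stamp)
    start = alert_time - timedelta(seconds=window_seconds)
    names = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip blank or malformed lines
            continue
        stamp, client, qname, _qtype = fields
        qname = qname.rstrip(".").lower()
        if client == client_ip and start <= parse_time(stamp) <= alert_time and qname not in names:
            names.append(qname)
    return names


def is_allowlisted(qname, allowlist=ALLOWLIST):
    """True if qname or any parent domain is in the allowlist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def rpz_records(names, allowlist=ALLOWLIST):
    """RPZ records that return NXDOMAIN for each candidate name and its subdomains."""
    records = []
    for name in names:
        if is_allowlisted(name, allowlist):
            continue
        records.append(f"{name} CNAME .")
        records.append(f"*.{name} CNAME .")
    return records


if __name__ == "__main__":
    candidates = queries_before(SAMPLE_DNS_LOG, "10.0.0.5", "2015-03-20T14:02:11.000Z")
    print("resolved before the alert:", candidates)
    print("\n".join(rpz_records(candidates)))
```

The candidate list deliberately includes everything the host resolved in the window, legitimate content sites included; deciding which of those are ad/analytics redirectors with "no redeeming value" is the analyst's call, and the allowlist is there so a mistaken entry can never take down the organisation's own names.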
Yesterday this showed up; it was pushed to AX fraud.

Dear Cardmembership,

An attempt was made to login to your Account.

This attempt was blocked and for your protection we have disabled your account.

Please click the link below to activate your account:

Activate Your Account ==> (DO NOT USE ADDRESS!!!!!)

This is an automated message.Please do not reply to this email.
Thank you for your continued Card Membership.

The American Express Customer Service Team

The headers.

Return-Path: <>
Received: from
(InterMail vM. 201-2343-100-167-20131028) with ESMTP
id <>
for <>; Thu, 19 Mar 2015 23:11:44 +0000
Return-Path: <>
Received: from [] ([]
by cdptpa-iedge03 (envelope-from <>)
(ecelerity r(Momo-dev:tip)) with ESMTP
id 26/8A-22105-0B75B055; Thu, 19 Mar 2015 23:11:44 +0000
Received: from localhost (localhost [])
by (Postfix) with ESMTP id 7567942BB15E;
Fri, 20 Mar 2015 01:11:43 +0200 (EET)
X-Quarantine-ID: <g-sbUzdpmD-B>
Received: from ([])
by localhost ( []) (amavisd-new, port 10024)
with ESMTP id g-sbUzdpmD-B; Fri, 20 Mar 2015 01:11:43 +0200 (EET)
Received: from riikka (unknown [])
by (Postfix) with ESMTP id 5B47C42BB156;
Fri, 20 Mar 2015 01:11:28 +0200 (EET)
Reply-To: <>
From: "American.Express"<>
Subject: Irregular Activity Detected XCYOXQUCXE
Date: Thu, 19 Mar 2015 20:11:34 -0300
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
Message-Id: <>
To: undisclosed-recipients:;
X-Authority-Analysis: v=2.0 cv=WuCpwKjv c=1 sm=1 p=EeyebiKKAAAA:8 p=zwoigDAHFAr3muzOUH8A:9 p=Yfy1aCoo2AoA:10 p=tTD7qjiiRVwA:10 p=5BcD0ymsIHkA:10 a=61Z4K+ibLiJT6jLwhNwwdA==:17 a=Dyoqhi_TatcA:10 a=wPDyFdB5xvgA:10 a=rxA76bY6IJkA:10 a=Cfj4BQAnxiAA:10 a=v-Xpks9oaqIA:10 a=BqjLhEBqAAAA:8 a=emO1SXQWCLwA:10 a=SSmOFEACAAAA:8 a=Ft8UYL4EG9YA:10 a=_W_S_7VecoQA:10 a=C4PSEst5Od8A:10 a=1TM7i2lP1nUA:10 a=qiWi7Edwir4A:10 a=NWVoK91CQyQA:10 a=61Z4K+ibLiJT6jLwhNwwdA==:117
X-Cloudmark-Score: 100
