Cyble Research & Intelligence Labs (CRIL) uncovered a mass tech support scam ecosystem that uses phishing sites impersonating Microsoft and Apple support to push fake Windows Defender alerts. Victims who contact the fake helplines are then compromised via remote access tools to steal data and deploy additional malware.
#Cyble #CRIL #WindowsDefender #Microsoft #Apple #TrojanSpyware #RAT #Phishing #TechSupportScam #India
Key Points
- CRIL identified a new ongoing tech support scam with phishing websites pretending to be official Microsoft support sites showing fake Windows Defender alerts.
- More than 50 phishing sites have been observed since September 2022, with the related IP 68.178.145[.]199 located in India, aligning with studies that many such IPs originate in India.
- The phishing site displays a “Quick Scan” popup and a Threat Scan result to convince victims their machine is infected with multiple threats.
- Phishing pages also show a fake block message and claim Trojan spyware, along with compromised credentials and sensitive data.
- Victims are urged to call a provided support number; scammers then gain access via third‑party remote desktop tools to perform fraudulent transactions or install RATs/stealers.
- The scam also targets iPhone users with Apple‑themed phishing domains (e.g., 0044winsupportonline.xyz).
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Phishing sites pretending to be Microsoft/Apple support lure users via links and prompts, e.g., “phishing websites that pretend to be Microsoft support sites that show a fake Windows defender alert.”
- [T1036] Masquerading – The scammers masquerade as legitimate security alerts and support portals (e.g., Windows Defender/official brand sites) to deceive victims, including “Windows Defender Security Center” prompts.
- [T1204.002] User Execution: Malicious Link – The fake alerts and prompts on the phishing site prompt the user to take action, such as calling a support number.
- [T1021.001] Remote Services – Attackers gain access to the victim’s system using third‑party remote desktop applications.
Indicators of Compromise
- [URL] Phishing site – hxxp://0088winsupportonline[.]xyz/, hxxp://7878winsupportonline[.]xyz/, hxxps://4545winsupportonlinehelp[.]xyz/
- [IP Address] IP address – 68.178.145[.]199 (located in India)
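To turn the indicators above into something a SOC can run, the following added Python example (not Cyble's code) refangs the page's IoCs, matches them against constructed proxy-log lines, and, going beyond the three published URLs, also flags sibling domains that follow the same `<digits>winsupportonline[help].xyz` naming; the log format and the sibling regex are assumptions.

```python
import re
from urllib.parse import urlsplit
# Indicators exactly as published on the page, in defanged form (hxxp, [.]).
PAGE_IOCS = [
    "hxxp://0088winsupportonline[.]xyz/",
    "hxxp://7878winsupportonline[.]xyz/",
    "hxxps://4545winsupportonlinehelp[.]xyz/",
    "68.178.145[.]199",
]

def indicator_host(value):
    """Refang a URL or bare IP/host indicator and reduce it to a lowercase host."""
    real = value.replace("[.]", ".").replace("hxxp", "http")
    return (urlsplit(real).hostname if "://" in real else real).lower()

KNOWN_HOSTS = {indicator_host(i) for i in PAGE_IOCS}

# The published domains share a "<digits>winsupportonline[help].xyz" naming scheme.
# This regex is an assumption drawn from them (not a Cyble rule) so that sibling
# domains not yet on the list are still flagged, at lower confidence.
SIBLING_PATTERN = re.compile(r"^\d+winsupportonline(help)?\.xyz$")

def classify_host(host):
    """Return 'known-ioc', 'pattern-match' or None for a host or IP string."""
    host = host.lower().rstrip(".")
    if host in KNOWN_HOSTS:
        return "known-ioc"
    return "pattern-match" if SIBLING_PATTERN.match(host) else None

def scan_proxy_log(lines):
    """Return (line_no, indicator, verdict) hits; assumed log format is '<ts> <src_ip> <dst_ip> <url>'."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the scan
        dst_ip, url_host = parts[2], urlsplit(parts[3]).hostname
        for indicator in (url_host, dst_ip):  # check the URL host, then the destination IP
            verdict = classify_host(indicator) if indicator else None
            if verdict:
                hits.append((line_no, indicator, verdict))
    return hits

# Constructed sample log; RFC 5737 test addresses apart from the page's own IP.
SAMPLE_LOG = """\
2022-10-03T09:13:02Z 10.0.0.12 68.178.145.199 http://7878winsupportonline.xyz/
2022-10-03T09:15:31Z 10.0.0.27 203.0.113.10 http://9191winsupportonline.xyz/
2022-10-03T09:16:00Z 10.0.0.27 203.0.113.10 https://winsupportonline.example/
""".splitlines()
```

A `pattern-match` verdict is a lead to triage, not a confirmed indicator, so keep it in a separate alert tier from `known-ioc` hits.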
Read more: https://blog.cyble.com/2022/10/11/massive-tech-support-scam-exposed/