Cyble Unmasks Antivirus Tech Scams, Tactics Exploiting Users


Cyble Research and Intelligence Labs (CRIL) have detected a new wave of Tech Scam activity, with one notable case involving scammers creating a fictitious antivirus solution website to swindle users into paying for services that do not exist.

During the investigation of the campaign-linked phishing site, Cyble security researchers found that the site’s IP address was associated with multiple scam campaigns and linked to an underground DarkWeb marketplace.

Details of the fake antivirus tech scam

Fraudulent antivirus website (Photo: Cyble Blog)

The latest Cyble blog detailed how scammers used phishing emails and websites in this antivirus tech scam campaign. The phishing emails were found to carry malware-infected executable files.

The researchers revealed the discovery of a dropper that is accountable for disseminating multiple malware payloads, including CraxsRAT, a Downloader, and a modified version of Chaos ransomware.


The threat actor used these malicious tools to advance the tech scam.

The downloader is programmed to initiate the retrieval of four supplementary payloads. Following their activation, each of these payloads is employed to spread the misleading AntiVirus website.

The diagram below illustrates the progression of the infection sequence.

Infection sequence diagram (Source: Cyble Blog)

When executed, the file superimposes a persistent warning message on the victim’s desktop, as shown in the figure below.

The alert is deliberately designed to hinder users from closing it or using other applications. Moreover, the deceptive message coerces users into visiting a particular website or reaching out through Telegram, likely for malicious purposes.

Website and Telegram link (Photo: Cyble Blog)

Discoveries from the Antivirus Tech Scam Campaign

The findings, including the ransomware employed in this tech scam, as reported by CRIL researchers:

  1. The IP address of the phishing website was found to have connections with several other scams.
  2. The malware found in the tech scam campaign included CraxsRAT and a variant of Chaos ransomware.
  3. The ransomware encrypted files on the device and renamed them with the .encp extension.
  4. The ransom note was named “READ_ME.txt”.
  5. The ransom note contained the URL www[.]bit[.]ly/secure-net.
  6. The URL of the fraudulent antivirus website was https[:]//alpaca_jade_265.pineapplebuilder[.]com/index.
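The indicators listed above are the kind of thing a defender would turn into a quick check. The following is an added example (not code from Cyble or the blog) that refangs the published IP, ransom-note URL and phishing-site URL, matches them against constructed proxy log lines, and walks a directory tree for the ransomware's on-disk artifacts (files renamed with the .encp extension and READ_ME.txt notes). The log line format, the sample log lines and the sample file names are constructed assumptions; the indicator values themselves are the ones reported on this page.

```python
"""Added example, not part of the Cyble report: match the campaign's published
indicators against sample log lines, and flag the ransomware's on-disk
artifacts (.encp renames, READ_ME.txt) in a directory tree.

The indicator values come from the findings above; the log lines, log format
and file names are constructed samples."""
import tempfile
from pathlib import Path

# Defanged indicators as published on the page; refanged before matching.
DEFANGED_IOCS = [
    "185.199.110[.]153",
    "www[.]bit[.]ly/secure-net",
    "https[:]//alpaca_jade_265.pineapplebuilder[.]com/index",
]
RANSOM_EXT = ".encp"       # extension the ransomware appended to encrypted files
RANSOM_NOTE = "READ_ME.txt"  # ransom note file name reported by CRIL


def refang(ioc: str) -> str:
    """Turn the usual '[.]', '[:]' and 'hxxp' defanging back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOCS = [refang(i) for i in DEFANGED_IOCS]


def scan_log_lines(lines):
    """Return (line_number, indicator) pairs for every line containing an indicator.

    Matching is a case-insensitive substring test, so both the bare IP and the
    full URL forms are caught wherever they appear in the line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        lowered = line.lower()
        for ioc in IOCS:
            if ioc.lower() in lowered:
                hits.append((n, ioc))
    return hits


def find_ransomware_artifacts(root):
    """Walk a directory and return the .encp files and ransom notes found under it."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == RANSOM_EXT:
            encrypted.append(rel)
        elif path.name == RANSOM_NOTE:
            notes.append(rel)
    return {"encrypted_files": sorted(encrypted), "ransom_notes": sorted(notes)}


# Constructed sample proxy log lines (assumed format: timestamp client method target status).
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z 10.0.0.5 GET https://example.com/index 200",
    "2024-01-10T09:12:07Z 10.0.0.5 GET https://alpaca_jade_265.pineapplebuilder.com/index 200",
    "2024-01-10T09:13:44Z 10.0.0.9 CONNECT 185.199.110.153:443 200",
    "2024-01-10T09:15:02Z 10.0.0.9 GET https://www.bit.ly/secure-net 301",
]


def demo_artifact_scan():
    """Build a constructed directory tree resembling a post-encryption host and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "budget.xlsx.encp").write_bytes(b"\x00" * 16)   # constructed encrypted file
        (docs / "notes.txt").write_text("untouched")            # constructed clean file
        (docs / RANSOM_NOTE).write_text("constructed ransom note")
        return find_ransomware_artifacts(tmp)


if __name__ == "__main__":
    for n, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"log line {n}: matched indicator {ioc}")
    print(demo_artifact_scan())
```

Substring matching on refanged indicators is deliberately simple; in production the same list would feed a SIEM lookup or a DNS/proxy blocklist, and the artifact walk would run against a triage image rather than a live host.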
Pricing of the antivirus (Photo: Cyble Blog)

Promoted through the image above, the tech scam campaign touted antivirus solutions that did not exist. They were priced at $99 for the basic version, $249 for the moderate version, and $449 for the advanced version.

While the antivirus promised to provide encryption, decryption, and firewall protection, it in fact did the opposite.

Dark web marketplace connected to the antivirus tech scam

“The IP address ‘185.199.110[.]153’ was also found to be associated with the TORZON MARKETPLACE, a DarkWeb marketplace,” the Cyble blog stated. Scammers used images of models in the antivirus tech scam.

Launching ransomware attacks was also a part of this tech scam observed by CRIL researchers.

It is speculated that the scammers were part of a wider network since a connection with the TORZON MARKETPLACE was found.

Furthermore, the investigation revealed that the IP address involved in this antivirus tech scam was also linked to a phishing campaign identified as Chai Urgent Care.

Models used in the tech scam (Photo: Cyble Blog)

The images of models were used to make fraudulent profiles of employees. These fabricated profiles were then utilized to post reviews endorsing the non-existent antivirus.

The intention behind this was to establish a sense of credibility when targeting potential victims of the antivirus tech scam via phishing websites.

“In one specific instance, the same image was even utilized for a Talent Acquisition profile on LinkedIn, indicating how some TAs leverage readily available images of models to deceive users,” the Cyble blog noted.

CRIL noted the following steps to spot and prevent tech scams:

  1. Verify the identity of persons or organizations by contacting them through all available channels, including their social media platforms.
  2. Block phishing websites; phishing detection tools and solutions can help identify them.
  3. Do not click on links in messages and emails, especially if they arrive suddenly or unexpectedly, or do not match the apps and services one actually uses.
  4. Opt for advanced cybersecurity solutions that offer phishing detection, give early warnings about impending attacks, and make reporting simpler.
  5. Update all software, especially the antivirus.
  6. Be wary of free or advertised software, gifts, and prizes offered through website pop-ups or as websites in Google search results.
  7. Read cybersecurity news to stay ahead of hackers and scammers and learn how they are improving their attack mechanisms.
