
SANS ISC: InfoSec Handlers Diary Blog - Customized Support Scam Supported by Typo Squatting InfoSec Handlers Diary Blog



Customized Support Scam Supported by Typo Squatting

Published: 2014-12-15
Last Updated: 2014-12-15 21:11:59 UTC
by Johannes Ullrich (Version: 1)

This attack has it "all", and shows how hard it can be for a non-ISC reader to evade some of these tech support scams. The URL used, http://login.microsoftlonine.com, is only one letter off from the legitimate Microsoft Office 365 login page (did you notice the extra letter?).

The content you will get back varies. But here is a screenshot submitted by our reader Daniel:

The user was redirected to warning.netsecurityalerts.com (the site appears to be down right now). To bolster the site's credibility, it displays the user's correct ISP (we all know this is an easy whois lookup, but a user confronted with this message is much more likely to fall for it than a recent message).

Calling the 800 number now will lead to a sales system trying to sell you a medical alert button if you are 50 years or older.
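One way to catch look-alike hostnames like the one above in web proxy logs, as an added example that is not part of the original diary: compare each requested domain against a short list of protected login domains by edit distance. The log format, the `PROTECTED` list and all function names are assumptions made for illustration.

```python
# Added example: flag look-alike (typo-squatted) domains in web proxy logs.
# Assumption: PROTECTED lists the login domains your users really use.
PROTECTED = ["microsoftonline.com"]

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption for brevity; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_lookalikes(hosts, protected=PROTECTED, max_distance=2):
    """Return (host, protected_domain, distance) for near misses, not exact matches."""
    hits = []
    for host in sorted(set(hosts)):
        for legit in protected:
            d = levenshtein(registrable(host), legit)
            if 0 < d <= max_distance:
                hits.append((host, legit, d))
    return hits

def hosts_from_log(text):
    """Pull the host field (4th column) from the constructed log format below."""
    rows = (line.split() for line in text.splitlines())
    return [row[3] for row in rows if len(row) >= 4]

# Constructed sample log lines (timestamp, client, method, host, path).
SAMPLE_LOG = """\
2014-12-15T20:58:01Z 10.0.0.12 GET login.microsoftonline.com /
2014-12-15T20:58:07Z 10.0.0.12 GET login.microsoftlonine.com /
2014-12-15T20:59:13Z 10.0.0.31 GET isc.sans.edu /diary
"""

if __name__ == "__main__":
    for host, legit, d in find_lookalikes(hosts_from_log(SAMPLE_LOG)):
        print(f"look-alike: {host} is {d} edit(s) from {legit}")
```

Under this metric the hostname from the diary is two edits away from microsoftonline.com, because the moved "l" counts as one delete plus one insert, so a threshold of 1 would miss it.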

 

 

---
Johannes B. Ullrich, Ph.D.