Endpoint Protection

 View Only

Tech support scams redirect to Nuclear EK to spread ransomware 

Dec 01, 2015 07:28 AM


Tech support scammers have been observed using the Nuclear exploit kit to drop ransomware onto victims’ computers, as well as displaying misleading pop-up windows. The scammers’ messages may distract the user while the malware encrypts files on the computer, potentially allowing the attackers to increase their chances of earning money from the victim.

Evolution of tech support scams
Despite being years old, tech support scams are still targeting hundreds of thousands of people worldwide on a daily basis. Recent Symantec data shows that the attacks are most prevalent in North America.

Original tech support scams involved call center workers cold calling users, selling support packages to address non-existent problems on victims’ computers. Over the years, the scams have evolved into something a bit more technical. The modern-day version works by displaying endless fake warning messages to victims, urging them to call a toll-free number for help.

Figure 1. Tech support scammers target hundreds of thousands of users each day.

If a victim falls for the scam and dials the number, professional-sounding call center staff members use the opportunity to install malware or potentially unwanted applications (PUAs) onto the user’s computer. The scammers claim that this software will fix the user’s computer. In other instances, the attackers try to force the victims to pay to have their computer unlocked.

A double whammy
Most tech support scams that currently operate are browser-based annoyances that can be easily resolved if the victim knows how. By manually closing and reopening the browser through Windows Task Manager, users can make their browser useable again. This workaround is likely to be responsible for a lower conversion rate for the scammers.

But what if the scammers made their schemes more aggressive? What if they hooked up with an exploit kit to install ransomware that could potentially increase the chances of generating more revenue?

We’ve recently seen many instances where attackers serve tech support scams and the Nuclear exploit kit almost simultaneously. We found that the scam’s web pages include an iframe redirecting users to a server hosting the Nuclear exploit kit. The kit has been seen taking advantage of the Adobe Flash Player Unspecified Remote Code Execution Vulnerability (CVE-2015-7645), among other security flaws.

Figure 2. The tech support scam page includes an iframe redirecting to the Nuclear exploit kit

Once a user arrives at this tech support scam page, the Nuclear exploit kit attempts to take advantage of vulnerabilities on their computer. If the kit succeeds, then it either drops Trojan.Cryptowall (ransomware) or Trojan.Miuref.B (information-stealing Trojan).

The combination of the tech support scam displaying pop-up windows and the Nuclear exploit kit installing ransomware in the background makes this attack a serious problem for users. The fake warnings distract the user while the more dangerous ransomware searches for and encrypts files.

Figure 3. Fake tech support scam pop-up window warns users of serious problems

Unfortunate victims could end up paying both the fake tech support scam for “help” and the ransom to decrypt their files.

Have tech support scammers upped their game or is this a coincidence?
We’ve seen tech support scammers dabble with basic ransomware techniques in the past, so it would not be a major jump for them to use more advanced ransomware. However, while the theory of tech support scammers and exploit kit attackers joining forces is plausible, there could be a more banal explanation for this situation.

We know that exploit kit attackers actively seek out and compromise many different web servers, injecting iframes into the web pages hosted on them. These iframes simply direct browsers to the exploit kit servers. Given the way that exploit kit attackers operate, it is quite possible that the tech support scammers’ own web servers got compromised by a separate group who are using the Nuclear exploit kit.

Either possibility can be supported by the fact that an iframe has been injected into the tech support scam page. Regardless, this is the first time we’ve seen tech support scams running in tandem with the Nuclear exploit kit to deliver ransomware and if this proves to be an effective combination, we are likely to see more of this in the future.


  • Use a comprehensive security solution to help block attacks
  • Regularly update software to prevent attackers from exploiting known vulnerabilities
  • If impacted by these scams, do not call the number in the pop-up windows
  • Perform regular backups of important files
  • Do not pay any ransom demands as doing so may encourage the cybercriminals. Additionally, file decryption is not guaranteed to work

Norton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these attacks through the following detections:

Intrusion prevention


0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.