Apparently tech support scams never get old. But they have gotten more aggressive, according to a Symantec blog post penned by researcher Deepak Singh.
“We've recently seen many instances where attackers serve tech support scams and the Nuclear exploit kit almost simultaneously,” Singh wrote. “We found that the scam's web pages include an iframe redirecting users to a server hosting the Nuclear exploit kit” that takes “advantage of the Adobe Flash Player Unspecified Remote Code Execution Vulnerability (CVE-2015-7645), among other security flaws.”
When a user lands on the scam page, the Nuclear EK tries to exploit vulnerabilities on the potential victim's computer. If successful, the kit then drops Trojan.Cryptowall ransomware or Trojan.Miuref.B that steals information, Singh said, calling the attack “a serious problem for users” primarily because they're distracted by the fake warnings while the ransomware is busy at work trying to find and encrypt files. “Unfortunate victims could end up paying both the fake tech support scam for ‘help’ and the ransom to decrypt their files,” the researcher said.
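The injected iframe is the pivot in the chain described above, so a site owner or analyst can triage a captured page by flagging iframes that point off-site, are sized to a pixel or hidden by style. The script below is an added example, not code from the Symantec post or this article; the hostname and the sample HTML are constructed.

```python
# Added example (not from the Symantec post or this article): flag iframes
# that look injected. SITE_HOST is an assumed value; SAMPLE_HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

SITE_HOST = "example-support-site.test"   # assumed: the page's own host

# Constructed sample: a fake "your PC is infected" page with one legitimate
# embed and one injected, hidden, off-site iframe.
SAMPLE_HTML = """
<html><body>
<h1>Warning! Your computer is infected. Call now.</h1>
<iframe src="https://example-support-site.test/chat" width="400" height="300"></iframe>
<iframe src="http://injected-host.test/landing.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""

# Styles commonly used to keep an iframe out of the visitor's view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)

class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records why it looks suspicious."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        if host and host.lower() != self.site_host:
            reasons.append("external src")
        def tiny(v): return v is not None and v.strip().rstrip("px") in ("0", "1")
        if tiny(a.get("width")) or tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html, site_host=SITE_HOST):
    """Return [(src, [reason, ...])] for every iframe that merits a look."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE_HTML):
        print(f"suspicious iframe {src!r}: {', '.join(why)}")
```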
Researchers are unsure whether tech support scammers have “upped their game” or if “there could be a more banal explanation,” the blog post noted. “Given the way that exploit kit attackers operate, it is quite possible that the tech support scammers' own web servers got compromised by a separate group who are using the Nuclear exploit kit.”
Because the attackers inject an iframe into the scam page, either possibility is plausible, Singh explained, though it's likely a moot point. “Regardless, this is the first time we've seen tech support scams running in tandem with the Nuclear exploit kit to deliver ransomware and if this proves to be an effective combination, we are likely to see more of this in the future.”