Researchers at security firm Malwarebytes have uncovered a new malvertising campaign attacking Comcast customers.
The company explained in a blog post that the malicious ad was displayed as a pop-up on Comcast’s Xfinity page via Google AdWords, disguised as a promotion comparing DirecTV and Comcast.
On clicking the link in the ad, users were redirected to a site called SatTvPro.com, which was running an outdated version of the Joomla CMS (the site has since been migrated to WordPress). The compromised site then triggered a series of redirects that led to the Nuclear exploit kit, which probes the visitor’s browser and plugins for known vulnerabilities and, if one is found, drops malware onto the system. According to Malwarebytes, some customers were instead shown a tech support scam page that copied the design of the Xfinity portal. It displayed a ‘critical warning’ which falsely claimed that the user’s system had been infected and advised them to call a toll-free number to receive ‘tech assistance.’
The warning reads: ‘Comcast’s security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-7176 for technical assistance.’
While the researchers state that they did not capture the malware payload in this instance, they noted that affected machines had most likely been infected with CryptoWall ransomware or a similar variant. They also explained that the technical support scam was hosted on a domain separate from the SatTvPro site, but confirmed that both pages contained features linking the two.
‘Web beacons, in the form of 1×1 pixel images typically used for tracking the number of visits to a site, were directly loading from SatTvPro.com, therefore establishing a relationship between the initial advert, the review site and the scam page,’ the research team wrote in Monday’s blog post.
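The linkage Malwarebytes describes is a useful forensic technique in its own right: if a scam page loads a tracking pixel from the same host that served the redirect chain, the two pages share infrastructure even though they sit on different domains. The following script is an added illustration, not code from Malwarebytes or from the blog post. It parses page HTML for beacon-style `<img>` elements (1×1 or hidden) and reports which analysed page loads a pixel from the host of another analysed page. The two HTML documents are constructed for the example; `scam-page.example` is an invented placeholder domain, and only the SatTvPro.com name comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class BeaconFinder(HTMLParser):
    """Collect <img> elements that look like web beacons: declared as 1x1,
    or hidden via inline CSS. Records (absolute_src, hostname) pairs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        # Attribute values may be None for valueless attributes; normalise to "".
        width = (a.get("width") or "").strip().rstrip("px")
        height = (a.get("height") or "").strip().rstrip("px")
        style = (a.get("style") or "").replace(" ", "").lower()
        is_pixel = (width == "1" and height == "1") \
            or "width:1px" in style or "display:none" in style
        if not is_pixel:
            return
        absolute = urljoin(self.page_url, src)  # resolves relative and protocol-relative URLs
        host = (urlparse(absolute).hostname or "").lower()
        self.beacons.append((absolute, host))


def find_beacons(page_url, html):
    parser = BeaconFinder(page_url)
    parser.feed(html)
    return parser.beacons


def cross_page_links(pages):
    """pages: dict of page_url -> html.
    Returns {loading_page_url: set(beacon_hosts)} restricted to beacon hosts
    that are themselves the host of another analysed page, i.e. page X pulls a
    pixel from the site serving page Y. Self-hosted pixels are ignored."""
    known_hosts = {(urlparse(u).hostname or "").lower() for u in pages}
    links = {}
    for url, html in pages.items():
        own_host = (urlparse(url).hostname or "").lower()
        for _, host in find_beacons(url, html):
            if host in known_hosts and host != own_host:
                links.setdefault(url, set()).add(host)
    return links


# Constructed sample pages (not captured from the real campaign).
REVIEW_URL = "http://sattvpro.com/directv-vs-comcast.html"
SCAM_URL = "http://scam-page.example/warning.html"  # placeholder domain

SAMPLE_PAGES = {
    REVIEW_URL: """<html><body>
        <h1>DirecTV vs Comcast</h1>
        <img src="/images/banner.jpg" width="600" height="150">
        </body></html>""",
    SCAM_URL: """<html><body>
        <img src="logo.png" width="200" height="60">
        <p>Critical warning: suspicious activity detected.</p>
        <img src="//sattvpro.com/images/counter.gif" width="1" height="1" />
        <img src="http://scam-page.example/self.gif" style="width: 1px; height: 1px">
        </body></html>""",
}


if __name__ == "__main__":
    for page, hosts in cross_page_links(SAMPLE_PAGES).items():
        print(f"{page} loads beacon(s) from: {', '.join(sorted(hosts))}")
```

On the constructed input the scam page is reported as loading a pixel from sattvpro.com, while the review page's own banner and the scam page's self-hosted pixel are ignored. In a real investigation you would feed it saved copies of each page in the chain (ad landing page, review site, scam page) and treat any cross-host beacon as a pivot for further attribution, not as proof on its own, since legitimate analytics pixels are common.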
Both Google and Comcast were alerted to the attack, and SatTvPro.com was promptly flagged by Google’s Safe Browsing service.