Comcast Users Hit by Malvertising, Exploit Kit, Tech Support Scam in One Go

Share this…

Trio of threats assaults unsuspecting Comcast Xfinity users. Some users visiting the Comcast Xfinity portal faced a triple threat these past days, being taken on a wild ride by a malicious ad to a page serving ransomware via an exploit kit, and later trying to trick them into calling a phone number in a classic tech support scam.

Researchers from Malwarebytes have detailed their most recently spotted malware campaign, one that affected users searching for content inside Comcast’s portal for Xfinity customers.

Malicious ad delivered via AdWords on the Xfinity portal

Apparently, in some search results, a malicious ad was displayed via Google’s AdWords service, which read, “DirectTV compared to Comcast TV.”

If users clicked on the ad, they would be redirected to the website, where the Nuclear Exploit Kit was hosted. This application, often employed by cyber-criminals, scanned the user’s computer for vulnerabilities and infected it with malware. Malwarebytes claims that, most of the times, the CryptoWall ransomware was dished out.

But things didn’t stop here, as right after the user’s computer was infected, the malicious website would also load another site, designed to look like the real Xfinity portal.

Tech support scam served via a fake Xfinity portal

This second website served its part in a tech support scam, where the user would be shown a warning message that read, “Comcast’s security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-[redacted] for technical assistance.”

Malwarebytes contacted both Google and Comcast about the attacks, and Google removed the malicious ad from its service.

The researchers also contacted the owner of the, who, even if he did not respond via email to Malwarebytes, proceeded to upgrade his site from a vulnerable Joomla 2.x CMS to WordPress, effectively removing the infection.

This is not the first time a security vendor observes tech support sites being combined with malvertising and exploit kits. Symantec reported on a similar incident at the start of December.

Malvertising campaign infection steps

Malvertising campaign infection steps