Researchers at Malwarebytes have reported an online threat targeted at Comcast users. The attack combines elements of malicious advertising, an exploit kit, phishing and a tech support scam, making it more complex than a typical malware campaign. Comcast is the largest home internet provider in the US, delivering services to over 19 million home internet customers.  

The attack began on Comcast’s Xfinity platform for digital television, internet, and phone services. The platform’s search results are provided by Google and include advertising from the Google AdWords network. One of the advertisements, in this case one for “DirectTV compared to Comcast TV” directed users to a website called “SatTVPro” which silently loaded the Nuclear Exploit Kit onto the user’s machine –  a program which searches the user’s computer for known software vulnerabilities. Such vulnerabilities are typically the result of outdated or unpatched programs such as Adobe Flash, Microsoft Word, PDF readers or web browsers. If the user’s computer contained one or more of these vulnerabilities, the exploit kit selected the correct malware and installed it on the user’s computer. 

Subsequently, another website designed to look like an official Comcast Xfinity page opened on the user’s computer. This is a fake phishing page intended to convince users that they are still navigating an official Comcast property. This page displays an error message purporting to be from Comcast, advising the user to contact the listed phone number for assistance: “Comcast’s security plugin has detected some suspicious activity from your IP address.  Some Spyware may have caused a security breach at your network location.  Call Toll Free 1-866-319-7176 for technical assistance.” The number would likely lead users to a tech support scam, with an operator who requires them to pay a significant upfront fee or subscribe to a long term service to receive ineffectual advice or have their computer compromised in additional ways.

This malware campaign combines a number of popular methodologies for targeting users. The phishing aspects, as attackers pose as Comcast, could prove to be the most troublesome as infected users can be coerced into contacting the technical support phone number and divulging financial information. As the scam originates in a piece of malicious advertising, perhaps cases such as this provide a reasonable argument for installing an ad-blocker.