Cyber Incident Victim: Comcast
Date: Dec 2015
Location: United States of America
Summary
Comcast customers were targeted through a sophisticated malvertising attack originating from ads on the Xfinity search portal, which redirected users to the SatTvPro review site. This site silently loaded the Nuclear exploit kit, potentially delivering ransomware such as CryptoWall to vulnerable systems, while also triggering a fraudulent tech support scam mimicking the Xfinity interface. The scam page included tracking elements linking it to the initial malvertising operation, indicating coordination between the exploit kit deployment and phishing components. The attack chain combined malvertising, exploit kit exploitation, and a tailored tech support fraud scheme designed to deceive victims into believing their devices were compromised. Security researchers reported the incident to both Google and Comcast, leading to the malicious site being flagged for hosting dangerous redirects.
Description
In December 2015, Comcast Xfinity customers were targeted through a multi-stage malvertising attack originating from ads displayed on Comcast’s search portal. The attack began when users performing searches via Xfinity encountered a Google AdWords advertisement promoting "DirectTV compared to Comcast TV," which directed them to SatTvPro.com, a review site running an outdated Joomla content management system. Upon clicking the ad, victims were silently redirected through a series of intermediate pages to the Nuclear exploit kit, which probed their systems for exploitable vulnerabilities. Although the exact malware payload was not confirmed during Malwarebytes' investigation, unpatched systems would likely have been infected with ransomware such as CryptoWall. Following this initial compromise, a separate phishing domain mimicking Comcast’s Xfinity portal immediately loaded a full-screen warning alleging a security breach on the user’s device, designed to coerce victims into contacting fraudulent technical support services.

Malwarebytes identified technical linkages between the malvertising campaign and the scam operation, including web beacons hosted on SatTvPro.com that loaded within the phishing page, confirming a deliberate connection between the initial ad, the exploit kit, and the tech support scam. The attackers tailored the phishing interface to replicate Xfinity’s branding and portal layout precisely. Following Malwarebytes’ disclosure, Google flagged SatTvPro.com via its Safe Browsing service for redirecting users to malicious domains such as canyouexpla.com, while the site’s operators migrated from Joomla to an updated WordPress installation, suggesting remediation efforts. Symantec concurrently documented a related but distinct tech support scam leveraging the Nuclear exploit kit, though the Comcast incident represented the first observed integration of malvertising, exploit kits, phishing interfaces, and technical support fraud into a single attack chain. The attackers likely profited from dual revenue streams, namely referral commissions from both the exploit kit operators and the scam page operators, though definitive attribution of the malvertising purchase or of SatTvPro.com’s compromise remained unclear despite evidence of coordination between these components.
