urlscan.io Blog


Remote Access Scams

Structural Analysis of 'Live Support' Campaigns

– urlscan Threat Research Team

urlscan Pro Report

This is a public version of a report first published as an Intel Report on the urlscan Pro platform. The urlscan Pro version contains a more detailed look into the activity as well as more complex searches to cluster the activity. The urlscan Pro report also benefits from added visibility of Unlisted scans.

Over the last couple of years, the urlscan Threat Research Team has observed repeated, near-identical “live support” web pages used to socially engineer victims into installing legitimate remote access tools (AnyDesk, ConnectWise/ScreenConnect, TeamViewer, etc.). Threat actors pair these pages with cold calls impersonating banks, telcos, or crypto services and talk the victim through installing the screen-sharing software. Once connected, they take control of the session and facilitate fraudulent transfers.


Vishing: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

A Typical Attack Flow

These campaigns usually begin with a cold call where the threat actor impersonates a trusted entity. The victim is directed to a single purpose landing page designed to look like a legitimate “live support” or “chat assistance” portal. From this page, the victim is instructed to download and install a legitimate remote access tool, most commonly AnyDesk, TeamViewer, or ConnectWise.

Once the software is installed, the threat actor requests the session code or in some cases guides the victim through installing a preconfigured client, enabling full remote access to the victim’s desktop.

At this stage, the threat actor may social-engineer the victim into logging into their bank or approving actions such as MFA prompts or payment confirmations. Because the activity originates from the victim’s own device and browser, fraudulent transactions often appear indistinguishable from normal user behavior.

  • The software involved is legitimate and widely used for real IT support. This is a common tactic: because the remote desktop tool is expected on many endpoints and behaves exactly as it does in a genuine support session, its presence and actions do not by themselves produce a suspicious behavioural fingerprint.
  • Financial transactions are executed from the genuine account holder’s account, on their usual device and from their usual location, so behavioural fraud detection systems often fail to trigger alerts.


Technical Clusters

Below are the structural clusters we use to group and hunt these setups. Each cluster is described by the behavioural and structural signatures used to identify it.

‘index/config.js’ Cluster

Pages in this cluster use a consistent pairing of the filenames index.js and config.js. config.js frequently contains direct or proxied links to the remote desktop installer.

The index.js file renders the download buttons for Windows and Mac based on the visitor’s browser, using navigator.platform. It is notable for this cluster that the Windows and Mac downloads are differentiated rather than served from a single link.

  import { WIN_DOWNLOAD_LINK, MAC_DOWNLOAD_LINK } from '../config.js';

  document.addEventListener('DOMContentLoaded', function () {
    const downloadButtons = document.querySelectorAll('.dl-btn');
    const winIcons = document.querySelectorAll('.dl-win');
    const macIcons = document.querySelectorAll('.dl-mac');
    const isMac = navigator.platform.startsWith('Mac');

    winIcons.forEach((icon) => icon.classList[isMac ? 'add' : 'remove']('hidden'));
    macIcons.forEach((icon) => icon.classList[isMac ? 'remove' : 'add']('hidden'));

    downloadButtons.forEach((button) => {
      button.addEventListener('click', function () {
        const downloadLink = isMac ? MAC_DOWNLOAD_LINK : WIN_DOWNLOAD_LINK;
        const link = document.createElement('a');
        link.href = downloadLink;
        document.body.appendChild(link);
        link.click();
        document.body.removeChild(link);
      });
    });
  });

The config.js file is a minimal module that points index.js at the installer download locations, which in this cluster are typically paths on the same domain.

  export const WIN_DOWNLOAD_LINK = '/path/to/win.exe';
  export const MAC_DOWNLOAD_LINK = '/path/to/mac.dmg';

The brands targeted by this cluster are predominantly banking and financial companies.

Observed brands within this cluster are:


‘OSname’ Cluster

Pages in this cluster include a small jQuery snippet that inspects navigator.appVersion, assigns the detected operating system to OSName, and sets the text and href of the #dlButton element accordingly. The button text is adapted to the name of the operating system, and the href points directly at the official AnyDesk installer for that platform, so the installer itself is not hosted on the lure domain.

  $(document).ready(function () {
      if (navigator.appVersion.indexOf("Win") != -1) {
          OSName = "Windows";
          $("#dlButton").text("Open Live chat on Windows");
          $("#dlButton").attr("href", "https://download.anydesk.com/AnyDesk.exe");
      } else if (navigator.appVersion.indexOf("Mac") != -1) {
          OSName = "macOS";
          $("#dlButton").text("Open Live chat on Mac");
          $("#dlButton").attr("href", "https://download.anydesk.com/anydesk.dmg");
      } else {
          OSName = "Unknown";
          $("#dlButton").text("Not Available");
          $("#dlButton").attr("href", "javascript:void(0);");
      }
  });

A large number of brands are used as lures in this cluster. A sample of the brands observed, spanning several verticals:


‘Direct-link’ Cluster

The simplest of the clusters uses static HTML templates that link directly to the official AnyDesk download page on download.anydesk.com, with no client-side OS detection at all. This makes hunting straightforward: with urlscan it is trivial to spot copycat sites that reuse these links.

Predominantly financial institutions are targeted by this cluster. A small selection of the associated brands:

It should be noted that the OSname and Direct-link clusters share very similar template code. This similarity may indicate a newer generation of the same kit or the emergence of a splinter group. However, it does not preclude the presence of two distinct clusters, each with its own unique fingerprint.


The ‘killer’ Cluster

Pages in this cluster gate access with an initial anti-bot step, consisting of a geographic filter and a custom allowlist, and consult a hosted backend (often Supabase) before loading the final “support” page. config.js usually exports constants such as ENTRY_FILE, ACCESS_KEY, SUPABASE_URL and SUPABASE_KEY. The token names and values often reuse the term killer together with a brand shortcode (e.g. anzkiller).

Representative config.js file:

  export const ENTRY_FILE = '/anz/index.html';
  export const ACCESS_KEY = 'anzkiller';
  export const SUPABASE_URL = 'https://xnixjkzqyaynqblknxcz.supabase.co';
  export const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';

Several searches can be used to find pages in this cluster. They can be refined to target either the initial landing page, which in some cases has already redirected by the time the scan completes, depending on how the scan was performed, or the content of the anti-bot page itself. Because of how the redirection logic is built, scans of both stages can still be hunted and matched. The project subdomain in SUPABASE_URL and the ACCESS_KEY string are useful pivots where they are reused across deployments of the same kit; note that the SUPABASE_KEY is a client-side key that is expected to appear in page source, so its presence alone is not evidence of a leak.
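The structural signatures described for the four clusters above can be turned into an offline classifier that runs over captured page content, as a complement to platform searches. The following is an added example written for this post; it is not urlscan’s tooling and not code from the kits. It assumes the input is what a crawl or scan hands you (the page URL, its HTML, and the text of each loaded script), and the sample pages and .test hostnames are constructed to mirror the snippets quoted above, not observed infrastructure. The regular expressions are one reading of the signatures in this post, tightened so that an ordinary page with no download logic falls through as unclassified.

```javascript
// Added example (not urlscan's code, and not from the kits themselves):
// classify a captured "live support" page into the clusters described in
// this post using only the structural signatures the post gives.
// Input is what a crawl or scan hands you: the page URL, its HTML, and the
// text of every script it loaded (index.js, config.js, inline blocks...).

const ANYDESK_DIRECT = /https?:\/\/download\.anydesk\.com\/[A-Za-z0-9_.-]+/gi;

function classifyPage(page) {
  const js = page.scripts.join('\n');
  const indicators = [];
  const downloadLinks = new Set();
  let cluster = 'unclassified';

  // 1. index/config.js cluster: index.js imports the two link constants from
  //    config.js, and config.js exports them (often as same-domain paths).
  const cfgImport = /import\s*\{[^}]*WIN_DOWNLOAD_LINK[^}]*\}\s*from\s*['"][^'"]*config\.js['"]/;
  const cfgExport = /export\s+const\s+(WIN|MAC)_DOWNLOAD_LINK\s*=\s*['"]([^'"]+)['"]/g;
  if (cfgImport.test(js)) {
    cluster = 'index/config.js';
    indicators.push('index.js imports WIN/MAC_DOWNLOAD_LINK from config.js');
    for (const m of js.matchAll(cfgExport)) {
      // Relative paths resolve against the page URL, giving the hosted installer location.
      downloadLinks.add(new URL(m[2], page.url).href);
    }
  }

  // 2. killer cluster: config.js exporting ENTRY_FILE / ACCESS_KEY / SUPABASE_*.
  const killerExports = ['ENTRY_FILE', 'ACCESS_KEY', 'SUPABASE_URL', 'SUPABASE_KEY']
    .filter((name) => new RegExp(`export\\s+const\\s+${name}\\s*=`).test(js));
  if (cluster === 'unclassified' && killerExports.length >= 3) {
    cluster = 'killer';
    indicators.push(`config.js exports ${killerExports.join(', ')}`);
    const key = js.match(/export\s+const\s+ACCESS_KEY\s*=\s*['"]([^'"]+)['"]/);
    if (key) indicators.push(`ACCESS_KEY=${key[1]}`);
    // The Supabase project host is a pivot that survives lure-domain churn.
    const sb = js.match(/export\s+const\s+SUPABASE_URL\s*=\s*['"]https?:\/\/([^'"/]+)/);
    if (sb) indicators.push(`supabase host=${sb[1]}`);
  }

  // 3. OSname cluster: navigator.appVersion sniffing that assigns OSName and
  //    rewrites the #dlButton href.
  if (cluster === 'unclassified'
      && /navigator\.appVersion\.indexOf\(\s*['"](Win|Mac)['"]\s*\)/.test(js)
      && /\bOSName\s*=/.test(js) && /#dlButton/.test(js)) {
    cluster = 'OSname';
    indicators.push('navigator.appVersion OS sniff drives #dlButton href');
  }

  // 4. Direct-link cluster: a static anchor to download.anydesk.com with none
  //    of the script logic above.
  const htmlAnchors = page.html.match(/href=["']https?:\/\/download\.anydesk\.com\/[^"']+["']/gi) || [];
  if (cluster === 'unclassified' && htmlAnchors.length > 0) {
    cluster = 'Direct-link';
    indicators.push(`${htmlAnchors.length} static anchor(s) to download.anydesk.com`);
  }

  // Any direct AnyDesk installer URL, in HTML or script, is worth recording
  // whichever cluster the page falls into.
  for (const src of [page.html, js]) {
    for (const m of src.matchAll(ANYDESK_DIRECT)) downloadLinks.add(m[0]);
  }
  return { cluster, indicators, downloadLinks: [...downloadLinks].sort() };
}

// Constructed samples modelled on the snippets quoted in the post. Hostnames
// under .test are placeholders, not observed infrastructure.
const SAMPLES = {
  indexConfig: {
    url: 'https://support-example.test/bank/index.html',
    html: '<button class="dl-btn">Start live chat</button>',
    scripts: [
      "import { WIN_DOWNLOAD_LINK, MAC_DOWNLOAD_LINK } from '../config.js';",
      "export const WIN_DOWNLOAD_LINK = '/files/win.exe';\nexport const MAC_DOWNLOAD_LINK = '/files/mac.dmg';",
    ],
  },
  osname: {
    url: 'https://chat-example.test/',
    html: '<a id="dlButton" href="#">Open Live chat</a>',
    scripts: ['$(document).ready(function () {'
      + ' if (navigator.appVersion.indexOf("Win") != -1) { OSName = "Windows";'
      + ' $("#dlButton").attr("href", "https://download.anydesk.com/AnyDesk.exe"); } });'],
  },
  killer: {
    url: 'https://gate-example.test/',
    html: '<div id="app"></div>',
    scripts: ["export const ENTRY_FILE = '/anz/index.html';\nexport const ACCESS_KEY = 'anzkiller';\n"
      + "export const SUPABASE_URL = 'https://project-ref.supabase.co';\nexport const SUPABASE_KEY = 'placeholder-anon-key';"],
  },
  directLink: {
    url: 'https://help-example.test/',
    html: '<a href="https://download.anydesk.com/AnyDesk.exe">Open live support</a>',
    scripts: [],
  },
  benign: { url: 'https://shop-example.test/', html: '<p>Contact us</p>', scripts: ['console.log("hi")'] },
};

for (const [name, page] of Object.entries(SAMPLES)) {
  console.log(name, '=>', classifyPage(page));
}
```

The checks are ordered from most to least specific: the index/config.js and killer signatures are module-level constants that a benign page will not carry, the OSname check requires all three of its traits together, and Direct-link only fires when no script logic matched, since the OSname snippet also references download.anydesk.com. Extracted installer URLs and the Supabase host are returned separately so they can be fed straight into a blocklist or a follow-up search.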

The brands observed are predominantly targeted by geography, with Australia and the United Kingdom targeted most. A sample of brands identified in this cluster:


Conclusion

The analysis of live support campaigns reveals a persistent threat model centered on social engineering and the abuse of legitimate remote access tools such as AnyDesk and TeamViewer. This approach allows threat actors to bypass traditional fraud detection mechanisms by initiating fraudulent transactions directly from the victim’s own, trusted device and location.

The campaigns exhibit a scalable structure, identifiable through four distinct technical clusters - the index/config.js cluster, the OSName cluster, the Direct-link cluster, and the regionally-focused "killer" cluster - which provide actionable signatures for defense. While various brands are impersonated, the core objective remains financially motivated, with a heavy emphasis on targeting banking and financial institutions, particularly in regions like the US, Australia and the UK.

More on urlscan Pro

If you want to learn about the urlscan Pro platform and how it might be valuable for your organization feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.