
Nom001.site

By GoldSparrow in Adware

The Nom001.site domain is associated with a technical support tactic that was reported on November 24th, 2017. An investigation into the network profile of Nom001.site revealed that the site has many clones, such as Nom002[.]site, Nom003[.]site, Nom004[.]site and others. Many of the pages related to the Nom001.site tech support tactic appear to be registered to the 104.18.44.99 IP address. The list of IPs and content linked to Nom001.site includes more than addresses as far as we are aware, but the con artists using the site may have access to more pages than we know of. The Nom001.site domain hosts a specially crafted page with Flash animations that resemble the loading notifications of AV programs. The Nom001.site notifications are generated in a pop-up loop that prevents users from leaving Nom001.site. Once you open Nom001.site, the following text is shown:

‘Notice: Your Windows is infected. Virus Found!
0 minutes and 21 seconds
Your Windows device has been infected by the latest unpatched malware. This virus is highly dangerous and can
cause severe damage to your machine.
IMMEDIATE REMOVAL REQUIRED TO AVOID PERMANENT DAMAGE.
*This tool is free to download
[Download and Repair|BUTTON]’

A second message is generated on the screen shortly after loading Nom001.site, which reads:

‘WARNING!

The last website you visited has infected your computer with a virus.
Click OK to begin repair process.
**If you leave this site your computer will remain damaged and vulnerable**
[OK|BUTTON]’

Don't believe the Nom001.site messages, and avoid downloading any programs promoted via 'WARNING!' and 'Your Computer is Infected' pop-up windows. The threat actors seek to trick users into loading a remote desktop client on their machines and to convince them to call a fake technical support line. We have found that Nom001.site and many of its clones are designed to reroute Web traffic via portals like h[tt]p://oomiz.voluumtrk[.]com/click to phishing pages and compromised sites. Apparently, the con artists are using the Voluum[.]com Web analytics tools to operate their horde of redirect gateways. Statistics show that the relays used in the Nom001.site tech support tactic use URLs that follow the pattern:

h[tt]p://[five random chars].voluumtrk[.]com/[unique string]={clickid}&aff_sub2={clickid}&cid={clickid}&sub_id2={clickid}&sub_id={clickid}&sub_id1={clickid}
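The clone naming (Nom001, Nom002, ...) and the relay URL pattern above are both things a defender can hunt for in proxy or DNS logs. The script below is an added example written for this page, not code from the report or from GoldSparrow: it classifies each logged URL as a Nom clone landing page, a voluumtrk relay matching the affiliate-parameter pattern, or neither, and then lists clients that touched both, since a landing page followed by a relay hit is a stronger signal than either alone. The log format, the client IPs, the sample lines, the three-digit clone numbering, the five-character subdomain regex and the "at least 3 of the 5 parameter names" threshold are all assumptions; the hostnames, the /click path and the parameter names come from the report.

```python
"""Added detection example: flag Nom00N.site clones and voluumtrk.com relay URLs
in a proxy log. Indicators are from the report; the log format, regexes and
thresholds are assumptions made for this example."""
import re
from urllib.parse import urlparse, parse_qs

# Clone family: the report names Nom001.site through Nom004.site; treating the
# suffix as any three digits is an assumption.
NOM_CLONE_RE = re.compile(r"^nom\d{3}\.site$", re.IGNORECASE)

# Relay hosts: "[five random chars].voluumtrk.com"; the observed gateway used the
# label "oomiz" and the path "/click".
VOLUUM_HOST_RE = re.compile(r"^[a-z0-9]{5}\.voluumtrk\.com$", re.IGNORECASE)

# Affiliate-tracking parameter names quoted in the report's URL pattern.
RELAY_PARAMS = {"aff_sub2", "cid", "sub_id", "sub_id1", "sub_id2"}

# Constructed sample log, "<timestamp> <client_ip> <url>" (not real traffic).
SAMPLE_LOG = """\
2017-11-24T10:01:02Z 10.0.0.12 http://nom001.site/
2017-11-24T10:01:03Z 10.0.0.12 http://oomiz.voluumtrk.com/click
2017-11-24T10:01:04Z 10.0.0.12 http://abcde.voluumtrk.com/k9x2={clickid}&aff_sub2={clickid}&cid={clickid}&sub_id2={clickid}&sub_id={clickid}&sub_id1={clickid}
2017-11-24T10:02:00Z 10.0.0.33 https://example.com/index.html
2017-11-24T10:02:05Z 10.0.0.33 http://nom004.site/?c=1
2017-11-24T10:03:00Z 10.0.0.40 http://tracker.example.net/click?cid=12345
2017-11-24T10:03:10Z 10.0.0.40 http://zzzzz.voluumtrk.com/landing?cid=77
"""


def classify_url(url):
    """Return 'nom-clone', 'voluum-relay' or None for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if NOM_CLONE_RE.match(host):
        return "nom-clone"
    if VOLUUM_HOST_RE.match(host):
        # The report's pattern puts the parameters straight after the path
        # separator, so fall back to the path when there is no '?' query.
        raw_query = parsed.query if parsed.query else parsed.path.lstrip("/")
        params = set(parse_qs(raw_query, keep_blank_values=True))
        # Flag the bare /click gateway, or a query carrying most of the
        # affiliate parameter set; a lone generic 'cid' is not enough, because
        # Voluum is also used by legitimate advertisers (assumed threshold).
        if parsed.path.rstrip("/") == "/click" or len(params & RELAY_PARAMS) >= 3:
            return "voluum-relay"
    return None


def scan_log(text):
    """Yield (client, url, label) for every log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than crash the scan
        client, url = parts[1], parts[2]
        label = classify_url(url)
        if label:
            hits.append((client, url, label))
    return hits


def clients_with_full_chain(hits):
    """Clients that reached both a clone landing page and a relay gateway."""
    seen = {}
    for client, _url, label in hits:
        seen.setdefault(client, set()).add(label)
    return sorted(c for c, labels in seen.items()
                  if {"nom-clone", "voluum-relay"} <= labels)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, url, label in found:
        print(f"{label:13} {client:10} {url}")
    print("full chain:", clients_with_full_chain(found))
```

Running it over the constructed log flags the three Nom001/voluumtrk lines for 10.0.0.12 and the Nom004 line for 10.0.0.33, leaves the example.com, tracker.example.net and the single-parameter voluumtrk request alone, and reports 10.0.0.12 as the only client that completed the landing-page-to-relay chain.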

AV companies and browser vendors are working 24/7 to block access to corrupted pages and insecure resources utilized in unlawful tech support campaigns. Web users who stumble upon Nom001.site should close their browser and report the address to their browser vendor. AV engines are known to block connections to known phishing domains and may display alerts that feature the following detection names:

  • HTML/FakeAlert.MF
  • JS:ScriptIP-inf [Trj]
  • Suspicious_GEN.F47V1002
  • Trojan.FakeAlert!8.56B (topis:teSV6BOzF2J)
  • Trojan.HTML.FakeAlert
