Tech Support Scammers may freeze your browser
Tech support scams come in many forms, from basic popup messages or fake screenshots posted on websites to sophisticated operations that try to block users from leaving a site or closing a popup.
Malwarebytes discovered a new sophisticated tech support scam operation recently that affects Chrome, Firefox, Brave and probably other web browsers as well.
The scam uses a public API that browsers support to flood the browser with file downloads, which drives up CPU and memory usage until the browser freezes and becomes unresponsive.
The Blob constructor coupled with the window.navigator.msSaveOrOpenBlob method lets you save files locally and, as you may have guessed, is what is being abused here.
A script is executed when a user visits a specially prepared web page. This script initiates more than 2000 downloads at once, which freezes the browser so that it can no longer be closed through normal means.
While some browsers have protections in place to block too many downloads from happening at once, Malwarebytes notes that the initiation of downloads happens so quickly that the prompt never displays. This happened on Windows 7 and Windows 10 systems running the latest stable version of Google Chrome.
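The point about call speed, shown from the defensive side as an added example that is not code from Malwarebytes or from this article: a wrapper counts saves at call time and refuses them synchronously, so it does not depend on a prompt being displayed. guardSaves, its options and the fake navigator object are hypothetical names, and the wrapper covers only the msSaveOrOpenBlob method named above.

```javascript
// Added example: call-time rate limit for programmatic file saves.
// guardSaves and its parameters are hypothetical names, not a browser API.
function guardSaves(nav, { limit = 3, windowMs = 1000, now = Date.now } = {}) {
  const original = nav.msSaveOrOpenBlob;
  if (typeof original !== "function") return null; // API absent: nothing to wrap
  const stats = { allowed: 0, blocked: 0 };
  let windowStart = now();
  let used = 0;
  let tripped = false; // once a burst is seen, stay closed for this page

  nav.msSaveOrOpenBlob = function (blob, name) {
    const t = now();
    if (t - windowStart >= windowMs) { windowStart = t; used = 0; }
    if (tripped || used >= limit) {
      tripped = true;
      stats.blocked++;
      return false; // refuse synchronously, before any prompt is queued
    }
    used++;
    stats.allowed++;
    return original.call(nav, blob, name);
  };
  return stats;
}

// Constructed stand-in for window.navigator so the block runs under Node.
function simulateBurst(calls, spacingMs, limit) {
  let clock = 0;
  const saved = [];
  const fakeNav = {
    msSaveOrOpenBlob(blob, name) { saved.push(name); return true; },
  };
  const stats = guardSaves(fakeNav, { limit, windowMs: 1000, now: () => clock });
  for (let i = 0; i < calls; i++) {
    fakeNav.msSaveOrOpenBlob("x", "file" + i);
    clock += spacingMs; // advance the constructed clock between calls
  }
  return { saved: saved.length, ...stats };
}

console.log(simulateBurst(2000, 0, 3));  // burst: every call in the same instant
console.log(simulateBurst(5, 2000, 3));  // user-paced saves, two seconds apart
```

The burst case lets the first three saves through and refuses the rest, while saves spaced two seconds apart all pass.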
The scam page in question displays a prompt to the user that you see on the screenshot above. This message attempts to scare the user by stating that information such as the Facebook login, credit card details or photos on the PC is being stolen.
A "Call Microsoft" call to action is attached to the prompt to get affected users to call the listed support number which is not an official Microsoft number of course. Users should not call that number under any circumstances.
Malwarebytes notes that the scam attacks users through so-called malvertising campaigns. This involves abusing advertisements on websites to trick users into opening the support scam page.
Any content blocker worth its salt should block these ads and the script that runs on the support scam page. If you are affected, try opening the Task Manager to close Chrome this way, or use the power or reset button on the computer and restart the PC afterward.
Now You: Have you been affected by malvertising campaigns in the past?
This solution is what I have always done and works for me…
The minute one of those “(whatever the problem is) call tech support” screens pops up, I just pull the power cord right out of the back of the damn computer,
then > https://docs.google.com/document/d/15tdLuqwyrFhzVkOtKZF2ipusNT3Leg2jgsgSPpEYmYw/edit?usp=sharing
I cannot tell for sure, but available Chrome 65.0.3325.51 beta x64 may help mitigate this problem. More documentation on this released beta running under Windows 10 desktop may be available in the next day or so.
I think that using some type of content blocker is a necessity in preventing malware and goes a long way towards preventing undesirable website visits but even with that redirects, popups and popunders can still be a problem. If you land on a ‘malicious’ website without having inline and 1st-party javascript disabled there will likely be some unwanted excitement. The example in this article would need more than 3rd-party js blocked by uBO.
Which is why in FF based browsers I use an extension to automagically disable javascript when visiting a new website and on most websites you can still view the content without js being enabled. If I land on a new website that requires js be enabled to view the content I usually just leave.
One thing I like about chromium browsers is the ability to globally block javascript and then I can whitelist TLDs like com, net and org by using [*.]com, [*.]net and [*.]org. And then I have a small handful of websites that use other TLDs that I’ve whitelisted. The tech support scam site in this article using the ‘info’ TLD would have had javascript disabled. You can also disallow all sites from downloading multiple files automatically but I don’t know how well that would work in the above example, I don’t use chromium browsers that much.
If and when I run into stuff like the article is talking about, I just very quickly ‘pull the plug’, kill the power, period. Then reboot, deal with that, then run various malware scans. If necessary use system restore.
Slightly related to this topic… There doesn’t seem to be a way to prevent Firefox from automatically downloading files before clicking on OK:
https://security.stackexchange.com/questions/30310/firefox-pre-downloading
One commenter claims: “Firefox isn’t “pre-downloading”. You chose to start downloading by selecting “Save Link As” in the menu, or left-clicking on a link…”
…but that’s not necessarily the case. What if I just want to find out the size of a file, and then decide based on that?
“A script is executed when a user visits a specially prepared web page.”
Yes – but – If you’re running the NoScript add-on, this should never happen – right…?
Right.
>>>Now You: Have you been affected by malvertising campaigns in the past?
Feb 5th – How to Beat Malvertising
==========================
www . business.com/articles/how-to-beat-malvertising/
‘Adlergic’ consumers on the rise
=======
www . warc.com/newsandopinion/news/adlergic_consumers_on_the_rise/39897
You bet we are.
I found a rather bothersome thing too, with :
phys.org / news/2018-02-online-anti-ad-blocking-previously-thought [dot] html
….that I’m not sure if others will find? I found extraordinary ‘climbing’ memory consumption on the part of Waterfox, “if” Javascript was enabled, while accessing the above link.
Actually, what alerted me to this, was a very ‘unusually’ sluggish Waterfox. When I looked, it had consumed over 2GB of RAM, and was basically dying! Just from this link alone.
Turning off JS stopped such behaviour completely, and I was able to read the article.
It just makes you wonder what scripts these guys are running, on innocuous looking sites, and makes you realise that we are in a constant battle to protect ourselves from unwanted actions/scripts, running on certain websites.
Bottom line….is it any wonder we are blocking all their crap.
Yes, this cat-and-mouse game isn’t new at all. It’s been an ongoing battle ever since advertisers started to take a serious interest in the web and, I think, it will never end.
This is the primary reason why I don’t allow much in the way of client-side scripts to run in my browsers.
Talking about Malvertising….led me to this…….
phys.org / news/2018-02-online-anti-ad-blocking-previously-thought [dot] html
and this………
homepage.divms.uiowa.edu / ~mshafiq/files/adblock-ndss2018 [dot] pdf
The PDF file is : “Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis”
They’re fighting back, basically…..
(Forgive spacing out the links, it’s just that Ghacks posts often fail to appear if links are inserted!)
All the articles I have read about this fail to mention what happens if you enable “Always ask me where to save files”
I get the impression this happens even when you enable that, because it says the dialogs don’t “even” have time to appear.
At the very least……….. a full Hosts setup using something like : mvpshostsnews.blogspot.com
+
uBO with several well-chosen filters + third party scripts blocked…. should sort it.