Tech Support Scammers may freeze your browser

Martin Brinkmann
Feb 8, 2018
Updated • Feb 8, 2018

Tech support scams come in many forms, from basic popup messages or fake screenshots posted on websites to sophisticated operations that try to block users from leaving a site or closing a popup.

Malwarebytes discovered a new sophisticated tech support scam operation recently that affects Chrome, Firefox, Brave and probably other web browsers as well.

The scam abuses a public API that browsers support, flooding the browser with file downloads to drive up CPU and memory usage until it freezes and becomes unresponsive.

The Blob constructor coupled with the window.navigator.msSaveOrOpenBlob method lets you save files locally and, as you may have guessed, is what is being abused here.

[Image: malwarebytes browser freeze, via Malwarebytes]

A script is executed when a user visits a specially prepared web page. The script initiates more than 2000 downloads at once, which freezes the browser so that it can no longer be closed through normal means.

While some browsers have protections in place to block too many downloads from happening at once, Malwarebytes notes that the initiation of downloads happens so quickly that the prompt never displays. This happened on Windows 7 and Windows 10 systems running the latest stable version of Google Chrome.
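One way to cap a burst like the one described above without relying on a prompt, as an added example that is not code from the article or from Malwarebytes: a sliding-window guard wrapped around the method named earlier, which refuses calls synchronously once the limit is reached. The names guardDownloads, maxCalls, windowMs and the stub navigator object are assumptions made for this example.

```javascript
// Added example: throttle a download-triggering function with a sliding window.
// guardDownloads, maxCalls, windowMs and the stub navigator are hypothetical names.
function guardDownloads(target, method, { maxCalls = 3, windowMs = 1000, now = Date.now } = {}) {
  const original = target[method];
  if (typeof original !== 'function') return null; // API absent in this browser
  const recent = [];                 // timestamps of calls allowed inside the window
  const stats = { allowed: 0, blocked: 0 };
  target[method] = function (...args) {
    const t = now();
    // Forget calls that have aged out of the window.
    while (recent.length && t - recent[0] >= windowMs) recent.shift();
    if (recent.length >= maxCalls) {
      stats.blocked++;               // refuse synchronously; no prompt is needed
      return false;
    }
    recent.push(t);
    stats.allowed++;
    return original.apply(this, args);
  };
  return stats;
}

// Constructed demonstration: a stub stands in for window.navigator, so nothing is saved.
function simulateBurst(calls, gapMs) {
  let clock = 0;                     // fake clock in milliseconds
  let saved = 0;                     // how many calls reached the underlying method
  const fakeNavigator = { msSaveOrOpenBlob() { saved++; return true; } };
  const stats = guardDownloads(fakeNavigator, 'msSaveOrOpenBlob', { now: () => clock });
  for (let i = 0; i < calls; i++) {
    fakeNavigator.msSaveOrOpenBlob({}, 'file' + i + '.bin');
    clock += gapMs;
  }
  return { saved, allowed: stats.allowed, blocked: stats.blocked };
}

console.log(simulateBurst(2000, 0));   // burst with no delay between calls
console.log(simulateBurst(5, 1000));   // spaced-out, user-paced saves
```

The guard only covers the method it wraps; any other download path a page can reach would need the same treatment.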

The scam page in question displays the prompt shown in the screenshot above. The message attempts to scare the user by stating that information such as the Facebook login, credit card details or photos on the PC is being stolen.

A "Call Microsoft" call to action is attached to the prompt to get affected users to call the listed support number, which is of course not an official Microsoft number. Users should not call that number under any circumstances.

Malwarebytes notes that the scam attacks users through so-called malvertising campaigns. This involves abusing advertisements on websites to trick users into opening the support scam page.

Any content blocker worth its salt should block these ads and the script that runs on the support scam page. If you are affected, try opening the Task Manager and closing Chrome from there, or use the power or reset button on the computer and restart the PC afterward.

Now You: Have you been affected by malvertising campaigns in the past?

Publisher: Ghacks Technology News

Comments

  1. Illa Considerit said on February 11, 2018 at 11:36 am

    This solution is what I have always done and works for me…
    The minute one of those “(whatever the problem is) call tech support” screens pops up, I just pull the power cord right out of the back of the damn computer,
    then > https://docs.google.com/document/d/15tdLuqwyrFhzVkOtKZF2ipusNT3Leg2jgsgSPpEYmYw/edit?usp=sharing

  2. chesscanoe said on February 8, 2018 at 11:42 pm

    I cannot tell for sure, but available Chrome 65.0.3325.51 beta x64 may help mitigate this problem. More documentation on this released beta running under Windows 10 desktop may be available in the next day or so.

  3. Richard Allen said on February 8, 2018 at 9:43 pm

    I think that using some type of content blocker is a necessity in preventing malware and goes a long way towards preventing undesirable website visits but even with that redirects, popups and popunders can still be a problem. If you land on a ‘malicious’ website without having inline and 1st-party javascript disabled there will likely be some unwanted excitement. The example in this article would need more than 3rd-party js blocked by uBO.

    Which is why in FF based browsers I use an extension to automagically disable javascript when visiting a new website and on most websites you can still view the content without js being enabled. If I land on a new website that requires js be enabled to view the content I usually just leave.

    One thing I like about chromium browsers is the ability to globally block javascript and then I can whitelist TLDs like com, net and org by using [*.]com, [*.]net and [*.]org. And then I have a small handful of websites that use other TLDs that I’ve whitelisted. The tech support scam site in this article using the ‘info’ TLD would have had javascript disabled. You can also disallow all sites from downloading multiple files automatically but I don’t know how well that would work in the above example, I don’t use chromium browsers that much.

  4. Charlie said on February 8, 2018 at 3:30 pm

    If and when I run into stuff like the article is talking about, I just very quickly ‘pull the plug’, kill the power, period. Then reboot, deal with that, then run various malware scans. If necessary use system restore.

  5. anon3 said on February 8, 2018 at 3:22 pm

    Slightly related to this topic… There doesn’t seem to be a way to prevent Firefox from automatically downloading files before clicking on OK:
    https://security.stackexchange.com/questions/30310/firefox-pre-downloading

    One commenter claims: “Firefox isn’t “pre-downloading”. You chose to start downloading by selecting “Save Link As” in the menu, or left-clicking on a link…”
    …but that’s not necessarily the case. What if I just want to find out the size of a file, and then decide based on that?

  6. Straspey said on February 8, 2018 at 2:42 pm

    “A script is executed when a user visits a specially prepared web page.”

    Yes – but – If you’re running the NoScript add-on, this should never happen – right…?

    1. Martin Brinkmann said on February 8, 2018 at 3:02 pm

      Right.

  7. Sophie said on February 8, 2018 at 1:24 pm

    >>>Now You: Have you been affected by malvertising campaigns in the past?

    Feb 5th – How to Beat Malvertising
    ==========================

    www . business.com/articles/how-to-beat-malvertising/

  8. Sophie said on February 8, 2018 at 1:12 pm

    ‘Adlergic’ consumers on the rise
    =======

    www . warc.com/newsandopinion/news/adlergic_consumers_on_the_rise/39897

    You bet we are.

  9. Sophie said on February 8, 2018 at 12:57 pm

    I found a rather bothersome thing too, with :

    phys.org / news/2018-02-online-anti-ad-blocking-previously-thought [dot] html

    ….that I’m not sure if others will find? I found extraordinary ‘climbing’ memory consumption on the part of Waterfox, “if” Javascript was enabled, while accessing the above link.

    Actually, what alerted me to this, was a very ‘unusually’ sluggish Waterfox. When I looked, it had consumed over 2GB of RAM, and was basically dying! Just from this link alone.

    Turning off JS stopped such behaviour completely, and I was able to read the article.

    It just makes you wonder what scripts these guys are running, on innocuous looking sites, and makes you realise that we are in a constant battle to protect ourselves from unwanted actions/scripts, running on certain websites.

    Bottom line….is it any wonder we are blocking all their crap.

    1. John Fenderson said on February 9, 2018 at 1:29 am

      Yes, this cat-and-mouse game isn’t new at all. It’s been an ongoing battle ever since advertisers started to take a serious interest in the web and, I think, it will never end.

      This is the primary reason why I don’t allow much in the way of client-side scripts to run in my browsers.

  10. Sophie said on February 8, 2018 at 12:49 pm

    Talking about Malvertising….led me to this…….

    phys.org / news/2018-02-online-anti-ad-blocking-previously-thought [dot] html

    and this………

    homepage.divms.uiowa.edu / ~mshafiq/files/adblock-ndss2018 [dot] pdf

    The PDF file is : “Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis”

    They’re fighting back, basically…..

    (Forgive spacing out the links, it’s just that Ghacks posts often fail to appear if links are inserted!)

  11. someone said on February 8, 2018 at 12:01 pm

    All the articles I have read about this fail to mention what happens if you enable “Always ask me where to save files”

    1. Paul's Dad. said on February 8, 2018 at 5:15 pm

      I get the impression this happens even when you enable that, because it says the dialogs don’t “even” have time to appear.

  12. Sophie said on February 8, 2018 at 11:13 am

    At the very least……….. a full Hosts setup using something like : mvpshostsnews.blogspot.com

    +

    uBO with several well-chosen filters + third party scripts blocked…. should sort it.
