Tech Support Scammers exploit downloads trick again
Tech support scammers are once again exploiting a known browser issue that throws a massive number of downloads at the browser to freeze it, according to a report on Bleeping Computer.
The trick affects Google Chrome 67 as well as Firefox, Opera, Brave, Vivaldi and potentially other web browsers. Sites use JavaScript to start several thousand downloads in quick succession, which freezes the browser because browsers are not designed to handle that many downloads at once. Microsoft Edge and Internet Explorer are not affected by the issue.
The idea behind the scam is simple: display a support scam message and freeze the browser at the same time. Users can no longer close the tab or the browser because of the freeze, which may push them to call the fake phone number shown in the message to get "support" for the issue.
The method pushes CPU load to the maximum, so that it is difficult to get any reaction at all from the computer. The message informs users that their PC has been blocked, or that something else has happened that requires them to call a support line to resolve the issue.
In one case, users were asked to call Microsoft but the number is not operated by Microsoft but by the scammers.
Users who are quick enough can close the tab before the downloads are unleashed as the script fires after the page has loaded fully.
Google fixed the issue in Google Chrome 65 but the issue appears to have resurfaced in the recently released Chrome 67. While it is probably only a matter of time until Google fixes the issue again, it is recommended to play it safe until then.
The February bug report on the Chromium site includes a proof-of-concept HTML file that interested users can open to test their browser against the issue. Run such tests in a virtual machine or on a spare PC, as you may need to force a restart of the system afterwards.
Since the method requires JavaScript, one way to deal with it is to block JavaScript on all sites except whitelisted ones. This can be achieved with extensions such as NoScript or uMatrix.
I use uBlock Origin to block JavaScript everywhere and whitelist any site I choose. I also use uMatrix, but I just let it block JavaScript from all third parties.
window.navigator.msSaveOrOpenBlob and createObjectURL (again, why?)
-> JAVA 8, Windows 10 Home
restrict Java with a whitelist/blacklist utility
or just do not allow JavaScript to execute without user intervention
make note of the web site where the issue occurs and post that for all to see
Last year, the same thing happened to me with the exact same message shown in your article (above), kind of a copycat. Right off the bat, I knew it was a scam and I was able to take a screenshot of the critical message. After that, I powered down my PC, pulled out my rescue media disc for Macrium Reflect, powered the PC back on, and attached my portable Seagate HDD 1 TB which I never keep attached to my PC after backing up my system. I was able to roll back to a system image taken the day before.
All in all, I knew I played it really safe and there was no way whatever the scammers had the time to do would still be lurking on my computer.
This is why you always use NoScript or uMatrix and only allow JavaScript for websites you trust. It’s better to also replace Windows with Linux.
It’s probably not a popular opinion here, but this isn’t only a tech problem. It’s an education problem. The screenshot gives out so many red flags that you need to be naive and uneducated to fall for this.
If everyone is crying for browser makers to fix this, an important learning experience is being missed out.
While it is important to increase security in browsers, modern browsers are remarkably stable, and every user with a slight understanding of the technology can use them to navigate safely through the web.
In more than 10 years of browsing I haven’t come across a website like this one.
Seriously, what kind of sites do I need to browse to get into this kind of problem?
Rather ironic . . . on and on about Microsoft and how incompetent the system and techs are in general, but here we have an instance of a MS product presumably superior to other products that have been on the market for years and years.
How do these support scam messages appear? In the past they were popup windows, triggered after you clicked on something, such as trying to get a free download.
Stopping JavaScript works, but it will often break what many users are trying to do: downloading free movies and/or TV from sketchy sites that partner with these scumbags. Likewise, the DL process often won’t work with most adblockers or such running, that is without fussing with settings that may not work later, being that this is an evolving arms race of sorts.
Yet I’ve found that “Popup Blocker (strict)” works well. I keep it on most of the time with no issues. It usually doesn’t get detected as an adblocker, and can stop most popups. Also, if you need to allow a popup, it can allow it as need be, but then closes it before it fully opens, still giving you access to the download, if there is one, ha. Note what Martin said:
“Users who are quick enough can close the tab before the downloads are unleashed as the script fires after the page has loaded fully.”
Yet I have doubts “Popup Blocker (strict)” will stop this new threat, but IDK. For now I guess I will also sandbox my browser as need be.
Also note that I’ve had best success with “Popup Blocker (strict)” in Opera. About 6 months ago it didn’t work as well in Firefox for some reason. It may work better now though, IDK.
If this happens to you, here’s what you need to do:
1 – TAKE YOUR HANDS OFF THE MOUSE AND STEP AWAY FROM THE KEYBOARD !!
2 – Remove the power cord from your modem or router – thereby disconnecting yourself from the internet. (My Linksys router has an on/off switch in the back, which makes this step easy)
3 – Reboot your computer normally – wait until it’s fully functional.
4 – Clear the cache and cookies from your browsers, and flush the DNS cache.
5 – Reconnect your modem and router – wait for Windows to shake hands with them and reactivate your internet connection.
6 – You’re good to go.
These types of attackers rely heavily upon that first wave of panic and fear, and assume you will try to use your mouse and keyboard to close the browser or try to run another program, like Task Manager.
Remember – they can’t do anything to your computer if you are not connected to the internet.
Web browsers nowadays are filled with tons of unnecessary features, opening many exploits for people to do dirty things. This, and anti-adblock becoming a thing, and the many ways to track users, are the problems that what they call “new features” cause.
The reason why this trick is exploitable is because of window.navigator.msSaveOrOpenBlob and createObjectURL.
I agree that NoScript may become a thing nowadays, as well as ways to prevent WebRTC and canvas fingerprinting from tracking users.
Source: https://bugzilla.mozilla.org/attachment.cgi?id=8950967&action=edit
Got to give these guys a call some day, seriously, I wonder what they will do to a locked machine where you can’t run cmd, event viewer, msconfig, task manager, etc. And set the whole OS to Russian to make everything difficult to be taken out of context.
To my knowledge, all the scams play the same. After connecting via something like TeamViewer (or alternatives), they walk you through CMD, with the folder listing command “tree”, claiming they “scan” your computer, or netstat and claim “hackers” are connected to your machine from “foreign IPs” (even 127.0.0.1, lol); they tell you that Event Viewer errors (which are normal to how Windows operates) are because of a virus; they tell you that services are stopped, as seen in msconfig, again, because of a virus (oh, I’d love to see a machine running all those at the same time, you probably need one of those servers with like 30 cores, lol); lie about the product key being expired, etc.
In essence, this is all they do. Oh, and if they detect something a bit odd about you, kind of realising you’re playing with them, they will run SysKey and lock you out (or if you refuse to pay).
Here are a few funny ones:
youtube.com/watch?v=kjKjyMKj3n4
youtube.com/watch?v=GVQoAlQrnSg
youtube.com/watch?v=Uelf3Bxj2Os
People not speaking English, are probably safe, since it is the only foreign language they seem to be able to understand (to some degree). So if you end up calling and speaking in other language, they’ll probably just hang up the call. Still, it would be funny to talk to them in English, but have them connected to your Cyrillic displaying VM :) Kind of curious what they would come up with.
Yes, this. This is the main reason why I feel so strongly about this push to make browsers into an operating-system equivalent. It can only end in tears, and I strongly wish that browser manufacturers would knock it off. The enhanced security that is being built into browsers will not be able to keep pace with the continuing expansion of the attack surface. I consider all of the browsers that people think of as “modern” to be serious security risks in their own right.
If this happens to you, run this from the run box (Windows+R):
taskkill -f -im chrome.exe
When you restart Chrome, DON’T let it reopen the closed tabs, or it will happen again.
I think we should crowd-source spamming these scammer numbers, so victims can’t get through.