Scammers use new obfuscation method to deceive victims

Nov 7, 2018 00:09 GMT  ·  By  ·  Comment  · 
Share:             
Tech support scam alert
3 photos
   Tech support scam alert

A new browser lock obfuscation technique which makes it possible for tech support scams to lock their victims' web browsers while at the same time completely avoiding detection has been observed in the wild by Malwarebytes' Jérôme Segura.

Browser lockers are a type of malicious attack designed to completely lock the victim's web browser, denying access to the desktop or blocking navigation to other websites.

This allows the bad actors behind it to induce a state of urgency, persuading the victim to call a tech support scam number, to pay a ransom, or to install a maliciously crafted extension that could drop a malware payload.

Unlike many of its brethren, the new browser locker discovered by Segura does not reside in the page designed to bait the victim, obfuscating itself using an ingenious new method instead of the run-of-the-mill BASE 64 or hex encoding employed by scammers who want to hide their tools from prying eyes.

To be more exact, this new browser locker Segura found in the wild takes obfuscation to another level by loading its code from another location and not having it included in the browlock's main page.

The browlock state is triggered after downloading, decoding, and executing the browser locker on the fly

Moreover, after the browser lock page is loaded, the browser loads the Zepto.js JavaScript library featuring a mostly jQuery-compatible API and the base64.min.js library used to decode Base64 encoded content in real time.

The browser locker code is loaded using a GET request from the source.php file stored on the same server as the main scam page, decoded into memory and executed by the web browser, triggering a browlock state.

"There is no denying that crooks are once again trying to play cat and mouse with defenders," says Segura. "Perhaps as a tongue-in-cheek gesture, they even created a bogus Google Analytics tracker ID: gtag(‘config’, ‘UA-8888888-x’), in addition to using the maps-google[.]us Google look-alike domain."

Even if users fall to these scams, they should know that they are not at all dangerous and most if not all of them can be dismissed by killing the web browser process using the operating system's process manager.

Photo Gallery (3 Images)

Tech support scam alert
Browlock in actionBrowser locker GET request
Open gallery
  Click to load comments
This enables Disqus, Inc. to process some of your data. Disqus privacy policy

Related Stories

Fresh Reviews

Latest News