A new form of browser locker has recently surfaced. Browser-lockers are websites or pop-ups that redirect the browser to a website that locks-up the browser. The user is prevented from continuing any normal operation including closing the offending browser window, opening a new page, or closing the application itself.
This new browser locker calls itself Microsoft Official Support as seen in Figure 1. Of course, this page is in no way related to or endorsed by Microsoft.
Figure 1: Fake Microsoft Official Support Browser Locker
Unlike the more common browser lockers that doubles as a ransomware like the one discussed in this blog, this new form of browser-locker asks the user to call a support number.
Once this browser locker window pops up, the first thing that the user will see is a message that says that “Your Windows(Microsoft) Computer has been blocked” as seen in Figure 2 and 3.
Figure 2: Block message as seen in Internet Explorer
Figure 3: Block message as seen in Firefox
Looking closely, the block message contains the following message as seen in Figure 4.
Figure 4: Block message complete text
Aside from the pop-up message, the browser locker plays an audio message in an endless loop. Below is the transcript of the audio message.
“Important security message. Please call the number provided as soon as possible. You will be guided for the removal of adware spyware virus on your computer. Seeing these pop-ups means that you have a virus installed on your computer, which puts the security of your personal data at a serious risk. It is strongly advised that you call the number provided and get your computer fixed before you do any shopping online.”
Attempting to close the pop-up message will just fail. The browser locker will pop up a new one.
Fortunately, removing this browser locker is simple. If you are using Internet Explorer, just open Task Manager and terminate the Internet Explorer process. You can do this to all browsers. But Mozilla Firefox has a feature to beat browser lockers that employ this continuous pop-up technique, which I previously discussed in a post on Speaking of Security.
In Firefox, an option will appear in all subsequent pop-up windows, as seen in Figure 3, is closed by pressing OK. The second pop-up will have a tick box that says “Prevent this page from creating additional dialogs,” as seen in Figure 5. Ticking this box and pressing OK removes the pop-up and gives control back of the browser to the user.
Figure 5: Firefox anti pop-up feature
This is a relatively easy problem to address for informed users, but ultimately we must concede that the threat is designed for users who haven’t the know-how to solve these kinds of threats. For the non-technical user, a sudden panic induced by the thought of losing control of one’s machine could easily lead to a call to the “support” number. Such scams have been remarkably successful for years. Fraudsters continually innovate their schemes, discovering new ways to dupe users into clicking on a malicious link, downloading a malicious file, (or as in this case) inducing the victim to provide a credit card number or other personally identifiable information for subsequent exploitation.
The post Browser Locked? Call This Number. appeared first on Speaking of Security - The RSA Blog and Podcast.