Tech support scammers use subdomain trick to defeat blocking (updated)

Tech support scammers use subdomain trick to defeat blocking (updated)

Update (02/17):

We’re seeing an improved version of this subdomain switching technique. The original one was simplistic since it had to be hardcoded by the crooks and followed a predictable order (i.e. a,b,c,d,e,f etc.)

This new method randomly chooses a new subdomain:

random

Every time the user clicks on the ‘Leave this Page’ button, they get redirected to a new randomly selected subdomain:

warning

933443.servefail.tech 126922.servefail.tech 437132.servefail.tech 243705.servefail.tech 804169.servefail.tech 501994.servefail.tech 370579.servefail.tech 451847.servefail.tech 259033.servefail.tech 495803.servefail.tech 517275.servefail.tech 855709.servefail.tech etc.

– –

These days, the vast majority of tech support scams are delivered via malvertising attacks pushing fake error notifications and preventing users from normally closing their browsers.

Because those warnings are very convincing and often accompanied by audio cues, many people will get desperate and panic when they realize they cannot close those pages.

Unfortunately, most browsers are defeated by simple snippets of JavaScript code that create infinite loops or other suck trickeries. In other cases, scammers combine code with social engineering to deliver a very frustrating user experience ultimately forcing many victims to call the rogue toll free number for assistance.

message

Here’s such an example, where a scam page uses the “Confirm Navigation” dialog typically displayed when a user is about to leave a page. Some browsers, like Google Chrome, may be able to detect and therefore block repeated attempts when a page is clearly preventing you from leaving.

To circumvent this protection, scammers are taking an interesting approach by loading a new URL each time you click on the “Leave Page” button. That URL points to a subdomain from the original scam page, which in turn repeats the process with another subdomain, in effect creating what looks like a never ending situation.

Flow3

Flow:

updatefailure2.info  -> a.updatefailure2.info   -> b.updatefailure2.info    -> c.updatefailure2.info     -> d.updatefailure2.info      -> e.updatefailure2.info       -> f.updatefailure2.info        -> ...

Probably the most effective way of getting rid of such fake pages is to terminate the browser process using Windows’ TaskManager. Click the start button and type: taskmgr.exe and then press Enter. In the processes tab, find the process for whichever browser you are running: iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdge.exe and then click End Process or Terminate.

We have reported this malicious domain to the hosting provider and added it to our blacklist.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher