We’re seeing an improved version of this subdomain switching technique. The original one was simplistic since it had to be hardcoded by the crooks and followed a predictable order (i.e. a,b,c,d,e,f etc.)
This new method randomly chooses a new subdomain:
Every time the user clicks on the ‘Leave this Page’ button, they get redirected to a new randomly selected subdomain:
933443.servefail.tech 126922.servefail.tech 437132.servefail.tech 243705.servefail.tech 804169.servefail.tech 501994.servefail.tech 370579.servefail.tech 451847.servefail.tech 259033.servefail.tech 495803.servefail.tech 517275.servefail.tech 855709.servefail.tech etc.
These days, the vast majority of tech support scams are delivered via malvertising attacks pushing fake error notifications and preventing users from normally closing their browsers.
Because those warnings are very convincing and often accompanied by audio cues, many people will get desperate and panic when they realize they cannot close those pages.
Here’s such an example, where a scam page uses the “Confirm Navigation” dialog typically displayed when a user is about to leave a page. Some browsers, like Google Chrome, may be able to detect and therefore block repeated attempts when a page is clearly preventing you from leaving.
To circumvent this protection, scammers are taking an interesting approach by loading a new URL each time you click on the “Leave Page” button. That URL points to a subdomain from the original scam page, which in turn repeats the process with another subdomain, in effect creating what looks like a never ending situation.
updatefailure2.info -> a.updatefailure2.info -> b.updatefailure2.info -> c.updatefailure2.info -> d.updatefailure2.info -> e.updatefailure2.info -> f.updatefailure2.info -> ...
Probably the most effective way of getting rid of such fake pages is to terminate the browser process using Windows’ TaskManager. Click the start button and type: taskmgr.exe and then press Enter. In the processes tab, find the process for whichever browser you are running: iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdge.exe and then click End Process or Terminate.
We have reported this malicious domain to the hosting provider and added it to our blacklist.