Update (02/17):

We’re seeing an improved version of this subdomain switching technique. The original one was simplistic since it had to be hardcoded by the crooks and followed a predictable order (i.e. a,b,c,d,e,f etc.)

This new method randomly chooses a new subdomain:

random

Every time the user clicks on the ‘Leave this Page’ button, they get redirected to a new randomly selected subdomain:

warning

933443.servefail.tech
126922.servefail.tech
437132.servefail.tech
243705.servefail.tech
804169.servefail.tech
501994.servefail.tech
370579.servefail.tech
451847.servefail.tech
259033.servefail.tech
495803.servefail.tech
517275.servefail.tech
855709.servefail.tech
etc.

– –

These days, the vast majority of tech support scams are delivered via malvertising attacks pushing fake error notifications and preventing users from normally closing their browsers.

Because those warnings are very convincing and often accompanied by audio cues, many people will get desperate and panic when they realize they cannot close those pages.

Unfortunately, most browsers are defeated by simple snippets of JavaScript code that create infinite loops or other suck trickeries. In other cases, scammers combine code with social engineering to deliver a very frustrating user experience ultimately forcing many victims to call the rogue toll free number for assistance.

message

Here’s such an example, where a scam page uses the “Confirm Navigation” dialog typically displayed when a user is about to leave a page. Some browsers, like Google Chrome, may be able to detect and therefore block repeated attempts when a page is clearly preventing you from leaving.

To circumvent this protection, scammers are taking an interesting approach by loading a new URL each time you click on the “Leave Page” button. That URL points to a subdomain from the original scam page, which in turn repeats the process with another subdomain, in effect creating what looks like a never ending situation.

Flow3

Flow:

updatefailure2.info
 -> a.updatefailure2.info
  -> b.updatefailure2.info
   -> c.updatefailure2.info
    -> d.updatefailure2.info
     -> e.updatefailure2.info
      -> f.updatefailure2.info
       -> ...

Probably the most effective way of getting rid of such fake pages is to terminate the browser process using Windows’ TaskManager. Click the start button and type: taskmgr.exe and then press Enter. In the processes tab, find the process for whichever browser you are running: iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdge.exe and then click End Process or Terminate.

We have reported this malicious domain to the hosting provider and added it to our blacklist.