There are many different tech support scam (TSS) campaigns active at any given moment, the majority of them are fueled by malicious adverts (the browser lockers), or bundled software (the screen lockers).
Something interesting happened recently, where legitimate – but hacked – websites would redirect to a tech support scam page, not only via malvertising but also from hacked websites bearing the mark of a popular website infection.
What was particularly striking was the fact that visitors from the US (and some other locations), running Internet Explorer, were being targeted and redirected to the scam page instead of what we would normally expect: an exploit kit landing page.
In this blog, we will focus on the US campaign that is pushed both via malvertising and compromised sites and recognizable by its use of numeric domain names.
This latest tech support scam scheme can be identified by the use of only digits within its domain name. While they may look odd at first, numeric domains – as they are known – work just like any other domain names.
They can be quite expensive if kept short as they can represent a brand or have special meanings (i.e. containing the number 8, popular in Chinese culture), but are otherwise a cheap commodity.
In fact, each domain we encountered as part of this attack was registered for a mere $0.88 and came with free WhoisGuard protection for anonymity:
The numeric TSS has been around since at least early April based on this urlQuery report, with some of those domains registered at the end of March.
Domain name Creation date 6473819564947657419.win 2017-03-31 7598437654236982.win 2017-03-31
Almost all browsers fail to mitigate the fake alert used by the numeric TSS, by not allowing you to normally close the page and instead of leaving little choice other than resorting to using the Task Manager to kill the offending process.
For Internet Explorer, the crooks are using mouse events to load the dialog message. Each time the mouse moves over a certain area, the same popup will reappear. You can close the page using keyboard shortcuts only (provided you do not move your cursor) but this is not something most users would be aware of.
The Google Chrome version of this campaign still uses the history.pushState() trick we reported back in Nov. 2016 to freeze the browser by maxing out the CPU. This affects Chrome on Windows and Mac and is by far the most disruptive experience across various browsers.
Firefox visitors are prompted with a username and password when the page is shown, which abuses HTTP basic access authentication to lock the browser by reloading that authentication dialog repeatedly.
Edge is actually the only browser that lets you close the page ‘cleanly’ without resorting to Task Manager or other quick shortcut combinations.
Distribution part 1: Malvertising
We caught a few malvertising chains involved in the numeric TSS but the most notable one was served from the AdsTerra ad network. One interesting thing is that we expected to see a different TSS campaign here (one that is hosted on Amazon S3).
Distribution part 2: Compromised websites
EITest is one of several campaigns that leverages compromised sites to monetize traffic via malicious redirections, typically to exploit kits such as RIG EK. It is also one of the few that is not only longstanding but has diversified itself with social engineering schemes already, such as the fake font trick.
In late May, @nao_sec blogged about some cloaking with EITest, in particular for certain geolocations. It quickly became clear that the multi-purpose EITest had yet another trick up its sleeve which was observed by others, such as Brad Duncan.
A large blurb is injected into compromised sites right before the </body> tag with a URL to the numeric TSS page. What is quite noteworthy is that the URL could have been for an ad network or even one of the gates we mentioned earlier. But instead, EITest generates the right URL directly, suggesting some kind of access to the same API used in the malvertising campaigns.
There are times when the API fails (perhaps because of takedowns) and we caught this happening:
Brad Duncan also captured a similar case via EITest, where the injected coded had a blank numeric domain but also a link to a RIG EK landing page (bug, A/B testing?).
Tech support scam
This campaign seems to fuel various call centers in India, with phone numbers generated on-the-fly and based on geolocation. While the fake alerts are an easy lead-in to scam unsuspected users for hundreds of dollars, we noticed some differences in how the scam goes down. Some call centers are outright fraudulent and go straight for the money, but others still take the time to walk you through a ‘diagnostic’.
Regardless, Microsoft would never use such ways to contact people that may be infected so you can rest assured that any phone number that appears out of the blue on your machine is not to be trusted.
The easiest way to get rid of a browser locker (AKA browlock) is to terminate (‘End task’) the associated browser process using the Task Manager. There are various ways to launch it depending on your operating system, but typically you can type it in the search bar (bottom left near Windows logo in Windows 10, or inside the Start Menu in Windows 7).
This does not damage your computer but you will lose websites you had opened. Having said that, the browser lock doesn’t give you much chance either to recover those anyway. After forcefully killing the browser process, you may be asked if you want to recover the pages from the ‘crash’. You are better off saying ‘no’, or else you will be back to square one dealing with the locker once again.
The delivery of tech support scams via compromised websites is worrisome because ad-blockers will be ineffective here, since there is no middle man (advertiser) involved to be blocked. This is why browsers play such a big role, but also where they fall short. Maintaining a blacklist of such sites is almost counter productive as the rogue domains rotate so quickly. There could be improvements on how to defeat browser lockers to give users a way out, but also perhaps to flag such pages as potentially malicious, simply based on their behaviour.
The growing number of social engineering schemes from malware campaigns is a sign that exploit kits are failing to generate enough victims these days, mainly due to their reliance on older vulnerabilities that have long been patched. Another factor is Google Chrome’s market share (close to 60%) while most current exploits are still very much Internet Explorer-centric.
Until attackers can get their hands on newer exploits, they will continue to design creative lures and adapt them to specific targets for the most impact.
Some examples of numeric TSS domain names:
6473819564947657419.win 7598437654236982.win 75894326984785657.win 089808456012319849851.win 28769437645567160.review 1367465423548945466.win 36546876516465456.win 15467448788975.win 1652546334798534.win 42165448125463151.win 544789942631624685.win 1317587423345278789.win 462781647864529375896239.win 547566458877948786467.win 14567996453586879.review 1894063121084890231894080.win 212655432897895349795160.win 45610897897984561087802.site 0789085614050105453286405572454.win 1987561230989456165016547084564189075132104897789415128287129.win 236846723674238468.site 712653651726438762364523546823.site 068923772895474564121755216.review
Windows Defender Alert : Zeus Virus Detected In Your Computer !! Please Do Not Shut Down or Reset Your Computer. The following data will be compromised if you continue: 1. Passwords 2. Browser History 3. Credit Card Information 4.Local Hard Disk Files. This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks. </br></br>Call Microsoft Technical Department: (888)