{"id":7926,"date":"2017-06-13T07:10:31","date_gmt":"2017-06-13T15:10:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/13\/news-1707\/"},"modified":"2017-06-13T07:10:31","modified_gmt":"2017-06-13T15:10:31","slug":"news-1707","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/06\/13\/news-1707\/","title":{"rendered":"The numeric Tech Support Scam campaign"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 13 Jun 2017 14:00:21 +0000<\/strong><\/p>\n

There are many\u00a0different tech support scam (TSS) campaigns active at any given moment, the majority of them are\u00a0fueled by malicious adverts (the browser lockers), or bundled software (the screen lockers).<\/p>\n

Something interesting happened recently, where legitimate – but hacked – websites would redirect to a tech support scam page, not only via malvertising but also from hacked websites bearing the mark of a popular website infection.<\/p>\n

What was particularly striking was the fact that visitors from the US (and some other locations), running Internet Explorer, were being targeted and redirected to the scam page instead of what we would normally expect: an exploit kit landing page.<\/p>\n

In this blog, we will focus on the US campaign that is pushed both via malvertising and\u00a0compromised sites and recognizable by its use of numeric domain names.<\/p>\n

Numeric TSS<\/h3>\n

This latest tech support scam scheme can be identified by the use of only digits within its domain name. While they may look odd at first, numeric domains – as they are known –\u00a0work just like any other domain names.<\/p>\n

They can be quite expensive if kept short as they can represent a brand or have special meanings (i.e. containing the number 8, popular in Chinese culture<\/a>), but are otherwise a cheap commodity.<\/p>\n

In fact, each domain we encountered as part of this attack was registered for a mere $0.88 and\u00a0came with free WhoisGuard protection for anonymity:<\/p>\n

\"\"<\/a><\/p>\n

The numeric TSS has been around since at least early April based on this urlQuery report<\/a>, with some of those domains registered at the end of March.<\/p>\n

Domain name Creation date  6473819564947657419.win 2017-03-31  7598437654236982.win 2017-03-31<\/pre>\n
Browser lockers<\/h3>\n
Almost all browsers fail to mitigate the fake alert used by the numeric TSS, by not allowing you to normally close the page and instead of leaving little choice other than resorting to using the Task Manager to kill the offending process.<\/p>\n
Internet Explorer<\/strong><\/h4>\n
For Internet Explorer, the crooks are using mouse events to load the dialog message. Each time the mouse moves over a certain area, the same popup will reappear. You can close the page using keyboard shortcuts only (provided you do not move your cursor) but this is not something most users would be aware of.<\/p>\n
\"\"<\/a><\/p>\n
Code:<\/p>\n
\"\"<\/a><\/p>\n
Google Chrome<\/strong><\/h4>\n
The Google Chrome version of this campaign still uses the history.pushState()<\/em> trick we reported<\/a> back in Nov. 2016 to freeze the browser by maxing out the CPU. This affects Chrome on Windows and Mac and is by far the most disruptive experience across various browsers.<\/p>\n
\"\"<\/a><\/p>\n
Code:<\/p>\n
\"\"<\/a><\/p>\n
Firefox<\/strong><\/h4>\n
Firefox visitors are prompted with a username and password when the page is shown, which abuses HTTP basic access authentication<\/a> to lock the browser by reloading that\u00a0authentication dialog repeatedly.<\/p>\n
\"\"<\/a><\/p>\n
Code:<\/p>\n
\"\"<\/a><\/p>\n
Edge<\/strong><\/h4>\n
Edge is actually the only browser that lets you close the page ‘cleanly’ without resorting to Task Manager or other quick shortcut combinations.<\/p>\n
\"\"<\/a><\/p>\n
Code:<\/p>\n
\"\"<\/a><\/p>\n
Distribution part 1: Malvertising<\/h3>\n
We caught a few malvertising chains\u00a0involved in the numeric TSS but the most notable one was served from the AdsTerra ad network. One interesting thing is that we expected to see\u00a0a different TSS campaign here (one that is hosted on\u00a0Amazon S3).<\/p>\n
\"\"<\/a><\/p>\n
Distribution part 2: Compromised websites<\/h3>\n
EITest<\/a> is one of several campaigns that leverages compromised sites to monetize traffic via malicious redirections, typically to exploit kits such as RIG EK. It is also one of the few that is not only longstanding<\/a> but has diversified itself with social engineering schemes already, such as the fake font trick<\/a>.<\/p>\n
In late May,\u00a0@nao_sec<\/a>\u00a0blogged<\/a> about some cloaking with EITest, in particular for certain geolocations. It quickly became clear that the multi-purpose EITest had yet another trick up its sleeve which was observed<\/a> by others, such as Brad Duncan<\/a>.<\/p>\n
A large blurb is injected into compromised sites\u00a0right before the <\/body><\/em> tag with a URL to the numeric TSS page. What is quite noteworthy is that the URL could have been for an ad network or even one of the gates we mentioned earlier. But instead, EITest generates the right URL directly, suggesting some kind of access to the same API used in the malvertising campaigns.<\/p>\n
\"\"<\/a><\/p>\n
There are times when the API fails (perhaps because of takedowns) and we caught this happening:<\/p>\n
\"\"<\/a><\/p>\n
Brad Duncan also captured<\/a> a similar case\u00a0via EITest, where the injected coded had a blank numeric domain but also a link to a RIG EK landing page (bug, A\/B testing?).<\/p>\n
Tech support scam<\/h3>\n
This campaign seems to fuel various call centers in India, with phone numbers generated on-the-fly and based on geolocation. While the fake alerts are an easy lead-in to scam unsuspected users for hundreds of dollars, we noticed some differences in how the scam goes down. Some call centers are outright fraudulent and go straight for the money, but others still take the time to walk you through a ‘diagnostic’.<\/p>\n
\"\"<\/p>\n
Regardless, Microsoft would never use such ways\u00a0to contact people that may be infected so you can rest assured that any phone number that appears out of the blue on your machine is not to be trusted.<\/p>\n
Mitigation<\/h3>\n
The easiest way to get rid of a browser locker (AKA browlock) is to terminate (‘End task’) the associated browser process using the Task Manager. There are various ways to launch it depending on your operating system, but typically you can type it in the search bar (bottom left near Windows logo in Windows 10, or inside the Start Menu in Windows 7).<\/p>\n
\"\"<\/p>\n
This does not damage your computer but you will lose\u00a0websites you had opened. Having said that, the browser lock doesn’t give you much chance either to recover those anyway. After forcefully killing the browser process, you may be asked if you want to recover the pages from the ‘crash’. You are better off saying ‘no’, or else you will be back to square one dealing with the locker once again.<\/p>\n
Conclusion<\/h3>\n
The delivery of tech support scams via compromised websites is\u00a0worrisome because ad-blockers will be ineffective here, since there is no middle man (advertiser) involved to be blocked.\u00a0This is why browsers play such a big role, but also where they fall short. Maintaining a blacklist of such sites is almost counter productive as the rogue domains rotate so quickly. There could be improvements on how to defeat browser lockers to give users a way out, but also perhaps to flag such pages as potentially malicious, simply based on their behaviour.<\/p>\n
The growing number of social engineering schemes from malware campaigns is\u00a0a sign that exploit kits are failing to generate enough victims these days, mainly due to their reliance on older vulnerabilities that have long been patched. Another factor is Google Chrome’s market share (c<\/a>lose to 60%<\/a>) while most current exploits are still very much Internet Explorer-centric.<\/p>\n
Until\u00a0attackers can get their hands on newer exploits, they will continue to design creative lures and adapt them to specific targets\u00a0for the most impact.<\/p>\n
\n
Tech Support Scams – Help & Resource Page<\/a><\/p>\n<\/blockquote>\n