Malware Hoax / Tech Support Scam

Recently a few of my friends have been hit by tech support scams while browsing online. In short, the maliciously crafted webpage displays shocking messages. Let’s see what it does.

Analysis

Before I jump into it, here is the (generated) page source in all its glory. Note that what the browser receives is generated server-side by a PHP script, so who knows what else is up their sleeve.


Right near the top, we can see that the webpage pretends to be a message from ESET security products. Interestingly enough, it even has Google Analytics. Getting information on victims/day?

Line 23 is interesting. I’m not sure what effect is intended there, but something interesting will occur if you’re able to click on the webpage. Normally you can’t, since the modal authentication prompt blocks interaction with the page and the browser (refer to the screenshot above).

Then you have this really obnoxious robotic audio voice playing in the background, reiterating what is already on your screen: “Your computer has been blocked…”

The audio file itself is really interesting: its metadata shows that it is a text-to-speech recording generated back in July!

For extra scare, here’s another alert with the same message – call them!

Finally, we see the bit of code that is arguably the heart of the page: keeping the victim on the page. Once the user clicks OK or Cancel on the authentication prompt, this code reloads the page, which serves a fresh prompt. Because a modal prompt is always open, the browser can do very little else.
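As an added example that is not part of the original post (and not the scam page’s own code), here is a small Node.js heuristic scanner that looks for the indicators discussed above in a page source: fake security-vendor branding, “your computer has been blocked” scare text, a phone number to call, a blocking dialog, a reload-on-dismiss loop, and auto-playing audio. The indicator patterns, their weights, the threshold and both sample pages are assumptions constructed for this example.

```javascript
// Added example, not code from the post or from the scam page it analyses.
// Indicator patterns, weights and threshold are assumptions for this example;
// the two HTML samples are constructed here, not captured pages.

// Constructed to resemble the behaviour the post describes; not the real page.
const SAMPLE_SCAM_PAGE = `
<html><head><title>ESET Security Warning</title>
<script async src="https://www.googletagmanager.com/gtag/js"></script>
</head><body>
<h1>Your computer has been blocked</h1>
<p>Call 1-888-555-0199 immediately.</p>
<audio autoplay loop src="warning.mp3"></audio>
<script>
  alert("Your computer has been blocked. Call 1-888-555-0199");
  // Dismissing any prompt triggers a reload, which serves a fresh prompt.
  window.addEventListener("beforeunload", function () { location.reload(); });
</script>
</body></html>`;

// Constructed harmless page used as a negative control.
const SAMPLE_BENIGN_PAGE = `
<html><head><title>Recipes</title></head>
<body><p>Mix flour and water.</p>
<script>document.title = "Recipes";</script></body></html>`;

// Each indicator is a name, a weight and a predicate over the raw HTML.
// The vendor list and phone-number shape are assumptions for this example.
const INDICATORS = [
  { name: 'vendorBranding', weight: 1,
    test: html => /\b(ESET|Norton|McAfee|Windows Defender)\b/i.test(html) },
  { name: 'scareText', weight: 2,
    test: html => /computer has been (blocked|infected)|virus (alert|detected)/i.test(html) },
  { name: 'phoneNumber', weight: 2,
    // North-American toll-free style number, with optional separators.
    test: html => /\b1?[-.\s]?8(00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b/.test(html) },
  { name: 'blockingDialog', weight: 2,
    test: html => (html.match(/\b(alert|confirm|prompt)\s*\(/g) || []).length >= 1 },
  { name: 'reloadOnDismiss', weight: 3,
    // An unload-type handler combined with a reload/navigation: the loop the post describes.
    test: html => /\b(onbeforeunload|beforeunload|onunload|unload)\b/i.test(html)
               && /location\.reload\s*\(|location\.href\s*=/i.test(html) },
  { name: 'autoplayAudio', weight: 1,
    test: html => /<audio\b[^>]*\bautoplay\b/i.test(html)
               || /new Audio\s*\([^)]*\)\s*\.play\s*\(/i.test(html) },
];

// Threshold of 6 is an arbitrary choice for this example.
const SCAM_THRESHOLD = 6;

// Returns the indicators that fired, their summed weight and a verdict.
function scanPage(html) {
  const hits = INDICATORS.filter(ind => ind.test(html));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    indicators: hits.map(ind => ind.name),
    score,
    verdict: score >= SCAM_THRESHOLD ? 'likely-scam' : 'unremarkable',
  };
}

console.log('scam sample  :', scanPage(SAMPLE_SCAM_PAGE));
console.log('benign sample:', scanPage(SAMPLE_BENIGN_PAGE));
```

The reload-on-dismiss indicator carries the highest weight on purpose: branding and scare text are easy to vary, but the page cannot trap the browser without re-serving its prompt, so that loop is the most stable thing to key on.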

Solution

Luckily there is a relatively simple solution to this hoax. The key idea is realising that it is just a webpage: nothing has been installed. It is then a question of quitting the browser and making sure it does not restore the previously open tabs on startup, which would simply serve the prompt again.

Additionally, for good measure I reported the link as malicious to Google.

What could have happened?

I got a peek at this hoax as my friend contacted me immediately after seeing it. Another friend of mine actually called the number. (It was another hoax but a similar webpage technique.)

Over the phone he was walked through a setup to enable them remote access. They then proceeded to carry out more sketchy stuff. Being non-tech-savvy, he didn’t know what was going on, and I ultimately formatted his computer for him, to get rid of any spyware or malware they had put in.

Do you have any similar experience? Share them below!
