Hijacked Web Browser


My wife opened a post in Facebook that hijacked her browser (Edge) with a flashing alert from Microsoft saying her PC was infected, sending spam emails, etc. A lot of junk stuff. All buttons were inoperable, so it was necessary to restart the PC. I ran a Malwarebytes Scan and a Full System Norton scan which came up with nothing. Opening Edge again took her to the same Alert. She restarted again and I sent her an email with a link to a website page and had her click on the link. That opened Edge on the page I sent her and you could see her home page and the Microsoft Alert tabs. I cleared her history and all is okay. I knew to do this from past experience.

My question is: Why didn't Malwarebytes catch this? Doesn't it stop bad links inside Facebook?


Similar to these ?

I have created a series (1) of videos generated from these kinds of fraud sites for the purposes of recognition and education. They are all videos from real web sites. ALL are FRAUDS.

All these have one thing in common and they have nothing to do with any software on your PC.  They are all nefarious web sites meant to defraud you of money. The objective is to, falsely, goad you to make the phone call and pay for some service contract for an incident that never happened.  From there they may continue to charge your Credit Card for other services, remote into your computer and do real damage and/or exfiltrate your personal data and they may use the information they obtain from you to commit additional frauds.

MalwareScam.wmv
MalwareScam-1.wmv
MalwareScam-2.wmv
MalwareScam-3.wmv
MalwareScam-4.wmv
MalwareScam-5.wmv
MalwareScam-6.wmv

I have also created a PDF ScreenShow of a myriad of FakeAlert screens - FakeAlert-Screens.pdf  /  Flash Version

Malwarebytes and Norton AV did not block the site because they did not know the site. You can help by submitting the FakeAlert web site to Malwarebytes in "Newest IP or URL Threats" after reading "READ ME: Purpose of this forum". This way the site can be blocked and others would not fall prey to it.

Reference:
US FBI PSA - Tech Support Fraud
US FTC Consumer Information -  Tech Support Scams
US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams
Malwarebytes' Blog - Search on - "tech support scams"
Malwarebytes' Blog - "Tech support scams: help and resource page"



(1) Also located at "My Online Security" - Some videos of typical tech support scams


Thanks for the quick response. I didn't know if "Maklasnow" or "ravicente.live" would direct anyone to the culprit? She clicked on the boldface print, which opened the hijack. I'm not familiar with Facebook so I don't know how to report it to them or if I even can?


FakeAlerts are a type of malvertisement.

Presumably the graphic and/or the "bold face print" fronts a Link to a malvertiser who then redirected the Browser to the FakeAlert.

Therefore it is the Link behind that "bold face print" that can lead to the malvertiser.

The Browser History will hold the actual link of the FakeAlert but, I am not going to ask you to go through the trouble of looking in the Browser's History around the time of said event to obtain the FakeAlert URL.

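The history lookup described in the post above, as an added example (not code from this thread, and not a Malwarebytes tool): it opens a copy of a Chromium-style History SQLite file and walks the from_visit links backwards from the FakeAlert page to the post that started the chain, so the URL can be reported without scrolling through the history view. The table layout is a simplified subset of Chromium's History schema, the .example domains and the four visits are constructed to mimic Facebook post -> blog link -> ad redirector -> FakeAlert, and the page-transition constants are Chromium's ui::PageTransition values. This applies to Chrome and to Chromium-based Edge; the 2019 EdgeHTML Edge stores its history differently.

```python
"""Recover a FakeAlert URL and the redirect chain behind it from a Chromium-style History file.

Added example, not from the forum thread. The schema is a simplified subset of
Chromium's History SQLite database (the real file has more columns and tables);
the sample visits and .example domains are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC (the "WebKit epoch").
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# ui::PageTransition: core type in the low byte, qualifier flags in the high bits.
CORE_MASK = 0xFF
CORE_TYPES = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
              4: "manual_subframe", 5: "generated", 6: "auto_toplevel",
              7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated"}
QUALIFIERS = {0x10000000: "chain_start", 0x20000000: "chain_end",
              0x40000000: "client_redirect", 0x80000000: "server_redirect"}


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    delta = dt - WEBKIT_EPOCH          # integer arithmetic: the value exceeds float precision
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def decode_transition(value):
    names = [CORE_TYPES.get(value & CORE_MASK, "unknown")]
    names += [name for flag, name in QUALIFIERS.items() if value & flag]
    return "+".join(names)


def find_visits(conn, url_fragment):
    """Visit ids whose URL contains the fragment, oldest first."""
    rows = conn.execute(
        "SELECT v.id FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE u.url LIKE ? ORDER BY v.visit_time", (f"%{url_fragment}%",))
    return [r[0] for r in rows]


def redirect_chain(conn, visit_id):
    """Follow from_visit backwards to the first page in the chain; returns oldest first."""
    chain, seen = [], set()
    while visit_id and visit_id not in seen:       # from_visit is 0 at the start of a chain
        seen.add(visit_id)
        row = conn.execute(
            "SELECT v.id, u.url, v.visit_time, v.from_visit, v.transition "
            "FROM visits v JOIN urls u ON u.id = v.url WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:
            break
        vid, url, ts, from_visit, transition = row
        chain.append({"visit": vid, "url": url, "time": webkit_to_datetime(ts),
                      "transition": decode_transition(transition)})
        visit_id = from_visit
    chain.reverse()
    return chain


def build_sample_history():
    """Constructed in-memory database standing in for a copy of the profile's History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER NOT NULL,
                            visit_time INTEGER NOT NULL, from_visit INTEGER,
                            transition INTEGER);
    """)
    t0 = datetime(2019, 4, 1, 13, 50, tzinfo=timezone.utc)
    urls = [(1, "https://www.facebook.com/", "Facebook"),
            (2, "https://blog.example/2019/04/rookie-the-dog/", "Rookie the dog"),
            (3, "https://go.ad-redirector.example/click?id=1234", ""),
            (4, "https://fakealert.example/alert.html", "Microsoft Security Alert")]
    # (visit id, url id, seconds after t0, from_visit, transition)
    visits = [(1, 1, 0, 0, 1),                          # typed facebook.com into the address bar
              (2, 2, 30, 1, 0x10000000),                # clicked the post's link (link + chain_start)
              (3, 3, 31, 2, 0x40000000),                # script on the blog bounced to the redirector
              (4, 4, 32, 3, 0x80000000 | 0x20000000)]   # HTTP redirect landed on the FakeAlert
    for uid, url, title in urls:
        last = max(datetime_to_webkit(t0 + timedelta(seconds=s))
                   for _, u, s, _, _ in visits if u == uid)
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", (uid, url, title, 1, 0, last, 0))
    for vid, uid, secs, from_visit, transition in visits:
        conn.execute("INSERT INTO visits VALUES (?,?,?,?,?)",
                     (vid, uid, datetime_to_webkit(t0 + timedelta(seconds=secs)),
                      from_visit, transition))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_history()      # real use: sqlite3.connect("copy_of_History")
    for vid in find_visits(db, "alert.html"):
        for hop in redirect_chain(db, vid):
            print(f'{hop["time"]:%Y-%m-%d %H:%M:%S}  {hop["transition"]:<30} {hop["url"]}')
```

Copy the History file before opening it (the browser holds a lock on the live file), and search for a fragment you remember from the alert page rather than the full URL. The server_redirect and client_redirect flags on the last hops are what distinguish the malvertiser's bounce from a page the user actually clicked.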

23 hours ago, Phxflyer said:

My wife opened a post in Facebook that hijacked her browser (Edge) with a flashing alert from Microsoft saying her PC was infected

Without using a different browser with an AD blocker, I suggest you inform her to stop clicking on "SPONSORED" posts.

2019-04-02_13h54_39.png


I've cleared the browser history and cache in order to get rid of the alert, again, by having the browser open indirectly through an email link to a random webpage and then closing the bad tab and clearing the history. I'm sorry, I didn't note the bad URL before deleting.

And @Porthos. Thank you also. She is now aware not to open a sponsored link or if she sees anything from "Maklasnow" or "ravicente.live"

IF this happens again, IF being the operative word, and I write down the URL of the bad site, is this all Malwarebytes needs to know to stop this in the future?


I really don't need to keep this post going, but there's something I noticed on my wife's Facebook page. I don't use Facebook so I've never seen this.

She's been using Facebook for years and this is the first time she's had a "browser hijack". If you look at the screenshot I posted, the name over the picture (Maklasnow) and the "link" below the picture (Ravicente) don't match. I looked at a bunch of "sponsored" posts on her Facebook page and all the other ones I've seen have the SAME name above that matches a .com link under the picture. The bad one she clicked on doesn't say .com for the bottom link, but says .live and is a different name from the top one.

I can't say if this is a foolproof method to detect a malware link but it sure gives one a possible clue. But I'm sure Facebook would know this? (I'm being facetious saying that.) And of course, she now knows not to use that as criteria for not clicking on it.

Just curious, since this is the first time this has happened to her, if other Facebook users have this problem on a more frequent basis. Or is Facebook really good about catching these things?


4 hours ago, Phxflyer said:

if other Facebook users have this problem on a more frequent basis.

None of my clients will use a MS browser after the dangers (what happened to your wife) have been explained to them. I personally have not used a MS browser since the Win 98 days. 

4 hours ago, Phxflyer said:

since this the first time this has happened to her

She has been lucky. The topic of that post (social engineering) got her attention and she clicked. Other topics with redirect issues might not have interested her.

4 hours ago, Phxflyer said:

Or is Facebook really good about catching these things?

They do not care; they made their MONEY when the sponsored AD was submitted.


On the bright side, with MS replacing the current version of Edge with a Chromium based solution in the near future, plugins/extensions/add-ons that work with Chrome should work with Microsoft's new browser as well, including all the ad blockers as well as the excellent Malwarebytes browser extension beta. It is very good at blocking scams, ads, malware and many other online threats and annoyances beyond what is blocked by the Web Protection component in Malwarebytes Premium, thanks to its behavior based blocking capabilities: since it works inside the browser, it is able to actually analyze page content to detect malicious patterns, something the Web Protection component, which ties directly into the network stack and can only see connections, not actual webpage layouts, cannot do.

If you're interested, you can find out more about the extension and download it at the following links for each compatible browser:

Chrome
Firefox


12 hours ago, Porthos said:

None of my clients will use a MS browser after the dangers (what happened to your wife) have been explained to them.

This sort of attack is not only tied to MS Browsers... it can happen with any browser, as they all have vulnerabilities. If they didn't then they would not be releasing new versions.


1 hour ago, Firefox said:

This sort of attack is not only tied to MS Browsers... it can happen with any browser, as they all have vulnerabilities. If they didn't then they would not be releasing new versions.

Too true. In fact, based on my own experience, when set to its maximum setting the pop-up blocker built into Internet Explorer 11 can't be beat, not even by Chrome or Firefox. I use all 3 on a regular basis, and on some of the worst sites where I go hunting for threats, PUPs and scams, only IE is able to stop the worst of the pop-ups, though occasionally even it fails, though not nearly as often as Chrome or Firefox. In fact, I'll often revisit a site where I receive many blocked pop-up notifications in IE with Chrome just to grab the pop-ups to report to Malwarebytes, at least if they're anything malicious such as tech support scams like the one being discussed in this thread, which they often are. IE's cookie handling is also the most granular without needing any add-ons/extensions if configured to prompt for any first and third party cookies under its privacy settings. Very useful if you don't like to be tracked while surfing, at least as far as cookies are concerned.


I am not stating that Firefox or Chrome alone is the full solution. I also install a custom configured uBlock Origin as well. I also am using as of late the MB extension as well for added protection.

This is in addition to Malwarebytes Premium as well.  


Sure, I myself use Adblock Plus, the Malwarebytes browser extension beta, Ghostery, Disconnect, DuckDuckGo Privacy Essentials, Windows Defender Browser Protection (basically SmartScreen for Chrome), CanvasFingerPrintBlock, Easy WebRTC Block; and that's on top of Malwarebytes Premium, a HOSTS file which currently contains over 950,000 entries for various threats, PUPs, ads, trackers and other undesirable content, as well as SpywareBlaster's passive protection of restricted sites, script blocking/ActiveX filtering and cookie blocking lists.

Even with all of this I still get the malicious pop-ups/ads, though thankfully Malwarebytes' browser extension does detect/block the bulk of the tech support scams these days (and when they do not I report it obviously).


Sorry to ask one more question about this but it may help me to understand a little more how MB Premium works.

With the redirected website on the screen blasting away to call support, your PC is locked, don't shut down, etc, I ran a MB threat scan and it showed no detections. I think I understand why MB Premium didn't stop her from going to the bad site, but I was under the impression that running a scan would remove the problem. Since it didn't, I can only assume the problem has to be "in" your PC and not on a website. But then again, I'm assuming, MB Premium wouldn't allow the malware (PUP or whatever) to get into your PC? 

Thanks for all the responses to this and for any future posts explaining how and why MB Premium protects you.


What David says is true; these tech support scam sites are just websites, they don't actually 'infect' systems with anything or install any software.  They just display an annoying website in the hopes that you will be deceived into believing that you are infected and call the fake support number they provide so that they can try to scam money out of you for their fake PC cleaning services.


34 minutes ago, exile360 said:

the hopes that you will be deceived into believing that you are infected and call the fake support number they provide so that they can try to scam money out of you for their fake PC cleaning services.

Not only that, once you call that number, they have your number. If you hang up or tell them you're not interested, they will keep calling back and escalating their scams to get you to bite. Also they have been known to sell your phone number to others.


2 weeks later...

Phxflyer, I suggest you look up scareware, although David H Lipman explained it well. As have Firefox and exile360. It doesn't hijack your browser or install anything on your computer. It tries to trick you into doing that by calling them for their "fix". It does make it seem impossible to use your web browser though.
In Windows you can use task manager to end the application. Ending the application will close your browser. I believe Mac OS uses Activity Monitor. As you found out, a restart or, if necessary, turning off your computer will usually get rid of the pop-up.
I've looked at the Maklasnow FB page and the RAVicente.live web page (that is a WordPress web page, basically a blog, btw) and for the most part both seem safe. Harmless stuff. I have an educated guess that the same Filipino maintains both. As far as I can tell the post (both on the FB page and the WordPress page) we are talking about is the only one to get redirected to a scareware loading page. I didn't find any other posts or photos that redirected me. He/she may have deleted it by now because I couldn't find it just now.
It is possible that security is not being maintained very well on one or both. I don't know for sure but I have a hunch that internet security is more of an issue in some countries than others. I also don't know for sure where that post was uploaded from although I am thinking the Philippines. I noticed some Tagalog on the FB page.
You can also find Rookie's story by searching " rookie the dog raised by cow" or words to that effect. You can find written stories and videos.
I'm just an internet user. One that tries to find answers to the problems I have encountered over the years.


That post is still on Maklasnow's FB page. It is under the info and ads section. I sent a message. If whoever maintains the FB page and the RAvicente.live site are honest I hope they will delete both. And then repost the story if they want to.
I just have a feeling that an honest person got taken advantage of. I'll let you know if I get a reply. I might check on both and see if the post has been removed. Or I might just forget about it.


Thanks for the replies, but it did hijack the browser. Restarting the PC or using task manager to close the browser did not stop it from coming right back when the browser was opened again. With the browser open, you are unable to click on any function in the browser (like closing a tab). I know it's a scam. And again, to get rid of it, I sent her an email with a random website link in it. By opening that link through her email, it opened the browser in a different tab which allowed me to then close the bad site's tab. I then cleared the history and cache. Problem solved.


Yes, that's how those scams work. They use inbuilt functions in the browser to prevent access to the normal controls that would allow you to close or navigate away from the page. The reason it kept showing up again when starting the browser was because the browser was configured to automatically recover/restore the last webpage that was open (this should be changed under the browser's settings to prevent this in the future). Had it been actual malware installed in the browser then simply clicking on a link in an email to have the browser navigate away from the page would not have worked. Sadly it's just the result of some poorly implemented browser recovery features that make these pages more persistent than they really should be oftentimes.

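The startup-restore setting exile360 points at, as an added example (not code from this thread or from any browser vendor). Chromium-based browsers (Chrome, and Edge once it moves to Chromium; not the 2019 EdgeHTML Edge) keep a JSON file named Preferences in the profile directory; on Windows the assumed path for Chrome is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences. The script reports whether a cold start would bring the last session or a listed URL straight back, and computes the hardened settings. The key names and numeric values (session.restore_on_startup: 1 = restore last session, 4 = open the listed URLs, 5 = new tab page, 6 = both) are Chromium's; the two sample profiles and the fakealert.example URL are constructed.

```python
"""Would this Chromium profile reopen the FakeAlert tab on the next start?

Added example, not from the forum thread. Reads a Chromium "Preferences" JSON
file (assumed Windows path for Chrome: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\
Default\\Preferences) and reports the startup behaviour; the sample profiles
below are constructed.
"""
import json
from pathlib import Path

# Chromium SessionStartupPref values stored under session.restore_on_startup
RESTORE_MODES = {0: "browser default (new tab page)", 1: "restore last session",
                 4: "open the listed startup URLs", 5: "new tab page",
                 6: "restore last session and open the listed URLs"}


def load_preferences(path):
    return json.loads(Path(path).read_text(encoding="utf-8"))


def startup_exposure(prefs):
    """What a cold start of this profile brings back: the last session, listed URLs, or nothing."""
    session = prefs.get("session", {})
    mode = session.get("restore_on_startup", 0)
    urls = list(session.get("startup_urls", []))
    return {"mode": RESTORE_MODES.get(mode, f"unknown ({mode})"),
            "reopens_last_session": mode in (1, 6),
            "startup_urls": urls if mode in (4, 6) else []}


def suspicious_urls(urls, bad_fragments):
    """Startup URLs containing any of the fragments (case-insensitive)."""
    return [u for u in urls if any(f.lower() in u.lower() for f in bad_fragments)]


def harden_startup(prefs, bad_fragments):
    """Copy of prefs that opens a new tab page instead of restoring the last session
    and drops startup URLs matching bad_fragments. Nothing else is touched."""
    new = json.loads(json.dumps(prefs))                 # deep copy; the input stays intact
    session = new.setdefault("session", {})
    if session.get("restore_on_startup", 0) in (1, 6):
        session["restore_on_startup"] = 5
    current = session.get("startup_urls", [])
    bad = set(suspicious_urls(current, bad_fragments))
    session["startup_urls"] = [u for u in current if u not in bad]
    if session["restore_on_startup"] == 4 and not session["startup_urls"]:
        session["restore_on_startup"] = 5               # nothing left to open
    return new


# Constructed sample profiles (a real Preferences file is far larger).
PROFILE_RESTORES_SESSION = {"session": {"restore_on_startup": 1}}
PROFILE_OPENS_URLS = {"session": {"restore_on_startup": 4,
                                  "startup_urls": ["https://www.facebook.com/",
                                                   "https://fakealert.example/alert.html"]}}
BAD_FRAGMENTS = ["fakealert.example"]   # fragments of the URL noted from the alert page

if __name__ == "__main__":
    for name, prefs in [("restores-session", PROFILE_RESTORES_SESSION),
                        ("opens-urls", PROFILE_OPENS_URLS)]:
        before = startup_exposure(prefs)
        after = startup_exposure(harden_startup(prefs, BAD_FRAGMENTS))
        flagged = suspicious_urls(before["startup_urls"], BAD_FRAGMENTS)
        print(f"{name}: before={before} flagged={flagged}")
        print(f"{name}: after={after}")
```

Treat harden_startup's output as the change to make through the browser's own settings page (On startup) with the browser closed, not as a file to write back: Chromium tracks several preferences, these among them, with a MAC kept in Secure Preferences and may reset values edited on disk. The tab list for "restore last session" itself lives in the profile's Sessions directory, not in Preferences, which is why the alert tab survives a restart until that setting changes or the session is discarded.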

It's a matter of semantics.  It really doesn't hijack the Browser.  It uses code to overwhelm the browser and make it use an ever increasing amount of resources.  That is to lend credulity to the concept of being infected and the PC needing service and to give the impetus to make the call.  When a Browser is hijacked, it is forced to not visit the web sites you want to go to, it goes to the web sites the malicious actor in control of the software wants you to visit and see the content of.

Killing the Browser process in a FakeAlert relieves the issue because the Browser is no longer hitting the FakeAlert web site and running its malicious code.  When a Browser is hijacked there is malicious code like a Browser Helper Object (BHO) or other form of DLL that is causing the Browser to act in a particular fashion.  Killing the Browser process does not change that fact.  Once the Browser is reloaded the Browser remains in the control of the software.  You have to remove that software that is plugged-into the Browser to stop the hijacking process.

So, because the FakeAlert is driven by HTML that is only loaded when one visits the FakeAlert site, this isn't really a "browser hijack" as that is truly a function of software that has infected the computer and controls the Browser.

One may state that I am splitting hairs and maybe I am. I did not want to be pedantic in pointing that out earlier in the thread because to the victim, the ultimate effect is the Browser appears to be hijacked. However because we have gotten into the minutia I think this fine point is worth detailing. The vast majority think that software on the PC drives the screens of the FakeAlert and they miss the fact that it is merely a form of malvertisement driven by a web page. Since the actions of the Browser are merely HTML and Killing the Browser process ameliorates the problem, the Browser isn't hijacked. To be hijacked, the Browser would still be affected when the Browser is restarted.

exile360 touches on an interesting point, as I believe the Browser authors could do a better job in thwarting the code most often used in making the Browser use an ever increasing amount of resources. You would still see the content [FakeAlert-Screens.pdf / Flash Version] but the Browser would not become unresponsive and make the PC crawl like a snail.

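The check that separates the two cases David describes, as an added example (not code from this thread or from Malwarebytes): if a page comes back after the browser process is killed and restarted, the question is whether something is plugged into the browser, and for Internet Explorer that means the Browser Helper Objects registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. The script parses a `reg export` of that key together with HKCR\CLSID, pairs each BHO CLSID with the DLL its InprocServer32 entry points at, and flags DLLs that are missing from the export or that live outside Program Files and Windows. The export text is constructed (the CLSIDs, vendor name and paths are made up); only REG_SZ and dword values are decoded, which is all this triage needs.

```python
"""Pair Browser Helper Object CLSIDs with the DLLs behind them from a reg export.

Added example, not from the forum thread. Input is the text of
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" bho.reg
  reg export HKCR\\CLSID clsid.reg
concatenated; the export below is constructed (made-up CLSIDs, vendor and paths).
"""

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
# Lower-cased directory prefixes a vendor BHO is expected to load from.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.

    Returns {key path: {value name: value}}; '@' becomes "(default)", REG_SZ
    strings are unescaped, dword values become ints, anything else is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "(default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif value.startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def installed_bhos(reg):
    """[(clsid, display name or None, dll path or None)] for every BHO subkey."""
    lookup = {k.lower(): v for k, v in reg.items()}      # registry paths are case-insensitive
    prefix = BHO_KEY.lower() + "\\"
    result = []
    for key in reg:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\")[0]
        name = lookup.get(f"{CLSID_KEY}\\{clsid}".lower(), {}).get("(default)")
        dll = lookup.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32".lower(), {}).get("(default)")
        result.append((clsid, name, dll))
    return result


def flag_unusual(bhos):
    """BHOs whose DLL is not in the export or sits outside Program Files / Windows."""
    return [(clsid, name, dll) for clsid, name, dll in bhos
            if dll is None or not dll.lower().startswith(TRUSTED_PREFIXES)]


# Constructed export: one vendor BHO under Program Files, one DLL dropped under Users.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Vendor Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files (x86)\\Example Vendor\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\Public\\AppData\\helper.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    # Real exports are UTF-16LE with a BOM: Path("bho.reg").read_text(encoding="utf-16")
    registry = parse_reg(SAMPLE_EXPORT)
    for clsid, name, dll in flag_unusual(installed_bhos(registry)):
        print(f"suspicious BHO {clsid} ({name or 'no name'}): {dll or 'DLL not registered'}")
```

Real `reg export` files are UTF-16LE with a BOM, so read them with encoding="utf-16", and on 64-bit Windows also export the WOW6432Node copy of the BHO key, where 32-bit add-ons register. A DLL under a user profile or a temp directory is the thing to upload for analysis; a FakeAlert page leaves nothing here at all, which is David's point. This covers the IE-era mechanism he names; Chrome and the Chromium-based Edge do not load BHOs, and their equivalent would be the installed extensions.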
