
Win7 system hijacked through Firefox


GorhamME


Greetings,

Windows 7 Pro (but sadly not for much longer) 64 bit, Firefox v. 71 (64 bit), ESET Nod 32, Malwarebytes Pro, 1Password

First off, I have ESET Nod 32 antivirus and Malwarebytes Pro running at maximum protection and I don't think any software was installed. I was (I think) checking my emails and suddenly a screen came up with all manner of alarms and threats. I wasn't tempted in the least to click on anything but I wasn't able to navigate; everything was frozen. Finally, using various attempts to access Task Manager, I did get back enough to get a printscreen and shut down regularly (as opposed to just hitting power off).

[screenshot: hijack_ed.png]

I tried windows in safe mode but couldn't find anything amiss. I don't know what sort of scan I should be performing now.

I tried googling the address (countermanding.xyz/en) but came up empty. That was surprising.

So. I'd like to know what the gurus here think I should have done and what I should do now. Also, should I report the attempt and if so, where?

Thanks much - for being here and for your help.

GME

Link to post

Greetings,

The website you encountered was a scam.  You can learn more about these types of sites on this Malwarebytes Labs page which describes what they are and how they work in great detail.

With that said, if you have not yet installed Malwarebytes Browser Guard I would highly recommend doing so.  It is available for both Chrome and Firefox and likely would have stopped that site before you ever saw it because it uses behavior based detection, not just a targeted blacklist to block tech support scam sites like the one you encountered.  You can learn more and download Malwarebytes Browser Guard here.  It is free and works well alongside Malwarebytes Premium.

Edited by exile360
Link to post

I did discover browser guard just as I was preparing to submit my issue. I installed it right away and assumed it would have caught the page in question. Also, as I said, I realized it was a hoax - misspellings and all! But I just wanted to be sure I didn't need to report it or do anything about it.

Thanks for the screenshot of browser guard. Good to know what it would look like.

Did I miss a mailing that announced it?

Thanks for the responses.

GME

Link to post
On 12/27/2019 at 4:57 PM, GorhamME said:

the address (countermanding.xyz/en)

That differs from what's in the screenshot.

Now:

Website blocked due to hijack

Website blocked: countermandable.xyz

Malwarebytes Browser Guard blocked this website because it may contain malware activity.

– maybe the block was added following your report.

There are records e.g. https://whois.domaintools.com/countermandable.xyz for the recently created domain but from here, it can't be found.

$ uname ; drill countermandable.xyz
FreeBSD
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 50206
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; countermandable.xyz. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 4005 msec
;; SERVER: 192.168.1.1
;; WHEN: Sun Dec 29 14:54:47 2019
;; MSG SIZE  rcvd: 37
$ 


Link to post
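The drill output above shows only the reply header (id 50206, flags qr rd ra, rcode SERVFAIL, one question, 37 bytes). The following stdlib-only script is an added example, not code from this thread or from Malwarebytes: it reconstructs that reply on the wire from those header fields (the bytes are constructed, not a capture), parses the header and question section back into the fields drill prints, and can optionally send the same query to a resolver. The default resolver address 192.168.1.1 is taken from the drill output and is an assumption; pass your own.

```python
"""Minimal DNS query builder and reply parser (standard library only)."""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
QCLASSES = {1: "IN"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query: flags RD only, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Return the fields drill prints in its HEADER and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [label for bit, label in ((15, "qr"), (10, "aa"), (9, "tc"),
                                      (8, "rd"), (7, "ra")) if flags >> bit & 1]
    return {
        "id": txid,
        "opcode": (flags >> 11) & 0xF,
        "flags": names,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": {"question": qd, "answer": an, "authority": ns, "additional": ar},
    }


def parse_question(msg: bytes, offset: int = 12):
    """Decode the first question (name, type, class) following the header."""
    name, offset = decode_name(msg, offset)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return (name, QTYPES.get(qtype, str(qtype)), QCLASSES.get(qclass, str(qclass))), offset + 4


def summarize(msg: bytes) -> dict:
    """Header fields plus the question and total size, like drill's summary."""
    info = parse_header(msg)
    info["question"], _ = parse_question(msg)
    info["size"] = len(msg)
    return info


# Constructed reply matching the drill output quoted in the thread:
# id 50206, flags qr rd ra (0x8182), rcode SERVFAIL, QUERY 1, nothing else.
SERVFAIL_RESPONSE = (
    struct.pack("!HHHHHH", 50206, 0x8182, 1, 0, 0, 0)
    + encode_name("countermandable.xyz") + struct.pack("!HH", 1, 1)
)


def live_lookup(name: str, server: str = "192.168.1.1", timeout: float = 4.0) -> dict:
    """Send one UDP query to `server` (assumed default from the drill output) and
    summarize the reply; a mismatched transaction id is rejected."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(512)
    info = summarize(reply)
    if info["id"] != txid:
        raise ValueError("transaction id mismatch; reply is not for our query")
    return info


if __name__ == "__main__":
    import sys
    print(summarize(SERVFAIL_RESPONSE))
    if len(sys.argv) > 1:  # e.g. python dnscheck.py example.invalid 8.8.8.8
        print(live_lookup(sys.argv[1], *sys.argv[2:3]))
```

Run it without arguments to see the reconstructed header, or with a domain (and optionally a resolver address) to compare a live answer; a SERVFAIL from one resolver and an NXDOMAIN or NOERROR from another is what distinguishes "my resolver refuses it" from "the domain is gone".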
2 hours ago, grahamperrin said:

That differs from what's in the screenshot.

Probably the classification was changed when it was reported and as usual with all these sites they are taken down by the hosts within 72-96 hours.

And it differs depending if you add the ( /en ) to the end.

Most sites with the .xyz TLD are blocked by default for your safety whether they are good or not.

Edited by Porthos
Link to post

Interesting the way these minds work. But their ploys do work far more than one would expect.

Thing is, I don't understand how they could freeze my computer but not install anything. Should I be looking for some sinister anomaly?

As usual, thank you all for applying your brains to my issue. Once upon a time I'd have been able to reciprocate but my days of being "in the loop" and "up to snuff" are gone. I can still tinker inside a PC and work in the day to day of my tech doings. And some of that will change as I'm forced to go to Windows 10.

Speaking of which, I have a lifetime subscription. Do I need to download anything or do anything once I have a W10 machine?

Thanks much.

GME

Link to post
37 minutes ago, GorhamME said:

Interesting the way these minds work. But their ploys do work far more than one would expect.

That's why they still do it.

38 minutes ago, GorhamME said:

I don't understand how they could freeze my computer but not install anything.

It locked the browser from closing; it did not freeze the actual computer.


39 minutes ago, GorhamME said:

Should I be looking for some sinister anomaly?

Not really.

Link to post

It actually did freeze the computer for a time in that I couldn't get to task manager, start menu, etc. It eventually resolved to the point that I did a shut down/restart. Today's browsers are (disturbingly) powerful I'm thinking.

Yeah and so are today's creative bad-guys. I stay alert and do pretty well with my brain and my safeguards. But I have friends who are less protected and a whole lot less savvy. How many gullible responses to this kind of thing never get reported? Or even noticed?

Sorry. That sounded a lot like a soapbox.


GME

Link to post

It is possible that they did something to place a high load on the CPU to render the system unresponsive (such as running a crypto-currency miner or some bad JavaScript in the browser designed to ramp up CPU usage) in order to make it seem more realistic that your system was infected. Unfortunately I've seen such behavior from badly written websites that weren't even scams or malicious at all, just bad coding, and I could certainly see the bad guys taking up a similar tactic just to push the 'realism' of the lie they are trying to present to their potential victims (especially since many users are now at least somewhat aware of these types of scams and know to kill their browsers/use Task Manager etc.).

Unfortunately their prominence is evidence that these scams must be quite successful on many occasions because the only reason they would continue to persist so much would be if they were turning a decent profit for the perpetrators.  This also means that many users are unaware that they got taken in by scammers and believed the fake techs when they remoted into their systems to 'fix' them, and likely trusted them with their credit card info to pay for their 'services'.  Unfortunately those same users will eventually find suspicious charges to their accounts as one of the biggest reasons for pulling these scams isn't just for the payment up front for the 'virus cleanup'; it is to get those credit card numbers so that they may make fraudulent purchases as well as withdraw cash from their victims' accounts.

As you can see by all of the articles and info published by Malwarebytes on the subject (refer to the link in my first reply to this thread), it is such a common issue these days that Malwarebytes has dedicated an entire area of their support site to informing users about it and have published many articles on the subject as well as created Malwarebytes Browser Guard itself to combat these scams.  I was on the Product Management team for Malwarebytes for several years and just before leaving, the final project I worked on was Malwarebytes Browser Guard.  I saw how prevalent these scams were as well as how similar their methods were to one another and thought there must be some kind of way to behaviorally block them based on their common patterns and similarities and so I worked with one of Malwarebytes' Developers to spec out what eventually became Malwarebytes Browser Guard.  The scope of the project was obviously expanded beyond just tech support scams, however blocking those was its original purpose and it does its job quite well.  It is an awesome tool and I am proud of the work we did on it and I am glad that they have kept it free for everyone to use.

Link to post

We always say in the repair shop business that it's amazing how victims of these scams (thanks to the scare tactics) are willing to pay $300+ to these scammers but balk at $100 to us legitimate repair shops for computer service.

Side note: these scams bring business to us, and frequently.

Edited by Porthos
Link to post

Thanks everyone.

https://forums.malwarebytes.com/topic/255169-win7-system-hijacked-through-firefox/?do=findComment&comment=1353145 above is the likeliest explanation for the original symptoms.

Rapid take-downs of offending sites are welcome but I expect some such sites to remain. See for example July's post by Malwarebytes Labs and this month's post by The Spamhaus Project:

Whether bullet-proofing is (or will be) popular for tech support scams and the like, I have no idea.

Today, for a variety of reasons, I decided to enable NoScript. General discussion at https://forums.informaction.com/ plus a Malwarebytes Forums-specific question.

Link to post

Pretty much since the beginning Malwarebytes has had the policy of blocking malware-friendly/criminal-friendly hosting providers which fail to act on abuse reports, blocking all of their servers/entire IP ranges outright, both in the Web Protection component in Malwarebytes Premium as well as in Malwarebytes Browser Guard, so I suspect that their 'bullet-proof hosting' isn't quite so 'bullet-proof', at least when it comes to Malwarebytes.

Link to post
5 hours ago, grahamperrin said:

...

Today, for a variety of reasons, I decided to enable NoScript. General discussion at https://forums.informaction.com/ plus a Malwarebytes Forums-specific question.

#grahamperrin, do you recommend enabling NoScript along with Browser Guard? I ask because I've just added the latter and haven't seen it in action yet. Do the two overlap or get in each other's way?

Seconding your comment, thanks everyone for your consideration and response to my initial post. There are some nasty tech-threats out there and it's quite comforting to know there are those who can - and are willing to - help. 👏

GME

Link to post
9 hours ago, exile360 said:

Pretty much since the beginning Malwarebytes has had the policy of blocking malware-friendly/criminal-friendly hosting providers …

👍

Some of what I find appears in the Research Centre.

Some of the more recent findings are much more troublesome – domains not to be disclosed, I sent a private message to a member of staff. From this, I imagine seven or more site blocks plus maybe a block of at least one hosting provider.

Link to post
8 hours ago, GorhamME said:

NoScript

NoScript is not for the average user. I used to use it but have not had the need to bother with it in a very long time.

I would never use it on a client's computer unless I wanted daily non-compensated service calls.

Link to post
