
Faking it: the thriving business of “fake alert” web scams

For nearly as long as there have been web advertising networks, there have been malicious web ads. While the major web advertising networks and browser developers have made major efforts to reduce the danger of malicious content spread through legitimate websites, less scrupulous ad networks fail to screen content too frequently, and allow “pop-under” ads that evade browsers’ pop-up blocking features. And some of these “pop-unders” leverage JavaScript and Cascading Style Sheet features to convince unwary browser users that something is very, very wrong with their devices.

“Fake alert” web pages have frequently used advertising networks as the distribution scheme for potentially unwanted applications—particularly with the Bundlore family of PUAs.

Technical support scams have also been around for years. But they’ve evolved—what began as a cold-call telemarketing scam has gradually evolved over the past few years into more of a “pull” based model—using web content to bring the victims to the call center. Using embedded JavaScript code, tricks with web stylesheets and malicious server-side code, tech support scam fake alert pages try to make it difficult for the target of the attack to navigate away.

Following up on our recent research on websites exploiting a recently-patched bug in Firefox browsers, we found a number of examples of tech support fake alert pages that execute similar attacks on other browsers being spread through pop-under ads. While these scams have largely focused on English-speaking targets in the past, we found versions of these “browser lock” attacks that target Japanese, German and French language users. These attack pages all make it difficult to navigate away from them in various ways, including variations on the “evil cursor” (making the mouse pointer appear to be pointing somewhere it isn’t, or rendering it invisible) and “infinite download” attacks that overwhelm the browser.

A Windows tech support scam site using browser-locking code targeting German users.
A Safari-targeted fake alert from the same German support scam kit.
A Japanese Windows support scam site using browser-locking code.
A Japanese-language MacOS-targeted tech support scam site.



** Much more information in the Sophos article.

US FBI PSA - Tech Support Fraud
US FTC Consumer Information - Tech Support Scams
US FTC - Tech Support Operators Agree to Settle Charges by FTC and the State of Ohio
US FTC - FTC and Federal, State and International Partners Announce Major Crackdown on Tech Support Scams
Malwarebytes' Blog - Search on - "tech support scams"
Malwarebytes' Blog - "Tech support scams: help and resource page"


Edited by David H. Lipman
Edited for content, clarity, spelling and grammar

  • Staff

I would also add that, while it is generally true that tech support scam sites are updated too frequently for tools using static block lists (such as standard ad blockers, malicious web filters, HOSTS files etc.) to usually be able to keep up with them and actually prevent/block them preemptively, Malwarebytes' own Malwarebytes Browser Guard, which is available for Firefox and Chrome/Chromium-based browsers, includes behavior-based detection and blocking for tech support scam sites which does not rely on any sort of block lists and does not target such sites based on IP address or URL/domain name, but instead analyzes how the page looks and acts to quickly determine if it is a tech support scam site/pop-up and block it on the spot. It's a powerful and effective piece of tech and I highly recommend it for everyone.

Edited by exile360
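Added example, not part of either post above and not how Sophos or Malwarebytes Browser Guard detect these pages: a static triage pass over saved page source that scores the behaviours the article names (the "evil cursor", the "infinite download" and a call-centre lure) instead of matching a URL or IP block list. The patterns, weights, threshold and both sample pages are constructed assumptions.

```javascript
// Constructed heuristics: the patterns, weights and threshold are assumptions.
const ALERT_WORDS = /(virus|infected|security (alert|warning)|do not (close|shut))/i; // English only
const PHONE = /\+?\d[\d\s().-]{8,}\d/;

// Bodies of inline <script> elements.
function scripts(src) {
  return [...src.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
}

// Page text with scripts, styles and tags stripped.
function visibleText(src) {
  return src.replace(/<(script|style)\b[\s\S]*?<\/\1>/gi, " ").replace(/<[^>]+>/g, " ");
}

const SIGNALS = [
  // "Evil cursor": pointer rendered invisible.
  { id: "hidden-cursor", weight: 3, test: (src) => /cursor\s*:\s*none/i.test(src) },
  // "Evil cursor": pointer swapped for an image, so it can appear to point elsewhere.
  { id: "cursor-image", weight: 2, test: (src) => /cursor\s*:\s*url\(/i.test(src) },
  // "Infinite download": a download trigger in a script that also has a timer or unbounded loop.
  { id: "download-loop", weight: 3, test: (src) => scripts(src).some((js) =>
      /\.download\b|createObjectURL|msSaveBlob/.test(js) &&
      /setInterval\s*\(|while\s*\(\s*(true|1)\s*\)|for\s*\(\s*;\s*;\s*\)/.test(js)) },
  // Call-centre lure: alarm wording next to a phone number in the visible text.
  { id: "alert-with-phone", weight: 2, test: (src) => {
      const text = visibleText(src);
      return ALERT_WORDS.test(text) && PHONE.test(text);
    } },
];

function triage(src, threshold = 5) {
  const hits = SIGNALS.filter((s) => s.test(src));
  const score = hits.reduce((sum, s) => sum + s.weight, 0);
  return { score, suspicious: score >= threshold, signals: hits.map((s) => s.id) };
}

// Constructed, inert samples (strings only, never rendered or executed).
const SAMPLE_LOCK_PAGE = `<html><head><style>body { cursor: none; }</style></head>
<body><h1>Security alert: your PC is infected</h1><p>Call support: +1 (800) 555-0100</p>
<script>setInterval(tick, 50); function tick() { link.download = "x"; }</script></body></html>`;
const SAMPLE_SHOP_PAGE = `<html><head><style>a { cursor: pointer; }</style></head>
<body><p>Order 1042 shipped. Save your receipt.</p>
<script>document.title = "Orders";</script></body></html>`;

console.log(triage(SAMPLE_LOCK_PAGE));
console.log(triage(SAMPLE_SHOP_PAGE));
```

The word list is English only, so the Japanese, German and French variants the article mentions would need their own lure terms; the cursor and download signals do not depend on language.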
