Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name of legitimate brands, and of course, malicious pop-ups.
We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to well-known browser locker (browlock) pages. While it is common for crooks in this industry to reuse design templates, we were still able to isolate incidents pertaining to this group, which we have been tracking under the name Partnerstroka.
However, we caught up with the same campaign again recently and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome. In this blog post, we share some of our findings on this group and their latest techniques.
The threat actors use dozens of Gmail accounts following a somewhat predictable pattern.
Each email address is tied to anywhere from a few to several hundred .club (gTLD) browlock domains abusing the GoDaddy registrar/hosting platform, with whom we have shared our investigation.
We were able to extract over 16,000 malicious domains during a period of several months, but we believe the actual number is much higher. Indeed, our visibility into the depth of this campaign was partly tied to the email addresses we had cataloged, and unfortunately, the new privacy laws around WHOIS records hindered our research.
Traffic distribution
We observed different techniques to redirect unsuspecting users to the browlock pages, although malvertising was almost always an element in the chain. The likelihood of getting redirected to one of these browlocks is higher when visiting websites that have less than optimal advertising practices.
BlackTDS
BlackTDS is a Traffic Distribution System (TDS) used by crooks to deliver web threats and filter out unwanted traffic (i.e., visitors that are not real humans). The kind of traffic that comes out of it ranges from social engineering attacks to infections via exploit kits.
The Partnerstroka group used various ad networks to drive visitors to the browlock page, sometimes directly but often via an intermediary .info gate.
Decoy sites
Another technique the threat actors leveraged was redirects via decoy portals performing what we call "cloaking," a trick used to serve malicious content only to certain kinds of users and redirect others (non-targets) to a benign-looking page instead.
Blogspot redirects
We also came across a number of blogs hosted on Blogger (now owned by Google). These were either empty or only showed limited content, and again, their purpose was to perform redirects to the browlock pages.
Studying their redirection chain more closely, we found something interesting in how the browlock domain was being called. They used a marketing platform in between that would respond with the latest registered browlock domain:
Malvertising via injected sites
The majority of activity we are observing lately comes from websites that have been injected with ad code. While some website owners do this purposely to monetize their traffic, it becomes a lot more suspicious when we find matching ad campaign identifiers across domains that have seemingly nothing in common. Thanks to @baberpervez2 for providing recent malvertising chains.
The evil cursor
There are many documented techniques that can be used to prevent users from closing a tab or browser window, and they are often specific to each browser. For instance, Edge and Firefox users will often get an "authentication required" prompt in a loop, while Chrome users are served nastier stuff, such as actual attempts to freeze the browser or trigger thousands of downloads.
In early September, we came across the Partnerstroka group again and noticed that they had incorporated a browser locker technique that was working against the latest version of Google Chrome (69.0.3497.81). Similar to other tricks, it effectively prevented the user from closing the offending page because the mouse cursor had been hijacked.
As can be seen in the animation above, the red dot represents what the user actually clicks on, even though the cursor itself seems to be way off. The code responsible for this unwanted behavior can be found within the HTML body tag:
The Base64 blob decodes to a simple image of a low-resolution mouse cursor, but the important bit is the 128x128 transparent pixel, which essentially turns your cursor into a large box. We reported this issue via the Chromium bug tracker portal, and the first person who replied showed what that custom "evil" cursor looks like:
Figure: The new cursor showing an actual (invisible) square
This is one example of many such tricks that can be used against modern browsers. Often, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.
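As an added example (not code from the original post, nor from Malwarebytes or its extension), here is a small Node.js heuristic in the spirit of the trick described above: it finds CSS `cursor: url(data:image/png;base64,...)` declarations in page HTML, reads the declared width and height from the PNG header, and flags any custom cursor larger than a normal pointer. The 32px threshold is an assumed tuning value, and the 128x128 and 32x32 PNG headers used as input are constructed inline (signature plus IHDR only, not real images).

```javascript
// Added example: heuristic to flag oversized custom cursors in page HTML.
// Scans for CSS `cursor: url(data:image/png;base64,...)` declarations, decodes
// the PNG header and reports any cursor image larger than a normal pointer.
const CURSOR_RE =
  /cursor\s*:\s*url\(\s*["']?data:image\/png;base64,([A-Za-z0-9+/=]+)["']?\s*\)/gi;
const MAX_SANE_CURSOR_PX = 32; // assumed threshold; OS pointers are ~32px or smaller

// Read width/height from the IHDR chunk that directly follows the PNG signature.
// Returns null if the bytes are not a PNG, so non-PNG data is simply skipped.
function pngDimensions(buf) {
  const sig = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length < 24 || !buf.subarray(0, 8).equals(sig)) return null;
  if (buf.toString('ascii', 12, 16) !== 'IHDR') return null;
  return { width: buf.readUInt32BE(16), height: buf.readUInt32BE(20) };
}

// Returns one finding per oversized cursor: its dimensions and the offset in
// the HTML where the declaration starts.
function findSuspiciousCursors(html) {
  const findings = [];
  for (const m of html.matchAll(CURSOR_RE)) {
    const dims = pngDimensions(Buffer.from(m[1], 'base64'));
    if (dims && (dims.width > MAX_SANE_CURSOR_PX || dims.height > MAX_SANE_CURSOR_PX)) {
      findings.push({ width: dims.width, height: dims.height, offset: m.index });
    }
  }
  return findings;
}

// Constructed test data: a PNG signature plus IHDR chunk only (not a real image),
// which is all the heuristic needs to read the declared dimensions.
function fakePngHeaderB64(width, height) {
  const buf = Buffer.alloc(24);
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]).copy(buf, 0);
  buf.writeUInt32BE(13, 8);       // IHDR data length
  buf.write('IHDR', 12, 'ascii'); // chunk type
  buf.writeUInt32BE(width, 16);
  buf.writeUInt32BE(height, 20);
  return buf.toString('base64');
}

// A 128x128 cursor like the one on the browlock page vs. an ordinary 32x32 one.
const EVIL_HTML = `<body style="cursor: url(data:image/png;base64,${fakePngHeaderB64(128, 128)}), auto;">`;
const BENIGN_HTML = `<body style="cursor: url(data:image/png;base64,${fakePngHeaderB64(32, 32)}), auto;">`;
```

Running `findSuspiciousCursors(EVIL_HTML)` yields a single 128x128 finding, while the benign page yields none.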
Similar campaigns
We have noted an increase in tech support scams abusing the NameCheap registrar. While we cannot positively identify that this is also the Partnerstroka group (landing page reuse among scammers is a thing), they definitely share some common traits.
Domain Name: ukxhdp[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-21T15:06:23Z
Figure: Browlock using the same cursor trick with a domain registered via Namecheap
Domain Name: descorservicesavailoffer[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-22T12:16:07Z
Figure: Browlock hosted on AWS S3 bucket
Mitigations
Due to the size and ever-changing nature of the infrastructure between different browser locker campaigns, applying a domain/IP database approach against them is not an effective solution. Although it does offer some coverage, scammers are always a step ahead because of their ability to register new (yet to be detected) domain names.
Here at Malwarebytes, we tackle this issue using both blacklist and, more importantly, heuristic techniques. Our browser extension (Beta) can detect and prevent browlocks:
Tech support scams have been going on for some time and followed various trends over the years. While social engineering is their main leverage, they often incorporate techniques that help with that effort. We can expect crooks to keep coming up with clever ways to disrupt the browsing experience and abuse advertising, registration, and hosting platforms along the way.
As defenders, we must also face new challenges in tracking threat actors that benefit from changes brought about by privacy protection laws. As we adapt to these new realities, sharing threat intelligence with involved parties becomes more important than ever to tackle the problem at a larger scale.
Indicators of Compromise
Recent .info redirectors
getshopea7[.]info
meshopea4[.]info
bestshopec97[.]info
Recent .club browlocks
ourtabta133[.]club
xtabtec134[.]club
doebase1089[.]club
digivinta137[.]club
99shopez16[.]club
Decoy sites
allaboutsearching[.]com
bestcookingonline[.]com
best10traveltips[.]com
thronetheater[.]com
bestporngifs[.]org
bestshockers[.]com
toptipstotravel[.]com
hddfilms[.]com
Blogger redirects
part-added-to-a-book-document[.]blogspot.com
best-account-in-world.blogspot[.]com
thjdfk.blogspot[.]com
webanalysesteam.blogspot[.]com
latestdeliverystatusesofallyours[.]blogspot.com
speechwordstominutes.blogspot[.]com
templateanditwillalwaysservethe.blogspot[.]com
themeswritingpadandcustomise.blogspot[.]com