Tech support scammers bite Chrome users with forgotten 2014 bug

Tech support scammers have started exploiting a two-year-old bug in Google Chrome to trick victims into believing their PC is infected with malware.

The bug was discovered in Chrome 35 in July 2014 in the history.pushState() HTML5 function, a way of adding web pages into the session history without actually loading the page in question.

The developer who reported the issue published code showing how to add so many items into Chrome’s history list that the browser would effectively freeze.

It’s taken a while for cybercriminals to get around to exploiting this bug, but they’re now using it in a new attack reported by researcher slipstream/RoL.

From the descriptions of those who fell foul of the attack, Chrome would pop up a “Prevent this page from creating additional dialogs” window, after which the browser would lock up.

At this point, a bogus Microsoft support page loaded to inform users that their system was infected while urging them to call the scammers’ toll-free phone number for help.

From screenshots, this looks convincing enough to fool some people some of the time – right down to its helpful technical details with only one typo near the end.

Microsoft Identification-Malware infected website visited. Malicious data transferred to system from unauthorized access. System Registry files may be changed and can be used for unethical activites. [sic]

System has been infected by Virus Trojan.worm!055BCCAC9FEC – Personal information (Bank Details, Credit Cards and Account Password) may be stolen.

Beating the attack isn’t hard. Users can either close Chrome using the Task Manager or, in cases where the browser is using up so much processor power that Task Manager doesn’t appear, reboot the computer.

Google was apparently told about the issue when it was discovered, but it remains unfixed in the latest version, Chrome 53.
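Until the browser itself limits this, a script that runs in the page before any untrusted code can cap how fast the session history is allowed to grow. The following is an added example, not code from the original article, the bug report or Chrome: `guardHistory`, the stand-in history object and the budget of 50 calls per 10 seconds are all assumptions made for illustration.

```javascript
// Added example: rate-limit guard for history.pushState()/replaceState().
// guardHistory() and its options are hypothetical names, not a browser API.
function guardHistory(historyObj, { maxCalls = 50, windowMs = 10000, now = Date.now } = {}) {
  const stats = { allowed: 0, dropped: 0 };
  let stamps = []; // timestamps of calls allowed inside the current window

  for (const name of ['pushState', 'replaceState']) {
    const original = historyObj[name];
    if (typeof original !== 'function') continue;
    historyObj[name] = function (...args) {
      const t = now();
      stamps = stamps.filter((s) => t - s < windowMs); // slide the window
      if (stamps.length >= maxCalls) {
        stats.dropped += 1; // over budget: ignore the call, history does not grow
        return undefined;
      }
      stamps.push(t);
      stats.allowed += 1;
      return original.apply(this, args);
    };
  }
  return stats;
}

// Constructed stand-in for window.history so the example runs offline under Node.
function makeFakeHistory() {
  const entries = [];
  return {
    entries,
    pushState(state, title, url) { entries.push(url); },
    replaceState(state, title, url) { entries[Math.max(entries.length - 1, 0)] = url; },
  };
}

// Constructed scenario: `calls` pushState() calls at one instant,
// then a single call after the window has expired.
function simulateBurst(calls) {
  let clock = 0;
  const fake = makeFakeHistory();
  const stats = guardHistory(fake, { maxCalls: 50, windowMs: 10000, now: () => clock });
  for (let i = 0; i < calls; i++) fake.pushState(null, '', '/p' + i);
  clock = 10001; // budget has refilled, so a normal navigation still works
  fake.pushState(null, '', '/later');
  return { entries: fake.entries.length, allowed: stats.allowed, dropped: stats.dropped };
}
```

In a real browser the guard would be applied to `window.history` itself, and it only helps if it is installed before the page's own scripts run.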

The chances of encountering this particular scam are small – it’s only been spotted on a single website – but its existence underlines how small bugs that don’t seem terribly important may nevertheless be abused by cybercriminals down the line.

Web browsers have long been a source of intrigue for scammers – whether by hijacking, redirecting or, as in this case, locking up a session. By tricking your browser into misbehaving, the scammers can pressure you into thinking that what’s wrong is sufficiently dangerous that you should pay up for help.

Tech support scams go back many years but seem to have enjoyed a recent resurgence.

As Microsoft noted in a recent study, as many as 20% of users who encounter fake support scams lose money.

Ironically, the brand most abused by fake support criminals is Microsoft itself, precisely because people trust it.


Here’s a short podcast you can recommend to friends and family. We make it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.

(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)

Image courtesy of slipstream/RoL / Twitter.