Sophos Cloud Optix
Tech support scammers have started exploiting a two-year-old bug in Google Chrome to trick victims into believing their PC is infected with malware.
The bug was discovered in Chrome 35 in July 2014 in the history.pushState() HTML5 function, a way of adding web pages into the session history without actually loading the page in question.
The developer who reported the issue published code showing how to add so many items into Chrome’s history list that the browser would effectively freeze.
It’s taken a while for cybercriminals to get around to exploiting this bug, but they’re now using it in a new attack reported by researcher slipstream/RoL.
From the descriptions of those who fell foul of the attack, Chrome would pop up a Prevent this page from creating additional dialogs window, after which the browser would lock up.
At this point, a bogus Microsoft support page loaded to inform users that their system was infected while urging them to call the scammers’ toll-free phone number for help.
From screenshots, this looks convincing enough to fool some people some of the time – right down to its helpful technical details with only one typo near the end.
Microsoft Identification-Malware infected website visited. Malicious data transferred to system from unauthorized access. System Registry files may be changed and can be used for unethical activites. [sic]
System has been infected by Virus Trojan.worm!055BCCAC9FEC – Personal information (Bank Details, Credit Cards and Account Password) may be stolen.
Beating the attack isn’t hard. Users can either close Chrome using the Task Manager or, in cases where the browser is using up so much processor power that Task Manager doesn’t appear, by rebooting the computer.
Google was apparently told about the issue when it was discovered, but it remains unfixed in the latest version, Chrome 53.
The chances of encountering this particular scam are small – it’s only been spotted on a single website – but its existence underlines how small bugs that don’t seem terribly important may nevertheless be abused by cyercriminals down the line.
Web browsers have long been a source of intrigue for scammers – whether by hijacking, redirecting or, as in this case, locking up a session. By tricking your browser into misbehaving, the scammers can pressure you into thinking that what’s wrong is sufficiently dangerous that you should pay up for help.
Tech support scams go back many years but seem to have enjoyed a recent resurgence.
As Microsoft noted in a recent study, as many as 20% of users who encounter fake support scams lose money.
Ironically, the brand most abused by fake support criminals is Microsoft itself, precisely because people trust it.
DEALING WITH FAKE SUPPORT CALLS
Here’s a short podcast you can recommend to friends and family. We make it clear it clear that these guys are scammers (and why), and offer some practical advice on how to deal with them.
(Originally recorded 05 Nov 2010, duration 6’15”, download size 4.5MB)
Image courtesy of slipstream/RoL / Twitter.
2 years without a fix while bashing Microsoft for taking more than 7 days to release a patch. Sorry Google, but what is good for the goose is good for the gander. Get off of your butts and fix this hole NOW.
Don Funkhouser is 100% right. This is a clear case of double standards. Google needs some moral high ground before getting on its high horse.
Just encountered this yesterday. There is an audio component, a male voice telling you to call MicroSoft.