Browser hanging? Don't call that support number! It's a scam!

Tech support scammers leverage annoying browser bug to trick users into calling.


As we all know, tech support scammers like to use a variety of techniques to fool their victims into calling them up.

Some impersonate a target's Internet Service Provider, while others warn a user's hard drive will have its contents deleted unless they call straight away.

Clever, but not fool-proof.

Thanks to the help of public security awareness campaigns, users are getting wise to these scare tactics. As a result, many scammers aren't placing as great an emphasis on scaring their victims. Instead they're concentrating on denying them access to certain functions of their computer.

That's what's going on in this new scam.

The ruse makes use of a vulnerability that consumes 50 percent of a machine's CPU, ramps up the RAM to 7 Mb/s, and most importantly causes the browser to hang without crashing.

All it takes to exploit the bug is a simple but excruciatingly long for loop built in JavaScript.


The flaw works by abusing history.pushState() in HTML5, a method which pushes data onto the session history stack with a title and URL (if provided).

Combine that with a fake Microsoft security warning screen, and you've got yourself a scam that just won't go away.

Alert

Microsoft.Inc Warning!System has been infected

Microsoft Identification-malware infected website visited.Malicious data transferred to system from unauthorized access.System Registry files may be changed and can be used for unethical activities.

System has been infected by Virus Trojan.worm!055BCCAC9FEC - Personal information (Bank Details, Credit Cards and Account Password) may be stolen.System IP address 112.15.16.175 is unmasked and can be accessed for virus spreading.Microsoft has reported to the connected ISP to implement new firewall.Users should call immediately to Technical Support 1-844-507-3556 for free system scan.

Think you can terminate the process using Task Manager? You might be able to...or not.

Jérôme Segura of Malwarebytes explains:

"Depending on your computer’s specifications you may or may not be able to launch Task Manager to kill the browser process. Otherwise your system will be brought to its knees and a hard reboot may be the only option left. Whatever you do, please do not call the phone number for support because it is not Microsoft’s but rather a group of scammers waiting to rob you of hundreds of dollars under false pretenses."

Malwarebytes has contacted the Google Safebrowsing team about the bug. It might date back to 2014, but if attackers are exploiting it to trick unsuspecting users, it's important to issue some sort of fix as soon as possible.

In the meantime, users can protect themselves against this scam by avoiding clicking on suspicious links, including those that might be shortened. If they come into contact with the scam, they can try to disable the browser process using the Task Manager. If that proves fruitless, they should reboot their computer.
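The kind of fix this bug calls for is a cap on how often a page may call history.pushState(). The sketch below is an added example, not code from the original article or from Malwarebytes: it wraps pushState with a sliding-window rate limit, and the names guardPushState, maxCalls and windowMs, along with their default values, are assumptions chosen for illustration.

```javascript
// Added example: sliding-window rate limit for history.pushState().
// guardPushState, maxCalls and windowMs are hypothetical names and values.
function guardPushState(historyObj, { maxCalls = 50, windowMs = 10000, now = Date.now } = {}) {
  const original = historyObj.pushState;
  const stamps = [];                       // timestamps of recently allowed calls
  const stats = { allowed: 0, dropped: 0 };

  historyObj.pushState = function (state, title, url) {
    const t = now();
    // Forget calls that have aged out of the window.
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
    if (stamps.length >= maxCalls) {
      stats.dropped++;                     // over budget: do not grow the history stack
      return undefined;
    }
    stamps.push(t);
    stats.allowed++;
    return original.call(this, state, title, url);
  };

  // Remove the wrapper again (useful in tests).
  stats.restore = () => { historyObj.pushState = original; };
  return stats;
}

// In a browser, install the guard before any page script runs.
if (typeof window !== "undefined" && window.history) {
  guardPushState(window.history);
}
```

A page can bypass a script-level wrapper by reaching the prototype method directly, so this shows the throttling logic rather than a complete defence. The durable fix is the same limit enforced inside the browser itself.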


4 Responses

  1. Bruce

    November 4, 2016 at 12:35 pm #

    Which browsers? (Not IE/Edge, right?)

  2. JungleMartin

    November 4, 2016 at 4:19 pm #

    What does "ramps up the RAM to 7 Mb/s" mean?

    • l_Digi_Dude_l in reply to JungleMartin.

      November 5, 2016 at 10:57 pm #

      It most likely is talking about the data transfer speed. It's sending and receiving 7 Mb/s of data consistently and non-stop. Though I think they meant to say 7 MB/s and that would come out to be 56 Mb/s. Either way that doesn't seem to be much, but that may be divided up per process and could be running multiple processes.

      • nelsoncbuttner000 in reply to l_Digi_Dude_l.

        February 25, 2017 at 10:30 pm #

        How do I get it off?
