As we all know, tech support scammers like to use a variety of techniques to fool their victims into calling them up.
Some impersonate a target’s Internet Service Provider, while others warn a user’s hard drive will have its contents deleted unless they call straight away.
Clever, but not fool-proof.
Thanks to the help of public security awareness campaigns, users are getting wise to these scare tactics. As a result, many scammers aren’t placing as great an emphasis on scaring their victims. Instead they’re concentrating on denying them access to certain functions of their computer.
That’s what’s going on in this new scam.
The ruse makes use of a vulnerability that consumes 50 percent of a machine’s CPU, ramps up the RAM to 7 Mb/s, and most importantly causes the browser to hang but to not crash.
All it takes to exploit the bug is a simple but excruciatingly long
The flaw works by abusing history.pushState() in HTML5, a method which pushes data onto the session history stack with a title and URL (if provided).
Combine that with a fake Microsoft security warning screen, and you got yourself a scam that just won’t go away.
Microsoft.Inc Warning!System has been infected
Microsoft Identification-malware infected website visited.Malicious data transferred to system from unauthorized access.System Registry files may be changed and can be used for unethical activities.
System has been infected by Virus Trojan.worm!055BCCAC9FEC - Personal information (Bank Details, Credit Cards and Account Password) may be stolen.System IP address 126.96.36.199 is unmasked and can be accessed for virus spreading.Microsoft has reported to the connected ISP to implement new firewall.Users should call immediately to Technical Support 1-844-507-3556 for free system scan.
Think you can terminate the process using Task Manager? You might be able to…or not.
Jérôme Segura of Malwarebytes explains:
“Depending on your computer’s specifications you may or may not be able to launch Task Manager to kill the browser process. Otherwise your system will be brought to its knees and a hard reboot may be the only option left. Whatever you do, please do not call the phone number for support because it is not Microsoft’s but rather a group of scammers waiting to rob you of hundreds of dollars under false pretenses.”
Malwarebytes has contacted the Google Safebrowsing team about the bug. It might date back to 2014, but if attackers are exploiting it to trick unsuspecting users, it’s important to issue some sort of fix as soon as possible.
In the meantime, users can protect themselves against this scam by avoiding clicking on suspicious links, including those that might be shortened. If they come into contact with the scam, they can try to disable the browser process using the Task Manager. If that proves fruitless, they should reboot their computer.