Fake pharmacy sites get crafty with modified goodbye messages

“Are you sure you don’t want to fall for a scam?”

Fake pharmaceutical web services are always looking for new methods, like Twitter warnings, to trick unsuspecting users. They have since adopted a clever new technique: modified goodbye messages that pop up whenever a user tries to close the window or tab.

We've all seen these dialog boxes before. They usually display whenever we attempt to navigate away from a site when we're in the middle of interacting with content, like writing a post or downloading a file.

Those boxes usually pop up as the result of JavaScript code, scripts which come in several forms.

One type is known as "beforeunload." This site goes into some detail about what the script is all about:

"The beforeunload event is fired when the window, the document and its resources are about to be unloaded. When a non-empty string is assigned to the returnValue Event property, a dialog box appears, asking the users for confirmation to leave the page (see example below). When no value is provided, the event is processed silently."

Essentially, whenever a user tries to close a tab or window, they trigger the "beforeunload" event. The browser then checks to see if anything needs to happen before the tab or window closes. Specifically, it looks to see if any function has been defined for "onbeforeunload" in the code, as represented here: window.onbeforeunload = function().

Now fake pharma sites are abusing that feature to display parting messages whenever a user attempts to navigate away from their pages:

[Image: the script. Source: Malwarebytes]

Pieter Arntz of Malwarebytes found most of these customized goodbye messages in Edge and Internet Explorer, whereas most other browsers simply displayed the standard "Stay or Leave" text.
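
When triaging a suspect page, one quick check is to look for beforeunload registrations and the text they try to display. The following is an added example, not code from this article or from Malwarebytes; findBeforeUnload, SAMPLE_PAGE and the sample message are constructed for illustration, and the regex matching is a heuristic first pass rather than a JavaScript parser.

```javascript
// Added example: heuristic triage of page script for beforeunload handlers.
// Obfuscated or dynamically built handlers will not match these patterns.

const REGISTRATIONS = [
  /\bonbeforeunload\s*=(?!=)/g,                      // window.onbeforeunload = ...
  /addEventListener\s*\(\s*(['"])beforeunload\1/g,   // addEventListener('beforeunload', ...)
];

// String literals assigned to returnValue or returned from the handler.
const MESSAGE = /\b(?:returnValue\s*=|return)\s*(['"])((?:\\.|(?!\1).)*)\1/g;

// How far past a registration to look for the message text (assumed bound).
const WINDOW = 600;

function findBeforeUnload(source) {
  // Collect every registration offset, in document order.
  const offsets = REGISTRATIONS
    .flatMap((re) => [...source.matchAll(re)].map((m) => m.index))
    .sort((a, b) => a - b);

  return offsets.map((start, i) => {
    // Stop at the next registration so messages are not attributed twice.
    const end = Math.min(offsets[i + 1] ?? source.length, start + WINDOW);
    const messages = [...source.slice(start, end).matchAll(MESSAGE)]
      .map((m) => m[2]);
    // A non-empty string is what asks the browser for a confirmation dialog;
    // an empty value is processed silently.
    const customText = messages.some((s) => s.trim() !== "");
    return { offset: start, messages, customText };
  });
}

// Constructed sample: one handler returning custom text, one with an empty value.
const SAMPLE_PAGE = `
  window.onbeforeunload = function () {
    return "Wait! Your discount expires when you leave this page.";
  };
  window.addEventListener("beforeunload", function (e) {
    e.returnValue = "";
  });
`;

for (const f of findBeforeUnload(SAMPLE_PAGE)) {
  console.log(f.offset, f.customText ? "custom text:" : "no text", f.messages);
}
```

A finding with customText set is worth a closer look when the message is unrelated to unsaved work on the page.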

To avoid coming across those messages, Arntz says users can disable JavaScript. But he's careful to point out that doing so would be a double-edged sword:

"Disabling JavaScript in your browser prevents this from happening, but you should realize that it does that in cases where you might have found it useful as well. It comes highly recommended though, especially for the browser that you generally use for surfing the Web."

Weigh those options carefully, and make sure you avoid visiting fake pharma websites by not clicking on suspicious links found on Skype, social media, and web forums.

One Response

  1. for sure !Harry

    November 10, 2016 at 11:37 am #

    I remember this being used on early Rick'roll sites, you'd have to get through a hundred customised 'Are you sure?' alerts before you could exit, all the while with the delights of Rick Astley blaring out of your speakers
