Tech support scammers borrow drive-by cryptomining tactic for lock screen

  • Liam Tung (CSO Online)
  • 22 December, 2017 02:24
Sneaky pop-under only shows "Stay" option

Tech support scammers are using tiny pop-under windows in a new technique to lock Chrome users on bogus security warning pages. 

Browser locks are a popular method of scaring users into believing they have a security issue that can be fixed by bogus tech support help.  

Microsoft and Google have made changes to their respective browsers to stop scammers from abusing JavaScript to create pop-up loops that are difficult to close.  

Despite these new protections, scammers have figured out a way around Chrome's protections, as Jerome Segura, a researcher at Malwarebytes, discovered.

This fake tech support browser lock puts Chrome into full screen mode when the victim clicks anywhere on the page. Pressing the Escape key should normally make Chrome exit full screen mode, but the scammers rigged the page so that Escape triggers an endless pop-up loop.

Part of the trick used is a pop-under that appears on the bottom right of the screen. The pop-under should display a Chrome dialogue box that gives the user the option to click “Leave” or “Stay”. However, the pop-under has been positioned on the screen so that only the “Stay” part of the dialogue box is visible and clickable. 

This browser lock has three layers working in tandem: the full screen mode background window, a superimposed window that appears after pressing the Escape key, and the pop-under. The ultimate goal is to convince the user it's impossible to leave and that they should call the hotline for help, at which point they would be hit up for a few hundred dollars for a security product they don't need.

The pop-under is a different application of the same technique recently found on a web-based drive-by cryptocurrency miner attack. The pop-under window was sized and positioned so as to be concealed behind the task bar on Windows, allowing the browser miner to consume the CPU surreptitiously.  
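As an added example, not code from the article or from Malwarebytes: a small Python heuristic that scores saved page source for the combination described above (a fullscreen request, a beforeunload "Leave/Stay" prompt, an Escape-key hook, and a window.open whose position is pushed off-screen or derived from the screen size), so that an analyst or a proxy filter can flag candidate lock pages for review. The indicator regexes, weights, threshold and both sample pages are assumptions constructed for this example.

```python
"""Heuristic scoring of saved page source for the browser-lock pattern described above."""
import re

# Weighted indicators. Regexes, weights and threshold are this example's own
# assumptions about what the described lock needs, not anything from the article.
INDICATORS = [
    ("fullscreen_request", 2, re.compile(r"\b(?:webkit)?requestFullscreen\s*\(", re.I)),
    ("beforeunload_prompt", 2, re.compile(r"onbeforeunload|['\"]beforeunload['\"]", re.I)),
    ("escape_key_hook", 1, re.compile(r"keyCode\s*===?\s*27|\.key\s*===?\s*['\"]Escape['\"]", re.I)),
    ("popunder_window_open", 2, re.compile(r"window\.open\s*\(", re.I)),
    # top/left set to a 4+ digit value or derived from the screen size (off-screen / behind the task bar)
    ("offscreen_coordinates", 2, re.compile(
        r"(?:top|left)\s*=\s*(?:\d{4,}|['\"]?\s*\+?\s*\(?\s*(?:window\.)?screen\.(?:avail)?(?:Height|Width))", re.I)),
    ("toll_free_hotline", 1, re.compile(r"\b1?[-. ]?8(?:00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("scare_wording", 1, re.compile(
        r"(?:virus|security|critical)\s+(?:alert|warning)|your\s+computer\s+(?:is|has\s+been)\s+(?:infected|blocked)", re.I)),
]
LOCK_THRESHOLD = 6  # assumed cut-off: fullscreen + unload prompt + pop-under at minimum


def score_page(html):
    """Return {indicator: weight} for each indicator found in the page source."""
    return {name: weight for name, weight, rx in INDICATORS if rx.search(html)}


def classify(html):
    """Return (verdict, total score, hits) for one page."""
    hits = score_page(html)
    total = sum(hits.values())
    return ("browser-lock" if total >= LOCK_THRESHOLD else "benign"), total, hits


# Constructed samples (not real pages): a stripped-down lock page with the
# handler bodies left empty, and a benign page that legitimately uses
# fullscreen and window.open.
LOCK_SAMPLE = """<html><body onclick="document.documentElement.requestFullscreen()">
<h1>Security Warning: your computer has been infected</h1>
<p>Call 1-800-555-0199 for support.</p>
<script>
window.onbeforeunload = function () { /* triggers the Leave / Stay prompt */ };
document.onkeydown = function (e) { if (e.keyCode == 27) { /* re-open dialogs */ } };
window.open("popunder.html", "_blank",
  "width=300,height=100,left=" + (screen.availWidth - 20) + ",top=" + (screen.availHeight - 10));
</script></body></html>"""

BENIGN_SAMPLE = """<html><body><video id="v" controls></video>
<script>
document.getElementById("v").addEventListener("dblclick", function () { this.requestFullscreen(); });
window.open("help.html", "_blank", "width=600,height=400");
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("lock", LOCK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(page))
```

A legitimate video site with an unsaved-form prompt can still score several points, so treat the verdict as a triage signal rather than a block decision.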

Segura notes it is possible to close the tech support windows by clicking on the Chrome window's X button before it goes into full screen mode. After that, the only way to close the windows is by killing the process in Windows Task Manager.

“The rule of thumb here is to avoid panicking and simply close the browser via the Task Manager (if all else fails). Remember that the pop-ups themselves are usually harmless. You are safe as long as you haven’t dialed the toll-free number that is being advertised,” he noted. 

Scammers are running combined campaigns that spread tech support scams alongside cryptocurrency miners. Researchers at Trend Micro in September found 990 compromised sites that triggered redirects to tech support scam sites. While the victim is on the scam site, which locks the browser to a bogus Microsoft Windows notification, the webpage launches a JavaScript cryptocurrency miner.