The WoofLocker tech support scam campaign, which started in 2017, is still active and has evolved to be more resilient. It uses a complex traffic redirection scheme and targets compromised websites, particularly those containing adult content.
Diving into details
In contrast to typical tech support scam methods using malvertising, WoofLocker is distributed through a limited set of compromised websites.
- The attackers gain access to non-adult and adult traffic by distinguishing them through unique redirection URLs with "nad" and "ad" parameters.
- Malicious code in compromised sites fetches WoofLocker from a few domains. Its obfuscated code employs steganography, hiding data within images.
- Each visitor is fingerprinted to exclude virtual machines, certain browser extensions, and security tools. Legitimate residential IPs are considered, and their data is sent back as a hidden PNG image.
- Targeted users are redirected using a unique session-based URL to a browser locker screen with fake virus warnings, inspired by existing templates.
Why this matters
WoofLocker is a sophisticated fingerprinting and redirection tool seemingly designed for a specific client. Although it has the potential to serve various web threats for evasive purposes, it has predominantly facilitated tech support scams over the last six years.
- In contrast to methods involving ad purchases and constant battles with hosting providers, WoofLocker operates as a remarkably stable and easily managed enterprise.
- The compromised websites housing malicious code have remained compromised for extended periods, while the infrastructure for fingerprinting and browser lockers demonstrates reliability through a reputable registrar and hosting services.
The bottom line
In the realm of evolving cyber threats, the WoofLocker tech support scam campaign stands as a persistent and adaptable adversary, leveraging a sophisticated traffic redirection strategy to exploit compromised websites. Security analysts are advised to focus on regular website security audits to identify and address vulnerabilities. Implementing robust traffic analysis and anomaly detection mechanisms can help detect unusual redirection patterns, while continuous monitoring of website integrity can prevent unauthorized code injection.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/0e95_shutterstock_2272706843.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/64e8_shutterstock_1969771789.jpg)
