Go to listing page

New Tech Support Scam (TSS) campaign use iframes to lock web browsers

New Tech Support Scam (TSS) campaign use iframes to lock web browsers
  • Tech support scammers are using iframes to lock web browsers and tricking users into calling their fake support hotlines disguised as legitimate services to get their computers fixed.
  • Trend Micro recorded that the URLs related to this campaign have been visited almost 575 times in a day.

What is the issue?

Tech support scammers are using iframes to lock web browsers and tricking users into calling their fake support hotlines disguised as legitimate services to get their computers fixed.

The big picture

A security researcher from Trend Micro, Samuel P Wang uncovered a new technical support scam (TSS) campaign that attempts to pass up the scammers’ fake support hotline as an official Microsoft support one.

  • Tech support scammers lock users’ web browsers and display fake alert pop-ups purporting to come from companies such as Google and Microsoft.
  • The alert pop-ups warn users that their computers have been infected or blocked.
  • The scammers then trick users into calling their support hotlines.
  • The interesting part of the scam is that users cannot close the alert pop-ups.
  • Clicking on the ‘Close’ or ‘Cancel’ button will take them back to the same pop-up page.

“Its URLs show a webpage disguised to look like a typical Microsoft tech support page. However, it hides several different functions. Entering any of the involved URLs will open two pop-up windows: One that asks for user authentication and another that simply urges users to ask for technical support. By then the user has unknowingly entered a loop,” Wang said.

How does this work

In a typical TSS campaign, cybercriminals use the basic JavaScript codes to put the users in a loop, wherein clicking on any pop-up button would simply take them back to the same pop-up page.

  • However, in this specific TSS campaign, scammers are using iframes (an HTML document embedded in another HTML document).
  • Scammers set up iframe as the page’s showLogin, making it appear when the URL is entered.
  • Iframe’s source is the authentication page URL and therefore just takes the user back to the URL.

Worth noting?

Trend Micro recorded that the URLs related to this campaign have been visited almost 575 times in a day

What you should do

  • It is always best to ensure the authenticity of the URL or the web page.
  • It is recommended to install a good security program.
  • In case if you encounter any such issue, it is best to close the browser using Task Manager.

“Fortunately, the success of TSS attacks largely depends on how users respond to their tricks. As has been highlighted in this new campaign, users can look out for suspicious characteristics of a webpage, such as unfamiliar URLs, pop-ups asking for authentication, or any sort of information and messages that raise panic and alarm,” the researcher said in a blog.

Cyware Publisher

Publisher

Cyware