Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name of legitimate brands, and of course, malicious pop-ups.
We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser locker (browlock) pages. While it is common for crooks in this industry to reuse design templates, we were still able to isolate incidents pertaining to this group, which we have been tracking under the name Partnerstroka.
However, we caught up with the same campaign again recently and noticed that the fake alert pages contained what appeared to be a new browlock technique designed specifically for Google Chrome. In this blog post, we share some of our findings on this group and their latest techniques.
Different templates for the same browlock domain
Campaign identification via redirects, TLD and registrar
The threat actors use dozens of Gmail accounts following a somewhat predictable pattern.
Registrant emails tied to the Partnerstroka campaign
Each email address is tied to anywhere from a few to several hundred .club (gTLD) browlock domains abusing the GoDaddy registrar/hosting platform, with whom we have shared our investigation.
A view of the domains belonging to one email address
We were able to extract over 16,000 malicious domains during a period of several months, but we believe the actual number is much higher. Indeed, our visibility into the depth of this campaign was partly tied to the email addresses we had cataloged and unfortunately, the new privacy laws around whois records hindered our research.
We observed different techniques to redirect unsuspecting users to the browlock pages, although malvertising was almost always an element in the chain. The likelihood of getting redirected to one of these browlocks is higher when visiting websites that have less than optimal advertising practices.
BlackTDS is a Traffic Distribution System (TDS) used by crooks to deliver web threats while filtering out unwanted traffic (i.e., visitors that are not real humans, such as bots). The kind of traffic that comes out of it ranges from social engineering attacks to infections via exploit kits.
The Partnerstroka group used various ad networks to drive visitors to the browlock page, sometimes directly but oftentimes via an intermediary .info gate.
BlackTDS traffic, malvertising, .info gate, and .club browlock
Another technique the threat actors leveraged was redirects via decoy portals performing what we call "cloaking," a trick used to serve malicious content only to certain kinds of users and redirect others (non-targets) to a benign-looking page instead.
Traffic from decoy sites leading to .club browlock
We also came across a number of blogs hosted on Blogger (now owned by Google). These were either empty or only showed limited content, and again, their purpose was to perform redirects to the browlock pages.
Rogue Blogspot pages used for redirects
Studying their redirection chain more closely, we found something interesting in how the browlock domain was being called. They used a marketing tracker in between that would respond with the latest registered browlock domain:
Redirect from Blogspot to the browlock
Malvertising via injected sites
The majority of activity we are observing lately comes from websites that have been injected with ad code. While some website owners do this purposely to monetize their traffic, it becomes a lot more suspicious when we find matching ad campaign identifiers across domains that have seemingly nothing in common.
Browser locker for Edge on Windows 10 from a malvertising chain
The evil cursor
There are many different documented techniques that can be used to prevent users from closing a tab or browser window, and oftentimes they are specific to each browser. For instance, Edge and Firefox users will often get the "authentication required" prompt in a loop, while Chrome users are served nastier tricks, such as actual attempts to freeze the browser or trigger thousands of downloads.
In early September, we came across the Partnerstroka group again and noticed that they had incorporated a browser locker technique that was working against the latest version of Google Chrome at the time (69.0.3497.81). Similar to other tricks, it effectively prevented users from closing the offending page because the mouse cursor had been hijacked.
As can be seen in the animation above, the red dot represents what the user actually clicks on, even though the cursor itself seems to be way off. The code responsible for this unwanted behavior can be found within the HTML body tag:
A few lines of code to alter the mouse cursor
The Base64 blurb decodes to a simple image of a low-resolution mouse cursor, but the important bit is that the image is a 128×128 mostly transparent canvas, which essentially turns your cursor into a large invisible box: the point that actually registers a click no longer coincides with where the drawn pointer appears. We reported this issue via the Chromium bug tracker portal, and the first person who replied showed what that custom "evil" cursor looks like:
The new cursor showing an actual (invisible) square
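As an added illustration (our own example here, not code from the original post or from the scam page), the following Node.js script shows how to spot this kind of cursor in captured markup: it finds `cursor: url(data:image/png;base64,...)` declarations, reads the declared width and height from the PNG's IHDR chunk, and flags cursors that are larger than any real pointer or that omit a hotspot (which then defaults to the top-left corner of the box). The 128×128 and 24×24 samples are constructed inside the script (PNG header only, no pixel data), and the 32 px threshold is our assumption, not a browser rule.

```javascript
// Added example (not from the original post): flag oversized custom-cursor
// declarations of the kind the "evil cursor" browlock relies on. Node.js, no deps.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// CRC-32 as used by PNG chunks, so the constructed sample is a valid PNG prefix.
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) {
    c ^= b;
    for (let k = 0; k < 8; k++) c = (c >>> 1) ^ (0xedb88320 & -(c & 1));
  }
  return (c ^ 0xffffffff) >>> 0;
}

// Build only the signature + IHDR chunk of a PNG: enough for a parser that
// needs the declared dimensions. Constructed sample data, not a full image.
function pngHeaderOnly(width, height) {
  const data = Buffer.alloc(13);
  data.writeUInt32BE(width, 0);
  data.writeUInt32BE(height, 4);
  data[8] = 8; // bit depth
  data[9] = 6; // colour type 6 = RGBA; the alpha channel is what makes the box transparent
  // bytes 10..12 (compression, filter, interlace) stay 0
  const typeAndData = Buffer.concat([Buffer.from('IHDR', 'ascii'), data]);
  const len = Buffer.alloc(4); len.writeUInt32BE(13, 0);
  const crc = Buffer.alloc(4); crc.writeUInt32BE(crc32(typeAndData), 0);
  return Buffer.concat([PNG_SIGNATURE, len, typeAndData, crc]);
}

// Read width/height from the IHDR chunk, which must immediately follow the signature.
function pngDimensions(buf) {
  if (buf.length < 24 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) return null;
  if (buf.toString('ascii', 12, 16) !== 'IHDR') return null;
  return { width: buf.readUInt32BE(16), height: buf.readUInt32BE(20) };
}

// Matches `cursor: url(data:image/png;base64,...) [x y]` in CSS or inline style attributes.
const CURSOR_RE = /cursor\s*:\s*url\(\s*['"]?data:image\/png;base64,([A-Za-z0-9+/=]+)['"]?\s*\)(?:\s+(-?\d+)\s+(-?\d+))?/gi;

// One finding per data-URI cursor. A cursor is flagged as oversized when either
// dimension exceeds maxDim (32 px is our assumed ceiling for a genuine pointer).
// A missing hotspot is reported as null: Chrome then uses the top-left corner,
// far from wherever the visible pointer is drawn inside a large box.
function findSuspiciousCursors(markup, maxDim = 32) {
  const findings = [];
  for (const m of markup.matchAll(CURSOR_RE)) {
    const dims = pngDimensions(Buffer.from(m[1], 'base64'));
    if (!dims) continue; // not a PNG we can parse; skip rather than guess
    const hotspot = m[2] !== undefined ? { x: Number(m[2]), y: Number(m[3]) } : null;
    const oversized = dims.width > maxDim || dims.height > maxDim;
    findings.push({ ...dims, hotspot, oversized });
  }
  return findings;
}

const EVIL_B64 = pngHeaderOnly(128, 128).toString('base64');
const BENIGN_B64 = pngHeaderOnly(24, 24).toString('base64');

// Constructed page fragment imitating the body-tag style seen in the browlock,
// next to a normally sized cursor with an explicit hotspot for comparison.
const SAMPLE_MARKUP = `
<body style="cursor: url('data:image/png;base64,${EVIL_B64}'), auto;">
<div style="cursor: url(data:image/png;base64,${BENIGN_B64}) 2 2, pointer;">
`;

console.log(JSON.stringify(findSuspiciousCursors(SAMPLE_MARKUP), null, 2));
```

Run it with node: the first finding is the 128×128 cursor with no hotspot, flagged as oversized; the second is the 24×24 cursor with hotspot (2, 2), not flagged. On real captures, feed the script the page source or the inline `style` attributes pulled from a DOM dump, and expect to extend the regex for other image formats the cursor property accepts.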
This is one example of many such tricks that can be used against modern browsers. Oftentimes, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.
We have noted an increase in tech support scams abusing the NameCheap registrar. While we cannot positively identify that this is also the Partnerstroka group (landing page reuse among scammers is a thing), they definitely share some common traits.
Domain Name: ukxhdp[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-21T15:06:23Z