BROWSER HANGING MALWARE WITH VICIOUS MICROSOFT CURE LINK

If you find that your browser is hanging, and you receive what appears to be a solution to the problem, DO NOT CLICK THE LINK TO THE SOLUTION, AS THIS WILL ONLY LEAD YOU TO FURTHER MALWARE PROBLEMS.

The Graham Cluley computer security service has published the following warning:

Browser hanging? Don’t call that support number! It’s a scam!

Tech support scammers leverage annoying browser bug to trick users into calling.

As we all know, tech support scammers like to use a variety of techniques to fool their victims into calling them up.

Some impersonate a target’s Internet Service Provider, while others warn a user’s hard drive will have its contents deleted unless they call straight away.

Clever, but not fool-proof.

Thanks to the help of public security awareness campaigns, users are getting wise to these scare tactics. As a result, many scammers aren’t placing as great an emphasis on scaring their victims. Instead they’re concentrating on denying them access to certain functions of their computer.

That’s what’s going on in this new scam.

The ruse makes use of a vulnerability that consumes 50 percent of a machine’s CPU, ramps up the RAM to 7 Mb/s, and most importantly causes the browser to hang but to not crash.

All it takes to exploit the bug is a simple but excruciatingly long for loop built in JavaScript.

Bug code

The flaw works by abusing history.pushState() in HTML5, a method which pushes data onto the session history stack with a title and URL (if provided).

Combine that with a fake Microsoft security warning screen, and you got yourself a scam that just won’t go away.

Alert

Microsoft.Inc Warning!System has been infected

Microsoft Identification-malware infected website visited.Malicious data transferred to system from unauthorized access.System Registry files may be changed and can be used for unethical activities.

System has been infected by Virus Trojan.worm!055BCCAC9FEC – Personal information (Bank Details, Credit Cards and Account Password) may be stolen.System IP address 112.15.16.175 is unmasked and can be accessed for virus spreading.Microsoft has reported to the connected ISP to implement new firewall.Users should call immediately to Technical Support 1-844-507-3556 for free system scan.

Think you can terminate the process using Task Manager? You might be able to…or not.

Jérôme Segura of Malwarebytes explains:

“Depending on your computer’s specifications you may or may not be able to launch Task Manager to kill the browser process. Otherwise your system will be brought to its knees and a hard reboot may be the only option left. Whatever you do, please do not call the phone number for support because it is not Microsoft’s but rather a group of scammers waiting to rob you of hundreds of dollars under false pretenses.”

Malwarebytes has contacted the Google Safebrowsing team about the bug. It might date back to 2014, but if attackers are exploiting it to trick unsuspecting users, it’s important to issue some sort of fix as soon as possible.

In the meantime, users can protect themselves against this scam by avoiding clicking on suspicious links, including those that might be shortened. If they come into contact with the scam, they can try to disable the browser process using the Task Manager. If that proves fruitless, they should reboot their computer.

This article was from the Graham Cluley computer security service
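
The article describes the bug as a very long JavaScript loop calling history.pushState(). The sketch below is an added example, not code from the original article or from Malwarebytes: it shows a throttling wrapper that drops pushState calls beyond a budget per time window. The names `guardPushState`, `makeFakeHistory` and `demo`, and the thresholds, are assumptions made for illustration.

```javascript
// Added illustration: rate-limit history.pushState() so a runaway loop cannot
// flood the session history. Thresholds are assumed values, not browser defaults.
function guardPushState(historyObj, opts = {}) {
  const maxCalls = opts.maxCalls ?? 50;      // assumed budget per window
  const windowMs = opts.windowMs ?? 10000;   // assumed window length
  const now = opts.now ?? (() => Date.now());
  const original = historyObj.pushState;
  const stats = { allowed: 0, blocked: 0 };
  let windowStart = now();
  let used = 0;

  historyObj.pushState = function (state, title, url) {
    const t = now();
    if (t - windowStart >= windowMs) {       // new window: reset the budget
      windowStart = t;
      used = 0;
    }
    if (used >= maxCalls) {                  // over budget: drop the call
      stats.blocked += 1;
      if (stats.blocked === 1 && opts.onFlood) opts.onFlood(stats);
      return undefined;
    }
    used += 1;
    stats.allowed += 1;
    return original.call(this, state, title, url);
  };

  // restore() puts the original method back, e.g. when the page is trusted.
  return { stats, restore: () => { historyObj.pushState = original; } };
}

// Constructed stand-in for window.history so the example runs outside a browser.
function makeFakeHistory() {
  return { entries: [], pushState(state, title, url) { this.entries.push(url); } };
}

// Constructed scenario: a page issues 500 pushState calls in one burst,
// then a single legitimate call after the window has passed.
function demo() {
  let clock = 0;
  const fake = makeFakeHistory();
  const guard = guardPushState(fake, { maxCalls: 50, windowMs: 10000, now: () => clock });
  for (let i = 0; i < 500; i++) fake.pushState({}, "", "/p" + i);
  clock = 10001;
  fake.pushState({}, "", "/later");
  return { entries: fake.entries.length, ...guard.stats };
}
```

In a real browser the wrapper would have to be installed before any page script runs (for example from an extension content script), and a page can still reach History.prototype.pushState directly, so this shows the throttling idea rather than a complete defense.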

About Mr. Bloggy

I am a disabled volunteer community blogger. My real name is Mark Mapstone, I am an ex Royal Marine and was a consultant to the commercial mailing and distribution industry. Why not visit some of my other blogsites?
