Monday, March 30, 2015

Tech Support "pop-ups"

There is a new trap on the Internet that seems to be growing in popularity: the Tech Support pop-up window.  The first of these I saw was last Tuesday, March 24, 2015.

Norton Scam

While reviewing some pharmaceutical spam web pages, we were suddenly forwarded to the page:

alert.norton.com.pctechhelpforyou.com/index-15mac.html

Immediately after this page renders, a pop-up window is repeatedly displayed insisting that we call the telephone number 1-888-884-7058, and a bell rings each time the window appears.  The pop-up is so insistent that it is very difficult to get past it to close the browser.

Despite the fact that this pop-up is warning me about my APPLE COMPUTER, the original trigger that we encountered was in a Windows 7 Virtual Machine.

Looking at the source code for the page, we see that we are dealing with JavaScript that has several tricks, including "right-click disable" and an annoying command, "window.onbeforeunload = PopIt".  Handlers such as "document.onmouseup" and "document.captureEvents(event.MOUSEDOWN)" help the script keep control of the window, making it nearly impossible to close the browser.  The script also positions the window in the center of the screen, obscuring other ways of dealing with the warning.
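As an added illustration (this is not code from the original post), the following Python scanner flags page source that combines the browser-lock tricks described above with a toll-free number to call; the sample pages and the 555 phone numbers are constructed placeholders, and the indicator labels and the three-indicator threshold are my own choices.

```python
import re

# Each indicator is a regex over raw page source plus a label for the report;
# the patterns follow the tricks described above (onbeforeunload re-pop,
# right-click disable, mouse event capture, blocking alert, re-centred window).
INDICATORS = [
    (r"window\.onbeforeunload\s*=", "onbeforeunload handler re-pops the dialog"),
    (r"oncontextmenu|contextmenu", "right-click disabled"),
    (r"captureEvents\s*\(\s*event\.MOUSEDOWN", "mousedown events captured"),
    (r"document\.onmouseup\s*=", "mouseup hijacked"),
    (r"\balert\s*\(", "blocking alert() dialog"),
    (r"moveTo\s*\(|screen\.(width|height)", "window re-centred on screen"),
]
# North American toll-free prefixes; the numbers in the post use 888/800/866.
TOLL_FREE = re.compile(r"1?[-. ]?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}")

def scan_page_source(html):
    """Return matched indicators, toll-free numbers (digits only) and a verdict."""
    hits = [label for pattern, label in INDICATORS if re.search(pattern, html, re.I)]
    phones = sorted({re.sub(r"\D", "", m.group(0)) for m in TOLL_FREE.finditer(html)})
    # A single trick is common on legitimate sites (unsaved-form warnings);
    # three or more plus a phone number to call is the scam pattern.
    scam = len(hits) >= 3 and bool(phones)
    return {"indicators": hits, "phones": phones,
            "verdict": "tech-support scam lock page" if scam else "no verdict"}

# Constructed sample (not the real scam page) with a placeholder 555 number.
SAMPLE_HTML = """<html><body oncontextmenu="return false"><script>
function PopIt(){ alert("Call 1-888-555-0100 now"); window.onbeforeunload = PopIt; }
document.captureEvents(Event.MOUSEDOWN);
document.onmouseup = function(){ return false; };
window.moveTo((screen.width-600)/2, (screen.height-400)/2);
PopIt();
</script></body></html>"""
# Constructed benign page: an unsaved-changes prompt and a support number alone.
BENIGN_HTML = ('<script>window.onbeforeunload = function(){ return "Unsaved"; };'
               '</script><p>Call us at 1-800-555-0199</p>')

if __name__ == "__main__":
    print(scan_page_source(SAMPLE_HTML))
    print(scan_page_source(BENIGN_HTML))
```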

iPad / Mac Pop-ups

This weekend, I found myself looking at a very similar variant, this time on an iPad, where it was even more difficult to get rid of the pop-up!

Because of the lack of mouse or keyboard on the iPad, this version of the browser pop-up was especially hard to deal with.  The pop-up prevented me from being able to exit Safari!  In the end, it was necessary to power off the iPad, power back on, and then use the "Settings" tab to clear my history and settings.  By default an iPad Safari browser returns you to the most recently visited page, which unfortunately was this pop-up!

As I explored this version, I found that the current domain was hosted on the IP address 198.143.166.36.   This same IP address was also hosting a great number of other suspicious domain names, which began to show up on March 9, 2015, according to the Passive DNS service from Internet Identity.  Checking several of these domains on the Apple forums indicates that victims are charged between $150 and $399 to clean up an imaginary malware attack.

  • mac-issue-online.com -- https://discussions.apple.com/thread/6684596 (800 680 4131)
  • apple-alert-online.com -- https://discussions.apple.com/thread/6850245
  • safarisecurityissue.com -- https://discussions.apple.com/thread/6516787
  • mac-security-alerts.com -- https://discussions.apple.com/thread/6897787
  • online-window-security.com -- (Windows - see below)
  • window-system-error.com -- suspended (why only this one??)
  • mac-pc-alerts.com
  • safarisystemalert.com
  • online-system-alerts.com
  • safarialerts.com
  • window-security-issues.com
  • instantcomputerfix.com -- https://discussions.apple.com/thread/6669786
  • techcarelive.com -- https://discussions.apple.com/thread/6527487
  • safarisystemissue.com
  • online-warning-support.com
  • quickbo0ks.com
  • iexpertstech.com
  • ixperts.net
  • joinremote.me
  • i-xperts.us
The last several links on that page appear to belong to a company that provides support for Intuit QuickBooks; however, "JoinRemote.me" is a remote control tool.  When the telephone number is called, the tech support person walks the customer through entering a tech support code at "JoinRemote.me":

When that is done, the customer service technician is given remote control access to the computer to "clean it up."

A friend from MalwareBytes has documented similar scammy behavior where a tax-season Intuit helper website ends up charging for a malware removal.  See Jerome's blog here:  https://blog.malwarebytes.org/fraud-scam/2014/03/the-tax-season-tech-support-scam/


By reviewing the Apple Discussion boards, we also saw evidence that several other people were struggling with these pop-up messages:

Continuing to explore through the Apple discussion forums, we found evidence that this was also discussed back on September 2, 2014 in this post by Carlton Chin:

The September file had a different domain name, and a different telephone number, but could it be shown to be the same scammers?  Was applesecurityalert.com on 1-866-782-9808 related to safarisystemissue.com on 1-800-632-9078?

Back to Passive DNS to try to find out.

According to the Internet Identity Passive DNS system, AppleSecurityAlert.com was hosted on the IP address 50.87.153.101 beginning on August 8, 2014.

That IP address ALSO hosted i-xperts.us, ixperts.net, joinremote.me, and quickbo0ks.com, so the same four domains appear on both the August/September IP (50.87.153.101) and the March 2015 IP (198.143.166.36).
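The passive-DNS pivot used above, as an added Python example that is not part of the original post: the records are constructed from the IPs and domains named in the post (plus one unrelated host), and the clustering step generalises the two-IP comparison to any number of hosts connected through shared domains.

```python
from collections import defaultdict

# Constructed passive-DNS records (domain, ip): the IPs and domains are the
# ones named in the post, plus one unrelated host to show it stays separate.
RECORDS = [
    ("applesecurityalert.com", "50.87.153.101"),
    ("i-xperts.us", "50.87.153.101"),
    ("ixperts.net", "50.87.153.101"),
    ("joinremote.me", "50.87.153.101"),
    ("quickbo0ks.com", "50.87.153.101"),
    ("safarisystemissue.com", "198.143.166.36"),
    ("mac-issue-online.com", "198.143.166.36"),
    ("i-xperts.us", "198.143.166.36"),
    ("ixperts.net", "198.143.166.36"),
    ("joinremote.me", "198.143.166.36"),
    ("quickbo0ks.com", "198.143.166.36"),
    ("example-unrelated.net", "203.0.113.7"),
]

def domains_on(records, ip):
    """All domains that have resolved to ip."""
    return {domain for domain, rec_ip in records if rec_ip == ip}

def shared_domains(records, ip_a, ip_b):
    """Domains hosted on both IPs: the pivot that ties two campaigns together."""
    return sorted(domains_on(records, ip_a) & domains_on(records, ip_b))

def cluster_ips(records):
    """Group IPs that are connected through any shared domain (union-find),
    so a campaign that moves hosts still resolves to one cluster."""
    parent = {}
    def find(ip):
        parent.setdefault(ip, ip)
        while parent[ip] != ip:
            parent[ip] = parent[parent[ip]]  # path halving
            ip = parent[ip]
        return ip
    by_domain = defaultdict(set)
    for domain, ip in records:
        by_domain[domain].add(ip)
    for ips in by_domain.values():
        root = find(next(iter(ips)))
        for ip in ips:
            parent[find(ip)] = root
    clusters = defaultdict(set)
    for ip in {ip for _, ip in records}:
        clusters[find(ip)].add(ip)
    return sorted(sorted(c) for c in clusters.values())
```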

Several of the attack sites that share these IP addresses imitate Microsoft rather than Apple.  One example is "online-window-security.com", pictured below:

Imitating Microsoft Security Essentials

Bottom line - anyone seeing one of these pop-ups suggesting that a telephone number be called for support is DEFINITELY dealing with a scammer and should terminate the session immediately.

6 comments:

  1. Thanks for the explanation. I hope that phone number gets shut down soon.

     Replies:
     1. Hi guys, a few days back I noticed that my system was not responding well, and after scanning with an antivirus it detected CouponGiant Ads. This adware infection changed my browser settings automatically without notifying me. I was shocked when I launched the browser and found an unknown search engine and homepage. Each time I opened the browser I found numerous advertisements that redirected me to other sites when I clicked them to close. My browser started hanging, and it also slowed down the Internet speed. Therefore, in order to protect my system from further harm, I searched for a useful and effective antivirus software, "Automatic Removal Tool". With this software I scanned my whole system and deleted this adware infection completely.

        To get more information about this software, click here - http://www.howtouninstallamalware.com/how-to-uninstall-coupongiant-ads-malwarevirus-and-adware-windows-xp7810

  2. So is any personal information compromised? I've already begun changing passwords.

  3. When I was trying to open the browser, it automatically redirected to the windows-support-online-services.com website and suggested I call a toll-free number to get online technical support. I was facing trouble due to this malicious page, then I removed this web worm from the browser.

  4. Despite the advice given, I have called the numbers on the popup notices.
     Not to give them my business, but a piece of my nasty mind instead.
     I have gotten rude or obnoxious with them, insulted them and cussed them out, then hung up.
     I try to do this with them as often as possible.

     I think that if enough people will do this they may back off and stop doing this.
     How long will it take for them to quit if they get enough calls from irate people telling them off?
     It's certainly not going to make their day a good one to have to listen to hundreds of people yelling at them and verbally abusing them.
     That's not the kind of job I want to work at.
     Furthermore, if they aren't making any money either, then there is even less incentive to put up with this.

     We should start a movement or campaign to do this.
     Call these fake tech support scammers up and verbally abuse them in every possible way.
     It will be a form of harassment, and it would be guaranteed to make their jobs anything but idyllic.

  5. Anonymous, 4:25 AM

     Thanks a lot. Once I also encountered the same type of pop-up call with my Windows computer. But thanks to the HP support number which I have, my PC got fixed by a genuine technician without paying any fees.

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.