Monday, March 30, 2015

Tech Support "pop-ups"

There is a new trap on the Internet that seems to be growing in popularity in the form of a Tech Support pop-up Window.  The first of these I saw was last Tuesday, March 24, 2015.

Norton Scam


While reviewing some pharmaceutical spam web pages, we were suddenly forwarded to the page:

alert.norton.com.pctechhelpforyou.com/index-15mac.html

Immediately after the page renders, a pop-up window is displayed repeatedly, insisting that we call the telephone number 1-888-884-7058 and ringing a bell each time it appears.  The pop-up is so insistent that it is very difficult to get past it and close the browser.

Despite the fact that this pop-up is warning me about my APPLE COMPUTER, the original trigger that we encountered was in a Windows 7 Virtual Machine.

Looking at the source code for the page, we see that we are dealing with JavaScript that uses several tricks, including "right-click disable" and the annoying assignment "window.onbeforeunload = PopIt", which fires whenever the user tries to close or leave the page.  Handlers such as "document.onmouseup" and "document.captureEvents(event.MOUSEDOWN)" help it keep control of the window, making it nearly impossible to close the browser; the window also positions itself in the center of the screen, obscuring other ways of dealing with the warning.
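Anyone who saves a copy of one of these pages can triage it automatically. The following Python script is an added example, not code from the original post: it flags page source that combines the browser-trapping handlers named above with a toll-free "call us" number. The indicator regexes are approximations of those tricks, and the three sample pages are constructed for illustration rather than captured from the real site.

```python
import re

# Indicator patterns for the browser-trapping tricks described in the post
# (added example; the regexes are approximations, not a vendor signature set).
TRAP_INDICATORS = {
    "unload_trap": re.compile(r"window\.onbeforeunload\s*=", re.I),
    "mouseup_hook": re.compile(r"document\.onmouseup\s*=", re.I),
    "mouse_capture": re.compile(r"captureEvents\s*\(\s*Event\.MOUSEDOWN", re.I),
    "right_click_disable": re.compile(r"oncontextmenu|contextmenu", re.I),
}

# North American toll-free numbers with a leading 1, e.g. 1-888-884-7058 from the post.
TOLLFREE_NUMBER = re.compile(
    r"\b1[-.\s]?8(?:00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b"
)


def scan_page_source(html: str) -> dict:
    """Return {indicator_name: hit_count} for each trap indicator present in html."""
    counts = {name: len(rx.findall(html)) for name, rx in TRAP_INDICATORS.items()}
    return {name: n for name, n in counts.items() if n}


def extract_phone_numbers(html: str) -> list:
    """Unique toll-free numbers found in the page, sorted."""
    return sorted(set(TOLLFREE_NUMBER.findall(html)))


def is_support_scam_page(html: str) -> bool:
    """Flag a page only when it both fights closing/navigation AND pushes a phone
    number; onbeforeunload on its own is common in legitimate web applications."""
    return bool(scan_page_source(html)) and bool(extract_phone_numbers(html))


# Constructed sample inputs (not captured from the real site).
SCAM_PAGE = """<html><body>
<script>
function PopIt() { alert("Your Apple computer is infected! Call 1-888-884-7058"); }
window.onbeforeunload = PopIt;
document.onmouseup = PopIt;
document.captureEvents(Event.MOUSEDOWN);
document.oncontextmenu = function () { return false; };
</script>
<p>Call Apple Support now: 1-888-884-7058</p>
</body></html>"""

# A form that warns about unsaved edits: same onbeforeunload hook, no phone number.
UNSAVED_CHANGES_PAGE = """<script>
window.onbeforeunload = function () { return "You have unsaved changes."; };
</script>"""

# A shop contact page: toll-free number, no browser trapping.
CONTACT_PAGE = "<p>Customer service: 1-800-555-0199 (Mon-Fri)</p>"

if __name__ == "__main__":
    for label, page in [("scam", SCAM_PAGE), ("unsaved", UNSAVED_CHANGES_PAGE), ("contact", CONTACT_PAGE)]:
        print(label, scan_page_source(page), extract_phone_numbers(page), is_support_scam_page(page))
```

Requiring both a trap indicator and a phone number is what keeps the false-positive rate tolerable: the unsaved-changes form and the contact page each trip one half of the check and are correctly left alone.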

iPad / Mac Pop-ups


This weekend, I found myself looking at a very similar variant, this time on an iPad, where it was even more difficult to get rid of the pop-up!

Because of the lack of mouse or keyboard on the iPad, this version of the browser pop-up was especially hard to deal with.  The pop-up prevented me from being able to exit Safari!  In the end, it was necessary to power off the iPad, power back on, and then use the "Settings" tab to clear my history and settings.  By default an iPad Safari browser returns you to the most recently visited page, which unfortunately was this pop-up!

As I explored this version, I found that the current domain was hosted on the IP address 198.143.166.36.   This same IP address was also hosting a great number of other suspicious domain names, which began to show up on March 9, 2015, according to the Passive DNS service from Internet Identity.  Checking several of these domains on the Apple forums indicates that victims are charged between $150 and $399 to clean up an imaginary malware attack.

  • mac-issue-online.com -- https://discussions.apple.com/thread/6684596 (800 680 4131)
  • apple-alert-online.com -- https://discussions.apple.com/thread/6850245
  • safarisecurityissue.com -- https://discussions.apple.com/thread/6516787
  • mac-security-alerts.com -- https://discussions.apple.com/thread/6897787
  • online-window-security.com -- (Windows - see below)
  • window-system-error.com -- suspended (why only this one??)
  • mac-pc-alerts.com
  • safarisystemalert.com
  • online-system-alerts.com
  • safarialerts.com
  • window-security-issues.com
  • instantcomputerfix.com -- https://discussions.apple.com/thread/6669786
  • techcarelive.com -- https://discussions.apple.com/thread/6527487
  • safarisystemissue.com
  • online-warning-support.com
  • quickbo0ks.com
  • iexpertstech.com
  • ixperts.net
  • joinremote.me
  • i-xperts.us
The last several domains on that list appear to belong to a company that does support for Intuit Quickbooks; however, "JoinRemote.me" is a remote control tool.  When the telephone number is called, the tech support person walks the customer through entering a tech support code by visiting "JoinRemote.me":
When that is done, the customer service technician is provided remote control access to the computer to "clean it up."

A friend from MalwareBytes has documented similar scammy behavior where a tax-season Intuit helper website ends up charging for a malware removal.  See Jerome's blog here:  https://blog.malwarebytes.org/fraud-scam/2014/03/the-tax-season-tech-support-scam/


By reviewing the Apple Discussion boards, we also saw evidence that several other people were struggling with these pop-up messages:

Continuing through the Apple discussion forums, we found evidence that this was also discussed back on September 2, 2014 in this post by Carlton Chin:

The September post had a different domain name and a different telephone number, but could it be shown that the same scammers were behind both?  Was applesecurityalert.com on 1-866-782-9808 related to safarisystemissue.com on 1-800-632-9078?

Back to Passive DNS to try to find out.

According to the Internet Identity Passive DNS system, AppleSecurityAlert.com was hosted on the IP address 50.87.153.101 beginning on August 8, 2014.

That IP address ALSO hosted i-xperts.us, ixperts.net, joinremote.me, and quickbo0ks.com, so those four domains appear on both the August/September IP (50.87.153.101) and the March 2015 IP (198.143.166.36), tying the two campaigns together.
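The pivot just described, as an added Python example rather than the post's own tooling. The records are reconstructed from what the post says the Internet Identity Passive DNS data showed; they are not a real export, the only dates that come from the post are August 8, 2014 for 50.87.153.101 and March 9, 2015 for 198.143.166.36, and the "example-bakery.test" record is invented to show what an unrelated tenant on a shared host looks like.

```python
from collections import defaultdict
from datetime import date

# Added example: (domain, ip_address, first_seen) records reconstructed from the
# post's narrative. Dates other than the two the post gives are placeholders.
PDNS_RECORDS = [
    # August/September 2014 infrastructure
    ("applesecurityalert.com", "50.87.153.101", date(2014, 8, 8)),
    ("i-xperts.us", "50.87.153.101", date(2014, 8, 8)),
    ("ixperts.net", "50.87.153.101", date(2014, 8, 8)),
    ("joinremote.me", "50.87.153.101", date(2014, 8, 8)),
    ("quickbo0ks.com", "50.87.153.101", date(2014, 8, 8)),
    # March 2015 infrastructure
    ("safarisystemissue.com", "198.143.166.36", date(2015, 3, 9)),
    ("mac-issue-online.com", "198.143.166.36", date(2015, 3, 9)),
    ("online-window-security.com", "198.143.166.36", date(2015, 3, 9)),
    ("i-xperts.us", "198.143.166.36", date(2015, 3, 9)),
    ("ixperts.net", "198.143.166.36", date(2015, 3, 9)),
    ("joinremote.me", "198.143.166.36", date(2015, 3, 9)),
    ("quickbo0ks.com", "198.143.166.36", date(2015, 3, 9)),
    # Invented unrelated tenant on the same shared host (constructed, not from the post)
    ("example-bakery.test", "198.143.166.36", date(2013, 1, 1)),
]


def index_by_ip(records):
    """ip -> set of domains ever resolved to it."""
    by_ip = defaultdict(set)
    for domain, ip, _ in records:
        by_ip[ip].add(domain)
    return by_ip


def index_by_domain(records):
    """domain -> set of IPs it ever resolved to."""
    by_dom = defaultdict(set)
    for domain, ip, _ in records:
        by_dom[domain].add(ip)
    return by_dom


def shared_domains(records, ip_a, ip_b):
    """Domains that appear on both IPs (the overlap the post relies on)."""
    by_ip = index_by_ip(records)
    return sorted(by_ip[ip_a] & by_ip[ip_b])


def neighbours(records, domain):
    """Every domain that ever shared an IP with `domain` (one pivot hop)."""
    by_ip, by_dom = index_by_ip(records), index_by_domain(records)
    return set().union(*(by_ip[ip] for ip in by_dom.get(domain, ()))) - {domain}


def bridge_domains(records, domain_a, domain_b):
    """Domains co-hosted with domain_a on some IP and with domain_b on some
    (possibly different) IP: the evidence that links the two campaigns."""
    return sorted((neighbours(records, domain_a) & neighbours(records, domain_b))
                  - {domain_a, domain_b})


def first_seen(records, ip):
    """Earliest first_seen date for any record on the IP, or None."""
    dates = [seen for _, r_ip, seen in records if r_ip == ip]
    return min(dates) if dates else None


if __name__ == "__main__":
    print("shared:", shared_domains(PDNS_RECORDS, "50.87.153.101", "198.143.166.36"))
    print("bridge:", bridge_domains(PDNS_RECORDS, "applesecurityalert.com", "safarisystemissue.com"))
    print("198.143.166.36 first seen:", first_seen(PDNS_RECORDS, "198.143.166.36"))
```

One caveat worth keeping in mind when pivoting this way: on a shared hosting IP, co-location alone links unrelated tenants, which is why the invented bakery domain shows up as a neighbour of safarisystemissue.com but never as a bridge. What makes the post's link convincing is that the four bridge domains are the same tech-support brand family at both ends, not just any shared address.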

Several of the attack sites that share these IP addresses imitate Microsoft rather than Apple.  One example is "online-window-security.com", pictured below:

Imitating Microsoft Security Essentials

Bottom line: anyone seeing one of these pop-ups telling them to call a telephone number for support is DEFINITELY dealing with a scammer and should terminate the session immediately.