Jérôme Segura reports (20th September 2018) for Malwarebytes on Mass WordPress compromises redirect to tech support scams. There have been high volumes of hijackings of sites using the WordPress content management system, especially sites using outdated plugins. Prominent among the client-side payloads observed by Malwarebytes are redirections to tech support scams. Segura notes that:
Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstrokam …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”
John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking….Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.
The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”
For Malwarebytes, Jérôme Segura continues to fight the good fight against support scammers by warning us that ‘Tech support scammers find new way to jam Google Chrome‘. (If you saw this when it first appeared, note that it has been updated since.) By abusing an API, the scammers manage to freeze the browser in the hope that users will be panicked into calling the fake ‘helpline’ advertised on the pop-up or pop-under that accompanies the freeze.
However, he observes:
Since most of these browser lockers are distributed via malvertising, an effective mitigation method is to use an ad-blocker. As a last resort, the Windows Task Manager will allow you to forcefully quit the offending browser processes.
“The infamous Blue Screen of Death (BSOD) is one of the most-dreaded sights for Windows users. Adding insult to injury, a new malware is making the rounds that fakes a BSOD, and then tries to swindle victims into paying for tech support tools.”
Malwarebytes describes ‘Troubleshooter’ as a hijacker, but it’s one of those instances where a tech support scam edges close to ransomware.
Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.
If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)
If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.
Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.
MARC-ETIENNE M.LÉVEILLÉ for ESET: New crypto-ransomware hits macOS – malware that calls itself ‘Patcher’, detected by ESET as OSX/Filecoder.E [22nd February 2017]
Thomas Reed’s follow-up: Decrypting after a Findzip ransomware infection. Very useful work on recovering data (the gang behind the ransomware will take your money, but can’t provide you with a way of decrypting it). [February 28th 2017]
Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.