AV Phone Scan via Fake BSOD Web Pages
A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:
- Displays a fake BSOD
- Displays constant Javascript pop-up messages containing technical information about a process failure
- Plays a MP3 with a female voice asking you to not reboot your computer and to call a provided toll-free number
The URL contains also many parameters which, I presume, can help the attacker to identify his victim and adapt the social engineering scenario based on browser, location, etc. Here is an example of such URL:
The domain has been registered in July 2015 (whois details) and the index page calls an index.js file with obfuscated JavaScript. Here is the decoded content:
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6"> </p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>
Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interesting, the phone number displayed in message is customized and, in my cases, I received different numbers:
- (855) 348 1197
- (888) 725 1202
It was too tempting to call them. I picked up the first one and reached a call center broadcasting professional messages ("your call can be monitoring and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human guy (without Indian accent!) who presented himself as working for a premium technical support for computers. I explained to him my problem ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number but it has already been reported as malicious by other people.
This is not a brand new attack but it can make non-technical people scary. I also found that, since June 2015, Emerging Threats provides rules to detect this in their open rule set:
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811
I recorded a small video of the web page.
Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be
Reverse-Engineering Malware: Advanced Code Analysis | Online | Greenwich Mean Time | Oct 28th - Nov 1st 2024 |
Comments
Anonymous
Oct 14th 2015
9 years ago
Anonymous
Oct 14th 2015
9 years ago
Anonymous
Oct 14th 2015
9 years ago
- My computer age
- The OS
- A number to call me back (in case of)
- My name (I'm always John Doe in such cases)
- If I was authorized to install software on my computer
I did not have a VM ready so I hung up but the scenario looks classic: download a RAT, connect to the computer, etc...
Anonymous
Oct 14th 2015
9 years ago