My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

AV Phone Scan via Fake BSOD Web Pages

Published: 2015-10-13. Last Updated: 2015-10-14 10:37:04 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:

  • Displays a fake BSOD
  • Displays constant Javascript pop-up messages containing technical information about a process failure
  • Plays a MP3 with a female voice asking you to not reboot your computer and to call a provided toll-free number

The URL contains also many parameters which, I presume, can help the attacker to identify his victim and adapt the social engineering scenario based on browser, location, etc. Here is an example of such URL:

hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=<redacted>&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794__var1..2821__rd..astoob\.\org__aid..__sid..&source=2821&clickid=

The domain has been registered in July 2015 (whois details) and the index page calls an index.js file with obfuscated JavaScript. Here is the decoded content:

<table width="904" height="645" border="0" align="center" cellpadding="2" cellspacing="2">
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6">&nbsp;</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>

Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interesting, the phone number displayed in message is customized and, in my cases, I received different numbers:

  • (855) 348 1197
  • (888) 725 1202

It was too tempting to call them. I picked up the first one and reached a call center broadcasting professional messages ("your call can be monitoring and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human guy (without Indian accent!) who presented himself as working for a premium technical support for computers. I explained to him my problem ("It seems that my computer is infected by a virus") but he was not able to help me!?  I did not test the second number but it has already been reported as malicious by other people.

This is not a brand new attack but it can make non-technical people scary. I also found that, since June 2015, Emerging Threats provides rules to detect this in their open rule set:

# grep "Fake AV Phone Scam" emerging-current_events.rules |awk 'match($0, /sid:[0-9]+/) { print substr($0, RSTART, RLENGTH)}'
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811

I recorded a small video of the web page.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be

Keywords:
4 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Comments

Perhaps it would have been more effective when trying to solicit the call-taker for help to say - rather than "I have a virus" - that you received a BSOD that told you to call this number. The call takers may have been instructed that they should only be handling calls specifically from this BSOD scam campaign; calls from old campaigns or that don't describe this fake issue may no longer be interesting to them or may be indicative to the scammers that someone who isn't just a common end user is probing their scam.
Maybe but he audio message says explicitely that the computer is infected... I'll try to call the 2nd one tonight (I'm in the GMT+1 timezone).
I experienced something similar. A user accidentally typed www.citibak.com and it redirected them to a webpage which acted like the Windows Blue Screen of Death with a BSOD driver error. The webpage even tried scaring the user with a fake Windows Defender notification. The pop-up asked the user to call Customer Service (1-877-452-9201).
I just called the second number ((888) 725 1202). After a welcome message and a few seconds, I was redirected to a call-center where the guy was clearly an indian guy. And the scenario started as usual. Here are some questions he asked me:
- My computer age
- The OS
- A number to call me back (in case of)
- My name (I'm always John Doe in such cases)
- If I was authorized to install software on my computer

I did not have a VM ready so I hung up but the scenario looks classic: download a RAT, connect to the computer, etc...

Diary Archives