A cybercriminal group specializing in tech support scams has been employing an array of traffic distribution techniques, including malvertising, in order to reroute online users to browser locker pages.

The actor, “Partnerstroka” — named after one of its malicious code strings — has even adopted a novel technique for locking Chrome browsers that involves the concept of an “evil cursor” that doesn’t actually click where you think it clicks.

“The crooks have ensured that most browsers and operating systems are covered with their own landing page,” said Jerome Segura, head of investigations, malware intelligence, at Malwarebytes, in a company blog post detailing the gang and its latest exploits.

The operation is a rather sizable one, with Malwarebytes researchers over the last several months identifying more than 16,000 malicious browser lock domains tied to dozens of actor-created Gmail accounts. Segura believes the actual number of domains is much higher, but the exact figure is difficult to determine due to certain registrars restricting visibility into their Whois records. Registrars sometimes do this to “protect their customers from spam and phishing attacks,” said Segura in an interview with SC Media. But then the advent of European GDPR rules “changed access to Whois data even more drastically… Now we have to track these campaigns with more costly and less effective means, which of course hinders our ability to tackle scams.”

Partnerstroka’s ability to redirect users is largely made possible through malvertising on websites that have been injected with ad code, but also through use of tools like the BlackTDS traffic distribution system, decoy portals and malicious blogs.

According to Malwarebytes, the decoy portals use a process called cloaking, by which some users are served the browser lock content while others are simply sent to innocuous, ordinary-looking pages. Meanwhile, the malicious blogs — hosted via Google’s Blogger service — rely on a marketing platform to force redirection to the registered browlock domain.

Partnerstroka targets a variety of browsers, locking them up while displaying “scareware”-type on-screen warnings that attempt to trick victims into contacting a fake customer support representative. “Messages vary, but usually it’s about fake infections or violations,” Segura told SC Media.

But Malwarebytes noted a particularly interesting and “evil” locking technique that Partnerstroka began using against version 69.0.3497.81 of Chrome this September. Essentially, when Chrome users are redirected to a lock page, their mouse cursors are invisibly transformed, via malicious code, into a large box. This means that users find themselves unable to control their navigation because the specific spot they are pointing to with their cursors is not where they are actually clicking.
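
One defensive check for the oversized-cursor behavior described above, as an added example that is not from the article or from Malwarebytes: it scans a page's CSS for custom cursor images and reports any that are larger than a normal pointer. It assumes the cursor arrives as an inline PNG `data:` URI and treats 32x32 pixels as the normal maximum; all function names and the sample CSS are constructed for illustration.

```javascript
// Added example, not from the article. Assumption: the cursor image is an
// inline PNG data: URI and a normal pointer is no larger than 32x32 pixels.
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
// Read width and height from a PNG's IHDR chunk; null if not a PNG.
function pngSize(buf) {
  if (buf.length < 24 || !buf.subarray(0, 8).equals(PNG_SIG)) return null;
  if (buf.toString("latin1", 12, 16) !== "IHDR") return null;
  return { width: buf.readUInt32BE(16), height: buf.readUInt32BE(20) };
}

// Values of every `cursor:` declaration. A data: URI contains ';', so the
// value ends only at a ';' or '}' that sits outside url(...).
function cursorValues(css) {
  const values = [];
  const start = /(?<![\w-])cursor\s*:/gi;
  while (start.exec(css) !== null) {
    let depth = 0, i = start.lastIndex;
    for (; i < css.length; i++) {
      if (css[i] === "(") depth++;
      else if (css[i] === ")") depth--;
      else if ((css[i] === ";" || css[i] === "}") && depth <= 0) break;
    }
    values.push(css.slice(start.lastIndex, i).trim());
    start.lastIndex = i;
  }
  return values;
}

// Sizes of all PNG cursors in `css` with a side longer than maxSide pixels.
function findOversizedCursors(css, maxSide = 32) {
  const uri = /url\(\s*["']?data:image\/png;base64,([A-Za-z0-9+/=]+)/gi;
  return cursorValues(css)
    .flatMap((v) => [...v.matchAll(uri)])
    .map((m) => pngSize(Buffer.from(m[1], "base64")))
    .filter((s) => s && (s.width > maxSide || s.height > maxSide));
}

// Constructed sample: header-only PNGs (signature + IHDR) of a given size.
function samplePng(w, h) {
  const ihdr = Buffer.alloc(16);
  ihdr.writeUInt32BE(13, 0); ihdr.write("IHDR", 4, "latin1");
  ihdr.writeUInt32BE(w, 8); ihdr.writeUInt32BE(h, 12);
  return Buffer.concat([PNG_SIG, ihdr]).toString("base64");
}
const SAMPLE_CSS = `
a { cursor: pointer; background: url(data:image/png;base64,${samplePng(400, 300)}); }
.ok { cursor: url(data:image/png;base64,${samplePng(16, 16)}), auto; }
body { cursor: url("data:image/png;base64,${samplePng(128, 128)}") 64 64, auto }`;
console.log(findOversizedCursors(SAMPLE_CSS)); // [ { width: 128, height: 128 } ]
```

The large background image in the first rule is not reported because it is not part of a `cursor` declaration; only the 128x128 cursor is.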