A recently uncovered tech support scam campaign has compromised thousands of websites with malicious ad injections that redirect users to a browser locker page that claims their computers are infected. Moreover, the attackers have doubled their efforts by using the malicious “Traffic Distribution System” BlackTDS as a secondary method of redirection.
Jerome Segura, lead malware intelligence analyst at Malwarebytes, explains in a May 8 company blog post that the scam was first reported by affected site owners late last year, but has since grown in scope. Victims are routed to the browser locker via a number of ad networks, followed by a redirector page that designed to look like an online apparel store called Shoppers Stop. For that reason, Malwarebytes refers to this campaign as the Shoppers Stop tech scam.
Segura writes that the browser locker is an “spinoff of the Google Chrome Safebrowsing warning.” It prevents users from closing the browser tab or window by inundating them with authentication pop-ups, and attempts to scare them into calling a toll-free number by adding a five-minute countdown clock that suggests the hard drive is about to be wiped for safety reasons.
“In many cases the only way out is to use the task manager to kill the running processes,” Segura told SC Media in an interview. “Often times, the scammers will add fake close buttons that actually full-screen the browser instead or create a popunder that constantly refreshes the main opened tab.”
Malwarebytes believes that website operators are infecting themselves with the scam campaign’s ad code injections by downloading trojanized plug-ins disguised as free, pirated versions of content management system themes.
“Cracked premium WordPress — or other CMS [platforms] for that matter — plugins, also known as “Nulled,” can easily be found in various online portals, and can be downloaded via links from free file hosting websites,” Segura told SC Media. “The most popular plugins are usually paid themes that typically are a fraction of the cost of fixing your website once it has been compromised.”
The malicious server-side PHP code, which was first reported via tweet by Sucuri researcher Denis Sinegubko, is identified as rogueads.unwanted_ads, and in some cases has redirected victims to exploit kits instead of a browser lock page.
As an alternative tactic, the attackers can also redirect users to the browser locker via BlackTDS, a tool, available since at least last December, that performs malicious drive-by attacks as a service to paying cybercriminals.
According to a Mar. 13 blog post from Proofpoint, the makers of the tool claim that their cloud-based Traffic Distribution System offers social engineering, redirection to exploit kits, and access to clean domains, while preventing detection by researchers and sandboxes.
“BlackTDS is a different attack vector, independent of the ad injections, but malvertising is involved in both cases,” Segura told SC Media. “It’s quite possible it is the work of the threat actors behind this campaigns or one of their affiliates, driving traffic to the same browser locker landing pages.”
The Shoppers Stop redirection site seemingly borrows the brand name of an actual India-based apparel retail chain, and even includes merchandise images, even though victims do not actually get to see its content. (Malwarebytes theorizes the attackers may have created this site as a demo, or to set up a fake online store.)
In another connection to India, the IP address listed on the browser locker’s warning screen does not actually correspond to the victim; rather it is an Indian IP address that belongs to the original creator of the page.
Malwarebytes further reports that the Shoppers Stop site pushes victims to the browser locker via a technique called a 301 redirect or permanent redirect, and is registered to a number of unusual top-level domains such as .accountant, which frequently rotate in order to throw off blacklisting efforts. Researchers have also linked the Shoppers Stop template to a number of other seemingly suspicious domains, including one for what was formerly a so-called tech support site.