Tech support scammers have created an innovative new way to freeze browsers, leveraging iframes and pop-up authentications to create a loop from which users struggle to escape upon visiting a malicious URL.
Trend Micro wrote in an April 29 blog post that the campaign's URLs are designed to impersonate a Microsoft support page. These web pages open two pop-up windows, one requesting user authentication and the other recommending that the user seek technical support. If victims attempt to click the authentication pop-up's "Cancel" button, they are directed right back to the URL. Any other buttons, meanwhile, are nonfunctional and are only there for appearances.
The trick works, Trend Micro said, "by setting iframe as the page’s showLogin, making it appear when the URL is entered. Iframe’s source or contents, in turn, is the authentication page URL and therefore just returns the user to the URL." The ultimate goal is to frustrate or scare victims into calling the phony tech support number. At that point, in a typical tech support scam, the criminals would attempt to trick the victims into paying for a fix or even installing malicious software on their computers.
Normally, tech support scam URLs leverage the JavaScript functions alert() and confirm() to trap users in a loop, but because this method is newer, it could help the scammers evade detection, Trend Micro explained.
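For defenders triaging captured pages, the two patterns described above (an iframe whose source leads back to the page's own URL, and the older alert()/confirm() loop) can be flagged with a simple static check. The following is an added example, not code from Trend Micro or from the campaign; the URLs, sample markup and function names are constructed, and the regular expression is a rough heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

# Heuristic: alert()/confirm() called inside a while/for body.
DIALOG_IN_LOOP = re.compile(
    r"\b(?:while|for)\s*\([^)]*\)\s*\{[^}]*\b(?:alert|confirm)\s*\(")

class _Collector(HTMLParser):
    """Collects iframe src values and inline script text."""
    def __init__(self):
        super().__init__()
        self.iframe_srcs, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:  # ignore iframes with no or empty src
                self.iframe_srcs.append(src)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _canonical(url):
    # Drop the fragment and any trailing slash before comparing.
    return urldefrag(url).url.rstrip("/")

def triage(page_url, html):
    """Return a list of findings for one captured page."""
    c = _Collector()
    c.feed(html)
    findings = []
    # Resolve relative src values against the page URL, then compare.
    if any(_canonical(urljoin(page_url, s)) == _canonical(page_url)
           for s in c.iframe_srcs):
        findings.append("self-referencing-iframe")
    if DIALOG_IN_LOOP.search("".join(c.scripts)):
        findings.append("dialog-loop")
    return findings

# Constructed sample input (not taken from the campaign).
PAGE_URL = "https://support.example.test/alert/index.html"
SELF_FRAME_PAGE = '<html><body><iframe src="index.html#login"></iframe></body></html>'
DIALOG_LOOP_PAGE = '<script>while (true) { alert("Your PC is locked"); }</script>'
BENIGN_PAGE = ('<iframe src="https://video.example.test/embed/1"></iframe>'
               '<script>function hi(){ alert("hi"); }</script>')
```

A hit is a reason to look closer at the page, not a verdict: scripts loaded from external files or obfuscated inline code will not be seen by this check.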
The malicious URLs, which display different formats depending on the browser used to view them, have been visited as frequently as 575 times in a single day. Trend Micro theorized that these URLs are distributed via online advertisements.
The company suggested users be wary of suspicious web pages featuring "unfamiliar URLs, pop-ups asking for authentication, or any sort of information and messages that raise panic and alarm," according to the blog post. If trapped in a loop, users can typically escape by closing the browser using Task Manager, the report continued.