Browser Locker Downloads and Decodes Itself On the Fly to Avoid Detection

silversurfer
A new browser lock obfuscation technique which makes it possible for tech support scams to lock their victims' web browsers while at the same time completely avoiding detection has been observed in the wild by Malwarebytes' Jérôme Segura.
The browlock state is triggered after downloading, decoding, and executing the browser locker on the fly.

Moreover, after the browser lock page is loaded, the browser loads the Zepto.js JavaScript library featuring a mostly jQuery-compatible API and the base64.min.js library used to decode Base64 encoded content in real time.

The browser locker code is loaded using a GET request from the source.php file stored on the same server as the main scam page, decoded into memory and executed by the web browser, triggering a browlock state.

"There is no denying that crooks are once again trying to play cat and mouse with defenders," says Segura. "Perhaps as a tongue-in-cheek gesture, they even created a bogus Google Analytics tracker ID: gtag(‘config’, ‘UA-8888888-x’), in addition to using the maps-google[.]us Google look-alike domain."

Even if users fall for these scams, they should know that they are not at all dangerous and most if not all of them can be dismissed by killing the web browser process using the operating system's process manager.
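The post describes a chain that a static triage script can look for: helper libraries (Zepto.js, base64.min.js), a runtime GET of a same-server PHP endpoint, Base64 decoding into memory followed by execution, and a placeholder-looking Google Analytics ID. The following is an added example written for this thread, not code from the original article or from Malwarebytes. It scans raw HTML for those indicators and returns a list of findings; the indicator names, regular expressions, weights, and both sample pages are constructed assumptions for illustration, not published detection rules or real captured pages.

```python
"""Static heuristics for the 'download, decode, execute' browser-locker pattern.

Added example (not from the original post or from Malwarebytes). It scans raw
HTML for the indicators the post describes and returns a list of findings, so a
defender can triage scraped landing pages offline. Indicator names, patterns and
weights are assumptions made here, not published detection rules.
"""
import re
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values of <script src=...>
        self.inline = []     # bodies of <script> tags without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


# Helper libraries named in the post (file-name matching is an assumption).
HELPER_LIBS = re.compile(r"(zepto(\.min)?\.js|base64(\.min)?\.js)", re.I)
# Runtime fetch of a PHP endpoint (the post names source.php on the same server).
RUNTIME_FETCH = re.compile(r"(\$\.get|\$\.ajax|XMLHttpRequest|fetch)\s*\(.{0,200}?\.php", re.S)
# Base64 decode helper appearing together with an execution sink in one script.
DECODE = re.compile(r"\b(atob|Base64\.decode)\s*\(")
EXEC_SINK = re.compile(r"\b(eval|Function|document\.write|setTimeout)\s*\(|\.innerHTML\s*=")
# Google Analytics property IDs; flag placeholder-looking ones such as UA-8888888-x.
GA_ID = re.compile(r"['\"]UA-(\d+)-([A-Za-z0-9]+)['\"]")


def bogus_ga_id(script):
    """Return GA IDs whose number is one repeated digit or whose suffix is not numeric."""
    hits = []
    for m in GA_ID.finditer(script):
        number, suffix = m.group(1), m.group(2)
        if len(set(number)) == 1 or not suffix.isdigit():
            hits.append(f"UA-{number}-{suffix}")
    return hits


def scan_page(html):
    """Return a sorted list of indicator names found in the page."""
    p = _ScriptCollector()
    p.feed(html)
    findings = set()
    if any(HELPER_LIBS.search(src) for src in p.external):
        findings.add("helper_libs")
    for body in p.inline:
        if RUNTIME_FETCH.search(body):
            findings.add("runtime_fetch")
        if DECODE.search(body) and EXEC_SINK.search(body):
            findings.add("decode_then_execute")
        if bogus_ga_id(body):
            findings.add("bogus_ga_id")
    return sorted(findings)


def risk_score(findings):
    """Assumed weighting: decode-then-execute plus a runtime fetch is the core pattern."""
    weights = {"decode_then_execute": 3, "runtime_fetch": 2, "helper_libs": 1, "bogus_ga_id": 1}
    return sum(weights.get(f, 0) for f in findings)


# Constructed sample landing page mimicking the described chain (not a real sample).
SAMPLE_PAGE = """<html><head>
<script src="/js/zepto.min.js"></script>
<script src="/js/base64.min.js"></script>
<script>
  gtag('config', 'UA-8888888-x');
  $.get('source.php', function (payload) {
    var code = Base64.decode(payload);   // decoded only in memory
    eval(code);                          // locker routine would run here
  });
</script></head><body></body></html>"""

# Constructed benign page: plausible analytics ID, no fetch/decode/execute chain.
BENIGN_PAGE = """<html><head>
<script src="https://example.invalid/js/app.js"></script>
<script>gtag('config', 'UA-12345678-1');</script>
</head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        found = scan_page(page)
        print(name, found, "score", risk_score(found))
```

The score is only a triage aid: a page that fetches a PHP endpoint and then decodes and evals the response in memory is the part worth escalating, since nothing on disk or in the initial HTML contains the locker code, which is exactly why signature-based scanning of the landing page misses it.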