Shoppers Stop tech scam campaign of forced ad injections
<blockquote data-quote="Prorootect" data-source="post: 734413" data-attributes="member: 905"><p><span style="font-size: 18px"><strong>Shoppers Stop tech scam campaign draws from thousands of forced ad injections</strong></span></p><p></p><p>by Jérôme Segura</p><p> </p>
<p>These days, there are a lot of browser locker campaigns fueled by malvertising or redirection from hacked sites. But the Shoppers Stop tech scam campaign is actually a bit of both, using compromised sites injected with advertising code that redirects users to other threats, including tech support scams, via malvertising.</p>
<p>We believe those ad injections came from pirated CMS themes. Normally, these are WordPress themes that people typically have to pay to download. Instead, they are offered for free, with a bonus bundle of malicious code.</p>
<p>One aspect we noticed as part of the redirection mechanism was an online shopping portal registered to domains with suspicious TLDs such as <em>.trade</em>, <em>.accountant</em>, <em>.ml</em> that quickly rotate to make blacklisting approaches futile. However, using that same artifact, we were able to flag other browser locker incidents for this particular campaign.</p><p></p>
<p><span style="font-size: 15px"><strong><u>The browlock</u></strong></span></p><p></p>
<p>The browser locker used in this campaign is a spin-off of the Google Chrome Safe Browsing warning. The scammers have added scare tactics to it (e.g. <em>Hard Drive Safety Delete Starting in: 5:00 minutes</em>), as well as authentication pop-ups that prevent the user from closing the browser tab or window.</p>
<p><a href="https://blog.malwarebytes.com/wp-content/uploads/2018/05/browlock_.png" target="_blank"><img src="https://blog.malwarebytes.com/wp-content/uploads/2018/05/browlock_.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></a></p>
<p>In this template, the crooks have not bothered with changing the IP address (supposedly of their victim), which still belongs to the original creator of that page, located somewhere in India. The toll-free number, dynamically populated both on the page and the URL, is what the scammers hope potential victims will dial.</p><p></p><p></p>
<p>...read more on the website...</p></blockquote>
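The quoted article points out that the shopping-portal domains rotate so quickly that blacklisting individual hostnames is futile, while the TLDs they land on (<em>.trade</em>, <em>.accountant</em>, <em>.ml</em>) stay constant. A defender can turn that observation into a detection: rebuild the referrer chain per client from proxy logs and flag any chain that starts on an ordinary site and hops onto one of those TLDs. The script below is an added example written for this thread, not code from the Malwarebytes article or from MalwareTips; the log format (timestamp, client IP, referrer or <code>-</code>, destination URL) and the log lines themselves are constructed for illustration, and the TLD list is taken from the article.

```python
"""Flag redirect chains that land on fast-rotating, suspicious-TLD domains.

Added example for this forum thread (not from the quoted article). Rather than
blacklisting hostnames that rotate daily, score on the landing domain's TLD and
record where the chain started, so the compromised origin site can be followed up.
"""
import re
from urllib.parse import urlsplit

# TLDs the article names for the rotating shopping-portal domains.
SUSPICIOUS_TLDS = {"trade", "accountant", "ml"}

# Constructed sample proxy log (not real traffic). Assumed format:
#   <timestamp> <client-ip> <referrer-or-dash> <requested-url>
SAMPLE_LOG = """\
2018-05-10T12:00:01Z 10.0.0.5 - http://example-blog.test/post/1
2018-05-10T12:00:02Z 10.0.0.5 http://example-blog.test/post/1 http://shop-portal-a1b2.trade/offer?id=7
2018-05-10T12:00:03Z 10.0.0.5 http://shop-portal-a1b2.trade/offer?id=7 http://warning-page-x9.ml/alert.html
2018-05-10T12:00:04Z 10.0.0.6 - http://example-news.test/
2018-05-10T12:00:05Z 10.0.0.6 http://example-news.test/ http://cdn.example-news.test/ad.js
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<referrer>\S+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["referrer"] = None if rec["referrer"] == "-" else rec["referrer"]
    return rec


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def tld_of(host):
    """Last label of a hostname ('trade' for 'shop.example.trade')."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def build_chains(log_text):
    """Group requests per client and link each request to the chain whose last URL
    is its referrer. Returns {client: [chain, ...]} where a chain is a list of URLs."""
    chains_by_client = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        chains = chains_by_client.setdefault(rec["client"], [])
        for chain in chains:
            if rec["referrer"] is not None and chain[-1] == rec["referrer"]:
                chain.append(rec["url"])
                break
        else:
            # No referrer, or referrer not seen before: this request starts a new chain.
            chains.append([rec["url"]])
    return chains_by_client


def flag_chains(log_text, suspicious_tlds=SUSPICIOUS_TLDS):
    """Return one finding per chain that touches a suspicious TLD, with the origin
    host (the likely compromised site) and the hosts that triggered the hit."""
    findings = []
    for client, chains in build_chains(log_text).items():
        for chain in chains:
            hits = [host_of(u) for u in chain if tld_of(host_of(u)) in suspicious_tlds]
            if hits:
                findings.append({
                    "client": client,
                    "origin": host_of(chain[0]),
                    "chain": chain,
                    "suspicious_hosts": hits,
                })
    return findings


if __name__ == "__main__":
    for f in flag_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['origin']} -> {' -> '.join(f['suspicious_hosts'])}")
```

The origin host in each finding is the part worth acting on: with rotating portals the landing domains are stale within days, but the compromised site carrying the injected theme code keeps feeding new victims until it is cleaned.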