A new tech support scam involving Google Chrome has been detected. The scam uses a novel technique to hijack the browsing sessions of Chrome users. It relies on well-known tricks such as browser locking, where the user is redirected to “locking” pages (the so-called browlock pages) and prompted to watch videos for ad fraud purposes.
New Browlock Technique Affecting Chrome’s Latest Version
This technique is also associated with unwanted and intrusive pop-ups which freeze and crash the system; in other cases the user may be flooded with fake tech support messages about detected infections. We have seen plenty of these scams circulating on the Web.
This latest scam, called Partnerstoka, has added another technique to fraudsters’ arsenal. The technique itself has been dubbed “evil cursor” and redirects users to fake pages designed for browser locking purposes. It is designed specifically for the latest version of Google Chrome, version 69.0.3497.81.
The new trick aims to prevent the victim from leaving the page by hijacking his/her mouse, hence the “evil cursor” name. The user’s attempts to leave the page will be unsuccessful, because the mouse has been hijacked.
As summarized by Chromium researchers:
Tech support scammers use this technique to lock users’ browsers. Browlocks are responsible for many tech support scams where victims that panic will call for assistance. Instead of speaking with what they think is Microsoft, they are dealing with scammers that will defraud them of hundreds of dollars.
How does this latest technique work? In short, the issue is caused by HTML code which decodes a low-resolution mouse cursor. As explained by the researchers, a 128×128 transparent pixel is included, and it turns the targeted mouse into a “large box” which is designed to trick users into thinking they are clicking in one particular spot while in fact they are not able to.
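A detection-side sketch of the cursor check described above, added here as an example and not taken from the researchers or from Chrome: it scans stylesheet text for custom cursors supplied as inline base64 PNGs and flags any larger than an ordinary cursor. The CSS `cursor` delivery, the 32-pixel threshold, and all function names and sample data are assumptions; the page does not show the scam's markup.

```javascript
// Assumption: ordinary cursors are 32x32 or smaller; anything larger is flagged.
const MAX_CURSOR_SIDE = 32;

// Constructed sample data: only the first 24 bytes of a PNG (signature, IHDR
// length and type, width, height). Enough to carry dimensions, not a real image.
function pngHeaderStub(width, height) {
  const buf = Buffer.alloc(24);
  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]).copy(buf, 0);
  buf.writeUInt32BE(13, 8); // IHDR chunk length
  buf.write("IHDR", 12, "ascii");
  buf.writeUInt32BE(width, 16);
  buf.writeUInt32BE(height, 20);
  return buf.toString("base64");
}

// Read width and height from a PNG's IHDR chunk; null if the bytes are not a PNG.
function pngDimensions(bytes) {
  const sig = "89504e470d0a1a0a";
  if (bytes.length < 24 || bytes.subarray(0, 8).toString("hex") !== sig) return null;
  if (bytes.subarray(12, 16).toString("ascii") !== "IHDR") return null;
  return { width: bytes.readUInt32BE(16), height: bytes.readUInt32BE(20) };
}

// Flag `cursor:` declarations whose first url() is an inline base64 PNG
// larger than MAX_CURSOR_SIDE on either side.
function findOversizedCursors(cssText) {
  const re = /cursor\s*:\s*url\(\s*["']?data:image\/png;base64,([A-Za-z0-9+\/=]+)/gi;
  const findings = [];
  for (const m of cssText.matchAll(re)) {
    const dim = pngDimensions(Buffer.from(m[1], "base64"));
    if (dim && (dim.width > MAX_CURSOR_SIDE || dim.height > MAX_CURSOR_SIDE)) {
      findings.push({ offset: m.index, width: dim.width, height: dim.height });
    }
  }
  return findings;
}

// Constructed stylesheet: one normal-sized cursor, one 128x128, one keyword.
const sampleCss = `
  a.help { cursor: url(data:image/png;base64,${pngHeaderStub(16, 16)}), pointer; }
  body   { cursor: url("data:image/png;base64,${pngHeaderStub(128, 128)}"), auto; }
  p      { cursor: wait; }
`;

console.log(findOversizedCursors(sampleCss));
```

The same check can run in a proxy, a crawler, or a browser extension's content script over fetched page source; cursors referenced by external URL would need the image fetched before measuring.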
The worst part is that this new browlock technique appears to be shared among more scammers and is part of a scamming toolkit. On top of that, the loophole allowing this technique to work is still not patched, making it more appealing for scammers to exploit in active campaigns.