
AV Phone Scan via Fake BSOD Web Pages, (Tue, Oct 13th)

2015-10-14 17:30

A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw Microsoft engineers calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue, and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:

  • Displays a fake BSOD
  • Displays constant Javascript pop-up messages containing technical information about a process failure
  • Plays an MP3 with a female voice asking you not to reboot your computer and to call a provided toll-free number

The URL also contains many parameters which, I presume, can help the attacker to identify his victim (the "&" separators between parameters were lost in extraction and are restored here):

hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=redacted&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794__var1..2821__rd..astoob.org__aid..__sid..&source=2821&clickid=
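To see exactly what such a campaign URL records about the visitor, here is an added Python helper (my own example, not code from the diary or from the scam page) that splits the query string and expands the nested voluumdata field. The URL is a constructed copy of the one quoted above, with the "&" separators restored as an assumption and the defanged "hxxp" scheme mapped back to "http" only for parsing; the voluumdata record format (records separated by "__", key and value by "..") is inferred from the sample.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the campaign URL quoted in the diary. The '&' separators
# are an assumption (they were stripped during extraction of the page).
CAMPAIGN_URL = (
    "hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643"
    "&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami"
    "&ip=redacted&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020"
    "&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c"
    "__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b"
    "__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794"
    "__var1..2821__rd..astoob.org__aid..__sid..&source=2821&clickid="
)


def parse_voluumdata(blob):
    """Split a voluumdata value: records are separated by '__', key and value by '..'.
    A record with no '..' (or an empty value) maps to the empty string."""
    fields = {}
    for record in blob.split("__"):
        if not record:
            continue
        key, sep, value = record.partition("..")
        fields[key] = value if sep else ""
    return fields


def parse_campaign_url(url):
    """Return (host, path, params). Each query key maps to its first value
    (blank values kept), and 'voluumdata' is expanded into a nested dict."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))  # un-defang for parsing only
    raw = parse_qs(parts.query, keep_blank_values=True)
    params = {k: v[0] for k, v in raw.items()}
    if "voluumdata" in params:
        params["voluumdata"] = parse_voluumdata(params["voluumdata"])
    return parts.hostname, parts.path, params


def victim_profile(params):
    """Pick out the fields that fingerprint the visitor rather than the ad campaign."""
    keys = ("os", "browser", "browserversion", "isp", "state", "city", "ip")
    return {k: params.get(k, "") for k in keys}


if __name__ == "__main__":
    host, path, params = parse_campaign_url(CAMPAIGN_URL)
    print(host, path)
    for k, v in victim_profile(params).items():
        print(f"  {k:15s} {v}")
    print("  tracking ids  ", params["voluumdata"])
```

The split makes the point of the diary concrete: everything after the path is visitor geolocation (ISP, state, city), browser fingerprint and ad-network click tracking, which is what lets the page customize the displayed phone number per campaign.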

The domain was registered in July 2015 (whois details) and the index page calls an index.js file with:

<table width="904" height="645" border="0" align="center" cellpadding="2" cellspacing="2">
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6"></p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script></script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style=""><a style="" href="http://link.everythingfastagain.link/click/2."></a></div>
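The page body above has a recognisable shape: a fake stop code, "DO NOT RESTART", "microsoft-certified technicians", a toll-free number written into the page by script rather than in static HTML, and an autoplaying audio element. The following is an added Python scanner (my own example, not part of the diary or of the scam kit) that pulls those indicators out of fetched HTML and scores them; the sample HTML is a constructed cut-down copy of the snippet above with a placeholder phone number, and the score threshold is my own choice.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the page body quoted in the diary (not a live capture;
# the phone number and the outbound link are placeholders).
SAMPLE_HTML = """
<table><tbody><tr><td bgcolor="#000093"><div align="center">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write("(855) 000-0000")</script></p>
</div></td></tr></tbody></table>
<audio autoplay="autoplay" loop><source src="gp-msg.mp3" type="audio/mpeg"></audio>
<div><a href="http://link.example.invalid/click/2"></a></div>
"""

# Constructed benign page used as a negative control.
BENIGN_HTML = "<html><body><h1>Quarterly report</h1><p>Sales were up 3%.</p></body></html>"


class PageCollector(HTMLParser):
    """Collect visible text, script bodies, autoplaying audio sources and outbound links."""

    def __init__(self):
        super().__init__()
        self.text, self.scripts, self.audio_sources, self.links = [], [], [], []
        self.audio_autoplay = False
        self._in_script = self._in_audio = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "audio":
            self._in_audio = True
            if "autoplay" in a:
                self.audio_autoplay = True
        elif tag == "source" and self._in_audio and a.get("src"):
            self.audio_sources.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "audio":
            self._in_audio = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw CDATA.
        (self.scripts if self._in_script else self.text).append(data)


# Phrases the lure relies on; each hit adds one to the score.
LURE_PATTERNS = {
    "stop_code":      r"\b0x0000[0-9A-F]{4}\b",
    "do_not_restart": r"DO NOT (RESTART|REBOOT)",
    "fake_support":   r"MICROSOFT[- ]CERTIFIED TECHNICIAN",
    "toll_free":      r"TOLL[- ]?FREE",
    "bsod_word":      r"\bBSOD\b|BLUE SCREEN",
}
PHONE_RE = r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"


def scan_page(html):
    """Return found indicators, a score (7 is the maximum) and extracted IOCs.
    A score of 4 or more is treated as a strong fake-BSOD match (my threshold)."""
    p = PageCollector()
    p.feed(html)
    text = " ".join(p.text)
    hits = {name: bool(re.search(pat, text, re.I)) for name, pat in LURE_PATTERNS.items()}
    hits["autoplay_audio"] = p.audio_autoplay and bool(p.audio_sources)
    # The number is injected by script rather than written in the HTML, so a
    # phone-looking string inside a <script> body is itself an indicator.
    hits["phone_in_script"] = bool(re.search(PHONE_RE, " ".join(p.scripts)))
    score = sum(hits.values())
    return {"hits": hits, "score": score, "suspicious": score >= 4,
            "audio": p.audio_sources, "links": p.links}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_page(doc))
```

Run against a proxy's cached page bodies, the audio and link lists give you the IOCs to block (the MP3 and the click-tracking domain), while the per-indicator hits explain why a page was flagged instead of just producing a number.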

Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized and, in my case, I received different numbers:

  • (855)348 1197
  • (888) 725 1202

It was too tempting to call them. I picked up the first one and reached a call center broadcasting professional messages ("your call may be monitored and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human guy (without Indian accent!) who presented himself as working for a premium technical support for computers. I explained to him my problem ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number but it has already been reported as malicious by other people.

This is not a brand new attack but it can scare non-technical people. I also found that, since June 2015, EmergingThreats provides rules to detect this in their emerging-current_events.rules file:

# grep "Fake AV Phone Scam" emerging-current_events.rules | awk 'match($0, /sid:[0-9]+/) { print substr($0, RSTART, RLENGTH) }'
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811

I recorded a small video of the web page.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

