Fake tech support has learned to intercept the mouse cursor and prevent the site from being closed.
Scammers posing as tech support have adopted a new attack to hijack Chrome browser sessions. According to a report by Malwarebytes, the fraudulent grouping Partnerstroka uses a technique called an evil cursor to hijack the session.
Through malicious advertisements on websites, victims are redirected to fake web pages that “freeze” the browser, and users can neither close the tab or window, nor go to another site or to the OS desktop (browlock technique).
According to the researchers, Partnerstroka's browlock technique targets the latest Google Chrome build 69.0.3497.81. In total, the researchers found 16,000 domains used in this campaign.
To "freeze" the browser, Partnerstroka scammers use mouse cursor interception. When a user clicks on a button to close the site, they are actually clicking somewhere else, and the site does not close accordingly.
The evil cursor technique relies on HTML code to decode a low-resolution mouse cursor. As the researchers explained, adding a transparent pixel of 128x128 turns the mouse into a "big box." The victim thinks he clicks at one specific point, but in fact does not get there. Since the user cannot click on one specific location, he cannot close the site or browser.
The technique is gradually beginning to be mastered by other groups as well. In addition, it is included in the scam toolkit.
Scammers posing as tech support have adopted a new attack to hijack Chrome browser sessions. According to a report by Malwarebytes, the fraudulent grouping Partnerstroka uses a technique called an evil cursor to hijack the session.
Through malicious advertisements on websites, victims are redirected to fake web pages that “freeze” the browser, and users can neither close the tab or window, nor go to another site or to the OS desktop (browlock technique).
According to the researchers, Partnerstroka's browlock technique targets the latest Google Chrome build 69.0.3497.81. In total, the researchers found 16,000 domains used in this campaign.
To "freeze" the browser, Partnerstroka scammers use mouse cursor interception. When a user clicks on a button to close the site, they are actually clicking somewhere else, and the site does not close accordingly.
The evil cursor technique relies on HTML code to decode a low-resolution mouse cursor. As the researchers explained, adding a transparent pixel of 128x128 turns the mouse into a "big box." The victim thinks he clicks at one specific point, but in fact does not get there. Since the user cannot click on one specific location, he cannot close the site or browser.
The technique is gradually beginning to be mastered by other groups as well. In addition, it is included in the scam toolkit.
