How does this happen?

Brint Hannay
Posts: 3942
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA

Post by Brint Hannay »

Today, shortly after turning on my computer and opening Firefox, suddenly the whole screen went bright red, with text supposedly from Firefox urgently "alerting" me that my computer and personal data were at risk, with a female voice with normal American accent urging the same message. It wanted me to call the 877 number on the screen immediately--"Don't waste your time"--to get instructions on removing something like "Adaware Spyware Virus". Though the speaking voice was free of language errors, the written page still had noticeable points of un-idiomatic or ungrammatical English.

Now, everything about this struck me as bogus, and I simply closed the page, closed and restarted Firefox, and ran a Trend Micro Full Scan, which detected no threats.

But what I wonder is, how did this find its way onto my screen? Should I worry, or is the problem entirely external to my computer?
Dave Potter
Posts: 1564
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Agree, that sounds a lot like a thinly-disguised phishing attempt; something's running that you don't want, and needs to be removed. I wouldn't be satisfied nothing's there from just the Trend Micro scan.

If it does that again, I'd be looking to see what's on the location bar, or maybe in your Firefox History, for the source (the url), and then trying to find out what I could about it using a WhoIs Lookup, as well as Googling it to see what's out there on the net about it. I'd also check Firefox settings to see if something's redirected your startup page.

Good luck.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

The bogus tech support pop-overs are entirely browser based JavaScript attacks that are delivered via poisoned ads or compromised PHP driven websites (e.g. WordPress).

It may take some detective work to figure out whether the attack came from an ad network on the page, or the website itself. I use Firefox's View Page Source to see if there is a breadcrumb when I detect a browser based attack (or if one is blocked by Malwarebytes).

There are abuse reporting options available if you can actually identify a compromised or hostile website or server.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
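The "detective work" Wiz describes above, as an added example that is not from the thread or its posters: given the page URL from the location bar and the HTML from View Page Source, this Node script lists every origin the page loads scripts or iframes from and marks those that are not the site itself, which is where a poisoned ad or an injected loader normally comes from. The page URL, the HTML and all host names below are constructed for the example.

```javascript
// Added example: page-source triage for a suspected ad-delivered overlay.
// Lists the origins a page pulls <script> and <iframe> content from and flags
// those that differ from the page's own host. Sample input is constructed.

const SRC_RE = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

function externalOrigins(pageUrl, html) {
  const page = new URL(pageUrl);
  const seen = new Map(); // origin -> { origin, tags, thirdParty }
  for (const m of html.matchAll(SRC_RE)) {
    const tag = m[1].toLowerCase();
    let u;
    try {
      u = new URL(m[2], page); // resolves relative and protocol-relative src values
    } catch {
      continue; // malformed src: skip it rather than abort the whole scan
    }
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue; // data:, javascript:, etc.
    // Simple host comparison: a subdomain of the site is also reported as third-party,
    // which errs on the side of showing the reader more candidates, not fewer.
    const entry = seen.get(u.origin) ||
      { origin: u.origin, tags: new Set(), thirdParty: u.hostname !== page.hostname };
    entry.tags.add(tag);
    seen.set(u.origin, entry);
  }
  return [...seen.values()]
    .map(e => ({ origin: e.origin, tags: [...e.tags].sort(), thirdParty: e.thirdParty }))
    .sort((a, b) => Number(b.thirdParty) - Number(a.thirdParty) || a.origin.localeCompare(b.origin));
}

// Constructed sample page: the site's own script, an ad-network iframe, and a
// loader script placed at the bottom of the page (the pattern Wiz describes).
const SAMPLE_HTML = `
<html><head><script src="/js/site.js"></script></head>
<body>
<iframe src="//ads.example-adnetwork.test/serve?slot=top"></iframe>
<p>Article text</p>
<script src="https://cdn.example-injected.test/loader.js"></script>
<script src="data:text/javascript,void 0"></script>
</body></html>`;

function demo() {
  return externalOrigins('https://www.example-forum.test/viewtopic.php?t=1', SAMPLE_HTML);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) {
    console.log(r.thirdParty ? 'THIRD-PARTY' : 'first-party', r.origin, r.tags.join(','));
  }
}
```

Each third-party origin in the output is a candidate for the WhoIs lookup and abuse report mentioned in this thread; the first-party entries tell you whether the site itself was serving the loader.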
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

I have noticed that Malwarebytes 3.x is the first to detect and block most browser based attacks, especially tech support scams and links to exploit attack kits.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Brint Hannay
Posts: 3942
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA

Post by Brint Hannay »

But is it an attack or only an attack attempt? That is, if I didn't respond to it, does the fact that I got the pop-over nevertheless mean my computer is already infected with something?
Clyde Mattocks
Posts: 2992
Joined: 26 May 2005 12:01 am
Location: Kinston, North Carolina, USA

Post by Clyde Mattocks »

I used to get that one. It smelled. I just ignored it.
LeGrande II, Nash. 112, Harlow Dobro
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Brint Hannay wrote: But is it an attack or only an attack attempt? That is, if I didn't respond to it, does the fact that I got the pop-over nevertheless mean my computer is already infected with something?
In the past, fake virus alerts were caused by an already present Trojan. The current tech support phone-in scam does nothing if you close your browser as soon as it appears. It is a page overlay loaded by JavaScript when you are served a poisoned ad, or there is a link to an exploit server at the bottom of the page. Closing it should delete that script.

To be safe, run CCleaner immediately after closing the browser, flushing out the browser's cache (default setting). This will flush out any malicious scripts that might be lingering. It also deletes any executables that were dropped into your local user's Temp directory.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog