How does this happen?

Brint Hannay · Post by **Brint Hannay** » 28 Dec 2017 12:17 pm

Today, shortly after turning on my computer and opening Firefox,suddenly the whole screen went bright red, with text supposedly from Firefox urgently "alerting" me that my computer and personal data were at risk, with a female voice with normal American accent urging the same message. It wanted me to call the 877 number on the screen immediately--"Don't waste your time"--to get instructions on removing something like "Adaware Spyware Virus". Though the speaking voice was free of language errors, the written page still had noticeable points of un-idiomatic or ungrammatical English.

Now, everything about this struck me as bogus, and I simply closed the page, closed and restarted Firefox, and ran a Trend Micro Full Scan, which detected no threats.

But what I wonder is, how did this find its way onto my screen? Should I worry, or is the problem entirely external to my computer?

Dave Potter · Post by **Dave Potter** » 28 Dec 2017 12:30 pm

Agree, that sounds a lot like a thinly-disguised phishing attempt; something's running that you don't want, and needs to be removed. I wouldn't be satisfied nothing's there from just the Trend Micro scan.

If it does that again, I'd be looking to see what's on the location bar, or maybe in your Firefox History, for the source (the url), and then trying to find out what I could about it using a WhoIs Lookup, as well as Googling it to see what's out there on the net about it. I'd also check Firefox settings to see if something's redirected your startup page.

Good luck.

Wiz Feinberg · Post by **Wiz Feinberg** » 28 Dec 2017 2:50 pm

The bogus tech support pop-overs are entirely browser based JavaScript attacks that are delivered via poisoned ads or compromised PHP driven websites (e.g. WordPress).

It may take some detective work to figure out whether the attack came from an ad network on the page, or the website itself. I use Firefox's View Page Source to see if there is a breadcrumb when I detect a browser based attack (or if one is blocked by Malwarebytes).

There are abuse reporting options available if you can actually identify a compromised or hostile website or server.

Wiz Feinberg · Post by **Wiz Feinberg** » 28 Dec 2017 2:54 pm

I have noticed that Malwarebytes 3.x is the first to detect and block most browser based attacks, especially tech support scams and links to exploit attack kits.

Brint Hannay · Post by **Brint Hannay** » 28 Dec 2017 5:02 pm

But is is it an attack or only an attack attempt? That is, if I didn't respond to it does the fact that I got the pop-over nevertheless mean my computer is already infected with something?

Clyde Mattocks · Post by **Clyde Mattocks** » 28 Dec 2017 8:28 pm

I used to get that one. It smelled. I just ignored it.

Wiz Feinberg · Post by **Wiz Feinberg** » 28 Dec 2017 9:54 pm

Brint Hannay wrote:But is is it an attack or only an attack attempt? That is, if I didn't respond to it does the fact that I got the pop-over nevertheless mean my computer is already infected with something?

In the past, fake virus alerts were caused by an already present Trojan. The current tech support phone-in scam does nothing if you close your browser as soon as it appears. It is a page overlay loaded by JavaScript when you are served a poisoned ad, or there is a link to an exploit server at the bottom of the page. Closing it should delete that script.

To be safe, run CCleaner immediately after closing the browser, flushing out the browser's cache (default setting). This will flush out any malicious scripts that might be lingering. It also deletes any executables that were dropped into your local user's Temp directory.