Phishing

The machines we love to hate

Moderator: Wiz Feinberg

Harold Dye
Posts: 717
Joined: 22 Jul 2001 12:01 am
Location: Cullman, Alabama, USA

Phishing

Post by Harold Dye »

I just started my computer and when I tried to open a site I got a Red full screen notice that said it was from Firefox. I have Win 10 and Firefox as my browser. The notice said there was some suspicious activity and I needed to call Firefox and it gave a number. It said some accounts had some suspicious activity. I don't do banking or anything like that online. I tried to close the page but it shut down my mouse and I tried to delete it but no luck. I could not shut the computer down with the off button so I had to unplug it. When I started it up again I had no problems so I did a virus scan. This sounds like phishing to me and I can't imagine Firefox would send a notice like this. Any ideas??
Jim Fogle
Posts: 1086
Joined: 23 Jul 2019 9:47 am
Location: North Carolina, Winston-Salem, USA

More Than Phishing

Post by Jim Fogle »

If it's shutting down your computer and shows up on start up, your computer has a virus.

You may end up having to have a professional remove it or at least using an anti-virus program installed on a bootable USB memory stick to find and remove it.
Remembering Harold Fogle (1945-1999) Pedal Steel Player
Dell laptop Win 10, i3, 8GB, 480GB
2023 BiaB UltraPlus PAK
Cakewalk by Bandlab Computer DAW
Zoom MRS-8 8 Track Hardware DAW
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

That was a "Browser Locker" scam page. It happened when you inadvertently opened a web page that contained a poisoned ad, or a compromised website that contained a redirection script that opened the red screen browser tab and locked your PC. It is a variation of the infamous tech support scams.

When you shut off the computer you flushed the malicious URL out of the browser's cache. Chances are that even if you reopen the browser to the exact same web page, that malicious red page won't reappear. There is a random number generator in the JavaScript that delivers these scams. Once shown to a unique user, it may not happen again for a long time, or ever. This is to frustrate security researchers and avoid riling up wizened up (aka: woke), security-conscious end users.

There are ad and scripting blockers that also block JavaScript and Flash by default until you allow them to pass. I use the Firefox NoScript add-on to protect my browser from JavaScript redirects and exploit pages. I whitelist pages and domains as I see fit.

In the case of approved domains, if you whitelist an entire domain and all the networks that it allows to connect and a rogue JavaScript redirect script takes you to a hostile page full of JavaScript exploits, they will be blocked because you didn't approve that other domain.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
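
The default-deny behaviour described in the post above, sketched as an added example (not part of the thread and not NoScript's code): a script runs only if its host is on the user's allowlist, so a redirect away from an approved site lands on a page whose scripts are all blocked. The hostnames, page objects and function names are constructed for illustration.

```javascript
// Simplified model of a default-deny script blocker (not NoScript's own code).
// All hostnames are constructed examples under reserved .example/.test names.

// A host is approved if it equals an allowlisted domain or is a subdomain of it.
// The leading dot in the suffix check keeps look-alikes such as
// "localnews.example.alert.test" or "notlocalnews.example" from matching.
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowlist.some((d) => h === d || h.endsWith("." + d));
}

// Inline scripts are judged by the page's host, external scripts by their own host.
function evaluatePage(page, allowlist) {
  const pageHost = new URL(page.url).hostname;
  const decisions = [];
  if (page.inlineScripts > 0) {
    decisions.push({ source: "inline@" + pageHost, allowed: hostAllowed(pageHost, allowlist) });
  }
  for (const src of page.externalScripts) {
    const host = new URL(src, page.url).hostname; // resolves relative paths too
    decisions.push({ source: host, allowed: hostAllowed(host, allowlist) });
  }
  return decisions;
}

function summarize(page, allowlist) {
  return evaluatePage(page, allowlist).map((d) => `${d.source}: ${d.allowed ? "runs" : "blocked"}`);
}

// The user approved only the newspaper's domain.
const allowlist = ["localnews.example"];

// Approved site carrying a third-party ad slot.
const newsPage = {
  url: "https://www.localnews.example/front",
  inlineScripts: 1,
  externalScripts: ["https://static.localnews.example/app.js", "https://ads.adnetwork.test/slot.js"],
};

// Page a rogue redirect would land on: never approved, so nothing on it runs.
const landingPage = {
  url: "https://localnews.example.alert.test/warning.html",
  inlineScripts: 3,
  externalScripts: ["/lock.js"],
};

console.log(summarize(newsPage, allowlist));
console.log(summarize(landingPage, allowlist));
```

The unapproved ad host is blocked on the approved page, and every script on the look-alike landing page is blocked because only the exact domain and its subdomains match.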

Post by Harold Dye »

Thanks Wiz. The site I opened was the local newspaper website. When I opened the page it came up but then the red page popped up. As you said I flushed the red page when I restarted the computer and so far have not seen it again.

Post by Wiz Feinberg »

Harold;
Please check for updates to Firefox as newer releases now contain some built-in safeguards against browser lockers. As I type this the current version for Windows 10 is 71.0.

You haven't mentioned whether or not you are using a third party security program, or your operating system and version. If your computer is basically unprotected, consider purchasing an annual subscription to Malwarebytes. The free version doesn't protect your computer in real time and stuff like what you just went through happens. MB blocks poisoned ads and their redirection landing pages, but doesn't lock your browser in the process.

Post by Harold Dye »

Wiz I use PC Matic. Firefox sends updates often and I always update when it comes in. I updated a few days ago but I don't know the number of the update.

Post by Wiz Feinberg »

Harold Dye wrote: Wiz I use PC Matic. Firefox sends updates often and I always update when it comes in. I updated a few days ago but I don't know the number of the update.
Okay. Thanks for that information. PC-Matic is like a firewall for software (programs/Apps) that run on your computer. It uses a system known as whitelisting, or approving known to be safe programs, as well as those chosen by end users. Everything else is blocked. That is how they describe their protection method.

The problem with this approach to security is that it assumes that the approved programs will always remain safe and trustworthy. But, as you found out, even a trusted program, like Firefox, can become an unwitting vessel for malware. Your browser was exploited by a malicious script that took advantage of a vulnerability in the browser code. Rest assured that the threat actors behind this exploit put a lot of work into it.

You are going to need more security than the doorman checking tickets against a list of approved guests. You need a bouncer that can sense trouble in the making and stop it in its tracks. That's one thing that Malwarebytes is really good at doing. It's called behavioral analysis.

Post by Harold Dye »

Wiz just happened again.

Post by Wiz Feinberg »

Harold Dye wrote: Wiz just happened again.
When you shut down and reboot the computer, is everything looking and operating normally? Or, does it seem sluggish?

BTW, what version of Windows is the computer running on?

I strongly recommend that you download Malwarebytes, install and update it, then scan the computer for malware. Malwarebytes is free to use in manual mode. If it finds malware it will remove it. If it finds suspect files it will quarantine them. If you allow it to operate in full trial mode (2 weeks I think), it will monitor your browser and computer in real time and block the malicious website. After the trial is over you can decide whether it is worth paying for ongoing protection.

You may have to approve MB in PC-Matic (which obviously didn't protect your browser).

I hope this helps.

Post by Wiz Feinberg »

Harold;
I wanted to know if you scanned your computer with Malwarebytes and if it uncovered any malware and removed it.

If so, can you now browse websites without getting scam pop-overs?

BTW: What is the name and/or (URL) location of the website you went to when the red screen popped over it? I could investigate it for you to see if there is any hostile code on the landing page. If there is, the Webmaster needs to be notified.

Post by Harold Dye »

Wiz at this time I have not but will soon.

Post by Wiz Feinberg »

If you know which website is causing the pop-overs, send me a link via a private message. I will check it out to see if it is unknowingly compromised and contact the webmaster if it is.