Partnerstroka: Large tech support scam operation features latest browser locker

Tech support scams continue to be one of the top consumer threats in 2018, despite actions from security vendors and law enforcement. Scammers are constantly looking for new ways to reel in more victims, going beyond cold calls impersonating Microsoft to rogue tech support ads using the good name of legitimate brands, and of course, malicious pop-ups.
We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. While it is common for crooks in this industry to reuse design templates, we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstroka.
However we caught up with the same campaign again recently and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome. In this blog post, we share some of our findings on this group and their latest techniques.
Identification
The browser locker is typical of those we normally see, but the crooks have ensured that most browsers and operating systems are covered with their own landing page. This is determined by looking at the user-agent string when the client requests the page to the malicious server. It is further customized via JavaScript functions that perform the “locking” part of the scam.
Different templates for the same browlock domain
The name we track this campaign under is inspired by the string “stroka” found within the HTML source code. That same string (and similar code) was also present in previous JavaScript-based “Police Browlocks” that required users to pay a fine with vouchers. However, because code reuse is common among scammers, it is likely to be an entirely different group.
Campaign identification via redirects, TLD and registrar
The threat actors use dozens of Gmail accounts following a somewhat predictable pattern.
Registrants emails tied to the Partnerstroka campaign
Each email address is tied to anywhere from a few to several hundred .club (gTLD) browlock domains abusing the GoDaddy registrar/hosting platform, with whom we have shared our investigation.
A view of the domains belonging to one email address
We were able to extract over 16,000 malicious domains during a period of several months, but we believe the actual number is much higher. Indeed, our visibility into the depth of this campaign was partly tied to the email addresses we had cataloged and unfortunately, the new privacy laws around whois records hindered our research.
Traffic distribution
We observed different techniques to redirect unsuspecting users to the browlock pages, although malvertising was almost always an element in the chain. The likelihood of getting redirected to one of these browlocks is higher when visiting websites that have less than optimal advertising practices.
BlackTDS
BlackTDS is a Traffic Distribution System (TDS) used by crooks to deliver web threats and avoid unwanted traffic (i.e. not real humans). The kind of traffic that comes out of it ranges from social engineering attacks to infections via exploit kits.
The Partnerstroka group used various ad networks to drive visitors to the browlock page, sometimes directly but often times via the intermediary of an .info gate.
BlackTDS traffic, malvertising, .info gate, and .club browlock
Decoy sites
Another technique the threat actors leveraged was redirects via decoy portals performing what we call “cloaking,” a trick used to only serve malicious content to certain kinds of users and redirect others (non targets) to a benign-looking page instead.

Traffic from decoy sites leading to .club browlock
Blogspot redirects
We also came across a number of blogs hosted on Blogger (now owned by Google). These were either empty or only showed limited content, and again, their purpose was to perform redirects to the browlock pages.
Rogue Blogspot pages used for redirects
Studying their redirection chain more closely, we found something interesting in how the browlock domain was being called. They used a marketing tracker in between that would respond with the latest registered browlock domain:
Redirect from Blogspot to the browlock
Malvertising via injected sites
The majority of activity we are observing lately comes from websites that have been injected with ad code. While some website owners do this purposely to monetize their traffic, it becomes a lot more suspicious when we find matching ad campaign identifiers across domains that have seemingly nothing in common.
Browser locker for Edge on Windows 10 from a malvertising chain
The evil cursor
There are many different documented techniques that can be used to prevent users from closing a tab or browser window, and often times those are specific to each browser. For instance, Edge and Firefox users will often get the authentication required prompt in a loop, while Chrome users are served with more nasty stuff, such as actual attempts to freeze the browser or trigger thousands of downloads.
In early September, we came across the Partnerstroka group again and noticed that they had incorporated a browser locker technique that was working against the latest version of Google Chrome (69.0.3497.81). Similar to other tricks, it effectively prevented from closing the offending page because the mouse cursor had been hijacked.

As can be seen in the animation above, the red dot represents what the user actually clicks on, even though the cursor itself seems to be way off. The code responsible for this unwanted behavior can be found within the HTML body tag:
A few lines of code to alter the mouse cursor
The Base64 blurb decodes to a simple image of a low-resolution mouse cursor, but the important bit is the 128×128 transparent pixel, which essentially turns your cursor into a large box. We reported this issue via the Chromium bug tracker portal, and the first person who replied showed what that custom “evil” cursor looks like:
The new cursor showing an actual (invisible) square
This is one example of many such tricks that can be used against modern browsers. Often times, features that are either well-documented or more obscure turn into attack vectors used to further fool end users, causing them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work well.
Similar campaigns
We have noted an increase in tech support scams abusing the NameCheap registrar. While we cannot positively identify that this is also the Partnerstroka group (landing page reuse among scammers is a thing), they definitely share some common traits.
Domain Name: ukxhdp[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-21T15:06:23Z
Browlock using the same cursor trick with a domain registered via Namecheap
Domain Name: descorservicesavailoffer[.]club
Registrar URL: http://www.namecheap.com
Creation Date: 2018-08-22T12:16:07Z
Browlock hosted on AWS S3 bucket
Mitigations
Due to the size and ever-changing nature of the infrastructure between different browser locker campaigns, applying a domain/IP database approach against them is not an effective solution. Although it does offer some coverage, scammers are always a step ahead because of their ability to register new (yet to be detected) domain names.
Here at Malwarebytes, we tackle this issue using both blacklist and, more importantly, heuristics techniques. Our browser extension (Beta) can detect and prevent browlocks:
Browlock stopped via the Malwarebytes extension
Tech support scams have been going on for some time and followed various trends over the years. While social engineering is their main leverage, they often incorporate techniques that help with that effort. We can expect crooks to keep coming up with clever ways to disrupt the browsing experience and abuse advertising, registration, and hosting platforms along the way.
As defenders, we must also face new challenges in tracking threat actors that benefit from changes brought up by privacy protection laws. As we adapt to these new realities, sharing threat intelligence with involved parties becomes more important than ever to tackle the problem at a larger scale.
Indicators of Compromise
Registrant emails
popsingh887958@gmail[.]com
kumarsanga5466@gmail[.]com
aungkhana55788@gmail[.]com
bubanirani456@gmail[.]com
chukwu47753@gmail[.]com
huangchiong466@gmail[.]com
jeene27@gmail[.]com
kunal475681@gmail[.]com
kuomsopheak@gmail[.]com
nanudusingh@gmail[.]com
nehasharma665256@gmail[.]com
nitishchauhan567@gmail[.]com
nitishchauhan764@gmail[.]com
pankajrana7685@gmail[.]com
pluekchamchaisri566@gmail[.]com
punam885478@gmail[.]com
rahulkumar456743@gmail[.]com
rajeev885478@gmail[.]com
settachai5688@gmail[.]com
teerayutpanswat344@gmail[.]com
huang45785@gmail[.]com
dineshpehlwan7984@gmail[.]com
suwimolphangkaew567@gmail[.]com
gaurav32765@gmail[.]com
boonnat567@gmail[.]com
chukwuukwunna466@gmail[.]com
dogc676@gmail[.]com
heena998545@gmail[.]com
himansu55844@gmail[.]com
rajaram554787@gmail[.]com
raktasingh666@gmail[.]com
rupsingh789878@gmail[.]com
sinisa577843@gmail[.]com
tarang886547@gmail[.]com
thanawitnomrit5566@gmail[.]com
tiwarisingh885645@gmail[.]com
umargul658458@gmail[.]com
vinodsharma5565@gmail[.]com
danishkumar4567@gmail[.]com
badshahkhan6628@gmail[.]com
kiransha678@gmail[.]com
vaisnavi55666@gmail[.]com
finleympowell@gmail[.]com
andrewmichael2682@gmail[.]com
174lkjhgfdd@gmail[.]com
Recent .info redirectors
getshopea7[.]info
meshopea4[.]info
bestshopec97[.]info
Recent .club browlocks
ourtabta133[.]club
xtabtec134[.]club
doebase1089[.]club
digivinta137[.]club
99shopez16[.]club
Decoy sites
allaboutsearching[.]com
bestcookingonline[.]com
best10traveltips[.]com
thronetheater[.]com
bestporngifs[.]org
bestshockers[.]com
toptipstotravel[.]com
hddfilms[.]com
Blogger redirects
part-added-to-a-book-document[.]blogspot.com
best-account-in-world.blogspot[.]com
thjdfk.blogspot[.]com
webanalysesteam.blogspot[.]com
latestdeliverystatusesofallyours[.]blogspot.com
speechwordstominutes.blogspot[.]com
templateanditwillalwaysservethe.blogspot[.]com
themeswritingpadandcustomise.blogspot[.]com
Tracker

v7mle20cvo.js-delivr[.]com

The post Partnerstroka: Large tech support scam operation features latest browser locker appeared first on Malwarebytes Labs.
Click here for best antivirus and antispyware software

Powered by WPeMatico