Last Updated: 2015-10-14 10:37:04 UTC
by Xavier Mertens (Version: 1)
A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser. This is not a brand new attack but it remains in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:
- Displays a fake BSOD
- Plays an MP3 with a female voice asking you to not reboot your computer and to call a provided toll-free number
The URL also contains many parameters which, I presume, can help the attacker to identify his victim and adapt the social engineering scenario based on browser, location, etc. Here is an example of such a URL:
Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized and, in my case, I received different numbers:
- (855) 348 1197
- (888) 725 1202
It was too tempting to call them. I picked the first one and reached a call center broadcasting professional messages ("your call can be monitored and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human guy (without an Indian accent!) who presented himself as working for a premium technical support for computers. I explained my problem to him ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number but it has already been reported as malicious by other people.
This is not a brand new attack but it can scare non-technical people. I also found that, since June 2015, Emerging Threats provides rules to detect this in their open rule set:
I recorded a small video of the web page.
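The three traits described above (fake BSOD text, an auto-playing MP3 and a toll-free number) can be combined into a simple content heuristic for proxy or crawler output. This is an added example, not the author's code and not the Emerging Threats rules; the marker strings, the function name `score_page` and both sample pages are assumptions constructed for illustration.

```python
import re

# Assumed marker strings typical of a simulated BSOD (not taken from the original page).
BSOD_MARKERS = ("blue screen", "bsod", "a problem has been detected",
                "stop: 0x", "do not restart", "do not reboot")

# Audio that starts without user interaction: <audio autoplay>, legacy embed/bgsound, or JS Audio().
AUDIO = re.compile(r"<audio\b[^>]*\bautoplay\b|<(?:embed|bgsound)\b[^>]*\.mp3|new\s+Audio\s*\(",
                   re.IGNORECASE)

# North American toll-free prefixes; the two numbers quoted in the diary (855, 888) are in this set.
TOLL_FREE = re.compile(r"\(?\b(?:800|833|844|855|866|877|888)\)?[\s.-]*\d{3}[\s.-]*\d{4}\b")


def score_page(html: str) -> dict:
    """Score a page body against the three traits; two or more hits flags it for review."""
    text = html.lower()
    hits = {
        "bsod_text": [m for m in BSOD_MARKERS if m in text],
        "autoplay_audio": bool(AUDIO.search(html)),
        "toll_free_numbers": sorted({m.group(0) for m in TOLL_FREE.finditer(html)}),
    }
    hits["score"] = (bool(hits["bsod_text"]) + hits["autoplay_audio"]
                     + bool(hits["toll_free_numbers"]))
    # A toll-free number alone is normal on any support page, so one hit is not enough.
    hits["suspicious"] = hits["score"] >= 2
    return hits


# Constructed sample: mimics the page described above, with a fictional 555-01xx number.
SAMPLE_SCAM = """<html><body style="background:#0000aa;color:#fff">
<h1>A problem has been detected and Windows has been shut down</h1>
<p>Do not restart your computer. Call (800) 555 0100 immediately.</p>
<audio autoplay loop><source src="warning.mp3" type="audio/mpeg"></audio>
</body></html>"""

# Constructed sample: an ordinary support page that only carries a toll-free number.
SAMPLE_BENIGN = """<html><body><h1>Contact support</h1>
<p>Our help desk is available on 1-888-555-0199.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(name, score_page(page))
```

The threshold of two hits is a starting point; tune the marker list against pages actually seen in your own proxy logs before alerting on it.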