SANS ISC: InfoSec Handlers Diary Blog

AV Phone Scan via Fake BSOD Web Pages

Published: 2015-10-13
Last Updated: 2015-10-14 10:37:04 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

A few days ago, I found a malicious website that tries to lure visitors by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within their browser. This is not a brand new attack, but it remains in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue, and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:

  • Displays a fake BSOD
  • Displays constant JavaScript pop-up messages containing technical information about a process failure
  • Plays an MP3 with a female voice asking you not to reboot your computer and to call a provided toll-free number

The URL also contains many parameters which, I presume, can help the attacker identify the victim and adapt the social engineering scenario based on browser, location, etc. Here is an example of such a URL:

hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=<redacted>&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794__var1..2821__rd..astoob\.\org__aid..__sid..&source=2821&clickid=
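As an added example (not part of the original diary), the following Python pulls apart the query string of the URL above and separates the parameters that describe the visitor (OS, ISP, location, browser) from the ones that identify the campaign. The voluumdata field is handled as records joined by "__" with key and value separated by ".."; that reading of the format is my own, based only on this sample. The URL is kept defanged exactly as published (urlsplit does not care about the scheme), and the ip value stays "<redacted>".

```python
from urllib.parse import urlsplit, parse_qs

# The tracking URL quoted in the diary, kept defanged (hxxp) exactly as published.
SCAM_URL = (
    r"hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643"
    r"&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami"
    r"&ip=<redacted>&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020"
    r"&voluumdata=vid..00000000-54a7-440a-8000-000000000000"
    r"__vpid..7d250800-6905-11e5-8dee-e0e7be81898c"
    r"__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H"
    r"__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b"
    r"__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc"
    r"__oid2..13034530-ab85-4189-adbf-aea214fb4794"
    r"__var1..2821__rd..astoob\.\org__aid..__sid..&source=2821&clickid="
)

# Parameters that describe the visitor rather than the campaign (my own reading of the URL).
VICTIM_FIELDS = ("os", "isp", "state", "city", "ip", "browser", "browserversion")


def parse_query(url):
    """Return the query string as a flat dict; blank values (domain=, clickid=) are kept."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in qs.items()}


def parse_voluumdata(blob):
    """Split the voluumdata field: records joined by '__', key and value separated by '..'.

    The format is assumed from this one sample; empty values (aid.., sid..) are kept.
    """
    out = {}
    for record in blob.split("__"):
        key, sep, value = record.partition("..")
        if sep:
            out[key] = value
    return out


def profile(url):
    """Summarise what the landing URL reveals about the visitor and the campaign."""
    params = parse_query(url)
    tracking = parse_voluumdata(params.get("voluumdata", ""))
    return {
        "victim": {k: params[k] for k in VICTIM_FIELDS if k in params},
        "campaign": params.get("campaign"),
        # The outer campaign id should be the same as caid inside the tracker blob.
        "campaign_matches_tracker": params.get("campaign") == tracking.get("caid"),
        "tracking": tracking,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(profile(SCAM_URL), indent=2))
```

Running it shows that the percent-encoded values decode to "Wz Communications inc." and "Opera 20", that the campaign parameter and the caid record carry the same GUID, and that source=2821 is repeated as var1 inside voluumdata, which is the kind of cross-reference worth recording when tracking a campaign across several landing domains.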

The domain was registered in July 2015 (whois details) and the index page calls an index.js file containing obfuscated JavaScript. Here is the decoded content:

<table width="904" height="645" border="0" align="center" cellpadding="2" cellspacing="2">
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6">&nbsp;</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>

Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized; in my case, I received different numbers:

  • (855) 348 1197
  • (888) 725 1202
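As an added example (not part of the original diary, and not the Emerging Threats rules mentioned below), here is a small Python heuristic that looks for the combination of traits visible in the decoded page above: a looping autoplay audio element, a 1x1-pixel hidden link, a Windows stop code, a phone number written in by script, and the scare wording. The fake page is the decoded HTML from the diary; the benign page is a constructed help-desk article that mentions the same stop code and "do not restart", which is why the check requires several independent indicator classes rather than keywords alone.

```python
import re
from html.parser import HTMLParser

# Wording lifted from the decoded page above; a heuristic, not a signature.
SCARE_PHRASES = (
    "do not restart",
    "blue screen error",
    "toll free",
    "certified technicians",
    "prevent data loss",
)
STOP_CODE_RE = re.compile(r"\b0x0000[0-9a-f]{4}\b", re.IGNORECASE)
# The page fills in the phone number at render time with document.write(<variable>).
SCRIPT_WRITE_RE = re.compile(r"document\.write\(\s*[A-Za-z_]\w*\s*\)")


class FakeBsodScanner(HTMLParser):
    """Collects structural and textual indicators of a fake-BSOD tech support page."""

    def __init__(self):
        super().__init__()
        self.indicators = set()
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "audio" and "autoplay" in a and "loop" in a:
            self.indicators.add("autoplay_looping_audio")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "height:1px" in style and "width:1px" in style:
            self.indicators.add("hidden_1px_element")

    def handle_data(self, data):
        # Script bodies arrive here too, so document.write() calls are visible.
        self._chunks.append(data)

    def finish(self):
        text = re.sub(r"\s+", " ", " ".join(self._chunks)).lower()
        if sum(phrase in text for phrase in SCARE_PHRASES) >= 2:
            self.indicators.add("scare_phrases")
        if STOP_CODE_RE.search(text):
            self.indicators.add("stop_code")
        if SCRIPT_WRITE_RE.search(text):
            self.indicators.add("phone_written_by_script")
        return sorted(self.indicators)


def scan_page(html):
    """Return the sorted list of indicator classes found in an HTML document."""
    scanner = FakeBsodScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.finish()


def is_fake_bsod(html, threshold=3):
    """Flag only when several independent indicator classes co-occur."""
    return len(scan_page(html)) >= threshold


# The decoded page from the diary, used here as the positive sample.
FAKE_PAGE = """<table width="904" height="645" border="0" align="center" cellpadding="2" cellspacing="2">
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6">&nbsp;</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>"""

# Constructed benign sample: a help-desk article that shares two of the keywords.
BENIGN_PAGE = """<html><body>
<h1>Troubleshooting STOP 0x000000CE</h1>
<p>A blue screen error with this code names the driver that was unloaded with
operations still pending. Note the driver name and do not restart into the
same configuration until it has been updated; ask your IT help desk if unsure.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("fake", FAKE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_page(page), is_fake_bsod(page))
```

The fake page trips all five indicator classes, while the benign article trips only the stop code and two scare phrases and stays below the threshold. A proxy or sandbox that renders suspicious landing pages can use the same idea to prioritise what an analyst looks at; the actual wording and the threshold should be tuned against your own traffic.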

It was too tempting to call them. I picked the first one and reached a call center broadcasting professional messages ("your call may be monitored and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human (without an Indian accent!) who presented himself as working for a premium technical support service for computers. I explained my problem to him ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number, but it has already been reported as malicious by other people.

This is not a brand new attack, but it can scare non-technical people. I also found that, since June 2015, Emerging Threats has provided rules to detect it in their open rule set:

# grep "Fake AV Phone Scam" emerging-current_events.rules |awk 'match($0, /sid:[0-9]+/) { print substr($0, RSTART, RLENGTH)}'
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811
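As an added example (not part of the original diary), the following Python does what the grep/awk one-liner above does, but parses each rule far enough to tell enabled rules from ones that have been disabled by commenting them out with a leading "#", which the one-liner cannot distinguish. The sample rules are constructed in the ET rule-file format: the sids 2021177, 2021181 and 2021182 are taken from the output above, but the msg strings, content matches and the choice of which rule is commented out are placeholders, not the real Emerging Threats rules.

```python
import re

# Constructed excerpt in the ET rule-file format; msg/content values are placeholders.
SAMPLE_RULES = r"""
# --- constructed sample, not emerging-current_events.rules ---
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam (placeholder A)"; flow:established,to_server; content:"placeholder"; http_uri; classtype:trojan-activity; sid:2021177; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam (placeholder B)"; flow:established,to_client; content:"DO NOT RESTART"; classtype:trojan-activity; sid:2021181; rev:2;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam (placeholder C, disabled)"; flow:established,to_client; content:"placeholder"; classtype:trojan-activity; sid:2021182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unrelated (placeholder)"; content:"placeholder"; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)
"""

# A rule line: optional '#' (disabled), action, header, then '(' options ')'.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass)\s+(?P<header>[^(]+)\((?P<options>.*)\)\s*$"
)
# key:value; pairs, value either double-quoted (msg, content) or bare (sid, rev, flow).
OPT_RE = re.compile(r'(?P<key>[a-z_]+)\s*:\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^;]*))\s*;')


def parse_rules(text):
    """Return one dict per rule line: enabled flag, msg, sid and rev."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        opts = {}
        for o in OPT_RE.finditer(m.group("options")):
            value = o.group("quoted") if o.group("quoted") is not None else o.group("bare").strip()
            opts.setdefault(o.group("key"), value)  # keep the first content:, etc.
        rules.append({
            "enabled": m.group("disabled") is None,
            "msg": opts.get("msg", ""),
            "sid": int(opts["sid"]) if opts.get("sid", "").isdigit() else None,
            "rev": int(opts["rev"]) if opts.get("rev", "").isdigit() else None,
        })
    return rules


def sids(text, needle="Fake AV Phone Scam", include_disabled=False):
    """sids of rules whose msg contains needle; disabled rules are skipped unless asked for."""
    return [r["sid"] for r in parse_rules(text)
            if needle in r["msg"] and (include_disabled or r["enabled"])]


if __name__ == "__main__":
    print("enabled:", sids(SAMPLE_RULES))
    print("all:", sids(SAMPLE_RULES, include_disabled=True))
```

On the constructed sample, a plain grep for the msg text would list all three phone-scam sids, while only two are actually loaded by the sensor; checking the enabled flag before assuming coverage avoids that gap.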

I recorded a small video of the web page.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be
