A few days ago, I found a malicious website that tries to lure visitors by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages in their browser. This is not a brand new attack, but it is still in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue, and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:
The URL also contains many parameters which, I presume, help the attacker identify the victim and adapt the social engineering scenario to the browser, location, etc. Here is an example of such a URL:

hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=<redacted>&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794__var1..2821__rd..astoob\.\org__aid..__sid..&source=2821&clickid=
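To see exactly what the landing page learns about its visitor, here is a small dissector for that URL. This is an added example, not code from the diary: it splits the ordinary query parameters (campaign, os, isp, state, city, browser, ...) from the "voluumdata" blob, whose fields are joined with "__" and use ".." between key and value. Both separators are read off the URL as printed; what the individual keys (vid, vpid, caid, ...) mean is not stated in the diary, so they are only labelled by name here. Two cross-checks that do hold for the quoted URL are also computed: the campaign id is repeated as the voluumdata "caid", and "source" is repeated as "var1".

```python
"""Dissect the tracking parameters of a fake-BSOD landing URL (added example)."""
from urllib.parse import parse_qs, urlsplit

# The URL exactly as quoted in the diary (scheme defanged to hxxp, IP redacted).
SAMPLE_URL = (
    "hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643"
    "&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami"
    "&ip=<redacted>&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020"
    "&voluumdata=vid..00000000-54a7-440a-8000-000000000000"
    "__vpid..7d250800-6905-11e5-8dee-e0e7be81898c"
    "__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H"
    "__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b"
    "__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc"
    "__oid2..13034530-ab85-4189-adbf-aea214fb4794"
    "__var1..2821__rd..astoob\\.\\org__aid..__sid.."
    "&source=2821&clickid="
)

# Parameters that describe the victim rather than the campaign plumbing.
VICTIM_KEYS = ("os", "isp", "state", "city", "ip", "browser", "browserversion")


def parse_voluumdata(blob: str) -> dict:
    """Split 'k1..v1__k2..v2__k3..' into a dict; a trailing '..' means an empty value."""
    fields = {}
    for part in blob.split("__"):
        if not part:
            continue
        key, sep, value = part.partition("..")
        fields[key] = value if sep else ""
    return fields


def dissect(url: str) -> dict:
    """Return host, path, flattened query parameters and the decoded voluumdata."""
    parts = urlsplit(url)
    # keep_blank_values so that 'domain=' and 'clickid=' survive as empty strings
    raw = parse_qs(parts.query, keep_blank_values=True)
    params = {k: v[0] for k, v in raw.items()}
    return {
        "host": parts.hostname,
        "path": parts.path,
        "params": params,
        "voluumdata": parse_voluumdata(params.get("voluumdata", "")),
    }


def victim_profile(parsed: dict) -> dict:
    """The fields an operator could use to tailor the script to the victim."""
    return {k: parsed["params"].get(k, "") for k in VICTIM_KEYS}


def consistency_checks(parsed: dict) -> dict:
    """Cross-check the outer parameters against the tracking blob."""
    p, v = parsed["params"], parsed["voluumdata"]
    return {
        "campaign_matches_caid": p.get("campaign") == v.get("caid"),
        "source_matches_var1": p.get("source") == v.get("var1"),
    }


if __name__ == "__main__":
    info = dissect(SAMPLE_URL)
    print("host:", info["host"], "path:", info["path"])
    for k, val in victim_profile(info).items():
        print(f"  {k:15} {val}")
    for k, val in info["voluumdata"].items():
        print(f"  voluum.{k:8} {val!r}")
    print(consistency_checks(info))
```

Run it as-is to get the victim profile (OS, ISP, state, city, browser and version) the page receives before it renders anything; feeding it other URLs from the same campaign shows which fields vary per visitor and which stay constant.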
The domain was registered in July 2015 (see the whois details) and the index page calls an index.js file with obfuscated JavaScript. Here is the decoded content:

<table width="904" height="645" border="0" align="center" cellpadding="2" cellspacing="2">
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6"> </p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>

Note the link to the MP3 file, which can be played as-is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized; in my case, I received different numbers:
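The decoded page has several traits that are easy to turn into a content check for proxies or sandbox output: a Windows stop code plus a bugcheck name, the "microsoft-certified technicians" and "Toll Free" wording, a phone number written in by document.write(var_number), an autoplaying, looping audio element, and a 1x1-pixel hidden link. The scanner below is an added example, not code from the diary. The two sample pages are constructed for it: the phone number 1-800-555-0100 is a fictional placeholder, the click link points at a reserved .invalid name, and the `var var_number = "..."` assignment is an assumption about how the page defines that variable (the diary only shows the document.write call).

```python
"""Score an HTML page for fake-BSOD tech-support-scam indicators (added example)."""
import re

# Each indicator is one trait of the decoded page; order is kept for readable reports.
INDICATORS = {
    "stop_code": re.compile(r"\b0x0000[0-9A-Fa-f]{4}\b"),
    "bugcheck_name": re.compile(r"\b[A-Z]+(?:_[A-Z]+){2,}\b"),  # e.g. DRIVER_UNLOADED_WITHOUT_...
    "certified_technicians": re.compile(r"microsoft-certified technician", re.I),
    "toll_free": re.compile(r"toll\s*free", re.I),
    "scripted_phone": re.compile(r"document\.write\(\s*var_number\s*\)"),
    "autoplay_audio": re.compile(r"<audio[^>]*\bautoplay\b[^>]*>", re.I),
    "hidden_link": re.compile(r'<a[^>]*style="[^"]*height:\s*1px;\s*width:\s*1px', re.I),
}
VERDICT_THRESHOLD = 4  # hits needed before the page is called a fake BSOD

# Assumed form of the variable definition:  var var_number = "1-800-...";
PHONE_ASSIGN = re.compile(r"""var_number\s*=\s*["']([^"']+)["']""")

# Constructed sample: a trimmed copy of the decoded page with a placeholder number.
FAKE_BSOD_PAGE = """<script>var var_number = "1-800-555-0100";</script>
<table><tr><td bgcolor="#000093">
<p>0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p>WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p>PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p>Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
</td></tr></table>
<audio autoplay="autoplay" loop><source src="gp-msg.mp3" type="audio/mpeg"></audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://example.invalid/click/2">.</a></div>
"""

# Constructed benign page: mentions a toll-free number and embeds audio, but nothing else.
BENIGN_PAGE = """<html><body><h1>Order confirmation</h1>
<p>Thanks for your purchase. Call us toll free at 1-800-555-0199 with questions.</p>
<audio controls><source src="thanks.mp3" type="audio/mpeg"></audio>
</body></html>
"""


def scan_page(html: str) -> dict:
    """Return the indicators that fired, a score, the scripted phone number and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    m = PHONE_ASSIGN.search(html)
    return {
        "indicators": hits,
        "score": len(hits),
        "phone": m.group(1) if m else None,
        "fake_bsod": len(hits) >= VERDICT_THRESHOLD,
    }


if __name__ == "__main__":
    for label, page in (("fake", FAKE_BSOD_PAGE), ("benign", BENIGN_PAGE)):
        result = scan_page(page)
        print(f"{label}: score={result['score']} fake_bsod={result['fake_bsod']} "
              f"phone={result['phone']} hits={result['indicators']}")
```

The threshold matters: a single "toll free" or a stop code quoted on a support forum is normal, so the verdict only fires when several traits line up. The extracted phone number is the most useful pivot for hunting, since it is the one thing the scammers cannot change without breaking their call flow.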
It was too tempting not to call them. I picked the first one and reached a call center broadcasting professional messages ("your call may be monitored and recorded", "your call is very important to us"). After waiting a few minutes, I spoke to a human (without an Indian accent!) who presented himself as working for a premium technical support service for computers. I explained my problem ("it seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number, but it has already been reported as malicious by other people. This is not a brand new attack, but it can scare non-technical people. I also found that, since June 2015, Emerging Threats has provided rules to detect this in their open rule set:

# grep "Fake AV Phone Scam" emerging-current_events.rules |awk 'match($0, /sid:[0-9]+/) { print substr($0, RSTART, RLENGTH)}'
sid:2021177 sid:2021181 sid:2021182 sid:2021183 sid:2021206 sid:2021207 sid:2021256 sid:2021255 sid:2021258 sid:2021285 sid:2021286 sid:2021287 sid:2021288 sid:2021294 sid:2021295 sid:2021357 sid:2021358 sid:2021359 sid:2021365 sid:2021366 sid:2021367 sid:2021368 sid:2021447 sid:2021448 sid:2021449 sid:2021500 sid:2021522 sid:2021811

I recorded a small video of the web page.

Xavier Mertens (Xme), ISC Handler, Oct 14th 2015
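The grep | awk one-liner above only prints sids, and it will also list rules that the rule set ships commented out ("#alert ..."), which Emerging Threats uses for disabled signatures. The parser below is an added example, not the diary's code: it reports sid, rev, msg and whether the rule is enabled for every rule whose msg contains a keyword. The rule lines are constructed in Suricata/Snort syntax for this example; their sids (local 9000xxx range) and messages are placeholders and not the actual Emerging Threats signatures listed above.

```python
"""List sid/rev/msg/enabled for rules whose msg matches a keyword (added example)."""
import re
from typing import Optional

# A rule is optionally commented out, then 'alert <proto> <header> (<options>)'.
RULE_RX = re.compile(r"^(?P<disabled>#\s*)?alert\s+(?P<proto>\S+)\s+.*?\((?P<opts>.*)\)\s*$")
# Options are 'key:value;' or 'key:"quoted value";' (flag-only options like http_uri; are skipped).
OPT_RX = re.compile(r"""(?P<key>\w+)\s*:\s*(?:"(?P<q>[^"]*)"|(?P<v>[^;]*))\s*;""")

# Constructed sample rule set: placeholder sids and msgs, not the real ET rules.
SAMPLE_RULES = """\
# constructed sample, not the ET rule set
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Fake AV Phone Scam Landing Page Oct 2015"; flow:established,to_server; content:"/blut924/"; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE Fake AV Phone Scam BSOD Audio"; flow:established,to_client; content:"gp-msg.mp3"; classtype:trojan-activity; sid:9000002; rev:2;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE Fake AV Phone Scam Old Domain"; flow:established,to_client; content:"old.example"; http_header; classtype:trojan-activity; sid:9000003; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SAMPLE Unrelated Outbound SMTP"; flow:established,to_server; classtype:policy-violation; sid:9000004; rev:1;)
"""


def parse_rule(line: str) -> Optional[dict]:
    """Parse one rule line; return None for blank lines and ordinary comments."""
    m = RULE_RX.match(line.strip())
    if not m:
        return None
    opts = {}
    for o in OPT_RX.finditer(m.group("opts")):
        val = o.group("q") if o.group("q") is not None else o.group("v").strip()
        opts.setdefault(o.group("key"), val)  # keep the first value (e.g. the first content:)
    return {
        "enabled": m.group("disabled") is None,
        "proto": m.group("proto"),
        "msg": opts.get("msg", ""),
        "sid": int(opts["sid"]) if "sid" in opts else None,
        "rev": int(opts["rev"]) if "rev" in opts else None,
    }


def find_rules(rules_text: str, keyword: str) -> list:
    """All rules (enabled or not) whose msg contains keyword, case-insensitively."""
    found = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and keyword.lower() in rule["msg"].lower():
            found.append(rule)
    return found


def sids(rules_text: str, keyword: str, include_disabled: bool = False) -> list:
    """The sid list the one-liner prints, minus disabled rules unless asked for."""
    return [r["sid"] for r in find_rules(rules_text, keyword) if include_disabled or r["enabled"]]


if __name__ == "__main__":
    for r in find_rules(SAMPLE_RULES, "Fake AV Phone Scam"):
        state = "enabled " if r["enabled"] else "DISABLED"
        print(f"{state} sid:{r['sid']} rev:{r['rev']} {r['msg']}")
    print("enabled sids:", sids(SAMPLE_RULES, "Fake AV Phone Scam"))
```

Point it at a real emerging-current_events.rules file by reading the file into `rules_text`; the enabled/disabled split tells you which of the sids the one-liner lists are actually loaded by your sensor.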
Perhaps it would have been more effective when trying to solicit the call-taker for help to say - rather than "I have a virus" - that you received a BSOD that told you to call this number. The call takers may have been instructed that they should only be handling calls specifically from this BSOD scam campaign; calls from old campaigns or that don't describe this fake issue may no longer be interesting to them or may be indicative to the scammers that someone who isn't just a common end user is probing their scam.
Anonymous, Oct 14th 2015
Maybe, but the audio message says explicitly that the computer is infected... I'll try to call the 2nd one tonight (I'm in the GMT+1 timezone).
Xme, ISC Handler, Oct 14th 2015
I experienced something similar. A user accidentally typed www.citibak.com and it redirected them to a webpage which acted like the Windows Blue Screen of Death with a BSOD driver error. The webpage even tried scaring the user with a fake Windows Defender notification. The pop-up asked the user to call Customer Service (1-877-452-9201).
Ender, Oct 14th 2015
I just called the second number ((888) 725 1202). After a welcome message and a few seconds, I was redirected to a call center where the guy was clearly an Indian guy. And the scenario started as usual. Here are some questions he asked me:
- My computer's age
- The OS
- A number to call me back (just in case)
- My name (I'm always John Doe in such cases)
- If I was authorized to install software on my computer
I did not have a VM ready so I hung up, but the scenario looks classic: download a RAT, connect to the computer, etc...
Xme, ISC Handler, Oct 14th 2015