
Windows support scam uses evil cursor attack to hijack Google Chrome sessions

Partnerstroka uses an "evil cursor" attack to hijack the mouse of Google Chrome browser users.

A tech support scam is using a novel technique to hijack the browsing sessions of Google Chrome users.

Tech support scams -- Microsoft Windows being one of the main brands abused in this manner -- and general phishing operations often use what is known as malvertising to secure potential victims.

This can include search engine poisoning and malicious ads, the deployment of adware and spyware payloads, or forced browser redirection.

Browser locking is one such technique that support scams also employ. It redirects users to "browlock" pages that try to force them to watch videos for the purpose of ad fraud, flood their browsers with pop-ups until the system freezes or crashes, or prevent them from clicking away from a warning that their PC is "infected."

In the latter case, the warning often provides a number for "tech support" to resolve the issue, in which fraudsters may attempt to sell "antivirus" software or gain remote access to a user's PC.

One particular tech support scam, dubbed Partnerstroka, has been tracked by antivirus solutions provider Malwarebytes and has now introduced a novel way to hijack browsing sessions.

On Thursday, researchers revealed the details of the attack technique, dubbed "evil cursor." The campaign redirects users to fake pages which contain the new browlock technique, specifically created to work against the latest Google Chrome build, version 69.0.3497.81.


Victims find themselves redirected to the malicious domains through various ad networks which have permitted malicious adverts and links to slip through the net. In total, over 16,000 malicious domains have been connected to this campaign.



The browser locker itself is, in many ways, typical of such scams and uses JavaScript functions to lock the browser in place. It is one small slice of code, however, that makes this scam unusual.


The fraudsters prevent visitors from leaving the page by hijacking the user's mouse. The user may believe they are clicking buttons to exit, but as the mouse has been hijacked, they are actually clicking elsewhere.


The technique, which has been reported via the Chromium bug tracker, relies on a few lines of page code that set a custom mouse cursor from an embedded, base64-encoded low-resolution image.

That image is a 128x128, mostly transparent block of pixels, which turns the mouse pointer into a "large box," according to the researchers: the arrow the user sees and the point at which the browser actually registers the click no longer line up, so users believe they are clicking in one particular spot, such as a button to leave the page, when in fact they are not able to.

Jerome Segura, a researcher at Malwarebytes, told ZDNet that Partnerstroka is one of, if not the "most prolific campaign we are seeing in terms of global reach via multiple delivery chains."

While it is not known how many users are impacted, there is "constant activity," according to the researcher, which may suggest current, active campaigns.

"We have also found that this new browser locker technique had already been shared with other groups, and is part of the scammers' toolkit," Malwarebytes said. "While they can choose from a number of different tricks to match with their victims' browsers, this latest one is still unpatched as we speak."

"This is one example of many such tricks that can be used against modern browsers," Malwarebytes said. "Often, more-or-less documented features turn into attack vectors used to further fool end users and cause them to dial up the scammers for assistance. Indeed, the sound of an alert and a browser that appears to be completely locked up triggers panic for many people. These are essentially the same scare tactics that have been used for ages and still work very well."

ZDNet has reached out to Google and will update if we hear back.
