Google Chrome Security News: Users Warned of Scammers Disguised as Tech Support Agents
A recently observed internet scam, aimed mostly at Google Chrome users, combines browser exploits with attackers posing as technical support agents.
Some Chrome users may have seen their browsers suddenly freeze, followed by a warning screen instructing them to call a certain number to fix the so-called threat. These are all part of a recently reported scamming method that can lead victims to give sensitive information to the fake technical support agents.
According to Malwarebytes lead malware intelligence analyst Jérôme Segura, they began noticing this type of activity in the "past quarter" and "noted an increase in fake browser alerts pushing tech support scams."
The researcher explained that the scam was mostly being spread through malicious advertising, but they have also seen evidence of attackers carrying it out through an authentic website that had been covertly hacked.
Attackers were found using the Blob API window.navigator.msSaveOrOpenBlob, which is legitimately used to prompt a file download from a website. However, the API is being abused to trigger multiple downloads at a non-stop pace, which then freezes the browser "within a few seconds."
In the screenshot animation shown in Malwarebytes' report, the close buttons on the affected browser did not seem to be working. The victim was then shown a frantic warning that their credit card details, locally saved photos, and ISP account "is being stolen."
The attackers included a seemingly toll-free number, presented as a Microsoft customer care hotline, to trick the panicking victim into calling the bogus technical support agent.
According to Ars Technica, calling the fake number gives the attackers more chances to steal the victim's credit card number in exchange for fixing the browser issue.
Malwarebytes said scam activities of the same nature have also been observed on Firefox and Brave. However, the company explained: "The primary targets for this particular browser freeze are Google Chrome users on Windows. ... Considering that Chrome has the most market share in the browser category, this is yet another example of the desire for threat actors to deploy new social engineering schemes."
Meanwhile, Segura further explained to Ars Technica: "I tried to 'artificially' replay it with Edge and Internet Explorer by simulating the Chrome user-agent but I was able to normally close the browser."
The code used in the scam also commonly contains "ch," which Segura believed was an indication that the attackers primarily targeted Google Chrome from the start.
Meanwhile, since the scam is mostly spread through malvertising, users can improve their chances of avoiding it by using ad blockers. If they do accidentally open a compromised website that triggers the freeze, they are advised to simply use the Windows Task Manager to force the affected browser to stop running.
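
The freeze described above depends on download calls arriving in an unthrottled burst. As an added example (not code from Malwarebytes or from any browser), the sketch below wraps the API named in the report in a sliding-window rate limit; the function name guardDownloadApi, the thresholds and the stand-in navigator object are assumptions made for illustration.

```javascript
// Added example: sliding-window guard for a download-triggering API.
// guardDownloadApi, the thresholds and the fake navigator are hypothetical.
function guardDownloadApi(target, name, opts = {}) {
  const max = opts.max ?? 3;               // calls allowed per window (assumed value)
  const windowMs = opts.windowMs ?? 1000;  // window length in ms (assumed value)
  const now = opts.now ?? Date.now;        // injectable clock so the demo is deterministic
  const original = target[name];
  if (typeof original !== 'function') return null; // API absent: nothing to guard
  const stamps = [];                       // timestamps of recently allowed calls
  const stats = { allowed: 0, blocked: 0 };
  target[name] = function (...args) {
    const t = now();
    // Forget calls that have aged out of the window.
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
    if (stamps.length >= max) {
      stats.blocked++;
      return false;                        // drop the call instead of starting a download
    }
    stamps.push(t);
    stats.allowed++;
    return original.apply(this, args);
  };
  return stats;
}

// Constructed demo: a stand-in navigator whose method only counts invocations.
function runDemo() {
  let clock = 0;
  let saved = 0;
  const fakeNavigator = { msSaveOrOpenBlob: () => { saved++; return true; } };
  const stats = guardDownloadApi(fakeNavigator, 'msSaveOrOpenBlob',
    { max: 3, windowMs: 1000, now: () => clock });
  // Burst: 500 calls in the same millisecond, the pattern the report describes.
  for (let i = 0; i < 500; i++) fakeNavigator.msSaveOrOpenBlob({}, 'file' + i);
  const afterBurst = { ...stats, saved };
  // A later, isolated call (for example a user-initiated download) still goes through.
  clock = 5000;
  const laterResult = fakeNavigator.msSaveOrOpenBlob({}, 'report.pdf');
  return { afterBurst, laterResult, final: { ...stats, saved } };
}
```

With the assumed limit of three calls per second, the burst reaches the underlying API only three times, while a single call made after the window has passed is unaffected.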