Browser lockers: extortion disguised as a fine

[harlan4096]

Browser lockers (aka browlocks) are a class of online threats that prevent the victim from using the browser and demand a ransom. A locker is a fake page that dupes the user, under a fictitious pretext (loss of data, legal liability, etc.), into making a call or a money transfer, or giving out payment details. The “locking” consists of preventing the user from leaving the current tab, which displays intimidating messages, often with sound and visual effects.

This type of fraud is not new and has long been on the radar of researchers. The past decade has seen numerous browser locking campaigns targeting users worldwide. Despite its mature age, the threat has lost none of its popularity; on the contrary, the number of tricks used by scammers is only growing.

They include imitating the “blue screen of death” (BSOD) in the browser, false warnings about system errors or detected viruses, threats to encrypt files, legal liability notices, and many others. In this post, we examine two families of lockers that mimic government websites.

Propagation methods

Both families spread mainly via advertising networks, primarily aimed at selling “adult” content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups) or after clicking anywhere on the page (click-unders). Presumably cybercriminals pay for ads to show browser lockers in pop-ups.

Family #1. Fake websites of the Russian Ministry of Internal Affairs: “Give us your money”

Members of the first family under consideration mimic the website of the Russian Ministry of Internal Affairs (MVD), and are thus aimed at users from Russia. In Q4 2020, more than 55,000 users encountered them.

What the victim sees (and hears)

On landing on a fake browlock site, the user typically sees a warning, supposedly from the browser, saying that if they leave the page some changes might not be saved.

If the user simply closes the tab, nothing happens; but if they click anywhere on the page, the main content of the locker expands to full screen. As a result, an imitation of a computer screen with an open browser appears in front of the user: at the bottom is a taskbar with the Google Chrome icon, and at the top is an address bar displaying the real URL of the MVD. The notification on the page states that the device has been locked due to a violation of the law. Under the pretext of a fine, the victim is instructed to transfer a certain amount to a mobile account, ranging in size from 3,000 to 10,000 rubles (US$40–130). In case of refusal, the ransomwarers threaten file encryption, as well as criminal liability under Article 242 of the Russian Criminal Code. The page is accompanied by an audio recording with threats and a demand to pay the fine.

Technical details

The scammers use full-screen mode to make it difficult for the user to access the browser window controls and taskbar, and to create a locking effect. In addition, to convince the victim that the mouse is unresponsive, the attackers hide the cursor by manipulating the CSS property cursor.
...

Continue Reading