Cybercriminals are professional scammers; their specialty is tricking users into helping them achieve their malicious goals. Attackers use many different tactics, including spam, phishing emails, and fake ads. In each case, the unsuspecting user plays an active role in his own victimization when he clicks a link or opens an attachment. Recently, an unconventional campaign emerged in the wild which exploits its victims via live phone interaction.

The campaign targets users who make a typo when entering a URL,   wwwcnbc[.]com instead of www[.]cnbc[.]com, for example) or click what turns out to be a malicious link. The users are redirected to a malicious site containing a JavaScript that activates a popup warning message. This “warning” states that the user’s system has been infected with a virus and that the user must call 1-855 # (toll free) to get rid of it. To make the ploy more believable, the malicious server’s back-end extracts the victim’s ISP and includes it in the popup message.

After encountering such an incident, the Check Point Incident Response Team investigated further:
When the user calls the number, it is answered by a “tech support” employee asking what the problem is. After the user explains the situation, “tech support” offers to help, and asks the user to approve a remote desktop connection to his system to install diagnostic tools.

The “diagnostic tool” is actually a Wire Transfer Fraud malware that allows the attacker to steal the user’s banking credentials.

This is the redirection flow which leads the user from the initial link he entered or clicked to the malicious URL:

SG1

Figure 1: Redirection flow and fake message

 

As we can see in the diagram above, the redirection is executed by a Volummtrk URL. VOLUMMTRK is a legitimate tracking and analytics campaign manager and control panel run by voluum.com.
Apparently, the attackers use this platform to keep track of their redirections and viewing statistics, such as number of clicks and visits. Using a legitimate link also reduces the chances their links will be flagged as suspicious, allowing them to bypass security measures.

We identified two types of scripts used by these schemes:

The first type is simple, and is encoded in Base64 with an “alert()” function that creates the popup on the user’s browser (Chrome can disable window.alert  that removes the popup):
SG2

Figure 2: Encoded Script

 

 

SG3

The second is more evasive, and manages to overcome Chrome’s blocking option. It reloads the page on a new window with every curser movement, detecting which browser the victim uses and reacting accordingly:

 

SH4

Figure 4: Evasive Script – Initial settings
SG5

Figure 5: Evasive Script – BaseString, URL Builder and Alert function

 

 

SG6

Figure 6: Evasive Script – Browser Detector, Mouse Tracker and Base64 Decoder

 

How can you protect yourself?
Users should never trust any so-called “technical support” from unknown sources, and definitely should not allow remote access to their computer. The first step in fighting scammers is awareness of their existence and tactics.

Check Point IPS Blade detects and blocks this threat. (“Suspicious Link Redirection JavaScript Phishing Attempt” – CPAI-2016-0382)

 

Appendix 1: IOCs
crash-key-qs2[.]co
failure-code-ax7[.]co
error-message-trsfr[.]info
virus–breach–virus[.]com
virus-virus-virus-virus[.]com
virus–concern[.]com
virus-x1zc[.]co
virus-code2[.]co
virus–alert–warning[.]com
virus-issues[.]com
pc-alarm-virus[.]com

7hrpx[.]voluumtrk[.]com/0b815580-3f5a-41fa-98df-9932e7a4a724
7hrpx[.]voluumtrk[.]com/4a1efb3f-dab9-4351-84a5-b053f55c7e15
6lk4y[.]voluumtrk[.]com/41289e7d-0d0f-4560-b462-0494e65685e9
6lk4y[.]voluumtrk[.]com/856896e0-7744-4cdb-ba84-d7131b2eeed7
6lk4y[.]voluumtrk[.]com/a182f502-6b4a-453c-a2f9-adacef5fdf40