Cybercriminals are professional scammers: their specialty is tricking users into helping them achieve their malicious goals. Attackers use many different tactics, including spam, phishing emails, and fake ads. In each case, the unsuspecting user plays an active role in their own victimization when they click a link or open an attachment. Recently, an unconventional campaign emerged in the wild which exploits its victims via live phone interaction.
After encountering such an incident, the Check Point Incident Response Team investigated further:
When the user calls the number, it is answered by a “tech support” employee asking what the problem is. After the user explains the situation, “tech support” offers to help, and asks the user to approve a remote desktop connection to his system to install diagnostic tools.
The “diagnostic tool” is actually a Wire Transfer Fraud malware that allows the attacker to steal the user’s banking credentials.
This is the redirection flow which leads the user from the initial link he entered or clicked to the malicious URL:
Figure 1: Redirection flow and fake message
As we can see in the diagram above, the redirection is executed through a Volummtrk URL. Volummtrk is a legitimate tracking and analytics campaign manager and control panel run by voluum.com.
Apparently, the attackers use this platform to keep track of their redirections and viewing statistics, such as number of clicks and visits. Using a legitimate link also reduces the chances their links will be flagged as suspicious, allowing them to bypass security measures.
We identified two types of scripts used by these schemes:
The first type is simple: it is encoded in Base64 and uses an “alert()” call to create the popup in the user’s browser. Chrome lets the user suppress further window.alert dialogs from the page, which removes the popup:
Figure 2: Encoded Script
The second is more evasive, and manages to overcome Chrome’s blocking option. It reloads the page in a new window on every cursor movement, detecting which browser the victim uses and reacting accordingly:
Figure 4: Evasive Script – Initial settings
Figure 5: Evasive Script – BaseString, URL Builder and Alert function
Figure 6: Evasive Script – Browser Detector, Mouse Tracker and Base64 Decoder
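Both script types described above (the Base64-encoded alert() popup and the evasive script with browser detection, a mouse tracker and a Base64 decoder) can be triaged statically from a saved copy of the landing page. The following Python helper is an added example written for this post; it is not Check Point's tooling and not the attackers' script. It extracts inline scripts, decodes any long Base64 runs they contain, and flags the behaviours the post names. The HTML page it scans (SAMPLE_HTML) and the two toy scripts inside it are constructed for the example; the indicator patterns are assumptions chosen to match the behaviours described, not signatures from the campaign.

```python
"""Static triage of a saved HTML page for the two popup-script patterns
described in the post. Added example, not the original page's code."""
import base64
import binascii
import re

# Behaviours the post describes, expressed as regexes over (decoded) script text.
# These are illustrative assumptions, not signatures taken from the campaign.
INDICATORS = {
    "alert_popup": re.compile(r"\balert\s*\("),
    "mouse_tracker": re.compile(r"\bmousemove\b|onmousemove"),
    "new_window": re.compile(r"window\.open\s*\(|location\.(?:href|replace)"),
    "browser_detector": re.compile(r"navigator\.userAgent|navigator\.appName"),
    "base64_decoder": re.compile(r"\batob\s*\(|fromCharCode"),
}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# A run of 40+ Base64 characters with optional padding; short tokens are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_b64_blobs(text):
    """Return the decoded UTF-8 text of every long Base64 run found in text.
    Runs that are not valid Base64 or not valid UTF-8 are skipped."""
    decoded_layers = []
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        decoded_layers.append(decoded)
    return decoded_layers


def scan_html(html):
    """Return one finding per inline <script>: its index, whether a Base64
    layer was decoded, and the sorted list of indicator names that matched
    either the raw script or any decoded layer."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        raw = match.group(1)
        layers = [raw] + decode_b64_blobs(raw)
        hits = sorted(
            name for name, pattern in INDICATORS.items()
            if any(pattern.search(layer) for layer in layers)
        )
        findings.append({"script": index, "encoded": len(layers) > 1, "indicators": hits})
    return findings


# Constructed sample page: a Base64-encoded alert() script (type one), a toy
# script with user-agent sniffing and a mouse-movement handler (type two),
# and a benign script that should produce no indicators.
SIMPLE_SCRIPT = 'alert("Your computer is infected. Call support.");'
SIMPLE_B64 = base64.b64encode(SIMPLE_SCRIPT.encode()).decode()
EVASIVE_SCRIPT = (
    "var ua = navigator.userAgent; "
    "document.onmousemove = function(){ window.open(atob(payload)); };"
)
SAMPLE_HTML = (
    "<html><body>"
    "<script>eval(atob('" + SIMPLE_B64 + "'))</script>"
    "<script>" + EVASIVE_SCRIPT + "</script>"
    "<script>console.log('benign analytics');</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run it against a page saved with the browser's "save as" or fetched with a non-browser client; scripts with several indicators (especially mouse_tracker together with new_window) are the ones worth opening in a sandboxed browser. The Base64 heuristic is deliberately loose, so expect occasional false positives on long tokens such as embedded images; the UTF-8 decode step discards most of them.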
How can you protect yourself?
Users should never trust any so-called “technical support” from unknown sources, and definitely should not allow remote access to their computer. The first step in fighting scammers is awareness of their existence and tactics.
Appendix 1: IOCs