Fake web alerts – how to spot and stop them

By Sean Gallagher

Internet scammers are always looking for a better way to separate unwitting device users from their money. And as with all other endeavors, they’ve learned that it pays to advertise.

At SophosLabs, we recently researched a collection of scams that exploit web advertising networks to pop up fake system alerts on both computers and mobile devices. The goal: to frighten people into paying for a solution—to a problem they don’t even have.

It’s not exactly a new trick. “Scareware” pop-ups have been used for years to prompt people into downloading fake virus protection and other malicious software, including ransomware. But the latest variations find other ways to cash in on fake alerts: using them as the entry point to technical support scams or prompting their victims to purchase fraudulent apps or “fleeceware” off a mobile app store.

Browser developers have done a lot to limit the damage that can be done by malicious pop-up sites, including recent fixes by Mozilla that attempt to limit the ability of malicious web pages to slow down and lock up the Firefox web browser. But even if the scammers don’t lock up your web browser, they can make it appear that something has gone terribly wrong—and that you need to do something immediately about it.

That’s where the potential damage begins, with victims allowing the fraudsters to gain access to their device, and to install and extract payment for totally unneeded (and potentially harmful) software. These scams reap tens of millions of dollars from their victims each year. A whole industry has sprung up around fake alert scams, including scam kit toolkit developers and commercial platforms for managing malicious advertising campaigns.

That industry is diversifying its customer base as well. We’ve recently spotted fake alert campaigns targeting Japanese, German, and French-speaking Windows and macOS users, and have observed efforts by tech support scammers to find people who speak those languages to participate in their scams.

What to do?

Fortunately, these scams are usually pretty easy to spot if examined critically. Like phishing messages, they often contain messages with strange phrasing, capitalization, and grammar or spelling mistakes.

Sometimes they include a countdown, in order to make you more nervous—after which they suggest your phone or computer will be damaged.

And some technical support scams will play computer-generated voice messages urging you to take action. But all of these scams have one very specific thing in common—they go away when you close your browser.

While mobile fake alerts and similar pages on desktop browsers can be easily closed, “browser lock” support scam pages often use scripts that make it difficult or impossible to close the web browser normally or navigate away from the page, including:

• Forcing the browser window to full screen size.
• Hiding or camouflaging the mouse cursor.
• Launching never-ending file downloads.
• Popping up log-in boxes that request a username and password.
• Attempting to capture keystrokes to prevent navigation away from the page with keyboard shortcuts.

Using Task Manager (on Windows) or Force Quit (on macOS) may be the only way to escape some of these pages, short of a reboot—that and not allowing the browser to restore pages from the last session when re-launching.

However, the best way to prevent most of these attacks is to cut off the ad networks that they rely on.

Privacy tools such as the Electronic Frontier Foundation’s Privacy Badger browser add-on block trackers used by less reputable ad networks.  Reputation-tracking services can help as well, blocking domains known to host or deliver malicious ads.

As with phishing, education is also key. If you’re on your guard for these scams you’re less likely to fall for them.

(The writer is a Senior Threat Researcher at Sophos)