Con artists pushing tech-support scams have an arsenal of ways to lock up the browsers of potential marks. On Tuesday, a researcher disclosed a new weapon that freezes Google Chrome, which, by most measures, is the Internet’s most widely used browser.
The point of all the techniques is to render a browser unusable immediately after it displays a fake error message reporting some sort of security breach. Given the appearance of a serious crash that can’t be fixed simply by exiting the site, end users are more likely to be worked into a panic and call the phone number included in the warning. Once called, the scammers—posing as representatives from Microsoft or another legitimate company—stand a better chance of tricking the caller into providing a credit card number in return for tech support to fix the non-existent security problem. The scams are often transmitted through malicious advertisements or legitimate sites that have been hacked.
A new technique reported by security provider Malwarebytes works against Chrome by abusing the programming interface known as window.navigator.msSaveOrOpenBlob. By combining the API with other functions, the scammers force the browser to save a file to disk, over and over, at intervals so fast it’s impossible to see what’s happening. Within five to 10 seconds, the browser becomes completely unresponsive. Users are left viewing a page that looks like the left side of this image:
As the right side of the image shows, the CPU resources of Windows machines are exhausted, a condition that’s sure to contribute to the worry that something with the computer isn’t right.
To recover, people on Windows machines generally use the Windows Task Manager to terminate the browser processes. After a period of inactivity, macOS will show Chrome users a system message reporting that the open browser tab has become unresponsive and give users the option to close it. This is generally a more attractive option than the one available to Windows users, because it involves closing only the abusive page. Manually shutting down the entire browser risks losing any unsaved work contained in any open windows. (Malwarebytes researchers didn’t immediately test the technique on a version of Chrome for Linux.)
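The repeated saves described above arrive far faster than any person saves files, which is what a defensive throttle can key on. The following is an added example, not code from Malwarebytes, Chrome, or the original article: a sliding-window guard around a file-save entry point, where `createSaveGuard`, `replay`, the thresholds, and the counting stub that stands in for the save call are all hypothetical.

```javascript
// Added example: sliding-window guard around a file-save entry point.
// createSaveGuard, maxCalls, windowMs and the injected clock are hypothetical.
function createSaveGuard(saveFn, { maxCalls = 3, windowMs = 1000, now = Date.now } = {}) {
  const recent = []; // timestamps of calls that were allowed through
  const stats = { allowed: 0, blocked: 0, tripped: false };

  function guarded(...args) {
    const t = now();
    // Drop timestamps that have fallen out of the window.
    while (recent.length && t - recent[0] >= windowMs) recent.shift();
    // Once tripped, stay tripped: a page that burst once is not trusted again.
    if (stats.tripped || recent.length >= maxCalls) {
      stats.tripped = true;
      stats.blocked += 1;
      return false;
    }
    recent.push(t);
    stats.allowed += 1;
    saveFn.apply(this, args);
    return true;
  }
  guarded.stats = stats;
  return guarded;
}

// Replay save calls at the given millisecond timestamps against a stub
// that only counts writes (constructed input; no file is saved).
function replay(timestamps, options = {}) {
  let clock = 0;
  let writes = 0;
  const guard = createSaveGuard(() => { writes += 1; }, { ...options, now: () => clock });
  for (const t of timestamps) {
    clock = t;
    guard("constructed.bin");
  }
  return { writes, ...guard.stats };
}

// A user saving three files over ten seconds, versus 5,000 calls 1 ms apart.
const normalUse = replay([0, 4000, 9500]);
const burst = replay(Array.from({ length: 5000 }, (_, i) => i));
console.log(normalUse, burst);
```

The spaced-out saves all pass, while the burst is cut off after its third write and every later call is refused.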
Jérôme Segura, lead malware intelligence analyst at Malwarebytes, said the new technique became more widely adopted after Chrome developers shut down a previous trick that abused a bug in the HTML5 specification. In an e-mail, Segura said he has been unable to get the same technique to work against other browsers.
“As far as I can tell this is Chrome specific (other tricks will be used for Firefox, Internet Explorer or Edge based on the user-agent string),” he wrote. “I tried to ‘artificially’ replay it with Edge and Internet Explorer by simulating the Chrome user-agent but I was able to normally close the browser. Whoever wrote that code also had Google Chrome in mind. You can see in the screenshot where they named the functions: ‘bomb_ch’, ‘ch_jam’, where ‘ch’ stands for Chrome.”
He added that while Chrome for Windows displayed a dialog box saying the browser was unresponsive, it provided no help because the option to close the responsible tab wasn’t visible. The same dialog box displayed by Chrome for macOS didn’t suppress the option. Google representatives said they didn’t immediately have a comment on the new technique.
Segura said that tech support scammers have a variety of techniques to stymie other browsers, including vexingly tricky pop-unders that leave users stuck between alert dialogs that don’t go away easily. Another technique targeting Firefox users abuses authentication pop-up windows to maximize the disruption.
The most important thing to remember when encountering one of these windows is to not panic and to never call the phone numbers displayed in the warnings. When all else fails, the browsers can almost always be unlocked by using the Windows Task Manager (control-alt-delete) or the macOS Force Quit feature (Apple menu).