Browser lockers: extortion disguised as a fine

Browser lockers (aka browlocks) are a class of online threats that prevent the victim from using the browser and demand a ransom. A locker is a fake page that dupes the user, under a fictitious pretext (loss of data, legal liability, etc.), into making a call or a money transfer, or giving out payment details. The “locking” consists of preventing the user from leaving the current tab, which displays intimidating messages, often with sound and visual effects.


This type of fraud is not new and has long been on the radar of researchers. The past decade has seen numerous browser locking campaigns targeting users worldwide. Despite its mature age, the threat has lost none of its popularity; on the contrary, the number of tricks used by scammers is only growing. They include imitating the “blue screen of death” (BSOD) in the browser, false warnings about system errors or detected viruses, threats to encrypt files, legal liability notices, and many others. In this post, we examine two families of lockers that mimic government websites.


Propagation methods


Both families spread mainly via advertising networks, primarily ones aimed at selling “adult” content and movies in an intrusive manner, for example through tabs or windows that open on top of the visited site when a page with an embedded ad module loads (pop-ups) or after a click anywhere on the page (click-unders). Presumably, the cybercriminals pay for ads so that browser lockers are shown in pop-ups.


Family #1. Fake websites of the Russian Ministry of Internal Affairs: “Give us your money”


Members of the first family under consideration mimic the website of the Russian Ministry ..
