Evolution of Scareware Scams

Evolution of Scareware Scams


Error # 3658eebc53c4218
Please call us immediately at: (8**) 77**-528*

Have you ever seen pop-ups on your browser window showing these type of scary warnings? If yes, you are not alone.

These pop-ups vary in terms of messaging. Some of them literally scream (using text to speech) that your computer is infected with a virus.  Others warn you that your confidential information has been compromised. Usually the end game is to either lure users into downloading a fake software or convincing them to make a technical support call to a “call center” operated by scammers.  Scareware scams are usually categorized as Social Engineering Attacks (SEAs) rather than exploits or malware as in most cases you won’t find any exploit and malware within these html pages. Attack mechanism for these pages is just to use natural language and graphical objects to manipulate end users.

The technical support scams are interesting in a sense that these scams offer you a rare opportunity to have an actual conversation with cyber criminals. In a typical case when a victim makes a call, he or she will be greeted by a scammer introducing himself part of Microsoft, Google or Apple technical support team. The scammer would then lure the user into installing some kind of Remote Administration tool like TeamViewer, Joinme, Goto Meeting etc. so that this so called support person can log-on to the victim’s computer remotely for diagnostics. Once logged in, the usual course of action would be to run fake scans and random system commands for diagnostics and eventually asking victims to pay them either through PayPal or Credit Card so that they can fix the issue. It usually ends with scammer making few hundred dollars and a victim who is satisfied that the problem is fixed, at-least until he sees another scareware. We are aware of few cases where victims decided not to pay and scammers as a revenge destroyed their data. Needless to say payment information and machine’s remote administration credentials can be used to commit more frauds.

Most of these scareware pages are very dynamic in nature, these pages can parse operating system info, locale and geo location through HTTP headers and IP address in order to serve a page customized for target’s environment.

Here are a few attacks that we recently detected across our customer base:





Legacy Scareware pages usually did not use any html obfuscation which made them an easy target for signature based defenses. They have come a long way since then. Not only are we seeing that the Urls for these pages are becoming more and more polymorphic but the content is as well.

Base64 based Obfuscation

Here is an example where attackers were using javascript pop-ups encoded in base64:

javascript decoded from base64 responsible for the scareware pop-up is shown below:

Hidden Text Technique

Recently we have started seeing scareware pages that use random hidden text within HTML code in an attempt to fool signature based detection engines.

Interestingly the garbage text is placed within html code in such a way that it will not be visible anywhere on victim’s screen.

See the following example:



In some case these scareware pages will only consist of a big hex blob and a java script function that will decrypt the hex blob at runtime through encryption algorithms like AES.

It is evident that the use of signatures is not an answer for zero-day scareware pages . Dynamic analysis engines like Sandboxes were never designed to catch anything that doesn’t involve an exploit or executable. So what’s the solution? Anti malware industry that was designed around catching exploits and malware need to think beyond legacy technologies. It will take a brand new approach to detecting these scareware pages and Social Engineering Attacks in general.