OT: Loveworm scam

Thought I'd report this incident, in case it's more widespread.

My browser is Firefox and one of the many extensions is called Tab Mix Plus. I haven't visited the TMP Forum for a long time. (Maybe never on this new Win 10 PC which is now 10 months old.) I did so this morning to post a question and I clearly used a bookmark which is now no longer valid: http://tmp.garyr.net/forum. (Haven't tried it again since, so BE CAREFUL.)

It was immediately hacked (redirected), with the following page displayed:

https://dl.dropboxusercontent.com/u/4019461/Hack.jpg

A continuously looped audio track was played:

"Critical alert from Microsoft. Your computer has alerted us that it is infected with a virus and spyware. If you close this page before calling us we will be forced to disable your computer to prevent further damage to our network...."

The page and Firefox were frozen so I exited via Windows 10 Task Manager.

I'm still trying to find what caused it, probably a PUP, downloaded with some other genuine program when I was less careful than usual during the installation procedure.

--
Terry, East Grinstead, UK
 

Regedit32

Moderator
The redirect you are alluding to is just a variation of countless other JavaScript injected redirects on websites with poor security or administrators who intentionally force a redirect for malicious reasons, or to earn click dollars from advertisers.

Each browser handles these differently; however, generally, once the redirect loads and the speech begins, tapping your Escape key continually while clicking to close the affected tab will prevent a browser freeze.

Once closed you may continue browsing, but upon completion you will need to remove cookies and cached tracking data to prevent the redirection opening when you next use your browser.

Typically the cached data will contain at least one .HTM file with the injected redirect JavaScript.

This data will in this particular instance allow this redirection to repeat; it will be located:

C:\Users\Regedit32\AppData\Local\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC in subfolders with names starting with a #! for your Microsoft Edge browser. Obviously, replace Regedit32 with your own username.

Firefox stores its cookies, and cached tracking data in a similar fashion, but I've not used it for a long while so you'll need to verify the storage location yourself for its cookie data.


At this point there is no point creating a whitelist of JavaScripts or a list of exclusions, as the bull has already run through the china store. Simply avoid low-security websites, and for the popular ones that should be safe, make sure you email and complain to the site admin; if no one bothers doing this, they will probably never bother securing their sites.

Regards,

Regedit32
 
Thanks, very informative. I'll try that Escape tip if this ever happens again. (It hasn't so far, after several restarts of Firefox, although no revisit to that old site.)

However, I'm not really clear re your suggestion about identifying and deleting the source of the redirection. I understand you say it's in a Firefox cookie? In Firefox you can find and delete individual cookies via Tools > Options > remove individual cookies, as you see here:

[Attachment: FF-DeleteCookies-Single.jpg]

But what am I looking for please? Would it be this one?

[Attachment: FF-Cookie-Gary.jpg]

I'm unclear re your Microsoft Edge instructions, but then I don't use that browser unless Win 10 insists! Searching for the string 8wekyb3d8bbwe\AC on my C: drive delivered these 18 hits, if that's relevant:

[Attachment: FF-DeleteCookies-String-1.jpg]


--
Terry, East Grinstead, UK
 

Regedit32

Moderator
Hi again,

Correct, it's the persistent cookie from the website you attempted to visit that may or may not still contain injected code forcing the redirection; hence removing it would be a good idea.


As the event in your case took place in Firefox, it's not important to locate cookies from MS Edge; however, if you want to clear this too, then in that search result of yours, it's the:

    C:\Users\terry\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC

Open that and you will see one or more subfolders that begin with the ASCII characters #! and continue with three digits. Each of these folders may or may not contain cookie and htm/html data from previous Edge browsing sessions. The particular infected htm page often sticks itself into the #!007 folder, which it creates and then hides among other browser session data it stores during the redirection mess, which can quickly add up to tens or hundreds of extra files.

Note: It does not exclusively use #!007, so it's probably easiest to simply clear all cookie and session data here; or alternatively use tools such as SuperAntiSpyware to scan these specific folders if you prefer to allow a security program to do the leg work.

Regards,

Regedit32
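To make the cleanup Regedit32 describes less of a guessing game, here is an added triage script (not from the thread or any vendor) that walks the Edge AC folder, looks only inside the #!NNN session subfolders, and lists any cached .htm/.html file whose inline script navigates or blocks unload. The script-pattern heuristics and the demo() cache tree are my own constructions; the folder layout and file types are the ones the post names.

```python
import re
import tempfile
from pathlib import Path

# Session subfolders under ...\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC
# are named "#!" plus three digits, as described in the post.
SESSION_DIR = re.compile(r"^#!\d{3}$")

# Heuristic markers (assumption, not from the post): inline script that
# forces navigation or traps the unload event, or a meta refresh redirect.
SUSPECT = re.compile(
    r"window\.location|location\.(?:href|replace)|onbeforeunload|<meta[^>]+refresh",
    re.IGNORECASE,
)


def scan_cache(ac_root):
    """Return [(relative path, matched snippet)] for suspect .htm/.html
    files found under #!NNN folders beneath ac_root."""
    root = Path(ac_root)
    hits = []
    for sub in sorted(root.iterdir()):
        if not (sub.is_dir() and SESSION_DIR.match(sub.name)):
            continue  # only the #!NNN session folders are in scope
        for f in sub.rglob("*"):
            if f.suffix.lower() not in (".htm", ".html"):
                continue
            match = SUSPECT.search(f.read_text(errors="ignore"))
            if match:
                hits.append((str(f.relative_to(root)), match.group(0)))
    return hits


def demo():
    """Build a constructed AC-style tree in a temp dir and scan it."""
    tmp = Path(tempfile.mkdtemp())
    for name in ("#!001", "#!007", "other"):
        (tmp / name).mkdir()
    # constructed sample: one trapped page, one benign page, one out of scope
    (tmp / "#!007" / "index.htm").write_text(
        '<html><script>window.onbeforeunload=function(){return "x";};'
        "</script></html>"
    )
    (tmp / "#!001" / "page.html").write_text("<html><body>Hello</body></html>")
    (tmp / "other" / "bad.htm").write_text('<script>window.location="x"</script>')
    return scan_cache(tmp)


if __name__ == "__main__":
    for path, snippet in demo():
        print(f"suspect: {path}  ({snippet})")
```

Point scan_cache at the real AC path to list candidates before clearing the folders, and treat the heuristics as a starting point rather than a verdict.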