Tech-support scammers have a new trick to send Chrome users into a panic

Status
Not open for further replies.

joequincy

Ars Scholae Palatinae
1,123
Subscriptor
The most important thing to remember when encountering one of these windows is not to panic and to never call the phone numbers displayed in the warnings.

... unless you're bored and feel like wasting a scammer's time for the lulz.

What we need is an automated system which wastes their time without wasting yours.
A white-hat robo-caller?
I knew that idea was ringing a bell! Someone totally did that a bit more than a year back. No idea how well it actually worked, but there is prior art!

https://www.onthewire.io/driving-roboca ... roger-bot/
 
Upvote
6 (6 / 0)

Bob.Brown

Ars Tribunus Militum
2,079
In a better world, domain registration services would not let random criminals register domain names containing trademarked names like .microsoft. and would flag suspicious ones like .windows. for human review.

They would still allow registering free-speech and complaint sites like micsofts-a-naughty-puffin.com where it was not easily mistaken for an official company site, while protecting a few users from microsoft.ransomware.scam
The "bad" domain is msf-help.info. All the rest of that blarf is subdomain or host name.

I don't see how domain registrars could have prevented "msf-help" without being a giant pain in the posterior to people trying to register completely legit domains.
 
Upvote
16 (16 / 0)
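The split the comment above describes, as an added example that is not part of the original post: a hostname is cut into the registered name and the subdomain labels its owner can add freely. The sample hostnames, the tiny suffix list (a stand-in for the real Public Suffix List) and the `ownedDomains` set are constructed assumptions.

```javascript
// Added illustration. Only the registrable domain ever passes through a
// registrar; every label to its left is chosen later by whoever owns it.

// Constructed, deliberately tiny stand-in for the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Brand tokens taken from the examples in the comment above.
const BRAND_TOKENS = ["microsoft", "windows"];

// Split a hostname into its registrable domain and its subdomain labels.
function splitHost(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) {
    return { registrable: labels.join("."), subdomains: [] };
  }
  const lastTwo = labels.slice(-2).join(".");
  const suffixLen = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  // Registrable domain = public suffix plus exactly one label to its left.
  const cut = Math.max(labels.length - suffixLen - 1, 0);
  return {
    registrable: labels.slice(cut).join("."),
    subdomains: labels.slice(0, cut),
  };
}

// Say where (if anywhere) a brand token appears in the hostname.
function classify(hostname, ownedDomains) {
  const { registrable, subdomains } = splitHost(hostname);
  const inSub = BRAND_TOKENS.filter((b) => subdomains.some((l) => l.includes(b)));
  const inReg = BRAND_TOKENS.filter((b) => registrable.includes(b));
  let verdict;
  if (ownedDomains.has(registrable)) {
    verdict = "brand-owned";
  } else if (inSub.length > 0) {
    verdict = "brand-in-subdomain"; // invisible to any registrar-side check
  } else if (inReg.length > 0) {
    verdict = "brand-in-registered-name"; // the only case a registrar could review
  } else {
    verdict = "no-brand-token";
  }
  return { registrable, subdomains, verdict };
}

// Constructed sample hostnames; only msf-help.info comes from the thread.
const owned = new Set(["microsoft.com"]);
for (const host of [
  "microsoft.windows.alert.msf-help.info",
  "support.microsoft.com",
  "micsofts-a-naughty-puffin.com",
  "windows-help.co.uk",
]) {
  const r = classify(host, owned);
  console.log(`${host} -> ${r.registrable} (${r.verdict})`);
}
```

A filter or proxy rule built on this keys on the registrable domain, since that is the only part that stays fixed when the subdomain labels are changed.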

dangoodin

Ars Tribunus Militum
1,649
Ars Staff
Chrome doesn't do the "browser tab is unresponsive, do you want to close?" thing on Windows, just Mac? That's weird, as I know I've seen it on other browsers in Windows (doesn't happen often, so can't remember for sure if it was IE11, Edge, or Firefox).

Also, second the question as to whether this is Chrome exclusive. I generally run a mix of Firefox and Edge at home.
It does on Linux too, unless you're a developer that gets annoyed with it when you're trying to debug performance issues and manually turn it off...(yes, I fit in that category).
Normally, Chrome also does this on Windows... however it seems that the specifics of the attack allowed the researchers to cause Chrome on Windows to lock up in a way that prevents it from showing.

Still a pretty serious flaw, but not the "why the heck is this functionality only available on some platforms" oversight it appears to be at first glance.

I just updated the story to add:

1) The researchers have been unable to get the technique to work on any browser other than Chrome, so yes, this is a Chrome-only issue.

2) The Chrome dialog box about an unresponsive page is displayed to Windows users, but the box is of no help because the attackers have somehow figured out a way to prevent the "exit page" button from showing on Windows. This doesn't happen to Chrome users on a Mac.

The updated information starts in paragraph six.
 
Upvote
26 (26 / 0)

MechR

Ars Praefectus
3,259
Subscriptor
By combining the API with other functions, the scammers force the browser to save a file to disk, over and over, at intervals so fast it's impossible to see what's happening.
Wouldn't enabling the "Ask where to save each file before downloading" option stop this on the first attempted download?
I dunno, it might end up spamming you with file-save dialogs instead. Depends if Chrome is smart enough to not do that.
 
Upvote
3 (3 / 0)

panton41

Ars Legatus Legionis
11,115
Subscriptor
Chrome is getting too big for its own good.

or anyone's good, for that matter.

Windows being pegged and brought to its knees by apps. What a clusterf*ck of an OS.

Yeah, because I want my 3D rendering software to be forced to only use 50% of available CPU because... why? And if the 3D program is allowed to do it why can't other programs?

Also, I've used Linux and Mac and both have the same problem if a program has gone rogue. At least on Windows the GUI display framework doesn't crash and burn when a program goes out of control like it can on Linux. (Windows will get unresponsive, but I've had the Linux GUI backend flat out crash and not recover on me.)
 
Upvote
16 (17 / -1)
Chrome doesn't do the "browser tab is unresponsive, do you want to close?" thing on Windows, just Mac? That's weird, as I know I've seen it on other browsers in Windows (doesn't happen often, so can't remember for sure if it was IE11, Edge, or Firefox).

Also, second the question as to whether this is Chrome exclusive. I generally run a mix of Firefox and Edge at home.
It does on Linux too, unless you're a developer that gets annoyed with it when you're trying to debug performance issues and manually turn it off...(yes, I fit in that category).
Normally, Chrome also does this on Windows... however it seems that the specifics of the attack allowed the researchers to cause Chrome on Windows to lock up in a way that prevents it from showing.

Still a pretty serious flaw, but not the "why the heck is this functionality only available on some platforms" oversight it appears to be at first glance.

I just updated the story to add:

1) The researchers have been unable to get the technique to work on any browser other than Chrome, so yes, this is a Chrome-only issue.

2) The Chrome dialog box about an unresponsive page is displayed to Windows users, but the box is of no help because the attackers have somehow figured out a way to prevent the "exit page" button from showing on Windows. This doesn't happen to Chrome users on a Mac.

The updated information starts in paragraph six.
Does Ctrl+F4 work to close the tab? I find it can end up closing things that a mouse didn't work on when popups are involved.
 
Upvote
5 (5 / 0)

dangerstranger

Wise, Aged Ars Veteran
149
Add that scenario to a few more unit-tests.

I wonder what the feasibility of stopping these types of attacks would be by throttling requests for browser resources over a set threshold (saving files, but also imagine the print dialog, etc.). So if a specific page is spamming the save dialog every 1/10th of a second, opening pop-ups, etc., then it puts in a progressive time delay before the next attempt goes through (like fail2ban). This should give the user enough time to close out.
 
Upvote
2 (2 / 0)
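The fail2ban-style throttle proposed in the comment above, as an added example that is not part of the original post and not Chrome's code: each origin gets a small free burst of actions, and every time it exceeds the burst the lock-out doubles. The class name, the thresholds and the origin `https://ads.example` are assumptions chosen for illustration.

```javascript
// Added illustration: progressive delay for page-initiated actions
// (file saves, pop-ups, print dialogs). All thresholds are assumed values.
class ActionThrottle {
  constructor({ freeBurst = 3, windowMs = 1000, baseDelayMs = 1000,
                maxDelayMs = 30000, forgiveMs = 60000 } = {}) {
    Object.assign(this, { freeBurst, windowMs, baseDelayMs, maxDelayMs, forgiveMs });
    this.state = new Map(); // origin -> { recent, strikes, blockedUntil }
  }

  // Decide whether `origin` may perform one action at time `now` (ms).
  request(origin, now) {
    let s = this.state.get(origin);
    if (!s) {
      s = { recent: [], strikes: 0, blockedUntil: 0 };
      this.state.set(origin, s);
    }
    // Inside a penalty window: refuse and report how long is left.
    if (now < s.blockedUntil) {
      return { allowed: false, retryAfterMs: s.blockedUntil - now };
    }
    // A long quiet period after the last penalty clears the strike count.
    if (s.strikes > 0 && now - s.blockedUntil >= this.forgiveMs) s.strikes = 0;
    // Sliding window: keep only the actions from the last `windowMs`.
    s.recent = s.recent.filter((t) => now - t < this.windowMs);
    if (s.recent.length < this.freeBurst) {
      s.recent.push(now);
      return { allowed: true, retryAfterMs: 0 };
    }
    // Burst exceeded: each strike doubles the delay, up to the cap.
    s.strikes += 1;
    const delay = Math.min(this.baseDelayMs * 2 ** (s.strikes - 1), this.maxDelayMs);
    s.blockedUntil = now + delay;
    return { allowed: false, retryAfterMs: delay };
  }
}

// Replay a page that requests an action every `intervalMs` for `durationMs`
// and report how much got through and the longest pause the user was given.
function simulateFlood(throttle, origin, intervalMs, durationMs) {
  let attempts = 0;
  let allowed = 0;
  let lastAllowed = null;
  let longestQuietMs = 0;
  for (let t = 0; t < durationMs; t += intervalMs) {
    attempts += 1;
    if (throttle.request(origin, t).allowed) {
      if (lastAllowed !== null) {
        longestQuietMs = Math.max(longestQuietMs, t - lastAllowed);
      }
      lastAllowed = t;
      allowed += 1;
    }
  }
  return { attempts, allowed, longestQuietMs };
}

// The comment's scenario: one request every 1/10th of a second, for 10 seconds.
const demo = simulateFlood(new ActionThrottle(), "https://ads.example", 100, 10000);
console.log(demo);
```

The quiet gaps are where the UI stays responsive long enough to close the tab, and a flood that keeps going only makes them longer.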

GFKBill

Ars Praefectus
3,000
Subscriptor
Can you use Chrome's task manager (shift+esc in Windows) to eventually kill the offending tab?

Once it opened, at least, since I assume it would take a while to start with all the resources being taken up.
Ctrl-F4 kills the current task in windows, which in most modern browsers is the current tab.

And ctrl-shift-esc takes you straight to the Windows task manager by the way, no need to ctrl-alt-del then choose Task Manager.
 
Upvote
3 (5 / -2)

passivesmoking

Ars Tribunus Angusticlavius
8,585
The scams are often transmitted through malicious advertisements or legitimate sites that have been hacked

Install ad-blockers and keep them up to date. You need one for your safety these days, not just to reduce the hideous annoyances of ads that are so heavyweight they increase page load times 500% (this is not an exaggeration, I've seen sites take over a minute to load normally that load in 10 seconds with an ad-blocker).

Let's face it, ad-networks are a fundamentally broken idea and always were.

As for Chrome, WTF? It can save arbitrary files programmatically without user input and nothing to mitigate abuse?
 
Upvote
9 (10 / -1)

soulsabr

Ars Tribunus Angusticlavius
9,342
"Stealing Pictures"? I mean I get it, they're just creating fear, but if some jerk wants to look through the 200GB of movies and pictures of my kids, more power to them. Maybe they'd like to come over for a slide show presentation?
? Did you even take a moment to think before you posted? You do realize that the world doesn't simply revolve around you .... right?
 
Upvote
-9 (1 / -10)

drfisheye

Ars Tribunus Militum
2,562
Subscriptor
the article said:
A new technique [...] works against Chrome by abusing the programming interface known as the window.navigator.msSaveOrOpenBlob.
That can't be true. Chrome doesn't support that interface, only Internet Explorer does. Hence the 'ms' prefix. Instead, the script creates a download-link to a blob and programmatically clicks that link in a loop.
 
Upvote
4 (4 / 0)

Veronezzi

Seniorius Lurkius
5
I used to work in a Microsoft Store taking care of the crap that happens like this. I still remember the most evil thing these scammers would do.

At some point during the phone call they would set up a syskey password. Which prevents Windows from booting, has no 'forgot password' like feature or any way to be permanently disabled.

The only thing that could be done was to restore to an earlier point, but they started deleting restore points as well.

They'd use this to hold the computer ransom for payment, threatening never to give over the password until some high sum was forked over. Sometimes they even gave the wrong password when money was paid.

So glad this was removed in the Fall Creators Update.

Well, locking Windows to boot is a minor hassle: put a USB filled with a live version of Windows or Linux in the USB port, turn on the computer, let the system at the USB load and through it copy all your files to another pendrive or another type of external store. Almost all home users don't encrypt the hard drive so this scam and many others are useless if the owner of the PC knows that. The problem is people freaking out instead of thinking about what to do (fix the problem themselves or call a local technician to have a look at the problem). The majority of individuals that develop such scams are lame, which is in this case. Just a small percentage have the intelligence and skills to create something really difficult to solve...
 
Upvote
-3 (2 / -5)

Uxorious

Ars Tribunus Angusticlavius
6,212
Subscriptor++
Manually shutting down the entire browser risks losing any unsaved work contained in any open windows.

Unless you are in Google Docs or something, there isn't really much "unsaved work" that people have open in a browser. Just give Chrome the three finger salute, then blacklist the site that crashed you in your HOSTS file. Then go back to surfing.

Why let bad traffic all the way inside your network? Ban it at the edge of your network at your router/firewall. :)
 
Upvote
-3 (2 / -5)

bdp

Ars Scholae Palatinae
1,148
Subscriptor++
Nitpick: "...by using the Windows Task Manager (control-alt-delete)..."

That gets you to a lock screen where you can click a button to launch Task Manager. Ctrl-shift-esc gets you to Task Manager directly. I don't have deep knowledge of Windows keyboard shortcuts, but I've been using ctrl-shift-esc ever since I learned about it since it saves me moving the mouse and clicking each time I launch Task Manager.
 
Upvote
4 (4 / 0)

Fred Duck

Ars Tribunus Angusticlavius
7,392
In an e-..... what? Don't leave me hangin'! :)

He must have died while carving it.

Wait, Split Personality A, you can't use that Monty Python quote. You're over limit for today.

Split Personality A: Aw, you're no fun anymore.

Split Personality B: Clearly, chrome froze up on Chris whilst he was writing it so he didn't get around to fixing it.

Split Personality A: You mean Dan.

Split Personality B: Yes, sorry.
 
Upvote
5 (5 / 0)
In a better world, domain registration services would not let random criminals register domain names containing trademarked names like .microsoft. and would flag suspicious ones like .windows. for human review.

They would still allow registering free-speech and complaint sites like micsofts-a-naughty-puffin.com where it was not easily mistaken for an official company site, while protecting a few users from microsoft.ransomware.scam

Also, phone companies would quickly seize the 800 number and redirect it to a help line to fix the problem (bonus points for directing all calls from the "pay your tax bill or the police will come to arrest you" scammers to the tech-support scammers and vice versa).
 
Upvote
3 (3 / 0)
Yeah, because I want my 3D rendering software to be forced to only use 50% of available CPU because... why? And if the 3D program is allowed to do it why can't other programs?

Also, I've used Linux and Mac and both have the same problem if a program has gone rogue. At least on Windows the GUI display framework doesn't crash and burn when a program goes out of control like it can on Linux. (Windows will get unresponsive, but I've had the Linux GUI backend flat out crash and not recover on me.)

No OS should allow any app to peg the CPU at 100% and make the system UI unresponsive. I've never experienced that on a Mac, but on Windows it's very common. As for that 50% you pulled out of your ass, the system should dedicate as much CPU resources as it can without sacrificing the responsiveness of the system UI so the user can gracefully recover from any app that's pegging the system.
 
Upvote
-11 (7 / -18)

Legatum_of_Kain

Ars Praefectus
4,095
Subscriptor++
Considering that Chrome at this point is basically an OS, not too surprising. I'm not a computer scientist, but I'd perhaps recommend Google to have a slimmed down version of the browser (Perhaps without power user options) that can't take over the CPU (this alone could help with mining and exploits like this), and that way leave the full blown browser for power users.

Or conversely, have the full blown app through UWP which would probably not have this behavior, due to how the platform works.
 
Upvote
-11 (2 / -13)

panton41

Ars Legatus Legionis
11,115
Subscriptor
Yeah, because I want my 3D rendering software to be forced to only use 50% of available CPU because... why? And if the 3D program is allowed to do it why can't other programs?

Also, I've used Linux and Mac and both have the same problem if a program has gone rogue. At least on Windows the GUI display framework doesn't crash and burn when a program goes out of control like it can on Linux. (Windows will get unresponsive, but I've had the Linux GUI backend flat out crash and not recover on me.)

No OS should allow any app to peg the CPU at 100% and make the system UI unresponsive. I've never experienced that on a Mac, but on Windows it's very common. As for that 50% you pulled out of your ass, the system should dedicate as much CPU resources as it can without sacrificing the responsiveness of the system UI so the user can gracefully recover from any app that's pegging the system.

An OS that runs on arbitrary hardware that people actually want to do work on might actually need to peg CPUs at 100% even at the sacrifice of UI responsiveness. I used the 3D rendering example because for what I do it's the most common reason I personally have for an unresponsive UI. It's rare that I have anything but that kind of specialty software that is able to saturate all my cores at 100% and things like games and more mundane programs like browser and office suites don't do that.

I'd imagine if you told someone using a Mac for scientific or compute-intensive graphics rendering purposes an OS should not be allowed to peg the CPU at 100% even if that means sacrificing UI responsiveness they'd just laugh at you. Macs aren't magical boxes running on fairy dust and unicorn farts and they actually do have problems like every other computer.
 
Upvote
21 (24 / -3)

Sajuuk

Ars Legatus Legionis
13,318
Considering that Chrome at this point is basically an OS, not too surprising. I'm not a computer scientist, but I'd perhaps recommend Google to have a slimmed down version of the browser (Perhaps without power user options) that can't take over the CPU (this alone could help with mining and exploits like this), and that way leave the full blown browser for power users.

Or conversely, have the full blown app through UWP which would probably not have this behavior, due to how the platform works.
Browser dialog windows aren't "power user options". UWP doesn't allow any rendering engine besides what Edge uses, which defeats the entire purpose (unless your market share is just that big).
 
Upvote
2 (2 / 0)

ImSpecial

Well-known member
504
I vote for calling the number listed, and opening like this..

"If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my computer go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you."
 
Upvote
3 (8 / -5)
An OS that runs on arbitrary hardware that people actually want to do work on might actually need to peg CPUs at 100% even at the sacrifice of UI responsiveness. I used the 3D rendering example because for what I do it's the most common reason I personally have for an unresponsive UI. It's rare that I have anything but that kind of specialty software that is able to saturate all my cores at 100% and things like games and more mundane programs like browser and office suites don't do that.

I'd imagine if you told someone using a Mac for scientific or compute-intensive graphics rendering purposes an OS should not be allowed to peg the CPU at 100% even if that means sacrificing UI responsiveness they'd just laugh at you. Macs aren't magical boxes running on fairy dust and unicorn farts and they actually do have problems like every other computer.

If that arbitrary hardware is running a GUI then the OS needs to guarantee the UI is responsive and not subject to freezing once something tries to peg the CPU. If that arbitrary hardware doesn't need the UI to be responsive, then give the OS an option to allocate all resources to apps.

I'd imagine if you told someone using a Mac for scientific or compute-intensive graphics rendering purposes an OS should not be allowed to peg the CPU at 100% even if that means sacrificing UI responsiveness they'd just laugh at you. Macs aren't magical boxes running on fairy dust and unicorn farts and they actually do have problems like every other computer.

I'm sure they would gladly give up 5-10% of their computing resources rather than dropping f-bombs at you when they repeatedly encounter the extreme frustration of having to deal with an unresponsive UI.
 
Upvote
-17 (2 / -19)
if malware tries to screw my iphone I just close the browser and erase the data before restarting it.
" " my android I just close the browser go into the settings and erase everything before restarting.
" "my laptop I just close firefox and upon restart I'm good as new since it doesn't retain things session to session.
 
Upvote
-5 (0 / -5)

Legatum_of_Kain

Ars Praefectus
4,095
Subscriptor++
Considering that Chrome at this point is basically an OS, not too surprising. I'm not a computer scientist, but I'd perhaps recommend Google to have a slimmed down version of the browser (Perhaps without power user options) that can't take over the CPU (this alone could help with mining and exploits like this), and that way leave the full blown browser for power users.

Or conversely, have the full blown app through UWP which would probably not have this behavior, due to how the platform works.
Browser dialog windows aren't "power user options". UWP doesn't allow any rendering engine besides what Edge uses, which defeats the entire purpose (unless your market share is just that big).

The dialog is an advanced feature of HTML, it’s not evenly implemented by browsers, especially the dialog tag, which is only supported by Chrome’s engine.
 
Upvote
3 (4 / -1)

Sajuuk

Ars Legatus Legionis
13,318
Considering that Chrome at this point is basically an OS, not too surprising. I'm not a computer scientist, but I'd perhaps recommend Google to have a slimmed down version of the browser (Perhaps without power user options) that can't take over the CPU (this alone could help with mining and exploits like this), and that way leave the full blown browser for power users.

Or conversely, have the full blown app through UWP which would probably not have this behavior, due to how the platform works.
Browser dialog windows aren't "power user options". UWP doesn't allow any rendering engine besides what Edge uses, which defeats the entire purpose (unless your market share is just that big).

The dialog is an advanced feature of HTML, it’s not evenly implemented by browsers, especially the dialog tag, which is only supported by Chrome’s engine.
Dialog windows don't require the HTML5 tag, Javascript dialog windows have been around forever. Safari and Opera both support the tag as well.
 
Upvote
0 (0 / 0)
Yeah, because I want my 3D rendering software to be forced to only use 50% of available CPU because... why? And if the 3D program is allowed to do it why can't other programs?

Also, I've used Linux and Mac and both have the same problem if a program has gone rogue. At least on Windows the GUI display framework doesn't crash and burn when a program goes out of control like it can on Linux. (Windows will get unresponsive, but I've had the Linux GUI backend flat out crash and not recover on me.)

No OS should allow any app to peg the CPU at 100% and make the system UI unresponsive. I've never experienced that on a Mac, but on Windows it's very common. As for that 50% you pulled out of your ass, the system should dedicate as much CPU resources as it can without sacrificing the responsiveness of the system UI so the user can gracefully recover from any app that's pegging the system.

An OS that runs on arbitrary hardware that people actually want to do work on might actually need to peg CPUs at 100% even at the sacrifice of UI responsiveness. I used the 3D rendering example because for what I do it's the most common reason I personally have for an unresponsive UI. It's rare that I have anything but that kind of specialty software that is able to saturate all my cores at 100% and things like games and more mundane programs like browser and office suites don't do that.

I'd imagine if you told someone using a Mac for scientific or compute-intensive graphics rendering purposes an OS should not be allowed to peg the CPU at 100% even if that means sacrificing UI responsiveness they'd just laugh at you. Macs aren't magical boxes running on fairy dust and unicorn farts and they actually do have problems like every other computer.

Running something at 100% and still having a UI that still is responsive, isn't mutually exclusive. It's called priorities. Been around for decades.

Only time my UI completely freezes in Linux is typically when a drive messes up, or I didn't properly umount a NFS share, or of course, the file manager crashes and takes the UI with it. But it's still fluid though even with a hd movie being compressed, because that's at a low priority.
 
Upvote
2 (4 / -2)
The most important thing to remember when encountering one of these windows is not to panic and to never call the phone numbers displayed in the warnings.

... unless you're bored and feel like wasting a scammer's time for the lulz.

I can never do it. I'm not a good enough actor. Someone called here telling me he was from Microsoft tech support and I had a virus. I was ready to pretend to follow his instructions. I tried to do a convincing "Oh no!" but he hung up on me.
 
Upvote
6 (6 / 0)

siliconaddict

Ars Legatus Legionis
13,106
Subscriptor++
Chrome doesn't do the "browser tab is unresponsive, do you want to close?" thing on Windows, just Mac? That's weird, as I know I've seen it on other browsers in Windows (doesn't happen often, so can't remember for sure if it was IE11, Edge, or Firefox).

Also, second the question as to whether this is Chrome exclusive. I generally run a mix of Firefox and Edge at home.

Yeah that statement is bullshit. Windows has this dialog box; the difference is that, unlike past versions of Windows, Microsoft has extended the timeout period to give applications enough time to start responding again. Because the last thing you want to do is to end task an application when it may come back after a minute or so. This can be customized in Windows. I can't remember if it was a registry entry or a group policy editor, but there is somewhere where you can tweak the settings. I am 99% certain that given enough time Chrome would display that dialog box as well. That is assuming the OS actually sees the app as not responding.
 
Upvote
0 (0 / 0)
I ran across this Chrome browser take-over issue while reading a normally reputable newspaper web site in Chrome on an Apple iPad. Apparently, an infected advertisement launched a modal dialog that prevented closing the offending tab or switching tabs. No way was I about to click through some scammy fake contest winner announcement.

Initially, killing Chrome and restarting proved no help because the offending tab would reload faster than anything could be done to stop the offending modal dialog from launching.

The fix turns out to be to force Chrome closed, then place the device in airplane mode or elsewise deny an Internet connection. Reopen Chrome; the script will not initialize and not run in the offending tab without an Internet connection. Simply close the bad tab, then reenable the Internet connection. To be on the safe side, I forced Chrome closed before reenabling Internet access, and then reopened Chrome after restoring Internet access, at which point my other previously opened good tabs were still intact.

This seems like a fairly easy solution on Apple iOS, Android, etc. devices that don’t offer the granularity of Windows’ task manager to kill just the one sub process of the offending tab. It is also fairly easy to explain to end users if you are the supplier of phone support.
 
Upvote
3 (3 / 0)

kentobin

Seniorius Lurkius
28
This is old news.

I was seeing this Chrome browser value added feature several months ago but nothing recent. I don't remember if I was still on Windows 8 or had migrated to 10. I agree that the only way to get rid of it was to kill the browser with the task manager and also lose any data from your other open Chrome sessions.
 
Upvote
0 (0 / 0)

fat_beaver

Seniorius Lurkius
26
By combining the API with other functions, the scammers force the browser to save a file to disk, over and over, at intervals so fast it's impossible to see what's happening.

Wouldn't enabling the "Ask where to save each file before downloading" option stop this on the first attempted download?

Might just be saving a relatively small temporary file or something. Mega for example, can download the whole file before even showing you a popup.

I always get informed that (not exact quote) "this site is requesting to store a large file on your computer" with an allow/deny option (firefox) also, by the looks of the screenshots it appeared to be a regular download.
 
Upvote
0 (0 / 0)

apistoletov

Smack-Fu Master, in training
70
Chrome is getting too big for its own good.

or anyone's good, for that matter.

Windows being pegged and brought to its knees by apps. What a clusterf*ck of an OS.

Yeah, because I want my 3D rendering software to be forced to only use 50% of available CPU because... why? And if the 3D program is allowed to do it why can't other programs?

Also, I've used Linux and Mac and both have the same problem if a program has gone rogue. At least on Windows the GUI display framework doesn't crash and burn when a program goes out of control like it can on Linux. (Windows will get unresponsive, but I've had the Linux GUI backend flat out crash and not recover on me.)

CPU usage cap is not the same as properly set priorities and properly implemented task schedulers. The first wouldn't solve the issue even if it were done; if the cap is 50%, then 2 processes will use 100% together and, by your definition, the system is pwned.
Good implementation of task scheduling and priorities (taking into account different types of shared resources, it's not only about CPU and RAM) is harder to do and harder to explain in layman's terms but it is certainly not about simply limiting "X can use Y% of Z" and it's one of these invisible but important things that differentiate a good OS kernel from a mediocre kernel.
And I'm yet to see any non-realtime OS which does that properly. All mainstream OSes (Windows, GNU/Linux, macOS) can't do that 100% right because it's possible to make them unresponsive by user code (i.e. not running as root), while it shouldn't be possible.
For majority of tasks this is not a big deal but for others it could make sense to explore other options.
 
Upvote
0 (1 / -1)
Manually shutting down the entire browser risks losing any unsaved work contained in any open windows.

Unless you are in Google Docs or something, there isn't really much "unsaved work" that people have open in a browser. Just give Chrome the three finger salute, then blacklist the site that crashed you in your HOSTS file. Then go back to surfing.

Yep. And this illustrates once again a danger of cloud-based work. If folks want to use cloud-based apps, Google Docs or Office 365 or Adobe Whatever, then fine; they should have that choice. But please don't take away my local applications, my local storage, my local processing.

More on topic: Anybody ever surf for porn? If your answer is yes, then browser freezes with some kind of message telling you that your PC is infected are so common that it's become nothing more than a nuisance. Ctrl+Alt+Delete, end task, run CCleaner, go back to surfing (avoid site that caused the freeze).
 
Upvote
-2 (1 / -3)