Sunday, 25 September 2016

You are blocked from using the network - an intriguing scam

As I've started writing about scams and how to detect them, my reaction to some of them has changed. From being annoyed and aggrieved at pointless popup scams in my browser, I now almost rejoice when I see a new one, wondering if I should take a screen capture and write a blog about it.

It is remarkable the lengths that some will go to to make their scams believable. I am referring to scams that are more than just technical wizardry - those that are crafted to play the user no matter what their experience level. In my recent Internet adventures, I encountered one of the most well contrived scams I have seen in a long while. This is a type of scam that I have encountered many times over the years, but what I saw the other day was the best representation of it that I have ever seen. It had all the deceptive elements that a scam could use, from misdirection and misrepresentation to fear-mongering, to clever technical elements that make the user believe that escape is a hopeless prospect.

This scam was also one that some of my customers had recently been deceived by, and I have mentioned it in passing in my article "Who to Trust - Part3". However, this scam elevates the art of scams to such a level whilst appearing to remain 'legal', that I figured it deserved its own article so that I could dissect its elements, and provide some simple advice on how to skip around it if you ever encounter it.

Ethical vs Legal

Whilst this scam itself is not illegal, the method by which it is delivered to the user, a cross-site scripting (XSS) attack, is. The scam does not pass muster against consumer laws such as the Competition and Consumer Act (2010) and the New South Wales Fair Trading Act (1987). However, at best I can only charge it with being highly unethical. What is saddening is that it is not perpetrated by some small backyard hacker in his shed; it is actually being proliferated by a legitimate business, registered in the United States, with centres of operation around the world. But just because something is legal does not make it right. Keep in mind that I pointed out that the technical method used to deliver the onscreen elements of the scam is illegal.

Unfortunately, since this business would appear to have a rather substantial collection of operations in the USA, UK and Australia, I am guessing that they have substantial financial reserves. Therefore, I will not be naming and shaming them here, lest I find myself facing a lawsuit. However, from the detail that I present below, you should hopefully be able to side-step this scam before getting to the point of being in contact with them yourself.

An Artful Presentation

This article is about a scam that I both detest and admire. I detest it – because it is a scam, and it is delivered by an XSS attack. I admire it because it is such a well rounded example of deception at work.



As you can see, it appears to be a webpage in the background with a warning message in front, and a popup dialog asking for your authentication details.

A pinch of misrepresentation – to inspire trust

For the unwary user, this scam immediately gives the impression of something that they might trust. The webpage that is supposedly in the background of this has the Microsoft branding and logos at the top. Down the bottom, it has some familiar Microsoft brands and icons. This is all done to give the user a comfortable feeling that this message is coming from a tech-giant that they can trust.



A bit of misdirection – to add legitimacy

The warning message that comes up states a ‘Service Number’. Little touches like these help to make things look all the more official, and more believable. Really, it's just another lie.



There is also an attempt to create in the user’s mind a reference to the Google Safe Browsing component of the Chrome browser, with a reference to a URL that contains ‘safebrowsing’ within it. Here it is http://safebrowsing.in. In related research and scam reports, there has been evidence of the use of http://safebrowsing.biz. It would not be surprising to find that the scammers have a range of similar URLs that they use.



A drop of obfuscation – to cover tracks

The warning message gives the user a 1800 phone number to call. Notice that there is no attribution of who this number belongs to. If they were to directly claim that it was a Microsoft number, Microsoft could take them to court.



A little bit of research can be helpful. If you check the phone number given against Microsoft’s own website, you’ll see that the number quoted is not theirs. If you do some further research on sites such as http://www.reverseau.com and http://www.411phonesearch.com.au, you will find that the quoted number is possibly a premium SMS number (high charges for calling), along with the complaints of other people who have been scammed by calling this number.

Whilst the number quoted above is linked to scams, do not assume that it is the only phone number that could be. The groups that run such scams are smart enough to use a number of different phone numbers, so people are less likely to detect a new scam.

Of course, the one problem that many users will encounter is that they only have the one PC or device that they surf the Internet on, and this scam has locked up its Internet access. The scammers are counting on the fact that you cannot double check the ‘facts’ that they present to you.

A threat or two – to inspire fear

This scam works on fear. There is no escaping that. Two messages that come across clearly are that you are blocked from using “this network”, and that hackers may be getting your details right now. Or are these messages really that clear?

Regarding the message about being blocked from using the network: which network? Whose network? To the average home user, their ‘network’ as such is their PC, router, and perhaps their service provider. But this is not a message from your service provider. Even if this were an alert from Microsoft (which we know it is not), Microsoft do not own the entire Internet, nor do they own any networks outside of their own. So, the threat that you are blocked from using this network – rubbish.



Funnily enough, there is some truth to the second claim – hackers may be stealing your details right now. In the middle of this screen is a dialog window asking you to authenticate. In the haste to get rid of this problem, the people who perpetrated this are hoping that you will supply a user name and password. They are hoping that you’ll enter any user name and password that seems relevant – your ISP logon, your PC logon, your Microsoft account logon. PLEASE DO NOT enter any details here. The scammers are hoping that you will give them some name and password here – because they will then have one more detail about you that they didn’t have before.

A blaring klaxon – to crank up the urgency

If the fact that you can’t seem to get these messages off your screen wasn’t enough, this XSS attack has the added brilliance of a looping audio track that you may find hard to ignore. Many people, given the time to sit calmly, may find the way to get rid of the problem before them. But now that your computer is speaking the warning message, it may attract the attention of others nearby – perhaps close family members or friends, who will wonder what you were looking at on the Internet when this problem began to occur. This is designed to make you want to do whatever it might take to end this as soon as possible.

If you need more time to think about what you are doing, there is a simple solution: turn down or turn off the speakers that are connected to the computer. The repeating message will no longer be ringing in your ears, and it won’t attract the attention of other people.

A technical flourish – to seal the deal and make it inescapable

This is an XSS attack. Note that at the top of the browser window with the warning, the URL does not look normal. It starts with ‘data’. Next it tells us that the data is in ‘text-html’ format. Towards the end it gives a whole raft of letters and numbers in a seemingly random combination. This is the script in the XSS attack, but you cannot read it, because the script has been encrypted. The encryption has been applied to enable the attack to get past any firewall or anti-malware scanners you may be running.
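As an added example (not from the original post), here is a PowerShell function that decodes a data: URL of the kind described above offline, so the blob of letters and numbers can be inspected instead of rendered. It assumes the payload is base64-encoded, which the post does not state, and flags a few of the features this article describes; the sample page at the end is constructed and harmless.

```powershell
# Added example, not code from the original post. Assumes the payload after
# the media type is base64 (a common form for data: URLs); plain payloads are
# handled too. Inspect the output as text; never open the URL in a browser.
function ConvertFrom-DataUrl {
    param([Parameter(Mandatory)][string]$Url)
    if (-not ($Url -match '^data:([^,]*?)(;base64)?,(.*)$')) {
        throw "Not a data: URL"
    }
    $mediaType = $Matches[1]
    $isBase64  = [bool]$Matches[2]
    $payload   = $Matches[3]
    if ($isBase64) {
        $bytes = [Convert]::FromBase64String($payload)
        $text  = [Text.Encoding]::UTF8.GetString($bytes)
    } else {
        $text = [Uri]::UnescapeDataString($payload)
    }
    # Features the post describes: a looping audio track, an 1800 number to
    # call, a password prompt, and a 'safebrowsing' lure in the page text.
    $indicators = @{
        'looping audio'     = $text -match '<audio[^>]*\bloop\b'
        '1800 phone number' = $text -match '\b1[ -]?800[ -]?\d{3}[ -]?\d{3}\b'
        'password prompt'   = $text -match 'type\s*=\s*"?password"?'
        'safebrowsing lure' = $text -match 'safebrowsing\.'
    }
    [pscustomobject]@{
        MediaType  = $mediaType
        Base64     = $isBase64
        Length     = $text.Length
        Indicators = @($indicators.Keys | Where-Object { $indicators[$_] })
        Preview    = $text.Substring(0, [Math]::Min(200, $text.Length))
    }
}

# Constructed sample: a harmless page that mimics the visible parts of the warning.
$sampleHtml = '<html><body><h1>Warning</h1><p>Call 1800 000 000</p>' +
              '<audio loop src="alert.mp3"></audio></body></html>'
$sampleUrl  = 'data:text/html;base64,' +
              [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleHtml))
ConvertFrom-DataUrl -Url $sampleUrl | Format-List
```

For a real URL copied from the address bar, pass it as the -Url argument; the Preview field shows the start of the decoded page and Indicators lists which of the four features were found.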



The script that is delivered in the XSS attack is quite simple but ingenious. It has been coded such that you cannot get rid of it. You cannot use your browser to research the truth of the scam, nor can you close down the browser windows that you had open, which may cause you embarrassment, and as much as you try to close the dialog that is requesting authentication, it keeps popping up. So thoroughly annoying.

One mean recipe for a scam

So this scam is truly annoying. It is something of a masterpiece. A script hidden in a page or a link downloads onto your PC, avoids the security features of your anti-malware software because it is encrypted, runs a program that hijacks your browser session, misdirects and deceives you into thinking that Microsoft are warning you about this problem and that you are cut off from the Internet, wants you to call an unknown number to get help, and will happily accept any user name and password combination you give it.

Truth is, if you call the number, you will be taken into a conversation about updating your anti-virus software, and about how the company you have called (which is not Microsoft) will be able to fix the immediate issue you are having, but only if you allow them remote access to your computer and sign up to a 6 or 12 month plan for maintenance of your computer, which will cost several hundred dollars.

The contract that they will send to you will already have a digitised version of your name in a fancy font as a digital signature. This will happen without you actually signing anything. This is not legal. The clauses in the contract may be poorly written and do not form a sensible contract, except for the clauses that allow the organisation wanting this contract with you to sell the contract at any time they choose, or the clauses which require you to download a form from their website and email it back to them if you need their assistance.

Stop and think that last point through. If your PC is broken, or your Internet connection is not working, how are you supposed to download a form, print it, sign it, scan it, and attach it to an email? Worse still, if you suffer a similar XSS attack in the future and are told to ring a different number, you may have to pay another company more money to get past that problem.

How to escape this scam, with your wits and bank balance intact

There is good news. There is a way to get around this attack/scam without phoning anyone, without paying any money, and without giving up passwords.

Whilst this attack ties up your browser, it does not prevent the use of other applications on your computer. An important such application is Windows Task Manager. The easiest way to get to Task Manager is the keyboard shortcut combination Ctrl+Shift+Esc. You may see a small window come up that asks “Do you want to allow this application to make changes to your PC?” If so, just click ‘Yes’. This will open Windows Task Manager.



In Windows Task Manager, you will see there is a list of Processes (on older versions of Windows, this will be a list of Applications). From this list, scroll down until you find the row (or rows) listing your browser. Each row listed for your browser (there may be many) represents a chunk of memory dedicated to a browser window. It is in one of these chunks of memory that the script from the XSS attack will be running. The best thing to do is to close all of them. Starting from the top of the Apps listing (Windows 10), or just the first row representing your browser on older versions, right-click on the row for your browser, then from the pop-up menu select Terminate or End Task depending upon your Windows version. You will be asked to confirm; do so. Repeat this as many times as is necessary to shut down all processes related to your browser.

Once this is done, you should no longer see the warning message, nor hear the audio from it. You can reopen your browser, but avoid going to the same page you did last time.

Further Precautions

I would recommend that at this point, you do some worthwhile checks on your PC. Run an anti-virus scan. Make sure that the remote assistance options for Windows are turned off. Use Windows Task Manager to check for applications running on your PC that you have never heard of.
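As an added example (not from the original post), the Task Manager steps above and the checks in this section as one PowerShell script: it ends every browser process, confirms that Windows Remote Assistance is turned off, and lists running executables that carry no valid signature as a starting point for spotting programs you have never heard of. The browser process names are assumed; add yours if it is missing, and run it from an elevated PowerShell prompt so every process's path is visible.

```powershell
# Added example, not code from the original post. Browser process names are
# assumed; the Remote Assistance registry value is the one Windows uses.

function Stop-BrowserProcesses {
    # Same effect as ending every browser row in Task Manager: the warning page,
    # its looping audio and its authentication popup all run inside these.
    $browsers = 'chrome', 'msedge', 'firefox', 'iexplore', 'opera'
    $procs = @(Get-Process -Name $browsers -ErrorAction SilentlyContinue)
    $procs | Stop-Process -Force
    return $procs.Count    # number of processes ended
}

function Test-RemoteAssistanceDisabled {
    # fAllowToGetHelp = 0 means Windows Remote Assistance is turned off.
    # A missing value is reported as "not confirmed off" rather than assumed safe.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
    $item = Get-ItemProperty -Path $key -Name fAllowToGetHelp -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.fAllowToGetHelp -eq 0)
}

function Get-UnsignedRunningExecutables {
    # Running executables whose file has no valid Authenticode signature,
    # with their path, so each one can be looked up before deciding on it.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_; Status = $sig.Status }
            }
        }
}

"Ended $(Stop-BrowserProcesses) browser process(es)"
if (Test-RemoteAssistanceDisabled) {
    'Remote Assistance: off'
} else {
    'Remote Assistance: not confirmed off - check System Properties > Remote'
}
Get-UnsignedRunningExecutables | Format-Table -AutoSize
```

Ending the browser processes also closes any other pages you had open, exactly as the Task Manager method does, so save any work in other browser windows first if you can.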

If in doubt, or you want to be as safe as you can, contact your local IT professional – someone who can come to you and help you, who will not charge an arm and a leg, and who you can get to know face-to-face.
