In the original More than Meets the Eye blog, we discussed attackers’ ability to hide in plain sight. A very successful campaign that utilizes this approach is the fake FBI ransom webpage; a fraudulent website that claims to be an FBI property, but then attempts to extort the victim.
Figure 1: Fake FBI website
This site appears to lock the browser, creating an illusion that the system is locked and the only way to unlock the browser is to pay a ransom. The previous entry, referenced above, explains how it works.
Attacks of this nature have been so successful recently that new variations on the theme are continually discovered. There are even localized versions of the attack, specifying the local law enforcement agencies of several countries. However, the underlying technology that is used to evade detection remains consistent. Traditional AV and static scanning technology generally doesn’t block these pages because the underlying code used to lock the browser is actually not malicious. However, when applied improperly, it can certainly be used maliciously.
In this case, it simply uses a loop statement that loops 150 times. This means that if a user just clicks through the process 150 times, the browser will be unlocked. But the user has no way of knowing this, and will likely surrender. Also, there is nothing stopping the attackers from increasing the count from 150 to 150,000 times.
There is good news. First, the problem can actually be solved by nearly any user, without needing to obtain or use any complex security tools. These four steps (detailed below) will unlock the browser.
- Kill the Process
- Clear all history and reset the browser
- Change ‘Restore from crash’ settings
- Update browsers
Killing the browser process is just like killing a hung program. In Windows, press Ctrl-Alt-Del and look for the browser process and terminate it. On a Mac, click the Apple icon | Force Quit and then choose the browser app and terminate it. This will kill the locked browser.
The attackers know that this will be the first thing most users attempt, so they make sure that the fake website will survive once the browser process is terminated. Typically, re-opening the browser will render the fake FBI website again. The attackers have built-in persistency.
The second step, clearing all history and resetting the browser, partly addresses the persistency problem. There are different ways to accomplish this, depending on the browser you are using. Figure 2, depicts resetting Safari on a Mac. Figure 3 shows how to clear the browser history for Firefox in Windows.
Figure 2: Resetting Safari
Figure 3: Clearing History of Firefox
Of course, the problem is still not entirely solved. The crash restoration settings must also be changed. Force-quitting or terminating a process is considered a crash condition by the app or program. If the program, in this case the browser, is set to display its last session after recovery from a crash, opening the browser will point again to the fake FBI website. To prevent this, set all browsers to open fresh sessions or go directly to the home page after recovery from a crash. Some browsers will present the user with an option to open the last session, rather than going directly to the page. For Safari, set it to open with “a new window” rather than “all windows from last session” as seen in Figure 4. This setting is found under the General Tab of Safari | Preferences.
Figure 4: Safari Restore from Crash
The first three steps require some effort, but solve the fake website problem without needing any additional tools. The browser manufacturers are aware of the fake ransom website problem and have taken steps to limit the exploitation of this lock mechanism that is hiding in plain sight. Instead of going through 150 iterations to remove the dialog box, some browser vendors have introduced a simple tick box that asks the user if they wish to dismiss the message window upon clicking “OK”. This worked pretty well in thwarting the fake ransom sites.
Therefore, updating browsers (the forth step in the process) is very important. In addition to possibly preventing the problem from re-occurring, it also ensures that all the latest features and security fixes are available. That said, it could introduce compatibility issues with your plugins, but that’s another story.