The locked screen scam that immobilizes your browser: how CypherLoc works and how to defend yourself

Credit: Barracuda Research.

Researchers at Barracuda Research have discovered CypherLoc, a sophisticated web-based scareware kit that has reportedly already been used in roughly 2.8 million attacks. The scammers' goal is to manipulate the victim psychologically until they call a fake technical support number, where operators claiming to be Microsoft support try to extort money and so complete the attack. Unlike traditional malware, which infects files on the computer, this kit runs entirely inside the browser, using encrypted code that is activated only under very specific browsing conditions, which makes it hard for common security products to detect.

Once running, it turns a normal web page into a full-screen error screen: it locks up the browser, plays alarming sounds and displays the user's IP address to give the impression that the device is under active control. Fake login forms also appear; although they do not collect any data, they make the screen more credible and heighten the panic when the credentials entered do not fix anything.

How CypherLoc malware works

We are used to thinking that cyber threats always come from an infected file downloaded onto the computer. CypherLoc shows that this is not always the case: the attack lives entirely in the browser and leaves no traces on the system. It is scareware, that is, software designed not to damage the device but to frighten the user into rash actions.

It all starts with a phishing email containing a link to a seemingly innocuous page. Hidden inside that page is the payload, the operational heart of the attack, which remains encrypted and invisible until certain conditions are met. The mechanism is called hash-gating: the code can be decrypted only if a specific fragment is present in the URL (the part after the #, which the browser never sends to the server and which many crawlers drop) and the encrypted content passes a cryptographic integrity check via an HMAC. If the page is opened by a scanner or in a sandbox (the virtual environments used by security analysts) without that fragment, the payload does not fire and the page simply shows a blank screen, so the attack stays invisible to analysis tools.

When all the conditions are met, however, a full-screen interface appears. From then on, every click, every switch to full screen and every page reload triggers alarm sounds. There is no real damage to the computer, but the combination of visual, audio and interactive effects creates a convincing illusion of a system crash.

If the user tries to inspect the page with the browser's developer tools, CypherLoc responds by starting a continuous cycle of asset reloads, restarting media streams and recomputing the layout, sending the browser into a tailspin and reinforcing the impression that something serious is really happening. The only apparent way out is the technical support number displayed prominently on the screen. Whoever calls it reaches a scammer posing as a Microsoft operator, ready to complete the deception by trying to extort money.

Figure: The CypherLoc attack pattern. Credit: Barracuda Research.

How to protect yourself from the blocked browser scam

Defending against this type of attack requires both adequate technical tools and a good dose of awareness. On the technology side, it is essential to deploy effective anti-phishing solutions, alongside protection for web browsing and for the devices connected to the network.

On the psychological side, the most important rule is to ignore supposed security warnings that lock your browser, ask you to call a support number, or require you to enter personal information (such as credit or debit card details) to resolve the problem. Two practical checks help: genuine Microsoft or browser error messages never include a phone number to call, and since CypherLoc is only a web page, it has installed nothing on the system. Pressing Esc leaves full-screen mode, and if the tab will not close, force-quitting the browser (for example from Task Manager) ends the "lock" with no lasting effect.