Barracuda Networks Report Identifies CypherLoc Scareware Kit
Barracuda Networks today revealed that since the beginning of this year it has been tracking a scareware kit that employs advanced evasion techniques to seize control of web browsers and induce victims to call a fraudulent technical support number.
Dubbed CypherLoc, the kit has now been observed by Barracuda Networks researchers in approximately 2.8 million attacks.
Specifically, CypherLoc makes novel use of encrypted loaders, hash-gated execution, and page replacement at runtime to first freeze the screen and then display an alert directing end users to call a support phone number.
The attack usually starts with a phishing email that directs the victim to a malicious web page through a link that is either embedded in the email body or in an attachment. Initially, the web page appears legitimate, but after successful decryption, the original page erases itself and is replaced by an entirely new page that resets scripts and breaks live inspection.
The trigger for this transition is hidden in the web page and will only decrypt if certain conditions are met. CypherLoc hides its real functionality inside an encrypted payload embedded directly in the web page. The code only decrypts when the page is opened under the right conditions: the required URL fragment hash is present and the page passes a series of cryptographic integrity checks. If the hidden fragment is missing, or the page is being opened in a scanner, sandbox or test environment, the malicious payload refuses to run and the page redirects to a blank screen to hide the attack from security tools.
Once launched, CypherLoc restricts user activity by taking over in full-screen mode, disabling context menus, hiding the cursor, and blanketing the screen with overlays. Any attempt to regain control triggers immediate ‘relocking’ behavior.
Additionally, if anyone tries to inspect or examine the page while it’s running, the page deliberately causes the browser to become slow, glitchy or unstable to create the illusion that there is a serious issue.
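The hash-gated loader, the runtime page rewrite and the browser-lock behaviours described above leave static traces in the landing page's HTML and JavaScript even when the encrypted payload itself cannot be read. The following is an added example, not Barracuda's code and not the kit itself: a Python triage heuristic that scores a fetched page for co-occurring indicators of this class of scareware. The indicator names, regular expressions, weights, threshold and the two constructed sample pages are assumptions of this example, not vendor signatures.

```python
"""
Added example (not Barracuda's code or the CypherLoc kit): a static triage
heuristic that scores a landing page's HTML/JS for co-occurring browser-lock
and hash-gated-execution traits. Indicator patterns, weights and threshold
are assumptions chosen for illustration, not a vendor signature set.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Patterns are deliberately broad: any single one is
# common on legitimate sites, so a page is flagged only when several co-occur.
INDICATORS = [
    ("hash_gated_exec", re.compile(r"location\.hash", re.I), 2),
    ("webcrypto_decrypt", re.compile(r"crypto\.subtle\.(decrypt|digest)", re.I), 2),
    ("fullscreen_request", re.compile(r"requestFullscreen|webkitRequestFullScreen", re.I), 2),
    ("contextmenu_block",
     re.compile(r"contextmenu.{0,40}preventDefault|oncontextmenu\s*=\s*['\"]?return false", re.I | re.S), 1),
    ("hidden_cursor", re.compile(r"cursor\s*:\s*none", re.I), 1),
    ("document_rewrite", re.compile(r"document\.(write|documentElement\.innerHTML)", re.I), 1),
    ("support_phone_lure",
     re.compile(r"call\s+(?:support|microsoft|windows)[^<]{0,40}\d{3}[-.\s]\d{3}[-.\s]\d{4}", re.I), 3),
    ("ip_display", re.compile(r"api\.ipify\.org|ipinfo\.io|your ip (?:address )?is", re.I), 1),
    ("relock_on_exit", re.compile(r"fullscreenchange|visibilitychange|onblur", re.I), 1),
]

FLAG_THRESHOLD = 6  # assumption: tune against your own benign corpus


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def score_page(html: str) -> Verdict:
    """Return the weighted indicator score and the list of indicator names hit."""
    verdict = Verdict(score=0)
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += weight
    return verdict


# Constructed sample: an ordinary intranet login page. It uses one of the
# broad indicators (visibilitychange) for a legitimate purpose.
BENIGN_PAGE = """<html><head><title>Acme Intranet Login</title></head><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<script>
document.addEventListener("visibilitychange", () => console.log("tab state changed"));
</script>
</body></html>"""

# Constructed sample: a non-functional fragment with the wrapper traits a
# hash-gated browser-lock page exposes (undefined names, nothing runs).
SUSPICIOUS_PAGE = """<html><body>
<h1>Windows Security Alert</h1>
<p>Your IP address is 203.0.113.7. Call Support now: 800-555-0100</p>
<style>body{cursor:none}</style>
<script>
if (!window.location.hash) { location.replace("about:blank"); }
crypto.subtle.digest("SHA-256", data).then(run);
document.documentElement.innerHTML = decrypted;
document.addEventListener("contextmenu", e => e.preventDefault());
document.documentElement.requestFullscreen();
document.addEventListener("fullscreenchange", relock);
</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        v = score_page(page)
        print(f"{label}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

Two caveats follow from the article itself. First, because the payload only decrypts when the URL fragment is present, a crawler or sandbox that strips fragments (which browsers never send to the server, so they are absent from most proxy and web-server logs) will fetch a page that bails out to a blank screen; detonation and static triage both need the full link as delivered in the email. Second, the encrypted blob will not match any content signature, so the scan above targets the unencrypted wrapper that has to exist to gate, decrypt and lock, and it should be weighted rather than treated as a single-hit rule, since full-screen requests and visibility handlers are routine on benign sites.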
Merium Khalid, director of offensive security for the security operations center (SOC) at Barracuda Networks, said that while the attack itself is a straightforward social engineering attempt to steal credentials over the phone, the tactics used to evade detection are significantly more sophisticated.
For example, a fake security page automatically plays warning sounds whenever the user clicks, the page switches to full screen or the page reloads. This extra noise and activity can slow the browser down, make it glitchy, or even cause it to crash. CypherLoc also retrieves the victim’s public IP address at page load and displays it on the landing page. Showing this IP address is a psychological tactic, designed to both make the warning feel personalized and increase the overall sense of urgency.
For good measure, login forms are presented to victims, asking for usernames and passwords. These inputs are never processed. Their purpose is again purely psychological as they make the threat look legitimate, keep the victim on the page for longer, and escalate the sense of panic when the issue is not immediately resolved.
Ultimately, the best defense against these types of attacks is better end-user training, said Khalid. Once end users are made aware of how these attacks are being launched, they are going to be much less likely to engage, she added.
The challenge, of course, is finding a way to educate end users in a way that doesn’t require someone they might know to serve as an example of what not to do the next time their browser freezes.