WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation

We reveal details on the most sophisticated browser locker campaign we’ve seen yet. Learn how this tech support scam fools users by hiding in plain sight. In the early days, practically all tech support scammers would get their own leads by doing some amateur SEO poisoning and keyword stuffing on YouTube and other social media sites.

They’d then leverage their boiler room to answer incoming calls from victims. Today, these practices continue, but we are seeing more advanced operations with a clear separation between lead generation and actual call fulfillment. Malvertising campaigns and redirections from compromised sites to browser locker pages are owned and operated by experienced purveyors of web traffic.

There is one particular browser locker (browlock) campaign that had been eluding us for some time. It stands apart from the others, striking repeatedly on high-profile sites, such as the Microsoft Edge Start page, and yet, eluding capture. In addition, and a first to our knowledge, the browser locker pages were built to be ephemeral with unique, time-sensitive session tokens.

Source: malwarebytes.com